Policy Precedence

Policy Precedence

List view

Quick Start
Welcome
Console & Settings
Release Notes
November 25, 2025 WitnessAI Update
November 18, 2025 WitnessAI Update
November 11, 2025 WitnessAI Update
October 28, 2025 WitnessAI Update
October 23, 2025 WitnessAI Update
October 9, 2025 WitnessAI Update
October 2, 2025 WitnessAI Update
September 30, 2025: WitnessAI Update
September 23, 2025: WitnessAI Update
August 12, 2025: WitnessAI Update
July 31, 2025: WitnessAI Update
July 18, 2025: WitnessAI Update
June 23, 2025: WitnessAI Update
June 9, 2025: WitnessAI Update
April 11, 2025: WitnessAI Release v2.0
Supported Applications & LLMs
User Guide
Home
Discovery
Discovered Apps
App Catalog
Analytics
Conversations
Users
Alerts
Policies
Lists
Private Applications
Settings
Configuration
Access Control
System
Secure AI Portal
User Menu
Policies & GuardRails
Policy Creation
Policy Precedence
File Attachments
GuardRail: Behavioral Activity
GuardRail: PCI DSS
GuardRail: Data Protection
GuardRail: Harmful Response Prevention (Beta)
GuardRail: Model Identity Protection
GuardRail: Model Protection
GuardRail: Organizational Behavior (Beta)
GuardRail: Risk Analysis
Witness Anywhere: Remote Device Security
WA: Remote Device Security
Stunnel
Azure Intune: Single-User VDI
Azure Intune: Multi-User VDI
CrowdStrike (Windows)
GPO (Windows)
Jamf (macOS) (Beta)
SentinelOne
Witness Anywhere: FAQ
Witness Anywhere Overview
Witness Attack
Witness Attack: AI Red Teaming 
Administrator Guide
Accessibility
Identity: Microsoft Entra ID (Azure AD)
Identity: Okta Identity
Integrations: Identity Providers
Identity: Microsoft Entra ID (Azure AD)
Identity: Okta Identity
Integrations: Network Security
Netskope SWG
Palo Alto Networks NGFW
Prisma Access: DNS Sinkhole
Prisma Access: Explicit Proxy
Zscaler Internet Access
Zscaler Beta
Status Page
API Reference
Input API
Complete API
Text-Completion API
Prompt-Protect API
Encryption

Policy Processing

WitnessAI employs a “first-match” or “top-down” policy processing approach.
In this approach, User Prompts and Model Responses are checked by each Policy in the order Policies are listed on the Policy console, from top to bottom.
The first, or top-most Policy that matches the Prompts, and the combination of Policy and GuardRail attributes such as: Source (Users and/or Groups), Destination (Providers, Applications, Models, and/or Lists), Prompt, Intent, Behavior, and Response (in the case of the Harmful Response Prevention Guardrail), will perform the GuardRail Actions configured in the Policy.
After the first match, the User Prompt will not be checked by any more policies in the list.
This is why the Global Block Policy (GBP) is pinned to the top of the Policy list. Any AI service that is on the Blocked Apps List will be automatically added to the GBP and all traffic will be blocked. Since the traffic will be blocked, no further Policies and GuardRails will be applied.
The Attachment Block Policy (ABP) is pinned just below the GBP. Full ABP details are on the File Attachment page.
 
notion image
 
notion image
 
notion image
 
notion image