IAM Policy Engine
The Neural Inverse IAM Policy Engine controls what AI capabilities are available to which developers on which projects. Policies are defined using Allow/Deny statements against a custom ni: action namespace, evaluated server-side with no client bypass.
Policy Structure
A policy is a JSON document with an array of statements:
{
"statements": [
{
"sid": "AllowPowerMode",
"effect": "Allow",
"actions": ["ni:powermode:use", "ni:powermode:configure"],
"resources": ["*"]
},
{
"sid": "BlockTerminalAutoApprove",
"effect": "Deny",
"actions": ["ni:powermode:autoapprove:terminal"],
"resources": ["*"]
}
]
}Each statement has:
effect-AlloworDeny. Deny takes precedence over Allow.actions- one or moreni:action strings. Wildcards are supported:ni:powermode:*,ni:*resources- optional resource ARNs scoping the statement, or*for all resourcessid- optional identifier for the statement
Resource ARN format: ni:{service}:{orgId}:{resourceType}/{resourceId}
Examples:
ni:models:*:model/claude-sonnet-4-6- a specific modelni:models:*:model/*- all modelsni:project:*:project/proj_abc123- a specific project
Scope Inheritance
Policies apply at four levels. The most specific scope that has policies attached wins entirely.
| Scope | Priority | Description |
|---|---|---|
| User | 1 (highest) | Overrides everything. For elevated access or restrictions on specific individuals. |
| Subproject | 2 | Overrides project and org. For sensitive modules within a project. |
| Project | 3 | Overrides org defaults. For project-specific restrictions or grants. |
| Org | 4 (lowest) | Baseline policy for all developers in the organisation. |
Example: Scope Override
Scenario: The org allows Power Mode by default. The payments-core project has Power Mode disabled. One senior developer on that project needs it enabled.
Org policy: ni:powermode:use = Allow
Project policy: ni:powermode:use = Deny (overrides org)
User policy (Alice): ni:powermode:use = Allow (overrides project)Alice gets Power Mode on payments-core. Everyone else on that project does not.
Action Reference
IDE Features
| Action | Description |
|---|---|
ni:autocomplete:enable | Allow FIM / inline autocomplete |
ni:autocomplete:configure | Change autocomplete model and settings |
ni:fim:enable | Allow Fill-in-the-Middle completions |
ni:fim:configure | Change FIM model, trigger, and debounce settings |
ni:chat:enable | Allow the main AI chat panel |
ni:chat:configure | Configure chat model and context window settings |
ni:inlinechat:enable | Allow inline AI chat inside the editor |
ni:codeactions:enable | Allow AI-suggested code actions and quick fixes |
ni:systemprompt:enable | Allow custom system prompts per workspace |
ni:systemprompt:configure | Edit system prompt content and rules |
Power Mode
| Action | Description |
|---|---|
ni:powermode:use | Open and run Power Mode autonomous agent sessions |
ni:powermode:configure | Change Power Mode model, iteration limits, and settings |
ni:powermode:autoapprove:terminal | Allow automatic terminal command execution without confirmation |
ni:powermode:autoapprove:file | Allow automatic file edits without confirmation |
ni:powermode:autoapprove:browser | Allow automatic browser interactions without confirmation |
Workflow Agents
| Action | Description |
|---|---|
ni:agents:use | Run workflow agent sessions |
ni:agents:configure | Configure agent roles, concurrency, and iteration limits |
ni:agents:create | Define and save custom agent workflow definitions |
Checks Agent (GRC)
| Action | Description |
|---|---|
ni:checks:use | Run compliance scans via the Checks Agent |
ni:checks:view | View GRC violations and compliance status |
ni:checks:manage | Create, edit, and delete compliance frameworks and rules |
ni:checks:blockcommits | Block git commits when blocking violations exist |
Models
| Action | Description |
|---|---|
ni:models:view | Browse the model marketplace |
ni:models:select | Choose models for chat, autocomplete, and agents |
ni:models:configure | Configure model parameters, temperature, and context |
ni:models:manage | Add, remove, and configure model providers and API keys |
ni:models:access:* | Access any model in the marketplace |
ni:models:access:{model-id} | Access a specific model (e.g. ni:models:access:claude-sonnet-4-6) |
MCP Servers
| Action | Description |
|---|---|
ni:mcp:enable | Allow MCP server connections in the IDE |
ni:mcp:configure | Add and configure MCP server endpoints |
ni:mcp:manage | Manage the org-wide MCP server registry |
AI Behavior
| Action | Description |
|---|---|
ni:behavior:configure | Set AI behavior rules, safety controls, and persona settings |
ni:behavior:manage | Manage org-wide AI behavior policies |
Policy and Governance
| Action | Description |
|---|---|
ni:policy:view | View IAM policies and their assignments |
ni:policy:configure | Attach and detach policies to resources |
ni:policy:manage | Create, edit, and delete custom IAM policies |
Org and Members
| Action | Description |
|---|---|
ni:org:view | View organisation settings and info |
ni:org:configure | Edit organisation display name and settings |
ni:members:view | View team member list |
ni:members:manage | Invite, remove, and change access for members |
ni:billing:view | View billing and usage information |
ni:billing:manage | Manage subscription and billing settings |
ni:audit:view | Access the audit trail and activity log |
NI Managed Policies
The platform ships a set of built-in policies you can attach directly without defining your own:
| Policy ID | What it grants |
|---|---|
NIIDEFullAccess | All IDE features (autocomplete, FIM, chat, inline chat, code actions, system prompt) |
NIAutocompleteAccess | FIM and inline autocomplete only |
NIChatAccess | Chat, inline chat, and code actions |
NISystemPromptAccess | System prompt enable and configure |
NIPowerModeAccess | Power Mode use and configure |
NIPowerModeAutoApproveAll | Auto-approve for terminal, file edits, and browser |
NIPowerModeAutoApproveTerminal | Auto-approve for terminal only |
NIAgentsAccess | Workflow agents use, configure, and create |
NIChecksAgentAccess | Full Checks Agent access including commit blocking |
NIChecksAgentReadOnly | View violations only |
NIModelAccess | View, select, configure, and access all models |
NIModelAdminAccess | All model actions including provider management |
NIModelReadOnly | View models only |
NIMCPServerAccess | MCP server enable and configure |
NIFullAccess | All ni:* actions |
NIReadOnlyAccess | Read-only access to IDE features, checks, models, org, audit |
Agent Execution Controls
Separate from action policies, the org admin can set execution limits that apply globally to all agent sessions:
| Setting | Description |
|---|---|
| Max iterations per Power Mode session | Prevents runaway agent loops |
| Max concurrent sub-agents | Limits parallel sub-agent execution |
| Max iterations per sub-agent | Per-agent iteration cap |
| Auto-approve: Terminal | Force On / Force Off / Default per tool type |
| Auto-approve: File Edits | Force On / Force Off / Default per tool type |
| Auto-approve: Browser | Force On / Force Off / Default per tool type |
| Lock developer settings | Prevents developers from overriding org execution controls |
Managing Policies
Policies are managed in the Enterprise Console under Manage > IAM.
- Sign in to
platform.your-domain.comas Org Admin - Navigate to Manage > IAM > Policies
- Select Attach Policy and choose NI Managed or create a Customer Managed policy
- Set the scope: Org, Project, Subproject, or User
- Save - changes propagate to connected IDE clients within 30 seconds
Propagation
Policy changes apply to all active IDE sessions within 30 seconds. Developers do not need to restart the IDE. A notification appears in the IDE status bar when policy changes are received.
If the IDE loses connection to the Enterprise instance, it falls back to the last received policy until connection is restored.
Last edited