Neural Inverse is Open Source →
DocsIAM Policy Engine

IAM Policy Engine

The Neural Inverse IAM Policy Engine controls what AI capabilities are available to which developers on which projects. Policies are defined using Allow/Deny statements against a custom ni: action namespace, evaluated server-side with no client bypass.

Policy Structure

A policy is a JSON document with an array of statements:

{
  "statements": [
    {
      "sid": "AllowPowerMode",
      "effect": "Allow",
      "actions": ["ni:powermode:use", "ni:powermode:configure"],
      "resources": ["*"]
    },
    {
      "sid": "BlockTerminalAutoApprove",
      "effect": "Deny",
      "actions": ["ni:powermode:autoapprove:terminal"],
      "resources": ["*"]
    }
  ]
}

Each statement has:

  • effect - Allow or Deny. Deny takes precedence over Allow.
  • actions - one or more ni: action strings. Wildcards are supported: ni:powermode:*, ni:*
  • resources - optional resource ARNs scoping the statement, or * for all resources
  • sid - optional identifier for the statement

Resource ARN format: ni:{service}:{orgId}:{resourceType}/{resourceId}

Examples:

  • ni:models:*:model/claude-sonnet-4-6 - a specific model
  • ni:models:*:model/* - all models
  • ni:project:*:project/proj_abc123 - a specific project

Scope Inheritance

Policies apply at four levels. The most specific scope that has policies attached wins entirely.

ScopePriorityDescription
User1 (highest)Overrides everything. For elevated access or restrictions on specific individuals.
Subproject2Overrides project and org. For sensitive modules within a project.
Project3Overrides org defaults. For project-specific restrictions or grants.
Org4 (lowest)Baseline policy for all developers in the organisation.

Example: Scope Override

Scenario: The org allows Power Mode by default. The payments-core project has Power Mode disabled. One senior developer on that project needs it enabled.

Org policy:             ni:powermode:use = Allow
Project policy:         ni:powermode:use = Deny     (overrides org)
User policy (Alice):    ni:powermode:use = Allow     (overrides project)

Alice gets Power Mode on payments-core. Everyone else on that project does not.

Action Reference

IDE Features

ActionDescription
ni:autocomplete:enableAllow FIM / inline autocomplete
ni:autocomplete:configureChange autocomplete model and settings
ni:fim:enableAllow Fill-in-the-Middle completions
ni:fim:configureChange FIM model, trigger, and debounce settings
ni:chat:enableAllow the main AI chat panel
ni:chat:configureConfigure chat model and context window settings
ni:inlinechat:enableAllow inline AI chat inside the editor
ni:codeactions:enableAllow AI-suggested code actions and quick fixes
ni:systemprompt:enableAllow custom system prompts per workspace
ni:systemprompt:configureEdit system prompt content and rules

Power Mode

ActionDescription
ni:powermode:useOpen and run Power Mode autonomous agent sessions
ni:powermode:configureChange Power Mode model, iteration limits, and settings
ni:powermode:autoapprove:terminalAllow automatic terminal command execution without confirmation
ni:powermode:autoapprove:fileAllow automatic file edits without confirmation
ni:powermode:autoapprove:browserAllow automatic browser interactions without confirmation

Workflow Agents

ActionDescription
ni:agents:useRun workflow agent sessions
ni:agents:configureConfigure agent roles, concurrency, and iteration limits
ni:agents:createDefine and save custom agent workflow definitions

Checks Agent (GRC)

ActionDescription
ni:checks:useRun compliance scans via the Checks Agent
ni:checks:viewView GRC violations and compliance status
ni:checks:manageCreate, edit, and delete compliance frameworks and rules
ni:checks:blockcommitsBlock git commits when blocking violations exist

Models

ActionDescription
ni:models:viewBrowse the model marketplace
ni:models:selectChoose models for chat, autocomplete, and agents
ni:models:configureConfigure model parameters, temperature, and context
ni:models:manageAdd, remove, and configure model providers and API keys
ni:models:access:*Access any model in the marketplace
ni:models:access:{model-id}Access a specific model (e.g. ni:models:access:claude-sonnet-4-6)

MCP Servers

ActionDescription
ni:mcp:enableAllow MCP server connections in the IDE
ni:mcp:configureAdd and configure MCP server endpoints
ni:mcp:manageManage the org-wide MCP server registry

AI Behavior

ActionDescription
ni:behavior:configureSet AI behavior rules, safety controls, and persona settings
ni:behavior:manageManage org-wide AI behavior policies

Policy and Governance

ActionDescription
ni:policy:viewView IAM policies and their assignments
ni:policy:configureAttach and detach policies to resources
ni:policy:manageCreate, edit, and delete custom IAM policies

Org and Members

ActionDescription
ni:org:viewView organisation settings and info
ni:org:configureEdit organisation display name and settings
ni:members:viewView team member list
ni:members:manageInvite, remove, and change access for members
ni:billing:viewView billing and usage information
ni:billing:manageManage subscription and billing settings
ni:audit:viewAccess the audit trail and activity log

NI Managed Policies

The platform ships a set of built-in policies you can attach directly without defining your own:

Policy IDWhat it grants
NIIDEFullAccessAll IDE features (autocomplete, FIM, chat, inline chat, code actions, system prompt)
NIAutocompleteAccessFIM and inline autocomplete only
NIChatAccessChat, inline chat, and code actions
NISystemPromptAccessSystem prompt enable and configure
NIPowerModeAccessPower Mode use and configure
NIPowerModeAutoApproveAllAuto-approve for terminal, file edits, and browser
NIPowerModeAutoApproveTerminalAuto-approve for terminal only
NIAgentsAccessWorkflow agents use, configure, and create
NIChecksAgentAccessFull Checks Agent access including commit blocking
NIChecksAgentReadOnlyView violations only
NIModelAccessView, select, configure, and access all models
NIModelAdminAccessAll model actions including provider management
NIModelReadOnlyView models only
NIMCPServerAccessMCP server enable and configure
NIFullAccessAll ni:* actions
NIReadOnlyAccessRead-only access to IDE features, checks, models, org, audit

Agent Execution Controls

Separate from action policies, the org admin can set execution limits that apply globally to all agent sessions:

SettingDescription
Max iterations per Power Mode sessionPrevents runaway agent loops
Max concurrent sub-agentsLimits parallel sub-agent execution
Max iterations per sub-agentPer-agent iteration cap
Auto-approve: TerminalForce On / Force Off / Default per tool type
Auto-approve: File EditsForce On / Force Off / Default per tool type
Auto-approve: BrowserForce On / Force Off / Default per tool type
Lock developer settingsPrevents developers from overriding org execution controls

Managing Policies

Policies are managed in the Enterprise Console under Manage > IAM.

  1. Sign in to platform.your-domain.com as Org Admin
  2. Navigate to Manage > IAM > Policies
  3. Select Attach Policy and choose NI Managed or create a Customer Managed policy
  4. Set the scope: Org, Project, Subproject, or User
  5. Save - changes propagate to connected IDE clients within 30 seconds

Propagation

Policy changes apply to all active IDE sessions within 30 seconds. Developers do not need to restart the IDE. A notification appears in the IDE status bar when policy changes are received.

If the IDE loses connection to the Enterprise instance, it falls back to the last received policy until connection is restored.


Was this page helpful?

Last edited