Manage tags
A tag is a reusable label you attach to one or more (platform, scope)
pairs. Instead of listing every scope a rule should cover, you tag the scopes
once and then point a policy or guardrail at the tag. Tag mail.send,
stripe:charge, and github:repo.delete as tag:sensitive, and a single
require-approval guardrail on tag:sensitive now covers all three — and any
scope you tag later.
Tags live on the standalone Tags page (under Governance). The same panel also appears as the Manage tags modal inside the policy editor.
Create a tag
On the Tags page, add a tag with a short, lowercase id (for example
pii, sensitive, read-only). The id is what rules reference as tag:<id>.
Tags are scoped to your org — they’re invisible to other orgs.
Assign a tag to scopes
For each tag, assign the (platform, scope) pairs it should cover. A scope can carry more than one tag, and the same tag can span multiple platforms — that’s the point: one label, many scopes, across connectors.
Use a tag in a rule
Once a tag exists, it appears in the target dropdown wherever you build a rule:
- Policies — allow / deny / require-approval a tag for a team member’s agents. See Manage user policies.
- Guardrails — org-wide deny or require-approval on a tag, optionally
filtered by role (the classic “members never see
tag:pii”). See Manage org guardrails.
A tag rule resolves to every scope currently carrying that tag at decision time, so tagging a new scope immediately brings it under existing tag rules — no rule edits needed.