Skip to Content

Manage tags

A tag is a reusable label you attach to one or more (platform, scope) pairs. Instead of listing every scope a rule should cover, you tag the scopes once and then point a policy or guardrail at the tag. Tag mail.send, stripe:charge, and github:repo.delete as tag:sensitive, and a single require-approval guardrail on tag:sensitive now covers all three — and any scope you tag later.

Tags live on the standalone Tags page (under Governance). The same panel also appears as the Manage tags modal inside the policy editor.

Create a tag

On the Tags page, add a tag with a short, lowercase id (for example pii, sensitive, read-only). The id is what rules reference as tag:<id>. Tags are scoped to your org — they’re invisible to other orgs.

Assign a tag to scopes

For each tag, assign the (platform, scope) pairs it should cover. A scope can carry more than one tag, and the same tag can span multiple platforms — that’s the point: one label, many scopes, across connectors.

Use a tag in a rule

Once a tag exists, it appears in the target dropdown wherever you build a rule:

  • Policies — allow / deny / require-approval a tag for a team member’s agents. See Manage user policies.
  • Guardrails — org-wide deny or require-approval on a tag, optionally filtered by role (the classic “members never see tag:pii”). See Manage org guardrails.

A tag rule resolves to every scope currently carrying that tag at decision time, so tagging a new scope immediately brings it under existing tag rules — no rule edits needed.

Last updated on