Enforcement modes explained
Every policy carries an enforcement mode — the dial between full visibility and a hard stop. Shield has five, and the right governance program usually mixes them.
The five modes
- Observe — log only. Usage is recorded in the audit log; nobody is interrupted. The baseline for discovery phases and low-risk tools.
- Warn — show a warning. The user sees a warning and can proceed. An awareness moment without blocking work.
- Justify — require a reason. The user must give a reason to proceed; the reason lands in the audit log. Strong middle ground for sensitive-but-legitimate workflows.
- Transform — redact data. Detected sensitive values are redacted locally, on the device, before anything is sent to the AI tool. The work continues; the sensitive data doesn't leave.
- Block — fully prevent. The action never reaches the AI tool. For secrets, credentials, and tools your organization has ruled out.
How they interact
When several policies match the same action, the strictest action wins — a tool-specific Block beats a general Warn. From Discovery you can also set quick app-level calls (Allow, Warn/Review, Block) without building a full policy first.
Choosing a mode
A pragmatic ladder: start new tools on Observe, move business-relevant flows to Warn or Justify, and use Transform/Block where data must never cross — the starter policies your org began with follow exactly this pattern (transform PII and financial data, block secrets, warn on source code).
Note: mode availability depends on your plan — Starter includes Block and Warn; Business and Enterprise add Justify, Transform, and Observe.
Was this article helpful?
Related articles
Create a policy
Build a policy from the five layers — tools, data types, actions, context, enforcement — and activate it for your organization in minutes.
Read articleData types and on-device detection
Which sensitive data Shield recognizes — PII, financial data, source code, secrets — and why the content never leaves the device to be classified.
Read articleApply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleStill stuck?
Send us the details — we answer within one business day.