What is a policy decision point for AI?
A PDP is the component that answers one question - should this action be allowed? - for every agent action. Here is what it does and why AI governance needs one.
What a PDP is
A policy decision point (PDP) is the authority that evaluates an action against policy and returns a verdict. It is a well-established idea in access control, now essential for AI: every consequential action an agent takes should pass through a PDP that decides allow, deny, or something in between - and explains why.
The verdicts a good PDP returns
A binary allow-or-deny is too blunt for real actions. A useful PDP returns a graded verdict so the response fits the risk.
| Verdict | Meaning |
|---|---|
| Allow | The action is permitted as-is. |
| Allow with logging | Permitted, but recorded for the trail. |
| Require step-up | Permitted after additional verification. |
| Human review | Held for a person to approve or reject. |
| Block (recommended) | Flagged to be stopped; the attempt is recorded. |
How Fintra’s PDP works
- Evaluates each action deterministically: tenant isolation, scope containment, and a sensitivity ladder.
- Returns a graded verdict plus a risk score and an action trust score.
- Produces explainable trust factors - the drivers behind the decision.
- Emits a tamper-evident ledger hash for every decision, so the record is verifiable.
- The enforced stop point is the approval gate, where human-review verdicts land.
PDP design checklist
- Every consequential action passes through the PDP.
- Verdicts are graded, not just allow or deny.
- Decisions are deterministic and explainable.
- Each decision carries a risk and trust score.
- Decisions are recorded to a tamper-evident trail.
- A clear enforcement point acts on the verdict.
Frequently asked questions
What is a policy decision point?
A policy decision point (PDP) is the component that evaluates an action against policy and returns a verdict - allow, deny, or a graded response like step-up or human review. For AI, it decides whether an agent’s action should proceed. Fintra’s PDP evaluates each action deterministically and returns a graded verdict with a risk score.
What is the difference between a PDP and a PEP?
The PDP decides; the policy enforcement point (PEP) acts on the decision. The PDP might say "hold for approval," and the enforcement point makes that real. In Fintra, the enforced stop for a human-review verdict is the approval gate on consequential actions.
What verdicts should an AI PDP return?
More than allow or deny. A useful PDP grades its response: allow, allow-with-logging, require step-up, human review, and a block recommendation, so the control matches the risk. Fintra returns exactly this graded set alongside a risk score, an action trust score, and explainable factors.
Why does a PDP need to be explainable?
Because "the AI said no" is not an acceptable reason for a governance decision. An explainable PDP shows the factors behind each verdict, which is essential for trust and for audits. Fintra produces the trust factors driving each decision and a tamper-evident ledger hash so the record is verifiable.
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
A decision on every action
A PDP that grades, explains, and records every agent action. Free to start, no card required.
Talk to us