![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>\n<\/p>\n
Cisco\u2019s\u202f<\/span>Integrated AI Security and Safety Framework<\/span>\u202fand\u202f<\/span>our recent work on defining taxonomy constitutions<\/span>\u202ffocused on\u00a0defining\u00a0and detecting\u00a0common\u00a0risks\u00a0shared among enterprises when\u00a0deploying AI.\u00a0However,\u00a0while most enterprises share\u00a0a lot of the\u00a0common risk\u00a0categories, they are also diverse,\u00a0and\u00a0it is impossible to develop a complete taxonomy that would fully cover all customer specific cases. A retail bank\u2019s AI assistant, for instance, should answer \u201chow does a 401(k) work\u201d but under SEC and FINRA rules\u00a0may not be able to\u00a0answer \u201cshould I move my savings into index funds\u201d as personalized investment advice. Writing that rule is a thinking task, and the tools on the market for custom guardrails (fixed-category dropdowns, regular-expression fields, labeled-example uploaders, blank paragraph boxes) ask the policy owner for work they have not yet done.<\/span>\u00a0<\/span><\/p>\n We are introducing Policy Studio in Cisco AI Defense, a flexible AI assistant that guides the policy owner through authoring a custom guardrail. In a chat-and-review UI, the owner answers insights: conceptual questions about what the rule should mean, paired with evidence from their own data, like a manager issuing guidance instead of editing a draft. The assistant turns that guidance into policy text, refines it against the data, and publishes the result to the AI Defense guardrails console for runtime enforcement.<\/span>\u00a0<\/span><\/p>\n A Policy Studio guardrail is a human-readable policy document. It names the conduct at issue, states its elements, marks the boundaries against adjacent conduct, and records worked examples for the close cases. Compliance reads it, auditors read it, and at runtime the language model reads it to decide each case. We modeled the document on our constitutions for shared safety risks, which build on\u202f<\/span>Constitutional AI<\/span>\u202fand run 300-plus lines per technique, precise enough that multiple frontier models return the same decision on the same input.<\/span>\u00a0<\/span><\/p>\n A written policy is the artifact\u00a0that\u00a0the bank\u2019s legal, compliance, and audit functions already use.\u00a0A custom guardrail should be no different.<\/span>\u00a0<\/span><\/p>\n Our constitution work showed that writing a policy precise enough to enforce at scale is beyond what an unassisted human author can\u00a0reasonably do, so we focus on meta-prompting: using AI to author the prompt another model will read. A custom guardrail is exactly that kind of prompt, the system\u00a0prompt\u00a0the runtime classifier reads on every request, and Policy Studio authors it. The established work on meta-prompting is automated:\u00a0DSPy\u2019s\u00a0optimizers (<\/span>Khattab et al., 2023<\/span>) and OPRO (<\/span>Yang et al., 2023<\/span>) take a labeled dataset and search the prompt space for a string that reproduces the labels, and the literature reports these methods can match or outperform a human editing the prompt directly when the target behavior is already settled.<\/span>\u00a0<\/span><\/p>\n Authoring a new custom guardrail does not start\u00a0from\u00a0a settled policy. The policy owner works out the advice-versus-education boundary while labeling, and like any expert building a standard for the first time, their reading of it sharpens as they go. The labels record a moving target, and a prompt compiled directly from them inherits the drift.<\/span>\u00a0<\/span><\/p>\n We build on this line of work and extend it to policies that are still forming, through an AI agent rather than a fixed pipeline: Policy Studio reviews the draft against the bank\u2019s chats, flags the gaps, frames the questions for the policy owner to resolve, and rewrites the policy on each answer, so the policy owner holds the direction and the agent handles every iteration.<\/span>\u00a0<\/span><\/p>\n In a Policy Studio session the policy owner and the agent work at different levels: the policy owner decides on general issues, and the agent handles the individual chats and the draft policy text one layer down. We call each general issue an insight, and resolving one guides the agent\u2019s next rewrite, closing the meta-prompting loop. Insights come from two sources, and a session moves continuously between them.<\/span>\u00a0<\/span><\/p>\n Textual insights read the current draft and flag gaps, silences, and ambiguous clauses the policy owner would not catch on a rereading. An early textual insight in the bank\u2019s session might read:<\/span>\u00a0<\/span><\/p>\n Hypothetical framings<\/span><\/b>\u00a0<\/span><\/p>\n The current draft prohibits recommendations but does not address hypothetical phrasing like \u201cif you were investing in bonds today\u2026\u201d. Compliance guidance typically treats hypothetical advice as advice.<\/span>\u00a0<\/span><\/p>\n Agree \u00b7 Disagree \u00b7 Dismiss<\/span><\/i>\u00a0<\/span><\/p>\n The question names the clause, the missing case, and the decision the policy owner needs to make, and answering it does not require reading a single customer chat.<\/span>\u00a0<\/span><\/p>\n Behavioral insights come from running the current draft against the bank\u2019s production chats and grouping the decisions by the reasoning path that produced them. Each group is a pattern the draft is exhibiting, shown alongside representative cases:<\/span>\u00a0<\/span><\/p>\n Implicit advice via market comparisons \u00b7 FN \u00b7 31 cases<\/span><\/b>\u00a0<\/span><\/p>\n The current draft lets through responses that compare historical returns across asset classes (\u201cindex funds have outperformed active management since 2000\u201d), despite steering the reader toward a specific investment choice.<\/span>\u00a0<\/span><\/p>\n Agree \u00b7 Disagree \u00b7 Dismiss \u00b7 View conversations<\/span><\/i>\u00a0<\/span><\/p>\n The policy owner answers at the pattern level. A single answer applies to every conversation in the group, and after the next rewrite, to cases we have not yet seen. An answered insight changes how the policy gets written. A label\u00a0changes\u00a0one example. The policy owner\u2019s effort scales with the number of distinct judgments in the policy, not with case volume. A policy with ten distinct decisions takes\u00a0on the order of\u00a0ten resolved insights, whether the bank brings in seventy chats or seventy thousand.<\/span>\u00a0<\/span><\/p>\n Textual analysis catches\u00a0gaps\u00a0the data cannot reveal, because cases the policy has already\u00a0made\u00a0impossible to\u00a0observe\u00a0never enter the data. Behavioral analysis catches silent assumptions the policy owner did not know they were making. Running both in the same session makes the policy legible, first to the policy owner and then to an auditor reviewing the bank\u2019s work.<\/span>\u00a0<\/span><\/p>\n The policy the owner writes is the policy that runs. Open-source policy-aware safety models read a natural-language policy at inference, first shown by Meta\u2019s Llama Guard (<\/span>Inan et al., 2023<\/span>) and since confirmed by Google\u2019s\u00a0ShieldGemma\u00a0(<\/span>Zeng et al., 2024<\/span>), NVIDIA\u2019s Aegis Safety Guard (<\/span>Ghosh et al., 2024<\/span>), and OpenAI\u2019s\u202f<\/span>gpt-oss-safeguard<\/span>. In our own constitution work [FORTHCOMING\u00a0arXiv\u00a0link] we find that a reasonably sized open-source model interprets a constitution\u00a0almost as\u00a0accurately as closed-source frontier models, so enterprises can run a written policy in production without a hosted API. Policy Studio publishes the document directly to Cisco AI Defense for enforcement across models and applications.<\/span>\u00a0<\/span><\/p>\nA policy you can read<\/span>\u00a0<\/span><\/h2>\n
Human-centered\u00a0meta-prompting<\/span>\u00a0<\/span><\/h2>\n
Insights: framed questions paired with evidence<\/span>\u00a0<\/span><\/h2>\n
Deploying a written policy at runtime <\/span><\/h2>\n
What this means for Cisco AI Defense customers
<\/span><\/h2>\n
That enforcement layer is the same one our published safety taxonomies run on, and we author both with the same AI-first pattern. Constitutions give customers a specification they can rely on without writing it, and Policy Studio lets them extend it with the rules only they can write, in a session that reads more like drafting a document with a lawyer than filling out a form. The policy owner who defines the rule is the one who writes it, and the rule that runs in production is the rule they wrote. We aim to publish a technical description of the system in our upcoming work.<\/span>\u00a0<\/span><\/p>\n![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/06\/Policy-studio-blogpost-image-0.png\")