docs/edge/en/enterprise/features/agent-control-plane/rules.mdx
Rules let you apply policies — today PII Redaction and Cost Limit — across many automations at once, instead of configuring each deployment individually. Open the Rules tab in the Agent Control Plane to manage them.
<Frame>  </Frame>Each rule card shows the name, description, the scope the rule applies to (selected tools and tags), and a count of engaged automations — deployments that currently match the scope. The toggle on the right enables or disables the rule without deleting it.
manage RBAC permission on Agent Control Plane is required to create, edit, toggle, or delete rules. The read permission is enough to view them.Every rule is one of the types below. Open the tab for the policy you want to enforce.
<Tabs> <Tab title="PII Redaction"> Applies PII redaction to executions of every matching automation, using the same entity catalog and custom recognizers documented in [PII Redaction for Traces](/en/enterprise/features/pii-trace-redactions). <Warning> Creating or editing PII Redaction rules requires an **Enterprise** or **Ultra** plan. On lower tiers the PII editor renders read-only with an "Enterprise" lock pill. </Warning>Configuration — in the PII Mask Type table, check each entity type you want covered and choose how to handle it:
<CREDIT_CARD>).See PII Redaction for Traces for the full entity catalog and how to add organization-level custom recognizers. </Tab>
<Tab title="Cost Limit"> Emails the recipients you choose when a matching automation's LLM spend exceeds a budget threshold in the selected period. Available on **all plans** where the Agent Control Plane is enabled — it is not Enterprise-gated. <Warning> Cost Limit rules are **notify-only**. They never pause, throttle, or stop a run — they only send an email so a human can decide what to do. Adjust the budget or remove the rule if you no longer want the alert. </Warning>Configuration
| Field | Description |
|---|---|
| Budget period | The window spend is measured over: Daily, Weekly, or Monthly (default Monthly). Spend resets at the start of each calendar period. |
| Threshold (USD) | The dollar amount that triggers an alert. Must be greater than 0. The alert fires once the automation's spend for the current period exceeds this value. |
| Recipient emails | Up to 50 email addresses. Type an address and press Enter or comma to add it as a chip; Backspace removes the last chip. These do not need to be CrewAI users. |
| Notify roles | Optionally select organization roles; the alert is sent to every member of the chosen roles. Roles with no members can't be selected. You must provide at least one recipient — an email or a role. |
| Re-alert frequency | How often the alert can re-fire while an automation stays over budget: Once per period, Every hour while over, Every 4h while over, or Daily while over. Re-alerts are capped at 24 per period. |
How spend is measured and matched
The alert email
When an automation goes over budget, recipients get an email summarizing the overage — the automation name, the current spend, the budget threshold, and how far over it is in both dollars and percent (e.g. $0.38 current vs a $0.10 budget = +277%). The email reiterates that the run was not paused.
</Tab>
</Tabs>
More rule types will be added over time.
- **Tools** — only automations whose tool set **exactly matches** the selected tools will engage. Picks from Studio apps, MCPs, OSS tools, and Tool Repository registry tools.
- **Automations** — only automations whose tag set **exactly matches** the selected tags will engage.
Leaving a picker empty means "no filter on this dimension". Leaving both empty means the rule applies to **every** automation in the organization.
Click Engaged N automations on any rule card to see exactly which deployments the rule is currently matching, along with each one's last execution.
<Frame>  </Frame>This is the fastest way to sanity-check a rule's scope before enabling it — for example, to confirm that a rule scoped to the production tag isn't accidentally matching a staging deployment.
Both PII Redaction and Cost Limit can be configured in two places: org-wide as a Rule on this page, or per-deployment under that deployment's Settings. When an enabled org-wide rule's scope matches a deployment, the rule takes precedence over the deployment-owned setting while it's attached.
| Policy | Per-deployment setting | What an attached org-wide rule does |
|---|---|---|
| PII Redaction | Settings → PII Protection (guide) | The rule's entity configuration overrides the deployment's PII settings for that deployment's executions. |
| Cost Limit | Settings → Cost Alerts | The deployment's manual cost alert is paused and the attached cost rule(s) fire instead. The per-deployment form stays editable as a fallback. |
Disable or detach the rule (or change its scope so it no longer matches) and the deployment falls back to its own per-deployment settings.
Prefer org-wide rules when you want to enforce a consistent policy across many deployments; reserve per-deployment configuration for one-off exceptions.