# Policy: Types

KEPM policies define what Keeper governs on an endpoint. Each policy is built around a **type** that determines the category of action being controlled. Every policy is assigned a status, one or more controls, and filters that scope it to specific users, machines, applications, AI agents, and time windows.

Multiple policy types can be active on the same endpoint simultaneously. When policies conflict, Keeper enforces the most restrictive outcome.

### Privilege Elevation

The Privilege Elevation policy intercepts requests to run applications or actions with administrator-level privileges and enforces the configured control before allowing the elevation to proceed. It is the primary mechanism for **just-in-time privilege elevation** — ensuring users only gain elevated access for specific, verified actions rather than operating with persistent admin rights.

On Windows, Keeper intercepts UAC elevation events automatically. On macOS and Linux, users initiate elevation requests through the Keeper Client system tray UI. All elevations are executed through an ephemeral service account, keeping privileged actions isolated and auditable.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, MFA, Justification**

Learn more → Privilege Elevation Policy Type

### Least Privilege

The Least Privilege policy removes local administrator rights from standard users on targeted endpoints. It is the recommended **starting point** for any KEPM deployment — without it, users may already hold admin rights, rendering elevation controls ineffective.

When enforced, Keeper removes targeted users from the local Administrators group and notifies them on-screen. Built-in system accounts and domain admin accounts are automatically protected and cannot be affected. A configurable exclusion list allows specific accounts to be exempt from enforcement.

Supported controls: **Auto-Approve, Auto-Deny**

Learn more → Least Privilege Policy Type

### File Access

The File Access policy controls access to specific files on an endpoint — both executable files (applications, scripts, binaries) and non-executable files (configuration files, sensitive data, documents). Unlike Privilege Elevation, File Access policies apply to **any user on the system**, including those with existing admin rights.

For executables, access is intercepted at the point of execution. For non-executable files, Keeper restricts read, write, and delete operations at the ACL level until the required control is satisfied. File Access policies do not apply to Keeper-protected system paths, and if both a File Access and Privilege Elevation policy exist for the same executable, the Privilege Elevation policy takes precedence.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, MFA, Justification**

Learn more → File Access Policy Type
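The two evaluation rules stated above, that the most restrictive outcome wins when policies conflict and that Privilege Elevation takes precedence over File Access for the same executable, are modelled in the following added example. It is illustrative code written for this page, not Keeper's evaluator: the policy and event shapes, the sample policies, and the ranking of Justification, MFA and Admin Approval against each other are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Ranking used for the page's "most restrictive outcome" rule, least to most restrictive.
# The page does not rank the approval-style controls against each other, so the relative
# order of Justification, MFA and Admin Approval here is an assumption of this example.
RESTRICTIVENESS = ["Auto-Approve", "Justification", "MFA", "Admin Approval", "Auto-Deny"]

@dataclass
class Policy:
    name: str
    policy_type: str   # "Privilege Elevation" or "File Access" in this model
    control: str       # one of RESTRICTIVENESS
    users: set = field(default_factory=set)     # empty = any user
    machines: set = field(default_factory=set)  # empty = any machine
    apps: set = field(default_factory=set)      # empty = any executable

@dataclass
class Event:
    user: str
    machine: str
    app: str
    elevated: bool     # True when admin-level rights are being requested

def matches(p: Policy, e: Event) -> bool:
    """Apply the policy's user/machine/application filters to one execution event."""
    if p.policy_type == "Privilege Elevation" and not e.elevated:
        return False   # elevation policies only see elevation requests
    return ((not p.users or e.user in p.users)
            and (not p.machines or e.machine in p.machines)
            and (not p.apps or e.app in p.apps))

def decide(policies: list, e: Event) -> Optional[str]:
    """Return the control to enforce, or None when no policy is in scope."""
    hits = [p for p in policies if matches(p, e)]
    # Precedence rule from the page: if a File Access and a Privilege Elevation
    # policy both cover the same executable, Privilege Elevation wins.
    if any(p.policy_type == "Privilege Elevation" for p in hits):
        hits = [p for p in hits if p.policy_type != "File Access"]
    if not hits:
        return None
    # Conflict rule from the page: the most restrictive outcome is enforced.
    return max(hits, key=lambda p: RESTRICTIVENESS.index(p.control)).control

# Constructed sample policies for demonstration (not real tenant configuration).
SAMPLE_POLICIES = [
    Policy("block-setup", "File Access", "Auto-Deny", apps={"setup.exe"}),
    Policy("setup-approval", "Privilege Elevation", "Admin Approval", users={"alice"}, apps={"setup.exe"}),
    Policy("mfa-all-elevation", "Privilege Elevation", "MFA", machines={"LAPTOP-01"}),
]
```

Calling `decide(SAMPLE_POLICIES, Event("alice", "LAPTOP-01", "setup.exe", elevated=True))` returns `Admin Approval`: the File Access deny is displaced by the elevation policies, and the stricter of the two remaining controls wins.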

### Command Line

The Command Line policy governs the use of `sudo` on **macOS and Linux** systems. It is the Unix equivalent of the Privilege Elevation policy, providing consistent privileged-access governance across all supported platforms.

When applied, Keeper replaces the standard `sudo` command with `keepersudo` via a PAM module. Users must submit elevation requests through `keepersudo`, satisfying whatever control the policy requires before the command is executed. Keeper maintains an explicit allowlist of commands eligible for elevation on each endpoint.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, MFA, Justification**

Learn more → Command Line Policy Type

***

### Agentic AI Policy Types

Agentic policy types extend KEPM's enforcement model to autonomous AI agents, treating each agent as a first-class principal subject to the same allow, deny, and approval controls that govern human users. They are scoped using an **Agentic AI Collection** — a group of known and flagged AI agent applications — and support targeting by AI-likelihood detection score so that controls apply only to processes confidently identified as agents.

Agentic policies enforce controls actively, but are designed to be introduced in **Monitor** mode first, so administrators can observe agent behavior and tune scope and risk thresholds before enforcing. See Policy: Phased Rollout Planning for recommended sequencing.

#### Agentic AI

The Agentic AI policy governs **who can run AI** — controlling which users and machines are permitted to launch AI agent applications in the first place. It acts as the run/don't-run gate for agentic tooling across the fleet, determining whether an identified AI agent is allowed to start.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, End User Approval, MFA, Justification**

[Learn more → Agentic AI Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/agentic-ai-policy.md)

#### Agentic Access

The Agentic Access policy controls **what an AI agent may execute on the user's behalf** — governing the actions a running agent takes, including the sub-processes it spawns. Where Agentic AI decides whether an agent may run, Agentic Access governs what it is permitted to do once running.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, End User Approval, MFA, Justification**

[Learn more → Agentic Access Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/agentic-access-policy.md)

#### Agentic Privilege Elevation

The Agentic Privilege Elevation policy manages **elevation requests made by an AI agent**. Where a standard Privilege Elevation policy manages elevation initiated by a human user, this type applies the same enforcement model to elevation requested by an agent — inserting a decision point at the moment the agent requests administrative rights rather than letting it silently inherit and exercise the user's privileges.

Supported controls: **Auto-Approve, Auto-Deny, Admin Approval, End User Approval, MFA, Justification**

[Learn more → Agentic Privilege Elevation Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/agentic-privilege-elevation-policy.md)

***

### Keeper Updates

The Keeper Updates policy governs how Keeper EPM updates are staged and rolled out across the fleet, including pinning endpoints to a desired version and a user-deferral window for non-critical updates. It allows updates to be approved or deferred before fleet-wide rollout and can require user confirmation before an update is applied.

[Learn more → Keeper Updates Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/advanced-policy-types/keeper-updates.md)

### Advanced Policy Types

Advanced policy types are configured through the **Advanced Mode JSON editor** and cover operational use cases beyond endpoint access control. They are not selectable from the standard policy type dropdown — administrators set the `PolicyType` field directly in JSON and populate the `Extension` object with the required configuration.

#### Update Settings

Pushes plugin or agent configuration to endpoints centrally, without requiring manual file edits on individual machines. The agent's configuration processor applies the provided JSON payload to the target plugin file on each in-scope endpoint.

[Learn more → Update Settings Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/advanced-policy-types/update-settings-policy-type.md)

#### Update Jobs

Deploys, modifies, or removes job definitions on endpoints from a central location. The agent processes the policy and adds, updates, or deletes the specified job file under the `Jobs/` directory on each in-scope endpoint.

[Learn more → Update Jobs Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/advanced-policy-types/update-jobs-policy-type.md)

#### Custom

Provides a schema-flexible policy classification for specialized workflows, internal integrations, or custom evaluators that do not map to any standard KEPM policy type. Custom policies follow the same structural format as all other policy types and support the full range of KEPM controls, with the `Extension` object populated freely to meet the needs of the consuming component.

[Learn more → Custom Policy Type](/keeperpam/endpoint-privilege-manager/policies/policy-types/advanced-policy-types/custom-policy-type.md)

***

### Policy Type Summary

| Policy Type | Primary Use Case | Platform | Configured Via |
|---|---|---|---|
| **Privilege Elevation** | Just-in-time elevation control | Windows, macOS, Linux | Standard UI |
| **Least Privilege** | Remove local admin rights from standard users | Windows, macOS, Linux | Standard UI |
| **File Access** | Control access to executables and sensitive files | Windows (full); macOS & Linux (via Keeper Client UI) | Standard UI |
| **Command Line** | Govern `sudo` usage on Unix-based systems | macOS, Linux | Standard UI |
| **Agentic AI** | Govern which users and machines may run AI agents | Windows, macOS, Linux | Standard UI |
| **Agentic Access** | Control what an AI agent may execute on the user's behalf | Windows, macOS, Linux | Standard UI |
| **Agentic Privilege Elevation** | Manage elevation requests made by an AI agent | Windows, macOS, Linux | Standard UI |
| **Keeper Updates** | Stage, pin, and roll out Keeper EPM updates | Windows, macOS, Linux | Standard UI |
| **Update Settings** | Push plugin/agent configuration to endpoints | All | Advanced Mode (JSON) |
| **Update Jobs** | Deploy or remove job definitions on endpoints | All | Advanced Mode (JSON) |
| **Custom** | Specialized workflows and integrations | All | Advanced Mode (JSON) |
