| Type | What it controls | Typical use |
|---|---|---|
| Agentic AI | What an AI agent (autonomous assistant, MCP-connected tool, or other non-human identity) is allowed to do on the endpoint. | Govern agent-initiated actions; require approval or deny high-risk agent behavior. |
| Agentic Access | The child processes an AI agent launches (e.g., an IDE agent spawning git or where). | Allow trusted subprocesses of an agent without prompting on every spawn; require approval or deny others. |
| Agentic Privilege Elevation | When an AI agent can run with elevated (administrator/root) privileges. | Require approval or deny agent-initiated elevation; allow specific elevated actions for trusted agents. |
| Command Line | Execution of commands (e.g., PowerShell, shell, scripts). | Block dangerous commands; require approval for sensitive scripts. |
| File Access | Access to files and folders. | Block or allow access to sensitive paths; require justification or approval for certain files. |
| Least Privilege | Whether a user keeps or loses local administrator rights. | Remove standing admin from most users; allow exceptions for specific roles or machines. |
| Privilege Elevation | When users can run as administrator (or elevate privileges). | Require MFA, approval, or justification before elevation; allow or block specific apps. |
| Advanced Mode: Keeper Updates | Which version of KEPM each endpoint should run. | Keep endpoints on the latest release automatically, or pin a specific version for validation or change windows. |
| Advanced Mode: Update Jobs | Deploying or updating job definitions on the agent. | Deploy automation and enforcement jobs from a central place. |
| Advanced Mode: Update Settings | Pushing configuration to the agent (e.g., plugin or global settings). | Roll out settings from the dashboard without touching each endpoint. |
| Status | Evaluated? | Enforced? | What happens |
|---|---|---|---|
| Off | No | No | Policy is ignored. Use this to disable a policy without deleting it. |
| Enforce | Yes | Yes | Policy is evaluated and controls are applied. |
| Monitor | Yes | No | Policy is evaluated and logged, but no control is applied—actions are allowed. Use to see impact before enforcing. |
| Monitor & Notify | Yes | No | Same as Monitor, but users or admins can be notified when the policy would have matched. Good for training and gradual rollout. |
| Control | Meaning |
|---|---|
| Admin Approval | Requires an authorized approver to review and approve the request before the action can proceed. Best for higher-risk actions that should have human oversight. |
| Auto-Approve | Automatically approves the request without prompting the user or an approver, while still logging the action. Best for low-risk actions you want to permit silently but retain a record of. |
| Auto-Deny | Automatically denies the request without prompting the user or an approver, while still logging the attempt. Best for actions that should never be permitted but that you want visibility into when they are attempted. |
| End User Approval | Allows the user to approve their own request to proceed, without requiring a separate authorized approver. Best for lower-risk actions where you want the user to confirm intent and create an audit record, but full approver oversight is unnecessary. |
| Justification | Requires the user to provide a written reason for why they need the action. Creates accountability and improves auditability. |
| MFA | Requires the user to complete multi-factor authentication to confirm their identity before proceeding. Helps prevent misuse if a password is compromised. |