Org-Wide AI Access Policies

Individual token rules are not enough when you manage tens or hundreds of AI access keys. PortEden's Policy system gives account admins centralized control: set permission ceilings for the entire organization, then use Policy Groups to assign fine-grained profiles per team.

The Problem

Giving AI direct access to your data is risky. Here's what can go wrong.

No Centralized Governance

Each token is configured independently. There is no way to enforce a baseline policy across the organization, so a single misconfigured token can leave a gap.

Inconsistent Permission Profiles

Without group-level policies, every token needs manual configuration. Teams end up with inconsistent access levels and no standard permission profiles.

No Org-Wide Block Lists

Blocking a competitor domain or restricting a sensitive service requires updating every token individually. One missed token is one open door.

How PortEden Protects You

Six layers of security between AI and your data.

Account Policy Ceilings

Define maximum permission boundaries for the entire account. Every token inherits these limits automatically. No token can exceed the ceiling.

Policy Groups

Create groups with their own policies. Assign tokens by team, role, or use case. Each group inherits the account ceiling but can apply stricter limits.

Layered Enforcement

Account policy, group policy, and per-token rules stack together. The most restrictive setting always wins. Fine-grained control at every level.

Centralized Audit

See which policies are applied to which tokens. Track policy changes across the organization with a full governance audit trail.

Syncs with Your Identity Provider

PortEden integrates with leading identity management platforms to import users and groups automatically. Map your existing directory structure to Policy Groups without manual setup. When team membership changes in your IdP, PortEden policies update to match.

  • Microsoft Entra ID
  • Google Workspace

Get Started in 3 Steps

1. Set Account Policy

Define org-wide permission ceilings: blocked domains, disabled services, maximum visibility levels, and action restrictions.

2. Create Policy Groups

Organize tokens into groups by team or role. Assign each group a policy that inherits the account ceiling with additional restrictions.

3. Assign and Enforce

Add tokens to groups. Every request is filtered through the account policy, then the group policy, then the token's own rules. The strictest setting wins.
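
The layering described in the three steps above, as an added Python sketch that is not PortEden's code or API. The `Policy` fields, the visibility scale, the subdomain matching and the sample layers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed visibility scale, least to most permissive (the page names only
# "free/busy" and "full details"; "none" is added for illustration).
VISIBILITY = ("none", "free_busy", "full_details")

@dataclass(frozen=True)
class Policy:  # hypothetical shape of one policy layer
    blocked_domains: frozenset = frozenset()
    disabled_services: frozenset = frozenset()
    calendar_visibility: str = "full_details"

def effective(account, group, token):
    """Stack the three layers: block lists are unioned, visibility takes the minimum."""
    layers = (account, group, token)
    return Policy(
        frozenset().union(*(p.blocked_domains for p in layers)),
        frozenset().union(*(p.disabled_services for p in layers)),
        min((p.calendar_visibility for p in layers), key=VISIBILITY.index),
    )

def is_allowed(policy, service, address=None):
    """Decide one request; address is an e-mail address or a bare domain."""
    if service in policy.disabled_services:
        return False
    if address:
        domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
        # Assumption: blocking a domain also blocks its subdomains.
        return not any(domain == b or domain.endswith("." + b)
                       for b in policy.blocked_domains)
    return True

def ceiling_gaps(account, token):
    """Audit helper: settings where a token's own rules are looser than the ceiling."""
    gaps = []
    if (VISIBILITY.index(token.calendar_visibility)
            > VISIBILITY.index(account.calendar_visibility)):
        gaps.append("calendar_visibility")
    return gaps

# Constructed sample layers (not real PortEden configuration).
ACCOUNT = Policy(frozenset({"competitor.com"}), frozenset(), "free_busy")
SALES_GROUP = Policy(frozenset(), frozenset({"email"}), "full_details")
TOKEN = Policy(frozenset(), frozenset(), "full_details")
```

Here the token asks for full calendar details, but the effective policy is clamped to the account ceiling, and `ceiling_gaps` flags the token so the mismatch shows up in review rather than only at enforcement time.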

Without vs. With PortEden

Without PortEden

  • Each token configured independently with no shared baseline
  • No way to block a domain or service across all tokens at once
  • Teams set their own access levels with no organizational oversight
  • Policy changes require updating every token one by one
  • No visibility into which tokens exceed the intended permission level

With PortEden

  • Account Policy sets permission ceilings enforced on every token
  • Block domains, disable services, or cap visibility org-wide in one step
  • Policy Groups assign standardized permission profiles per team
  • Changes propagate instantly to all tokens in the group
  • Centralized dashboard shows policy inheritance and compliance

Frequently Asked Questions

What is an Account Policy in PortEden?

An Account Policy is a set of permission ceilings defined by an account admin that apply to every token in the organization. No individual token can exceed these limits. For example, you can block a competitor domain, disable email access, or cap calendar visibility at free/busy for all tokens at once.

How do Policy Groups work?

Policy Groups let you create subsets of tokens with their own policy overrides. Each group inherits the account-wide ceiling but can apply stricter limits. You can assign tokens to groups by team, role, or use case, giving the sales team one permission profile and the engineering team another.

Can I block a specific domain across all AI tokens in my organization?

Yes. Account Policies let you block specific domains, email addresses, or contact patterns across every token in the org. If you add @competitor.com to the account-level block list, no token can access data from that domain regardless of its individual settings.

How do org policies interact with per-token access rules?

Org policies act as ceilings. Per-token rules can be equal to or stricter than the org policy, but never more permissive. If the account policy caps calendar at free/busy, no token can set its calendar visibility to full details, even if its individual rules allow it.

Does PortEden sync with Microsoft Entra ID or Google Workspace?

Yes. PortEden integrates with Microsoft Entra ID and Google Workspace to import users and groups automatically. Your existing directory structure maps directly to Policy Groups, so when team membership changes in your identity provider, PortEden policies update to match.

Do I need an Enterprise plan to use org-wide policies?

Org-wide policies, including Account Policies and Policy Groups, are available on the Enterprise plan. This plan includes custom resource limits, dedicated support, and centralized governance features designed for organizations managing multiple tokens and teams.
