Test Before You Enforce: Using the Access Simulator
Deploying access policies to production is high-stakes. An overly restrictive policy could block legitimate AI use cases. An overly permissive one defeats the purpose. The Access Simulator (available on Pro and Enterprise plans) lets you test policies without affecting real retrievals.
The simulator takes a principal ID and optionally a connector ID, then evaluates all active policies to show what the principal can and cannot access. The response includes matched resource count, allowed count, denied count, and a full trace of policy decisions with reasons.
For example: result = client.simulator.run(principal_id="user_123", connector_id="conn_abc"). The traces show each resource, the decision (allowed/denied), and which policy rule matched or why access was denied. This lets you iterate on policies in a safe environment.
A common workflow is: create policies in Draft state, run the simulator to verify behavior, adjust rules based on the traces, then activate. This is especially important for ABAC policies with complex attribute conditions — the simulator shows you exactly which conditions matched or failed.
The simulator is also valuable for onboarding new team members or auditing existing access. Run a simulation for a new hire's principal ID to verify they have appropriate access from day one, or periodically simulate access for service accounts to catch permission drift.
Related reading
- From Zero to Secured Retrieval in 5 Minutes4 min read
- Setting Up Gateco with Your Identity Provider7 min read
- When to Use Which Search Mode: Vector, Keyword, Hybrid, or Grep6 min read
- Gateco DocumentationFull reference
← Previous
Building a Compliance-Ready AI System with Audit Trails
Next →
From Zero to Secured Retrieval in 5 Minutes
Ready to secure your AI retrieval?
Start with the free tier — 100 retrievals/month, no credit card required.