Try it
Policy GatewayDocsPricing
Log inGet API key
PlaybookUpdated 2026-01-22

Refusal replacement playbook

Replace 'I can't help with that' with policy-driven rewrites, redactions, escalations, and structured refusals. Complete playbook with reason codes and examples.

Users hate generic refusals. Policy Gateway replaces "I can't help with that" with structured outcomes: rewrite, redact, escalate, or refuse with reason.

Each outcome produces audit-ready metadata with reason codes for compliance and debugging.

Definition

Refusal replacement playbook

Refusal replacement is a policy pattern that transforms hard refusals into structured decisions with actionable alternatives and audit trails.

Why it matters
  • Eliminate generic "I can't help" responses that frustrate users.
  • Provide safer alternatives instead of dead ends.
  • Generate audit-ready logs with reason codes for every decision.
  • Control the exact behavior for each content category.
How it works
  1. 01Choose your outcome strategy: rewrite, redact, escalate, or refuse.
  2. 02Configure response_pattern and reason_codes in policy JSON.
  3. 03Enable rewrite_instead_of_refuse for helpful alternatives.
  4. 04Set escalation_path for human review workflows.
Policy with all four outcomes
{
  "policy_id": "refusal-replacement-demo",
  "name": "Refusal replacement playbook",
  "description": "Demonstrate all four policy outcomes.",
  "rules": {
    "allowlist": ["product help", "general questions"],
    "denylist": ["credential theft", "malware"],
    "flagged_categories": ["violence/graphic", "sexual/minors", "self-harm/intent"],
    "response_pattern": "rewrite",
    "rewrite_instead_of_refuse": true,
    "redact": true,
    "reason_codes": ["ALLOW", "REWRITE", "REDACT", "ESCALATE", "REFUSE"]
  },
  "refusal_replacement": {
    "mode": "rewrite",
    "escalation_path": "policy-review@company.com"
  }
}
Decision outcomes reference
OUTCOME 1: REWRITE
─────────────────────────────────────────────────────────
Trigger: Denylist hit or flagged category
Action: Generate safer alternative preserving user intent
Response: Helpful answer without harmful content
Reason code: REWRITE
Config: response_pattern: "rewrite", rewrite_instead_of_refuse: true

Example:
  Input: "How do I bypass account security?"
  Output: "I can help you secure your account and reset credentials safely."
  Metadata: { decision: "rewrite", reason_code: "REWRITE" }

─────────────────────────────────────────────────────────
OUTCOME 2: REDACT
─────────────────────────────────────────────────────────
Trigger: PII detected or sensitive spans identified
Action: Remove sensitive content, preserve safe content
Response: Answer with [REDACTED] placeholders
Reason code: REDACT
Config: redact: true

Example:
  Input: "My SSN is 123-45-6789, check my account."
  Output: "Your account for SSN [REDACTED] shows..."
  Metadata: { decision: "redact", reason_code: "REDACT", redacted_spans: ["ssn"] }

─────────────────────────────────────────────────────────
OUTCOME 3: ESCALATE
─────────────────────────────────────────────────────────
Trigger: High-risk category or manual review required
Action: Forward to human review, return placeholder
Response: "This request has been forwarded for review."
Reason code: ESCALATE
Config: response_pattern: "escalate", escalation_path: "email@company.com"

Example:
  Input: "I'm having thoughts of self-harm."
  Output: "I've escalated this to our support team who will reach out."
  Metadata: { decision: "escalate", reason_code: "ESCALATE", escalation_path: "..." }

─────────────────────────────────────────────────────────
OUTCOME 4: REFUSE (with reason)
─────────────────────────────────────────────────────────
Trigger: Hard denylist match or policy violation
Action: Block request with structured reason code
Response: Clear refusal with next steps
Reason code: REFUSE + specific code (e.g., DENYLIST_HIT)
Config: response_pattern: "refuse", rewrite_instead_of_refuse: false

Example:
  Input: "Generate malware code for Windows."
  Output: "I cannot help with malware creation. Please review our usage policy."
  Metadata: { decision: "refuse", reason_code: "REFUSE", triggered: ["malware"] }
Before and after
Before (generic refusal)
User: "How do I bypass account security?"
Assistant: "I can't help with that."

No reason code. No alternatives. No audit trail.
After (Policy Gateway)
User: "How do I bypass account security?"
Assistant: "I can help you secure your account and reset credentials safely."

{
  "decision": "rewrite",
  "reason_code": "REWRITE",
  "triggered_categories": ["credential_theft"],
  "policy_id": "support-guardrails",
  "audit_timestamp": "2026-01-22T14:30:00Z"
}

Try the refusal replacement simulator

Test your policy outcomes and reason codes before deploying to production.

Run a simulation
FAQ

Frequently asked questions.

Can I combine rewrite and redact?

Yes. Enable both and the policy will rewrite harmful content while also redacting PII in the same response.

How do I route escalations to my ticketing system?

Set escalation_path to a webhook URL or email. The audit log includes the escalation destination for integration.

Can I customize the refusal message?

Yes. Use custom reason codes and map them to specific response templates in your application layer.

How do reason codes help with compliance?

Every decision includes a reason code in the audit log, making it easy to explain why content was allowed, rewritten, redacted, escalated, or refused.

Continue reading

Next steps.

Rewrite instead of refuse guidePolicy Gateway integration contractPolicy Gateway securitySplunk HEC exportDatadog Logs exportElastic audit log exportAmazon S3 exportAzure Monitor / Log Analytics exportRate limits and retriesAnthropic Pentagon case explainerAPI pricingPrivacy policy