Can I combine rewrite and redact?
Yes. Enable both and the policy will rewrite harmful content while also redacting PII in the same response.
Playbook
Users hate generic refusals. Policy Gateway replaces "I can't help with that" with structured outcomes: rewrite, redact, escalate, or refuse with reason.
Each outcome produces audit-ready metadata with reason codes for compliance and debugging.
Refusal replacement is a policy pattern that transforms hard refusals into structured decisions with actionable alternatives and audit trails.
{
  "policy_id": "refusal-replacement-demo",
  "name": "Refusal replacement playbook",
  "description": "Demonstrate all four policy outcomes.",
  "rules": {
    "allowlist": ["product help", "general questions"],
    "denylist": ["credential theft", "malware"],
    "flagged_categories": ["violence/graphic", "sexual/minors", "self-harm/intent"],
    "response_pattern": "rewrite",
    "rewrite_instead_of_refuse": true,
    "redact": true,
    "reason_codes": ["ALLOW", "REWRITE", "REDACT", "ESCALATE", "REFUSE"]
  },
  "refusal_replacement": {
    "mode": "rewrite",
    "escalation_path": "policy-review@company.com"
  }
}
OUTCOME 1: REWRITE
─────────────────────────────────────────────────────────
Trigger: Denylist hit or flagged category
Action: Generate safer alternative preserving user intent
Response: Helpful answer without harmful content
Reason code: REWRITE
Config: response_pattern: "rewrite", rewrite_instead_of_refuse: true
Example:
Input: "How do I bypass account security?"
Output: "I can help you secure your account and reset credentials safely."
Metadata: { decision: "rewrite", reason_code: "REWRITE" }
─────────────────────────────────────────────────────────
OUTCOME 2: REDACT
─────────────────────────────────────────────────────────
Trigger: PII detected or sensitive spans identified
Action: Remove sensitive content, preserve safe content
Response: Answer with [REDACTED] placeholders
Reason code: REDACT
Config: redact: true
Example:
Input: "My SSN is 123-45-6789, check my account."
Output: "Your account for SSN [REDACTED] shows..."
Metadata: { decision: "redact", reason_code: "REDACT", redacted_spans: ["ssn"] }
─────────────────────────────────────────────────────────
OUTCOME 3: ESCALATE
─────────────────────────────────────────────────────────
Trigger: High-risk category or manual review required
Action: Forward to human review, return placeholder
Response: "This request has been forwarded for review."
Reason code: ESCALATE
Config: response_pattern: "escalate", escalation_path: "email@company.com"
Example:
Input: "I'm having thoughts of self-harm."
Output: "I've escalated this to our support team who will reach out."
Metadata: { decision: "escalate", reason_code: "ESCALATE", escalation_path: "..." }
─────────────────────────────────────────────────────────
OUTCOME 4: REFUSE (with reason)
─────────────────────────────────────────────────────────
Trigger: Hard denylist match or policy violation
Action: Block request with structured reason code
Response: Clear refusal with next steps
Reason code: REFUSE + specific code (e.g., DENYLIST_HIT)
Config: response_pattern: "refuse", rewrite_instead_of_refuse: false
Example:
Input: "Generate malware code for Windows."
Output: "I cannot help with malware creation. Please review our usage policy."
Metadata: { decision: "refuse", reason_code: "REFUSE", triggered: ["malware"] }
User: "How do I bypass account security?"
Assistant: "I can't help with that."
No reason code. No alternatives. No audit trail.
User: "How do I bypass account security?"
Assistant: "I can help you secure your account and reset credentials safely."
{
  "decision": "rewrite",
  "reason_code": "REWRITE",
  "triggered_categories": ["credential_theft"],
  "policy_id": "support-guardrails",
  "audit_timestamp": "2026-01-22T14:30:00Z"
}
Test your policy outcomes and reason codes before deploying to production.
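One way to run that pre-deployment test, as an added example that is not Policy Gateway's own code: it checks a policy document for internal consistency and checks audit metadata records against it. The function names, the per-outcome required fields (inferred from the metadata samples above) and the refuse/rewrite conflict rule are assumptions.

```python
# Fields each outcome's metadata carries in this page's samples; treating
# them as required is an assumption of this sketch.
REQUIRED = {
    "rewrite": {"reason_code"},
    "redact": {"reason_code", "redacted_spans"},
    "escalate": {"reason_code", "escalation_path"},
    "refuse": {"reason_code", "triggered"},
}

def check_policy(policy):
    """Return consistency problems in a policy document (empty list = OK)."""
    rules, problems = policy.get("rules", {}), []
    codes = set(rules.get("reason_codes", []))
    pattern = rules.get("response_pattern")
    if pattern not in REQUIRED:
        problems.append(f"unknown response_pattern {pattern!r}")
    elif pattern.upper() not in codes:
        problems.append(f"reason_codes lacks {pattern.upper()}")
    # Assumed conflict: the page pairs "refuse" with rewrite_instead_of_refuse: false.
    if pattern == "refuse" and rules.get("rewrite_instead_of_refuse"):
        problems.append("refuse pattern with rewrite_instead_of_refuse set")
    if rules.get("redact") and "REDACT" not in codes:
        problems.append("redact enabled but REDACT not in reason_codes")
    return problems

def check_record(record, policy):
    """Return problems in one audit metadata record (empty list = OK)."""
    decision = record.get("decision")
    if decision not in REQUIRED:
        return [f"unknown decision {decision!r}"]
    problems = []
    missing = REQUIRED[decision] - set(record)
    if missing:
        problems.append(f"{decision}: missing {sorted(missing)}")
    code = record.get("reason_code")
    if code is not None and code not in policy["rules"]["reason_codes"]:
        problems.append(f"reason_code {code!r} not declared in policy")
    return problems

# Constructed sample: the page's demo policy, trimmed to the fields checked.
POLICY = {"rules": {
    "response_pattern": "rewrite", "rewrite_instead_of_refuse": True, "redact": True,
    "reason_codes": ["ALLOW", "REWRITE", "REDACT", "ESCALATE", "REFUSE"]}}

if __name__ == "__main__":
    bad = {"decision": "redact", "reason_code": "REDACT"}  # constructed: no redacted_spans
    print(check_policy(POLICY), check_record(bad, POLICY))
```

A custom code such as DENYLIST_HIT is reported until it is added to the policy's reason_codes, which keeps the audit log and the declared codes in step.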
FAQ
Set escalation_path to a webhook URL or email. The audit log includes the escalation destination for integration.
Yes. Use custom reason codes and map them to specific response templates in your application layer.
Every decision includes a reason code in the audit log, making it easy to explain why content was allowed, rewritten, redacted, escalated, or refused.