Gemini CLI: Policy Engine & Enterprise Admin Controls


Gemini CLI v0.24.0 delivered a substantial upgrade to the Policy Engine, introducing mode-aware dynamic policy evaluation, granular shell command allowlisting, and a remote admin settings layer for enterprise deployments. Administrators can now define which shell commands are permitted per execution mode, restrict MCP server connections to an organizational allowlist, and push policy settings remotely without requiring users to modify local configuration.


Policy Engine Gains Mode-Aware Rules and Enterprise Admin Controls in Gemini CLI v0.24.0

The v0.24.0 release of Gemini CLI (January 14, 2026) delivered the most significant expansion of the tool's security and governance capabilities since launch, introducing mode-aware policy evaluation, granular shell command allowlisting, and a remote admin settings infrastructure for enterprise deployments.

Mode-Aware Policy Evaluation

The Policy Engine can now evaluate rules dynamically based on the active execution mode, for example applying stricter restrictions in Plan Mode (read-only) than in standard interactive mode or headless/non-interactive mode. Administrators can specify modes within user and admin policy definitions, allowing a single policy file to express different permission sets for different contexts without requiring separate configurations per environment.

This mode-awareness was a frequently requested capability for teams running Gemini CLI in CI/CD pipelines, where headless execution requires tighter constraints than interactive developer sessions.

Granular Shell Command Allowlisting

One of the most practically impactful additions is granular shell command allowlisting. Rather than a binary allow-all or deny-all for shell access, administrators can now define an explicit list of permitted shell commands, allowing git, npm install, and pytest while blocking rm -rf, curl, or arbitrary script execution.

The official security documentation explicitly recommends this allowlisting approach as the strictest available posture for sensitive environments. Combined with improved detection of shell commands with redirections and exponential backoff retry logic for shell command validation, the v0.24.0 release significantly reduces the attack surface available to the agent during autonomous execution.

Remote Admin Settings

The v0.24.0 release introduced a remote admin settings layer with two initial configuration options: secureModeEnabled and mcpEnabled. These allow administrators to push policy configuration to managed Gemini CLI deployments without requiring users to touch local files. The settings were refined in subsequent releases: secureModeEnabled was renamed to strictModeDisabled in v0.28.0 for naming clarity, and MCP server controls were expanded to include per-server trust and URL overriding.

The MCP server controls are particularly significant: administrators can define an explicit allowlist of approved MCP servers, ensuring users can only connect to organization-sanctioned integrations. The trust level, URL, and connection type are always taken from the admin allowlist and override any local user values, preventing accidental or intentional connections to unauthorized external services.
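As an added illustration, not Gemini CLI's own code or policy file format, the following Python models the two evaluation behaviours described above: a per-mode shell command allowlist and denylist (with chaining and redirection operators refused outright, and a mode-dependent default for unmatched commands), and an admin MCP allowlist whose trust, url and type values always override the user's local settings. The mode names, the policy dictionary layout, the way the mcpEnabled key is consulted, and the sample server entries are all assumptions constructed for this example.

```python
import re
import shlex

# Constructed policy for this example: NOT Gemini CLI's real schema. Each mode
# carries its own allowlist/denylist of command prefixes and its own default
# outcome for commands matching neither, which is how mode-aware rules let one
# policy express tighter constraints for headless and Plan Mode execution.
SHELL_POLICY = {
    "interactive": {"allow": ["git", "npm install", "pytest"],
                    "deny": ["rm -rf", "curl"], "default": "ask"},
    "headless":    {"allow": ["git status", "pytest"],
                    "deny": ["rm -rf", "curl"], "default": "deny"},
    "plan":        {"allow": ["git status", "git diff"],   # read-only mode
                    "deny": [], "default": "deny"},
}
# Chaining, redirection and substitution operators can hide a denied command
# behind an allowed prefix ("git status; curl ..."), so they are refused outright.
UNSAFE_SHELL = re.compile(r"[;&|<>`]|\$\(")

def _has_prefix(tokens, pattern):
    want = pattern.split()
    return tokens[:len(want)] == want

def evaluate_shell(mode, command):
    """Return 'allow', 'deny' or 'ask' for a shell command under the given mode."""
    rules = SHELL_POLICY.get(mode)
    if rules is None or UNSAFE_SHELL.search(command):
        return "deny"               # unknown mode or unsafe operator: fail closed
    try:
        tokens = shlex.split(command)
    except ValueError:              # unbalanced quotes: refuse rather than guess
        return "deny"
    if not tokens:
        return "deny"
    if any(_has_prefix(tokens, p) for p in rules["deny"]):
        return "deny"               # denylist wins over any allow entry
    if any(_has_prefix(tokens, p) for p in rules["allow"]):
        return "allow"
    return rules["default"]

def effective_mcp_servers(admin, local):
    """Merge remote admin MCP settings over a user's local MCP server config.

    Servers missing from the admin allowlist are dropped, and the admin entry's
    trust, url and type values always replace the user's local values."""
    if not admin.get("mcpEnabled", True):
        return {}
    return {name: {**local.get(name, {}), **approved}
            for name, approved in admin.get("servers", {}).items()}
```

Prefix matching is the simplest form of allowlisting; a production engine also needs to normalise argument spellings (rm -r -f versus rm -rf) before comparing.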

Folder Trust and Hook Visibility

The same release tightened folder trust defaults, marking all folders as untrusted by default. Gemini CLI now surfaces an authorization dialog the first time it opens a directory, requiring explicit user approval before loading workspace settings, skills, and context files from that location. Visual indicators for hook execution were added to the UI, giving users direct visibility into when hooks are active and what actions they are taking. This is an important transparency mechanism when autonomous hook execution modifies files or state without direct user initiation.

These changes collectively make Gemini CLI meaningfully more viable for enterprise environments where security teams need auditable, centrally managed guardrails around an autonomous coding agent operating at scale.