Currently the request is allowed to proceed if it doesn't match any of the configured rules. We need to be able to configure the policy to invert that decision.