Skip to main content
Model Access Controls let organization admins restrict which models team members can call. Use them to enforce compliance (only approved models), control costs (block expensive models), or limit usage to models that meet your security requirements. Access controls are configured from the Access Controls dashboard. Controls are enforced separately for two contexts. API Access controls whether a model can be called via the fal client SDKs or REST API. UI Access controls whether a model can be run from the Playground and Sandbox. This separation lets you allow models in the API for production use while blocking them from the Playground, or vice versa.

Access Statuses

Each model can be set to one of three statuses:
StatusBehavior
AllowedModel can be used in the given context
BlockedModel is blocked. API calls return an error; Playground shows an access control message.
InheritUses the parent organization’s setting (child teams only)
Blocked models still appear in the Model Gallery and API documentation. Access controls only affect execution.

Organization Inheritance

When access controls are enabled, rules set at the org level flow down to all child teams by default. Child teams default to Inherit and follow the org’s rules, but they can override specific models when they need different access. 
Organization: FLUX.1 = Allowed
  ├── Team A: FLUX.1 = Inherit (uses org setting: Allowed)
  ├── Team B: FLUX.1 = Blocked (overrides org)
  └── Team C: FLUX.1 = Inherit (uses org setting: Allowed)
The dashboard shows which rules are inherited vs set at the team level.

Enterprise Ready Models

fal designates certain models as “Enterprise Ready” based on licensing, compliance, and reliability criteria. By default, any model marked Enterprise Ready is automatically allowed and you only need to manage exceptions by blocking specific models you don’t want. For stricter control, you can switch to Require Explicit Approval mode where all models are blocked by default and must be individually approved, even Enterprise Ready ones.
Switching to explicit approval may disrupt existing usage. Models that were previously auto-allowed will be blocked until explicitly approved.
You can opt in to receive email notifications when new models are designated as Enterprise Ready, so you can review and approve them promptly.

What Happens When a Model Is Blocked

ContextBehavior
API callReturns an error indicating the model is restricted for your account
PlaygroundModel appears but execution is blocked with an access control message
SandboxModel appears but cannot be included in comparison runs
Model Access Controls are available on enterprise plans. Contact sales to enable this feature for your organization.

Managing Teams

Configure org-wide policies and member management