diff --git a/lib/config/index.js b/lib/config/index.js
index 7bcdff7753..ffff5510a0 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -31,6 +31,17 @@ var CONFIG_FILE_LOCATIONS = [
 process.env.HOME,
 path.join(__dirname, '../../../..') // above node_modules
 ]
+var LASP_MAP = {
+ record_sql: 'record_sql',
+ attributes_include: 'attributes.include_enabled',
+ // TODO: rename config key
+ allow_raw_exception_messages: 'strip_exception_messages.enabled',
+ custom_events: 'api.custom_events_enabled',
+ custom_parameters: 'api.custom_attributes_enabled',
+ live_instrumentation: null,
+ message_parameters: null,
+ job_arguments: null
+}
 // the REPL has no main module
 if (process.mainModule && process.mainModule.filename) {
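Review bot: `LASP_MAP` is declared as a plain object literal, so the lookup `!LASP_MAP[name]` (visible as a context line in the applyLasp hunk) also resolves inherited keys: a policy named `constructor` or `toString` would be truthy and would not be counted as unknown. Policy names come from the preconnect response, so an own-property test is the safer check, e.g. `if (!Object.prototype.hasOwnProperty.call(LASP_MAP, name) || !LASP_MAP[name]) {`, which still rejects the `null` entries. What the branch does with the name lies outside the visible hunks, so the practical impact is unconfirmed.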
@@ -1230,29 +1241,35 @@ Config.prototype._applyHighSecurity = function _applyHighSecurity() {
 }
 }
-var LASP_MAP = {
- record_sql: 'record_sql',
- attributes_include: 'attributes.include_enabled',
- // TODO: rename config key
- allow_raw_exception_messages: 'strip_exception_messages.enabled',
- custom_events: 'api.custom_events_enabled',
- custom_parameters: 'api.custom_attributes_enabled',
- live_instrumentation: null,
- message_parameters: null,
- job_arguments: null
-}
-
+/**
+ * Checks policies received from preconnect against those expected
+ * by the agent, if LASP-enabled. Responds with an error to shut down
+ * the agent if necessary.
+ *
+ * @param {object} policies
+ * @param {function} callback
+ *
+ * @returns {object} known policies
+ */
 Config.prototype.applyLasp = function applyLasp(policies, callback) {
 var config = this
+ var error = null
+ var keys = Object.keys(policies)
 if (!config.security_policies_token) {
- return callback(null, null)
+ if (keys.length) {
+ error = new Error(
+ 'The agent received one or more unexpected security policies and will shut down.'
+ )
+ logger.error(error)
+ }
+ return callback(error, null)
 }
 var missingLASP = []
 var missingRequired = []
- var res = Object.keys(policies).reduce(function applyPolicy(obj, name) {
+ var res = keys.reduce(function applyPolicy(obj, name) {
 var policy = policies[name]
 if (!LASP_MAP[name]) {
@@ -1277,11 +1294,10 @@ Config.prototype.applyLasp = function applyLasp(policies, callback) {
 }
 })
- var error = null
 if (missingLASP.length) {
 error = new Error(
 'The agent did not receive one or more security policies that it ' +
- 'expected and will down: ' + missingLASP.join(', ') + '.'
+ 'expected and will shut down: ' + missingLASP.join(', ') + '.'
 )
 } else if (missingRequired.length) {
 error = new Error(
@@ -1292,6 +1308,10 @@ Config.prototype.applyLasp = function applyLasp(policies, callback) {
 )
 }
+ if (error) {
+ logger.error(error)
+ }
+
 callback(error, res)
 }
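Review bot: `var keys = Object.keys(policies)` now runs before the `security_policies_token` check, so a missing `policies` argument throws a TypeError instead of reaching `callback`; before this change the no-token path returned without touching `policies`. If the preconnect response can omit policies for agents without a token (the caller is not in this diff), guard it with `var keys = policies ? Object.keys(policies) : []`. The new no-token error also does not say which policies arrived; appending `keys.join(', ')`, as the `missingLASP` message does, would make the shutdown easier to diagnose. applyLasp's body continues outside this hunk.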
diff --git a/test/unit/config/config.test.js b/test/unit/config/config.test.js
index ee124257bd..44357f0d9a 100644
--- a/test/unit/config/config.test.js
+++ b/test/unit/config/config.test.js
@@ -1411,12 +1411,13 @@ describe('the agent configuration', function() {
 config.applyLasp({}, cb)
 })
- it('returns error if required policy is not implemented', function(done) {
+ it('returns error if required policy is not implemented or unknown', function(done) {
 var cb = function(err) {
 expect(err.message).to.contain('received one or more required security policies')
 done()
 }
+ policies.job_arguments = { enabled: true, required: true }
 policies.test = { enabled: true, required: true }
 config.applyLasp(policies, cb)
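Review bot: Putting `policies.job_arguments` and `policies.test` in the same case means the test still passes when only one of the two paths (a name mapped to `null` in `LASP_MAP` versus a name absent from it) produces the error, since the assertion only matches a message substring. Splitting this into two `it` blocks, one per policy, would pin each path separately. The new no-token branch in applyLasp has no test in the visible hunks; a case with `security_policies_token` unset and a non-empty policies object, asserting `err.message` contains `'unexpected security policies'`, would cover it. The `it` block's closing lines are outside this hunk.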