Define rate limit policies: - At least three consumer tiers (external partner, portal/mobile, internal service) - Requests per minute and burst limits for each tier - 429 response format with Retry-After header - Dynamic rate limiting triggers (if implementing the mainframe utilization-based approac