In one embodiment, a network device enforces entitlement rules based on call control traffic received. The call control traffic is received at the network device from an application associated with a first user for a second user. The network device determines identification information for the first user and/or the second user. The network device then determines an action to take based on an entitlement policy associated with the first user or the second user. The action is then performed. The network device enforces the entitlement policy without any modification to the application to cause the call control traffic to be routed through the network device. The network device is in the call control path but does not appear to be a participant in the call to the first application.