-
Notifications
You must be signed in to change notification settings - Fork 1
Policy Engine
Krishna Kishor Tirupati edited this page May 11, 2026
·
1 revision
The policy engine is deny-by-default. Requests must match an explicit allow rule before model execution, unless a deny or approval rule takes precedence.
-
allow: request may execute. -
conditional_allow: request may execute after a transform such as redaction. -
require_approval: request must be sent to an approval workflow. -
deny: request is blocked.
| Area | Examples |
|---|---|
| User prompts | PII, PHI, secrets, sensitive text |
| Request context | role, tenant, region, risk, domain, task type |
| Data findings | contains PII, contains PHI, contains secrets |
| Risk | tier, score, factors |
| Tools | requested connectors and actions |
id: regulated_rag_policy
default: deny
rules:
- name: deny_secrets
effect: deny
when:
data.contains_secrets: true
- name: allow_healthcare_rag_in_us
effect: allow
when:
user.role_in: ["clinician", "compliance_officer"]
request.region: "us"
request.task_type: "rag_answer"
risk.tier_in: ["low", "medium"]
- name: redact_pii_for_standard_users
effect: transform
action: redact
when:
data.contains_pii: true
user.role_not_in: ["privacy_admin", "compliance_officer"]
- name: require_approval_for_critical
effect: require_approval
when:
risk.tier: "critical"policyaware policy explain examples/policies/basic.yaml --prompt "Email jane@example.com"Typical output includes:
- decision result
- matched policy rules
- reason codes
- risk tier
- remediation suggestions
Reason codes make policy decisions reviewable by developers, security teams, and compliance teams.
Examples:
DATA.PII_DETECTED
DATA.PHI_DETECTED
DATA.SECRET_DETECTED
RISK.MEDIUM
POLICY.ALLOW_MATCHED
POLICY.DENY_MATCHED
POLICY.TRANSFORM_APPLIED
POLICY.APPROVAL_REQUIRED
- Home
- Capabilities
- Copy-Paste Examples
- Comparison
- SEO And Distribution
- Ready-To-Use YAML
- Data Protection
- Policy Enforcement
- Gateway Orchestration
- Risk Classification
- Model Routing and Providers
- Tool Governance
- Evaluation
- Audit and Observability
- ML-Assisted Signals
- Installation
- Quick Start
- Architecture
- CLI Reference
- ML Integrations
- Provider Adapter Examples
- YAML Policy Templates