Governance Gateway — Policy-as-Code

A pre-execution policy engine that evaluates rules before an agent operation is permitted. Every request passes through the gateway, which checks it against the tenant's active policies and then allows it, denies it, or escalates it to a human-in-the-loop (HITL) gate.

Policy types

| Type | Description | Example Config |
| --- | --- | --- |
| rate_limit | Max operations per time window | {"max_requests": 600, "window_seconds": 60} |
| model_allowlist | Restrict which LLM models can be used | {"models": ["gpt-4o", "claude-3.5-sonnet"]} |
| content_filter | Block queries/outputs matching regex patterns | {"patterns": ["password", "secret"], "check_fields": ["query", "output"]} |
| data_scope | Restrict which stores can be accessed | {"allowed_stores": ["default", "production"]} |
| token_budget | Cap tokens per request | {"max_tokens_per_request": 10000} |
| hitl_required | Require human approval for operations | {"operations": ["delete", "inference"]} |
| pii_guard | Detect PII patterns in outputs | {"patterns": ["\\b\\d{3}-\\d{2}-\\d{4}\\b"]} |

Actions

| Action | Behavior |
| --- | --- |
| deny | Block the request. Return 403. |
| escalate | Pause for human-in-the-loop approval. |
| log_only | Allow the request but log a warning. |
| allow | Explicitly allow (overrides lower-priority denials). |

Evaluation flow

  1. Request arrives with operation (e.g. write, retrieve, inference) and context
  2. All enabled policies are loaded, ordered by priority (lower number = higher priority)
  3. Each policy is evaluated against the context
  4. Per-policy result is logged to governance_evaluation_log
  5. If any policy returns denied or escalated, the request is blocked

    # Evaluate policies against a simulated request
    curl -X POST https://cloud.grafomem.com/v1/governance/evaluate \
      -H "Authorization: Bearer $API_KEY" \
      -H "Content-Type: application/json" \
      -d '{
        "operation": "inference",
        "context": {
          "model_id": "gpt-3.5-turbo",
          "query": "What is the password?",
          "tokens": 500
        }
      }'

Response:

    {
      "allowed": false,
      "evaluations": [
        {"policy_name": "Model Allowlist", "result": "denied", "detail": "Model 'gpt-3.5-turbo' not in allowlist"},
        {"policy_name": "Content Filter", "result": "denied", "detail": "Content filter match in 'query': pattern 'password'"}
      ],
      "summary": {"total": 3, "allowed": 1, "denied": 2, "escalated": 0, "logged": 0}
    }
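
The evaluation flow above, modeled locally as an added example (not the gateway's own code and not part of the original page), so a policy set can be checked against sample requests before it is enabled. The policy names, priorities, the `enabled` field, the token-budget detail string and case-insensitive matching are assumptions; the `allow` override is not modeled, so step 5 applies as written.

```python
import re

# Constructed policy set; config shapes follow the "Policy types" table.
POLICIES = [
    {"name": "Model Allowlist", "type": "model_allowlist", "priority": 10, "enabled": True,
     "action": "deny", "config": {"models": ["gpt-4o", "claude-3.5-sonnet"]}},
    {"name": "Content Filter", "type": "content_filter", "priority": 20, "enabled": True, "action": "deny",
     "config": {"patterns": ["password", "secret"], "check_fields": ["query", "output"]}},
    {"name": "Token Budget", "type": "token_budget", "priority": 30, "enabled": True,
     "action": "deny", "config": {"max_tokens_per_request": 10000}},
]

def violation(policy, ctx):
    """Return a detail string if the policy matches the request, else None."""
    cfg, kind = policy["config"], policy["type"]
    if kind == "model_allowlist" and ctx.get("model_id") not in cfg["models"]:
        return f"Model '{ctx.get('model_id')}' not in allowlist"  # missing model_id fails closed
    if kind == "content_filter":
        for field in cfg["check_fields"]:
            for pat in cfg["patterns"]:
                # Assumption: case-insensitive regex search; the page does not specify.
                if re.search(pat, str(ctx.get(field, "")), re.IGNORECASE):
                    return f"Content filter match in '{field}': pattern '{pat}'"
    if kind == "token_budget" and ctx.get("tokens", 0) > cfg["max_tokens_per_request"]:
        return f"{ctx['tokens']} tokens exceeds budget"  # hypothetical detail text
    return None

RESULT_FOR_ACTION = {"deny": "denied", "escalate": "escalated", "log_only": "logged"}

def evaluate(policies, operation, ctx):
    """Steps 2-5 of the flow; `log` stands in for governance_evaluation_log."""
    log = []
    summary = {"total": 0, "allowed": 0, "denied": 0, "escalated": 0, "logged": 0}
    for p in sorted((p for p in policies if p["enabled"]), key=lambda p: p["priority"]):
        detail = violation(p, ctx)
        result = RESULT_FOR_ACTION.get(p["action"], "allowed") if detail else "allowed"
        log.append({"policy_name": p["name"], "operation": operation, "result": result, "detail": detail})
        summary["total"] += 1
        summary[result] += 1
    blocked = summary["denied"] + summary["escalated"] > 0
    return {"allowed": not blocked, "evaluations": log, "summary": summary}

if __name__ == "__main__":
    request = {"model_id": "gpt-3.5-turbo", "query": "What is the password?", "tokens": 500}
    print(evaluate(POLICIES, "inference", request))
```

Unlike the response shown above, this model returns the result of every evaluated policy, including the ones that allowed the request.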

API reference

Policy CRUD

| Method | Path | Description |
| --- | --- | --- |
| POST | /v1/governance/policies | Create a new policy |
| GET | /v1/governance/policies | List all policies |
| GET | /v1/governance/policies/{id} | Get a single policy |
| PUT | /v1/governance/policies/{id} | Update a policy |
| DELETE | /v1/governance/policies/{id} | Delete a policy |

Evaluation & Monitoring

| Method | Path | Description |
| --- | --- | --- |
| POST | /v1/governance/evaluate | Evaluate all policies against a request |
| POST | /v1/governance/seed-defaults | Seed default policies (rate limit + PII guard) |
| GET | /v1/governance/stats | Summary statistics |
| GET | /v1/governance/policy-types | List available policy types with config schemas |
| GET | /v1/governance/logs | Evaluation log (filterable by policy_id, result) |

Default policies

When you call POST /v1/governance/seed-defaults, two policies are created:

  1. Default Rate Limit — 600 requests per minute, action: deny
  2. PII Output Guard — Detects SSN, credit card, and IBAN patterns in outputs, action: log_only

Portal UI

The Governance tab in the Cloud Portal provides:

  • Stats dashboard — active policies, total evaluations, denied, escalated
  • Create policy form — name, type picker, action selector, JSON config editor
  • Policy table — with ✓ON/✕OFF toggles and delete buttons
  • Test evaluation panel — simulate requests and see which policies fire, color-coded results
  • Evaluation logs — time, policy, operation, result, detail