Control which AI providers handle your organization’s requests. Define policies based on trust tiers, compliance certifications, and data residency requirements. All decisions are logged for audit trails.
Shared Responsibility: AI governance is a shared responsibility between your organization and Case.dev. While we provide the tooling to enforce provider policies, your compliance team is responsible for validating that specific provider configurations meet your regulatory requirements.
Quick Start
Get governance controls running in under 5 minutes.
1. View your policies
```bash
curl https://api.case.dev/governance \
  -H "Authorization: Bearer sk_case_xxx"
```
2. Create a policy
```bash
curl -X POST https://api.case.dev/governance \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "SOC 2 Compliant",
    "rules": {
      "minimumTrustTier": "most_trusted",
      "requireSoc2": true,
      "enforcement": "hard_block"
    }
  }'
```
3. Use in LLM request
```bash
curl -X POST https://api.case.dev/llm/v1/chat/completions \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "messages": [{"role": "user", "content": "Analyze this contract"}],
    "governance_policy": 2
  }'
```
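The three Quick Start steps, as an added Python client that is not Case.dev's own SDK. It uses only the endpoints and request bodies shown in the curl examples above; everything about the JSON responses (in particular which field of the step-2 response carries the new policy's slot number, assumed here to be `id`) is an assumption, and the only documented failure it relies on is the 403 returned under `hard_block`.

```python
"""Added example (not Case.dev's SDK): a minimal client for the three Quick
Start steps. Request bodies match the page's curl examples; response field
names (e.g. 'id' on a created policy) are assumptions."""
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.case.dev"
TRUST_TIERS = ("most_trusted", "trusted", "sketchy")  # untrustworthy is always blocked
ENFORCEMENT_MODES = ("hard_block", "soft_block", "warn")


def build_policy_payload(name, minimum_trust_tier="most_trusted",
                         require_soc2=True, enforcement="hard_block"):
    """Body for POST /governance, validated before it leaves the process."""
    if minimum_trust_tier not in TRUST_TIERS:
        raise ValueError(f"unknown trust tier: {minimum_trust_tier!r}")
    if enforcement not in ENFORCEMENT_MODES:
        raise ValueError(f"unknown enforcement mode: {enforcement!r}")
    return {
        "name": name,
        "rules": {
            "minimumTrustTier": minimum_trust_tier,
            "requireSoc2": bool(require_soc2),
            "enforcement": enforcement,
        },
    }


def build_chat_payload(model, messages, governance_policy):
    """Body for POST /llm/v1/chat/completions pinned to one policy slot."""
    if not isinstance(governance_policy, int) or governance_policy < 1:
        raise ValueError("governance_policy must be a positive policy slot number")
    return {"model": model, "messages": messages, "governance_policy": governance_policy}


def classify_response(status, body):
    """Map an HTTP status to a governance outcome. 403 is the hard_block
    failure documented on this page; any other non-2xx is a transport error."""
    if status == 403:
        return "blocked", body
    if 200 <= status < 300:
        return "ok", body
    return "error", body


def call(method, path, api_key, payload=None, timeout=30):
    """Send one request and classify the result. The key is only ever placed
    in the Authorization header, never in the URL or in printed output."""
    data = json.dumps(payload).encode("utf-8") if payload is not None else None
    req = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        raw = err.read().decode("utf-8", "replace")
        try:
            body = json.loads(raw) if raw else None
        except ValueError:
            body = raw  # non-JSON error page; keep it for the audit trail
        return classify_response(err.code, body)


def run_quick_start(api_key):
    """Steps 1-3. Reading the slot from an 'id' field is an assumption; the
    fallback of slot 2 mirrors the page's curl example."""
    outcome, policies = call("GET", "/governance", api_key)
    print("step 1:", outcome, policies)
    outcome, created = call("POST", "/governance", api_key,
                            build_policy_payload("SOC 2 Compliant"))
    print("step 2:", outcome, created)
    slot = created.get("id", 2) if isinstance(created, dict) else 2
    outcome, reply = call("POST", "/llm/v1/chat/completions", api_key,
                          build_chat_payload("claude-sonnet-4-20250514",
                                             [{"role": "user",
                                               "content": "Analyze this contract"}],
                                             slot))
    print("step 3:", outcome, reply)
    return outcome


if __name__ == "__main__":
    run_quick_start(os.environ["CASE_API_KEY"])  # never hard-code sk_case_* keys
```

Run it with the key in the `CASE_API_KEY` environment variable. A `blocked` outcome from step 3 is the expected result when the policy's `hard_block` rule rejects the provider behind the requested model; treat it as a policy decision to surface, not as a retryable error.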
How It Works
```
┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   LLM Request   │ ──▶ │  Policy Engine  │ ──▶ │ Provider Router │
│                 │     │                 │     │                 │
│ model: gpt-4o   │     │ Check trust     │     │ Allowed: ✓      │
│ policy: 1       │     │ Check compliance│     │ Route to OpenAI │
└─────────────────┘     └─────────────────┘     └─────────────────┘
                                 │
                                 ▼
                        ┌─────────────────┐
                        │    Audit Log    │
                        │                 │
                        │ timestamp, model│
                        │ policy, allowed │
                        └─────────────────┘
```
Every LLM request is evaluated against your active governance policy, in this order:
1. Policy Selection - the default policy, or the one specified by the `governance_policy` slot
2. Trust Tier Check - the provider must meet the policy's minimum trust tier
3. Compliance Check - the provider must hold the required certifications
4. Enforcement - block, warn, or allow according to the policy's enforcement mode
5. Audit Logging - every decision, allowed or not, is logged for compliance reporting
Core Concepts
Trust Tiers
Providers are categorized into trust tiers based on their compliance posture:
| Tier | Description | Use Case |
|---|---|---|
| `most_trusted` | Full enterprise compliance (SOC 2, HIPAA, BAA, ZDR) | Healthcare, financial services |
| `trusted` | Good compliance, may lack some certifications | General enterprise |
| `sketchy` | Limited compliance info available | Development/testing only |
| `untrustworthy` | China-based, subject to national security laws | Always blocked |
Compliance Certifications
| Certification | Description |
|---|---|
| SOC 2 Type II | Security, availability, processing integrity controls |
| HIPAA | Protected health information handling |
| BAA | Business Associate Agreement available |
| ZDR | Zero Data Retention - no training on your data |
| ISO 27001 | Information security management |
| GDPR | EU data protection compliance |
Enforcement Modes
| Mode | Behavior |
|---|---|
| `hard_block` | Request fails with 403 error |
| `soft_block` | Request fails, but logged as violation |
| `warn` | Request proceeds, violation logged |
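To make the five-step pipeline under "How It Works" and the trust tier, certification and enforcement tables above concrete, here is an added local model of the evaluation, written for this page and not Case.dev's engine. The providers, models, tier assignments and certification sets are constructed placeholders (fictional names, not any real vendor's compliance posture), the policies are keyed by slot number as `governance_policy` does, and the only behaviour taken from the page is: `untrustworthy` is always blocked, `hard_block` fails with 403, `soft_block` fails and is logged, `warn` proceeds and is logged. The status code used for `soft_block` is an assumption, since the page does not state one.

```python
"""Added example (not Case.dev's engine): a local model of policy selection,
trust tier check, compliance check, enforcement and audit logging. All
provider/model data below is constructed; the soft_block status is assumed."""
from datetime import datetime, timezone

# Ordering of the tiers on this page, low to high.
TIER_RANK = {"untrustworthy": 0, "sketchy": 1, "trusted": 2, "most_trusted": 3}

# Constructed catalogue: one fictional provider per tier. Certifications must
# be verified with the real provider; this is sample data only.
PROVIDERS = {
    "alpha-ai": {"tier": "most_trusted", "certs": {"SOC 2 Type II", "HIPAA", "BAA", "ZDR"}},
    "beta-ai": {"tier": "trusted", "certs": {"SOC 2 Type II", "ISO 27001"}},
    "gamma-ai": {"tier": "sketchy", "certs": set()},
    "delta-ai": {"tier": "untrustworthy", "certs": set()},
}
MODEL_PROVIDER = {"alpha-large": "alpha-ai", "beta-chat": "beta-ai",
                  "gamma-mini": "gamma-ai", "delta-x": "delta-ai"}

# Policies keyed by slot number, as referenced by "governance_policy".
POLICIES = {
    1: {"name": "Default", "rules": {"minimumTrustTier": "trusted",
                                     "requireSoc2": False, "enforcement": "warn"}},
    2: {"name": "SOC 2 Compliant", "rules": {"minimumTrustTier": "most_trusted",
                                             "requireSoc2": True, "enforcement": "hard_block"}},
}
DEFAULT_POLICY_SLOT = 1
AUDIT_LOG = []  # append-only; a real deployment ships this to durable storage


def evaluate(model, governance_policy=None, now=None):
    """Run one request through the pipeline and return the routing decision.
    Every call appends exactly one audit entry, whether allowed or not."""
    # 1. Policy selection: an explicit slot wins, otherwise the default policy.
    slot = DEFAULT_POLICY_SLOT if governance_policy is None else governance_policy
    rules = POLICIES[slot]["rules"]  # KeyError on an unknown slot is a caller bug
    provider_name = MODEL_PROVIDER[model]
    provider = PROVIDERS[provider_name]
    violations = []
    # 2. Trust tier check. The untrustworthy tier is blocked unconditionally.
    if provider["tier"] == "untrustworthy":
        violations.append("provider tier untrustworthy: always blocked")
    elif TIER_RANK[provider["tier"]] < TIER_RANK[rules["minimumTrustTier"]]:
        violations.append(f"tier {provider['tier']} below minimum {rules['minimumTrustTier']}")
    # 3. Compliance check (only requireSoc2 is documented on this page).
    if rules.get("requireSoc2") and "SOC 2 Type II" not in provider["certs"]:
        violations.append("SOC 2 Type II required but not held")
    # 4. Enforcement. hard_block -> 403 (from the page); soft_block also fails,
    #    403 assumed; warn proceeds. The unconditional block overrides the mode.
    mode = rules["enforcement"]
    if mode not in ("hard_block", "soft_block", "warn"):
        raise ValueError(f"unknown enforcement mode {mode!r}")
    if not violations:
        allowed, status = True, 200
    elif provider["tier"] == "untrustworthy" or mode in ("hard_block", "soft_block"):
        allowed, status = False, 403
    else:  # warn: proceed, but the violation still reaches the audit log
        allowed, status = True, 200
    # 5. Audit logging: timestamp, model, policy, allowed (plus why).
    entry = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "model": model, "provider": provider_name, "policy": slot,
        "enforcement": mode, "allowed": allowed, "violations": list(violations),
    }
    AUDIT_LOG.append(entry)
    return {"allowed": allowed, "status": status,
            "route_to": provider_name if allowed else None,
            "violations": violations}


if __name__ == "__main__":
    for model, slot in [("alpha-large", 2), ("beta-chat", 2),
                        ("gamma-mini", None), ("delta-x", 1)]:
        print(model, slot, evaluate(model, slot))
    print(len(AUDIT_LOG), "audit entries")
```

The two cases worth checking when you write your own policies are the ones a `warn` policy does not protect against: a `trusted` provider under a `most_trusted`/`hard_block` policy is rejected even though it holds SOC 2, and an `untrustworthy` provider is rejected even under `warn`, because the always-blocked rule sits above the enforcement mode.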
Shared Responsibility Model
| Responsibility | Case.dev | Customer |
|---|---|---|
| Policy configuration | Provides tools | Configures policies |
| Provider compliance verification | Provides data | Validates for your use case |
| Audit log retention | 30 days | Export for longer retention |
| Regulatory compliance determination | - | Your responsibility |
| Provider BAA execution | - | Your responsibility |
| Data handling by providers | - | Your responsibility |
Provider Compliance Data: We aggregate compliance information from provider documentation, but you should verify certifications directly with providers for your specific regulatory requirements.