Governance policies define which AI providers can handle your organization’s requests. Create policies based on trust tiers, compliance requirements, and enforcement rules.

Policy Schema

Policy Structure
interface GovernancePolicy {
  id: string;                    // "gpol_xxx" - Auto-generated
  orgId: string;                 // Organization ID
  name: string;                  // Human-readable name
  description?: string;          // Optional description
  tagSlot?: number;              // 1-12, or null for default
  isDefault: boolean;            // Is this the default policy?
  isActive: boolean;             // Is policy active?
  rules: PolicyRules;            // Policy rules
  createdAt: string;             // ISO timestamp
  updatedAt: string;             // ISO timestamp
}

interface PolicyRules {
  // Trust tier requirements
  minimumTrustTier?: "most_trusted" | "trusted" | "sketchy"; // Ordered most_trusted > trusted > sketchy; providers at or above the minimum pass
  
  // Compliance requirements
  blockChinaProviders: boolean;  // Block China-based providers
  requireZdr: boolean;           // Require Zero Data Retention
  requireBaa: boolean;           // Require BAA available
  requireHipaa: boolean;         // Require HIPAA compliance
  requireSoc2: boolean;          // Require SOC 2 Type II
  
  // Provider lists
  providerAllowlist?: string[];  // Only allow these providers
  providerBlocklist?: string[];  // Block these providers
  
  // Enforcement
  enforcement: "hard_block" | "soft_block" | "warn";
}

Create a Policy

curl -X POST https://api.case.dev/governance \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production - HIPAA Compliant",
    "description": "Only HIPAA-certified providers with BAA",
    "tagSlot": 1,
    "isDefault": true,
    "rules": {
      "minimumTrustTier": "most_trusted",
      "blockChinaProviders": true,
      "requireHipaa": true,
      "requireBaa": true,
      "enforcement": "hard_block"
    }
  }'
Response
{
  "id": "gpol_abc123",
  "orgId": "org_xxx",
  "name": "Production - HIPAA Compliant",
  "description": "Only HIPAA-certified providers with BAA",
  "tagSlot": 1,
  "isDefault": true,
  "isActive": true,
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": false,
    "requireBaa": true,
    "requireHipaa": true,
    "requireSoc2": false,
    "enforcement": "hard_block"
  },
  "createdAt": "2025-01-10T14:30:00Z",
  "updatedAt": "2025-01-10T14:30:00Z"
}

Policy Templates

HIPAA-Compliant Production

For healthcare and PHI handling:
HIPAA Policy
{
  "name": "Production - HIPAA",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireHipaa": true,
    "requireBaa": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: Anthropic, OpenAI, Azure, Google Vertex AI, AWS Bedrock, Cohere

SOC 2 Type II Only

For enterprise security requirements:
SOC 2 Policy
{
  "name": "Enterprise - SOC 2",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "requireSoc2": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: All Most Trusted + Groq, DeepInfra, Fireworks, Together AI, Mistral, Cohere

EU Data Residency

For GDPR and EU data sovereignty:
EU Data Residency Policy
{
  "name": "EU Data Residency",
  "rules": {
    "blockChinaProviders": true,
    "providerAllowlist": ["anthropic", "mistral", "deepinfra", "azure"],
    "enforcement": "hard_block"
  }
}
Note: Verify each provider’s EU region availability for your use case.

Zero Data Retention

For maximum data protection:
ZDR Policy
{
  "name": "Zero Data Retention",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": true,
    "enforcement": "hard_block"
  }
}

Development / Permissive

For testing and development environments:
Development Policy
{
  "name": "Development",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "enforcement": "warn"
  }
}
Development Only: Use warn enforcement only in development. Production should use hard_block.

Strict Allowlist

Allow only specific approved providers:
Strict Allowlist Policy
{
  "name": "Approved Vendors Only",
  "rules": {
    "providerAllowlist": ["anthropic", "openai"],
    "blockChinaProviders": true,
    "enforcement": "hard_block"
  }
}

Tag Slots

Tag slots (1-12) allow you to assign policies to specific use cases and select them at request time.
┌─────────────────────────────────────────────────────────────┐
│                     Organization Policies                    │
├──────┬────────────────────────┬─────────────────────────────┤
│ Slot │ Policy Name            │ Use Case                    │
├──────┼────────────────────────┼─────────────────────────────┤
│ 1    │ Production - HIPAA     │ PHI handling                │
│ 2    │ Development            │ Testing & dev               │
│ 3    │ EU Data Residency      │ European customers          │
│ 4    │ Financial Services     │ SOX compliance              │
│ -    │ (Default)              │ All other requests          │
└──────┴────────────────────────┴─────────────────────────────┘

Select Policy by Slot

curl -X POST https://api.case.dev/llm/v1/chat/completions \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "claude-sonnet-4-20250514",
    "messages": [{"role": "user", "content": "Analyze this patient record"}],
    "governance_policy": 1
  }'

List Policies

curl https://api.case.dev/governance \
  -H "Authorization: Bearer sk_case_xxx"
Response
{
  "policies": [
    {
      "id": "gpol_abc123",
      "name": "Production - HIPAA",
      "tagSlot": 1,
      "isDefault": true,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "most_trusted",
        "requireHipaa": true,
        "requireBaa": true
      }
    },
    {
      "id": "gpol_def456",
      "name": "Development",
      "tagSlot": 2,
      "isDefault": false,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "trusted",
        "enforcement": "warn"
      }
    }
  ]
}

Update a Policy

curl -X PATCH https://api.case.dev/governance/gpol_abc123 \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "rules": {
      "requireSoc2": true
    }
  }'

Delete a Policy

curl -X DELETE https://api.case.dev/governance/gpol_abc123 \
  -H "Authorization: Bearer sk_case_xxx"
Cannot Delete Default: You cannot delete the default policy. Set another policy as default first.

Enforcement Modes

┌────────────┬──────────────────────────────────────────────────────────────┬─────────────┐
│ Mode       │ Behavior                                                     │ Use Case    │
├────────────┼──────────────────────────────────────────────────────────────┼─────────────┤
│ hard_block │ Request fails with 403                                       │ Production  │
│ soft_block │ Request fails, logged as violation                           │ Staging     │
│ warn       │ Request proceeds; violation logged and returned in the       │ Development │
│            │ X-Governance-Violations response header                      │             │
└────────────┴──────────────────────────────────────────────────────────────┴─────────────┘

Hard Block Response

403 Response
{
  "error": {
    "message": "Request blocked by governance policy",
    "type": "governance_blocked",
    "code": "GOVERNANCE_BLOCKED",
    "violations": [
      "Provider 'deepseek' is China-based and blocked by policy",
      "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'"
    ]
  }
}

Warn Mode Response

Request succeeds but includes violation header:
X-Governance-Violations: Provider 'groq' does not have BAA available
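The following is an added example, not case.dev's own code: it interprets the governance signals a client sees (the 403 body with type "governance_blocked" and the X-Governance-Violations header shown above) and decides whether the caller should treat the result as a failure. It works on plain status, header and body values so it runs offline; the sample responses embedded below are constructed from the documented shapes, and the `readGovernance` / `shouldFail` names and the environment-based escalation rule are this example's own choices.

```typescript
// Added example, not case.dev's own code: classify a gateway response by its
// governance signals and decide whether a client should fail on it.

type GovernanceKind = "clean" | "warned" | "blocked" | "other_error";

interface GovernanceOutcome {
  kind: GovernanceKind;
  violations: string[];
}

// HTTP header names are case-insensitive; do not depend on the gateway's casing.
function headerLookup(headers: Record<string, string>, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

function readGovernance(status: number, headers: Record<string, string>, body: string): GovernanceOutcome {
  if (status === 403) {
    // Only a body with type "governance_blocked" is a policy block; any other
    // 403 (for example an authorization failure) is reported separately.
    try {
      const parsed = JSON.parse(body);
      const err = parsed && parsed.error;
      if (err && err.type === "governance_blocked") {
        const violations = Array.isArray(err.violations) ? err.violations.map(String) : [];
        return { kind: "blocked", violations };
      }
    } catch {
      // Non-JSON body: fall through to other_error.
    }
    return { kind: "other_error", violations: [] };
  }
  if (status >= 400) return { kind: "other_error", violations: [] };

  // Warn mode: the request succeeded, and the only client-visible signal is
  // this header. The page shows a single violation in it; the separator for
  // several is not documented, so the value is kept whole (assumption).
  const warn = headerLookup(headers, "X-Governance-Violations");
  if (warn && warn.trim() !== "") return { kind: "warned", violations: [warn.trim()] };
  return { kind: "clean", violations: [] };
}

// Escalation rule (this example's choice): a warned request is a failure
// everywhere except development, so a mis-scoped policy is caught in staging
// rather than silently passing traffic to a provider the policy meant to block.
function shouldFail(
  outcome: GovernanceOutcome,
  environment: "development" | "staging" | "production",
): boolean {
  if (outcome.kind === "blocked" || outcome.kind === "other_error") return true;
  if (outcome.kind === "warned") return environment !== "development";
  return false;
}

// Constructed samples shaped like the documented responses.
const SAMPLE_403_BODY = JSON.stringify({
  error: {
    message: "Request blocked by governance policy",
    type: "governance_blocked",
    code: "GOVERNANCE_BLOCKED",
    violations: [
      "Provider 'deepseek' is China-based and blocked by policy",
      "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'",
    ],
  },
});
const SAMPLE_WARN_HEADERS: Record<string, string> = {
  "x-governance-violations": "Provider 'groq' does not have BAA available",
};

const blockedOutcome = readGovernance(403, {}, SAMPLE_403_BODY);
const warnedOutcome = readGovernance(200, SAMPLE_WARN_HEADERS, "{}");
console.log(blockedOutcome.kind, blockedOutcome.violations.length); // blocked 2
console.log(warnedOutcome.kind, shouldFail(warnedOutcome, "staging")); // warned true
```

A client that only checks the status code sees a warn-mode violation as a normal 200; reading the header and escalating it outside development is what makes the warn mode useful as a dry run rather than a blind spot.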

Validate a Policy

Test which providers would be allowed before creating:
curl -X POST https://api.case.dev/governance/validate \
  -H "Authorization: Bearer sk_case_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "rules": {
      "minimumTrustTier": "most_trusted",
      "requireHipaa": true,
      "requireBaa": true
    }
  }'
Response
{
  "valid": true,
  "allowedProviders": ["anthropic", "openai", "azure", "google", "bedrock", "cohere"],
  "blockedProviders": [
    {
      "slug": "groq",
      "reason": "BAA not available"
    },
    {
      "slug": "deepseek",
      "reason": "China-based provider"
    }
  ],
  "warnings": []
}
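As an added example (not case.dev's own code), the evaluator below implements the PolicyRules shape from the schema section locally and produces the same allowed/blocked split the /governance/validate response returns, plus a per-request decision that shows which enforcement mode lets a violating request through. It runs offline against a constructed provider catalog: the provider attributes, the trust-tier ordering (most_trusted above trusted above sketchy), the rule that allowlist and blocklist are both applied and each produces its own violation, and the fail-closed handling of an unknown provider are assumptions of this example, not documented service behavior; the real catalog is maintained by the service.

```typescript
// Added example, not case.dev's own code: a local evaluator for PolicyRules
// against a constructed provider catalog.

type TrustTier = "most_trusted" | "trusted" | "sketchy";
type Enforcement = "hard_block" | "soft_block" | "warn";

interface PolicyRules {
  minimumTrustTier?: TrustTier;
  blockChinaProviders: boolean;
  requireZdr: boolean;
  requireBaa: boolean;
  requireHipaa: boolean;
  requireSoc2: boolean;
  providerAllowlist?: string[];
  providerBlocklist?: string[];
  enforcement: Enforcement;
}

// Provider attributes are constructed for this example (assumption).
interface Provider {
  slug: string;
  tier: TrustTier;
  chinaBased: boolean;
  zdr: boolean;
  baa: boolean;
  hipaa: boolean;
  soc2: boolean;
}

const CATALOG: Provider[] = [
  { slug: "anthropic", tier: "most_trusted", chinaBased: false, zdr: true,  baa: true,  hipaa: true,  soc2: true },
  { slug: "openai",    tier: "most_trusted", chinaBased: false, zdr: true,  baa: true,  hipaa: true,  soc2: true },
  { slug: "groq",      tier: "trusted",      chinaBased: false, zdr: false, baa: false, hipaa: false, soc2: true },
  { slug: "deepseek",  tier: "sketchy",      chinaBased: true,  zdr: false, baa: false, hipaa: false, soc2: false },
];

// Assumed ordering: a provider passes if its tier is at or above the minimum.
const TIER_RANK: Record<TrustTier, number> = { sketchy: 0, trusted: 1, most_trusted: 2 };

// The create request may omit the compliance booleans; the create response
// shows them defaulting to false, which this mirrors. Enforcement stays required.
type RuleInput = Partial<PolicyRules> & Pick<PolicyRules, "enforcement">;

function normalizeRules(input: RuleInput): PolicyRules {
  return {
    blockChinaProviders: false,
    requireZdr: false,
    requireBaa: false,
    requireHipaa: false,
    requireSoc2: false,
    ...input,
  };
}

// Every reason a provider fails the rules. The 403 body lists all violations,
// so collect them rather than stopping at the first.
function violationsFor(p: Provider, rules: PolicyRules): string[] {
  const v: string[] = [];
  if (rules.providerAllowlist && !rules.providerAllowlist.includes(p.slug)) {
    v.push(`Provider '${p.slug}' is not on the allowlist`);
  }
  if (rules.providerBlocklist && rules.providerBlocklist.includes(p.slug)) {
    v.push(`Provider '${p.slug}' is on the blocklist`);
  }
  if (rules.minimumTrustTier && TIER_RANK[p.tier] < TIER_RANK[rules.minimumTrustTier]) {
    v.push(`Provider '${p.slug}' does not meet minimum trust tier '${rules.minimumTrustTier}'`);
  }
  if (rules.blockChinaProviders && p.chinaBased) v.push(`Provider '${p.slug}' is China-based and blocked by policy`);
  if (rules.requireZdr && !p.zdr) v.push(`Provider '${p.slug}' does not offer Zero Data Retention`);
  if (rules.requireBaa && !p.baa) v.push(`Provider '${p.slug}' does not have BAA available`);
  if (rules.requireHipaa && !p.hipaa) v.push(`Provider '${p.slug}' is not HIPAA compliant`);
  if (rules.requireSoc2 && !p.soc2) v.push(`Provider '${p.slug}' has no SOC 2 Type II report`);
  return v;
}

interface ValidationResult {
  allowedProviders: string[];
  blockedProviders: { slug: string; reason: string }[];
}

// Same split as the /governance/validate response.
function validateRules(input: RuleInput, catalog: Provider[] = CATALOG): ValidationResult {
  const rules = normalizeRules(input);
  const result: ValidationResult = { allowedProviders: [], blockedProviders: [] };
  for (const p of catalog) {
    const v = violationsFor(p, rules);
    if (v.length === 0) result.allowedProviders.push(p.slug);
    else result.blockedProviders.push({ slug: p.slug, reason: v.join("; ") });
  }
  return result;
}

interface Decision {
  proceed: boolean; // false under hard_block and soft_block, true under warn
  violations: string[];
}

// Per-request decision: only "warn" lets a violating request through. An
// unknown provider fails closed regardless of mode (this example's choice).
function decide(providerSlug: string, input: RuleInput, catalog: Provider[] = CATALOG): Decision {
  const rules = normalizeRules(input);
  const p = catalog.find((c) => c.slug === providerSlug);
  if (!p) return { proceed: false, violations: [`Provider '${providerSlug}' is not in the catalog`] };
  const v = violationsFor(p, rules);
  return { proceed: v.length === 0 || rules.enforcement === "warn", violations: v };
}

const hipaaRules: RuleInput = {
  minimumTrustTier: "most_trusted", blockChinaProviders: true,
  requireHipaa: true, requireBaa: true, enforcement: "hard_block",
};
console.log(validateRules(hipaaRules).allowedProviders); // [ 'anthropic', 'openai' ]
console.log(decide("deepseek", hipaaRules).violations.length); // 4
```

Running the same rules through `validateRules` before creating a policy and through `decide` for a specific provider makes the difference between the modes concrete: under warn the decision is `proceed: true` even with violations present, which is exactly why the page restricts that mode to development.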
