Governance policies define which AI providers can handle your organization’s requests. Create policies based on trust tiers, compliance requirements, and enforcement rules.
Policy Schema
interface GovernancePolicy {
  id: string;            // "gpol_xxx" - Auto-generated
  orgId: string;         // Organization ID
  name: string;          // Human-readable name
  description?: string;  // Optional description
  tagSlot?: number;      // 1-12, or null for default
  isDefault: boolean;    // Is this the default policy?
  isActive: boolean;     // Is policy active?
  rules: PolicyRules;    // Policy rules
  createdAt: string;     // ISO timestamp
  updatedAt: string;     // ISO timestamp
}

interface PolicyRules {
  // Trust tier requirements
  minimumTrustTier?: "most_trusted" | "trusted" | "sketchy";

  // Compliance requirements
  blockChinaProviders: boolean;  // Block China-based providers
  requireZdr: boolean;           // Require Zero Data Retention
  requireBaa: boolean;           // Require BAA available
  requireHipaa: boolean;         // Require HIPAA compliance
  requireSoc2: boolean;          // Require SOC 2 Type II

  // Provider lists
  providerAllowlist?: string[];  // Only allow these providers
  providerBlocklist?: string[];  // Block these providers

  // Enforcement
  enforcement: "hard_block" | "soft_block" | "warn";
}
Create a Policy
curl -X POST https://api.case.dev/governance \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"name": "Production - HIPAA Compliant",
"description": "Only HIPAA-certified providers with BAA",
"tagSlot": 1,
"isDefault": true,
"rules": {
"minimumTrustTier": "most_trusted",
"blockChinaProviders": true,
"requireHipaa": true,
"requireBaa": true,
"enforcement": "hard_block"
}
}'
{
  "id": "gpol_abc123",
  "orgId": "org_xxx",
  "name": "Production - HIPAA Compliant",
  "description": "Only HIPAA-certified providers with BAA",
  "tagSlot": 1,
  "isDefault": true,
  "isActive": true,
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": false,
    "requireBaa": true,
    "requireHipaa": true,
    "requireSoc2": false,
    "enforcement": "hard_block"
  },
  "createdAt": "2025-01-10T14:30:00Z",
  "updatedAt": "2025-01-10T14:30:00Z"
}
Policy Templates
HIPAA-Compliant Production
For healthcare and PHI handling:
{
  "name": "Production - HIPAA",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireHipaa": true,
    "requireBaa": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: Anthropic, OpenAI, Azure, Google Vertex AI, AWS Bedrock, Cohere
SOC 2 Type II Only
For enterprise security requirements:
{
  "name": "Enterprise - SOC 2",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "requireSoc2": true,
    "enforcement": "hard_block"
  }
}
Allowed providers: all Most Trusted providers, plus Groq, DeepInfra, Fireworks, Together AI, Mistral, Cohere
EU Data Residency
For GDPR and EU data sovereignty:
{
  "name": "EU Data Residency",
  "rules": {
    "blockChinaProviders": true,
    "providerAllowlist": ["anthropic", "mistral", "deepinfra", "azure"],
    "enforcement": "hard_block"
  }
}
Note: Verify each provider’s EU region availability for your use case.
Zero Data Retention
For maximum data protection:
{
  "name": "Zero Data Retention",
  "rules": {
    "minimumTrustTier": "most_trusted",
    "blockChinaProviders": true,
    "requireZdr": true,
    "enforcement": "hard_block"
  }
}
Development / Permissive
For testing and development environments:
{
  "name": "Development",
  "rules": {
    "minimumTrustTier": "trusted",
    "blockChinaProviders": true,
    "enforcement": "warn"
  }
}
Development Only: Use warn enforcement only in development. In warn mode a request that violates the policy still reaches the provider; the violation is only logged. Production should use hard_block.
Strict Allowlist
Allow only specific approved providers:
{
  "name": "Approved Vendors Only",
  "rules": {
    "providerAllowlist": ["anthropic", "openai"],
    "blockChinaProviders": true,
    "enforcement": "hard_block"
  }
}
Tag Slots
Tag slots (1-12) let you assign policies to specific use cases and select one at request time by its slot number. A request that names no slot is evaluated against the default policy.
┌─────────────────────────────────────────────────────────────┐
│ Organization Policies │
├──────┬────────────────────────┬─────────────────────────────┤
│ Slot │ Policy Name │ Use Case │
├──────┼────────────────────────┼─────────────────────────────┤
│ 1 │ Production - HIPAA │ PHI handling │
│ 2 │ Development │ Testing & dev │
│ 3 │ EU Data Residency │ European customers │
│ 4 │ Financial Services │ SOX compliance │
│ - │ (Default) │ All other requests │
└──────┴────────────────────────┴─────────────────────────────┘
Select Policy by Slot
curl -X POST https://api.case.dev/llm/v1/chat/completions \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"model": "claude-sonnet-4-20250514",
"messages": [{"role": "user", "content": "Analyze this patient record"}],
"governance_policy": 1
}'
List Policies
curl https://api.case.dev/governance \
-H "Authorization: Bearer sk_case_xxx"
{
  "policies": [
    {
      "id": "gpol_abc123",
      "name": "Production - HIPAA",
      "tagSlot": 1,
      "isDefault": true,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "most_trusted",
        "requireHipaa": true,
        "requireBaa": true
      }
    },
    {
      "id": "gpol_def456",
      "name": "Development",
      "tagSlot": 2,
      "isDefault": false,
      "isActive": true,
      "rules": {
        "minimumTrustTier": "trusted",
        "enforcement": "warn"
      }
    }
  ]
}
Update a Policy
curl -X PATCH https://api.case.dev/governance/gpol_abc123 \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"rules": {
"requireSoc2": true
}
}'
Delete a Policy
curl -X DELETE https://api.case.dev/governance/gpol_abc123 \
-H "Authorization: Bearer sk_case_xxx"
Cannot Delete Default: You cannot delete the default policy. Set another policy as default first.
Enforcement Modes
Mode         Behavior                              Use Case
hard_block   Request fails with 403                Production
soft_block   Request fails, logged as violation    Staging
warn         Request proceeds, violation logged    Development
Hard Block Response
{
  "error": {
    "message": "Request blocked by governance policy",
    "type": "governance_blocked",
    "code": "GOVERNANCE_BLOCKED",
    "violations": [
      "Provider 'deepseek' is China-based and blocked by policy",
      "Provider 'deepseek' does not meet minimum trust tier 'most_trusted'"
    ]
  }
}
Warn Mode Response
The request succeeds, but the response carries a violation header that clients should check and log:
X-Governance-Violations: Provider 'groq' does not have BAA available
Validate a Policy
Test which providers a set of rules would allow before creating the policy:
curl -X POST https://api.case.dev/governance/validate \
-H "Authorization: Bearer sk_case_xxx" \
-H "Content-Type: application/json" \
-d '{
"rules": {
"minimumTrustTier": "most_trusted",
"requireHipaa": true,
"requireBaa": true
}
}'
{
  "valid": true,
  "allowedProviders": ["anthropic", "openai", "azure", "google", "bedrock", "cohere"],
  "blockedProviders": [
    {
      "slug": "groq",
      "reason": "BAA not available"
    },
    {
      "slug": "deepseek",
      "reason": "China-based provider"
    }
  ],
  "warnings": []
}
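To make the rule semantics above concrete, here is an added example (not case.dev code) of a local evaluator for the PolicyRules schema: it applies the trust-tier ordering, the compliance flags and the allow/blocklists to a provider catalog, produces a /governance/validate-shaped result, and shows what a request gets back under each enforcement mode (the 403 body for blocks, the X-Governance-Violations header for warn). The catalog, its per-provider attributes (trustTier, chinaBased, zdr, baa, hipaa, soc2), allowlist-over-blocklist precedence, the 403 for soft_block and the meaning of `valid` are all assumptions made for the example; the page documents none of them.

```typescript
// Added example: a local evaluator for the documented PolicyRules shape.
// Not case.dev's own code. The catalog and provider attributes below are
// constructed for the example and are assumptions about what the service checks.

type TrustTier = "most_trusted" | "trusted" | "sketchy";
type Enforcement = "hard_block" | "soft_block" | "warn";

interface PolicyRules {
  minimumTrustTier?: TrustTier;
  blockChinaProviders: boolean;
  requireZdr: boolean;
  requireBaa: boolean;
  requireHipaa: boolean;
  requireSoc2: boolean;
  providerAllowlist?: string[];
  providerBlocklist?: string[];
  enforcement: Enforcement;
}

// Constructed catalog (assumption): the attributes each rule would need to test.
interface Provider {
  slug: string;
  trustTier: TrustTier;
  chinaBased: boolean;
  zdr: boolean;
  baa: boolean;
  hipaa: boolean;
  soc2: boolean;
}

const CATALOG: Provider[] = [
  { slug: "anthropic", trustTier: "most_trusted", chinaBased: false, zdr: true,  baa: true,  hipaa: true,  soc2: true },
  { slug: "groq",      trustTier: "trusted",      chinaBased: false, zdr: false, baa: false, hipaa: false, soc2: true },
  { slug: "deepseek",  trustTier: "sketchy",      chinaBased: true,  zdr: false, baa: false, hipaa: false, soc2: false },
];

// Tier ordering from the schema: most_trusted > trusted > sketchy.
const TIER_RANK: Record<TrustTier, number> = { most_trusted: 2, trusted: 1, sketchy: 0 };

// Every rule the provider violates; an empty list means it is allowed.
// Assumption: an allowlist is an explicit whitelist, so anything not on it is out.
function violations(p: Provider, rules: PolicyRules): string[] {
  const v: string[] = [];
  if (rules.providerAllowlist && !rules.providerAllowlist.includes(p.slug)) {
    v.push(`Provider '${p.slug}' is not on the policy allowlist`);
  }
  if (rules.providerBlocklist?.includes(p.slug)) {
    v.push(`Provider '${p.slug}' is on the policy blocklist`);
  }
  if (rules.blockChinaProviders && p.chinaBased) {
    v.push(`Provider '${p.slug}' is China-based and blocked by policy`);
  }
  if (rules.minimumTrustTier && TIER_RANK[p.trustTier] < TIER_RANK[rules.minimumTrustTier]) {
    v.push(`Provider '${p.slug}' does not meet minimum trust tier '${rules.minimumTrustTier}'`);
  }
  if (rules.requireZdr && !p.zdr) v.push(`Provider '${p.slug}' does not offer Zero Data Retention`);
  if (rules.requireBaa && !p.baa) v.push(`Provider '${p.slug}' does not have BAA available`);
  if (rules.requireHipaa && !p.hipaa) v.push(`Provider '${p.slug}' is not HIPAA compliant`);
  if (rules.requireSoc2 && !p.soc2) v.push(`Provider '${p.slug}' is not SOC 2 Type II certified`);
  return v;
}

// Shaped like the /governance/validate response. Assumption: `valid` means at
// least one provider in the catalog can still serve requests under these rules.
function validate(rules: PolicyRules, catalog: Provider[] = CATALOG) {
  const allowedProviders: string[] = [];
  const blockedProviders: { slug: string; reason: string }[] = [];
  for (const p of catalog) {
    const v = violations(p, rules);
    if (v.length === 0) allowedProviders.push(p.slug);
    else blockedProviders.push({ slug: p.slug, reason: v.join("; ") });
  }
  return { valid: allowedProviders.length > 0, allowedProviders, blockedProviders };
}

// What a request routed to `slug` gets back. hard_block is documented as a 403;
// treating soft_block as a 403 too is an assumption. warn passes the request
// through and reports the violations in the header.
type Decision =
  | { status: 200; headers: Record<string, string> }
  | { status: 403; error: { type: "governance_blocked"; code: "GOVERNANCE_BLOCKED"; violations: string[] } };

function enforce(slug: string, rules: PolicyRules, catalog: Provider[] = CATALOG): Decision {
  const p = catalog.find((c) => c.slug === slug);
  // Fail closed: a provider missing from the catalog cannot be shown to satisfy the policy.
  const v = p ? violations(p, rules) : [`Provider '${slug}' is not in the catalog`];
  if (v.length === 0) return { status: 200, headers: {} };
  if (rules.enforcement === "warn") {
    return { status: 200, headers: { "X-Governance-Violations": v.join("; ") } };
  }
  return { status: 403, error: { type: "governance_blocked", code: "GOVERNANCE_BLOCKED", violations: v } };
}
```

Running `validate` with the HIPAA template's rules against this catalog leaves only `anthropic` allowed, and `enforce("deepseek", ...)` yields the two-line violation list shown in the hard-block response above followed by the BAA and HIPAA misses. The unknown-provider branch is the part worth copying: a client that mirrors governance checks locally should deny what it cannot classify rather than let it through.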
Next Steps