From Zero Governance to Full Enforcement: A 90-Day Rollout Plan
A practical 90-day Keeptrusts rollout starts with visibility in days 1-30, adds targeted controls in days 31-60, and moves to hard enforcement in days 61-90. The point is not to enable every policy at once. The point is to follow the documented config-first loop: author, lint, test, run, observe, refine, and only then enforce what the team understands and is prepared to operate.
Use this page when
- You are adopting Keeptrusts from scratch and need a rollout sequence that will survive real operations.
- You want a plan that uses the documented user-docs workflow instead of a generic governance checklist.
- You need to align engineering, security, and operations around a single adoption path.
Primary audience
- Primary: Technical Leaders
- Secondary: Technical Engineers, platform owners
The problem
Most governance rollouts fail in one of two ways.
The first failure mode is over-enforcement too early. A team discovers the policy catalog, enables several controls at once, and creates a wave of false positives before anyone has ownership, baselines, or rollback habits.
The second failure mode is permanent pilot mode. Traffic is routed through the gateway, but nothing meaningful is enforced. Teams collect a few events, promise to tighten controls later, and never build the operational loop needed to move from observation to policy.
Both failures come from skipping the middle. Governance is not just a config file and it is not just an event stream. It is a managed operating model around that config.
The user-docs already describe the pieces: onboarding ownership, config-first authoring, lint and policy tests, managed rollout, event review, and evidence export. The rollout plan works when those pieces are sequenced, not when they are treated as unrelated pages.
The solution
Use a three-phase rollout with explicit goals.
Days 1-30 are about visibility and ownership.
Days 31-60 are about targeted controls and measured review.
Days 61-90 are about enforced policy, change discipline, and evidence workflows.
That sounds simple, but the sequencing matters.
You should not enforce what you have not measured.
You should not measure what nobody owns.
And you should not claim a control is live if the team cannot roll it back safely.
Implementation
Start the rollout with the documented minimal config-first loop:
```yaml
pack:
  name: first-rollout
  version: 0.1.0
  enabled: true
providers:
  targets:
    - id: openai-primary
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - prompt-injection
    - audit-logger
  policy:
    prompt-injection:
      response:
        action: block
    audit-logger: {}
```
Validate and run it the same way the config-first workflow documents:
```shell
kt init
kt policy lint --file policy-config.yaml   # catch schema and reference errors before any traffic
kt policy test --json                      # run the policy tests and keep the JSON result as evidence
# 0.0.0.0 binds every interface; narrow the bind address unless the host is already isolated
kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml
```
Then follow the 90-day sequence.
Days 1-30: visibility and ownership
Assign named owners using the Onboarding Teams checklist. Decide who approves policy changes, who monitors escalations, who investigates blocked traffic, and who owns rollback.
Route a real workload through the gateway. Do not try to enforce every policy yet. The goal is to create a baseline in Events and to verify that at least one end-to-end governed request is visible.
Use Config-First Workflow as the operating model and kt events as the evidence surface. At the end of day 30, you should know what normal traffic looks like and who is accountable for the platform.
Days 31-60: targeted controls and measured review
Add the controls that address the clearest risks first. For many teams that means prompt-injection defenses, PII redaction, per-team consumer groups, rate limits, and wallet-based budgets.
This is the phase where Set Up Team-Based AI Governance at Scale, Tutorial: Isolating Teams with Consumer Groups, and Tutorial: Setting Up Cost Tracking & Budgets become operationally important.
Do not skip review. The Managing Policy Changes guidance is clear: validate in non-production where possible, review recent events that would have been affected, roll out in a monitored window, and compare the new decision mix with the baseline afterward.
By the end of day 60, you should have targeted controls protecting the highest-risk traffic and a predictable change process around them.
Days 61-90: enforcement and evidence
This is where the rollout becomes real. Tighten warn paths to block where the evidence supports it. Use hot reload or controlled config rollout instead of ad hoc restarts. Make the team live inside the normal loop of author, lint, test, deploy, observe, and export evidence when needed.
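The review gate from Managing Policy Changes (compare the new decision mix with the baseline) and the warn-to-block tightening above, as an added example that is not Keeptrusts code: it assumes `kt events` can emit one JSON object per line with `policy` and `decision` fields, and the two sample windows are constructed.

```python
"""Decision-mix comparison for a warn->block tightening.
Added example, not Keeptrusts code. The JSON-lines layout of `kt events`
(`policy` and `decision` fields) is an assumption; sample data is constructed.
"""
import json
from collections import Counter

def _events(policy, decisions):
    """Build constructed JSON-lines events in the assumed kt-events layout."""
    return "\n".join(json.dumps({"policy": policy, "decision": d}) for d in decisions)

# Constructed sample windows: baseline (prompt-injection still warning) and
# the monitored window after it was tightened to block.
BASELINE = "\n".join([
    _events("prompt-injection", ["allow"] * 8 + ["warn"] * 2),
    _events("audit-logger", ["allow"]),  # other policy: must be filtered out
])
ROLLOUT = _events("prompt-injection", ["allow"] * 8 + ["block"] * 2)

def decision_mix(jsonl, policy):
    """Share of each decision for one policy, e.g. {'allow': 0.8, 'warn': 0.2}."""
    counts = Counter()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("policy") == policy:
            counts[event["decision"]] += 1
    total = sum(counts.values())
    return {d: n / total for d, n in counts.items()} if total else {}

def mix_shift(baseline, rollout):
    """Per-decision change in share (rollout minus baseline), missing keys as 0."""
    keys = set(baseline) | set(rollout)
    return {k: round(rollout.get(k, 0.0) - baseline.get(k, 0.0), 6) for k in keys}

def tightening_supported(baseline, rollout, tolerance=0.05):
    """Gate for warn->block: the new block share must stay within `tolerance`
    of the baseline warn share, so the gateway blocks what it used to warn on
    rather than a new slice of traffic. Roll back if this returns False."""
    return rollout.get("block", 0.0) <= baseline.get("warn", 0.0) + tolerance

if __name__ == "__main__":
    b = decision_mix(BASELINE, "prompt-injection")
    r = decision_mix(ROLLOUT, "prompt-injection")
    print("shift:", mix_shift(b, r), "supported:", tightening_supported(b, r))
```

Run it against the baseline window captured in days 1-30 and the monitored rollout window; a False result is the signal to roll back rather than argue about the numbers.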
At this stage, the platform should also have a review story. Use Tutorial: Policy Testing in CI/CD for pre-merge validation, Tutorial: Hot-Reloading Configuration Without Downtime for managed updates, and Tutorial: Exporting Compliance Evidence for audit or incident handoff.
At the end of 90 days, you are not trying to say every possible control is enabled. You are trying to say the active controls are understood, owned, tested, and observable.
Results and impact
The first result is fewer rollout surprises. Teams do not jump from zero governance to aggressive blocking in one change window.
The second result is better trust in the controls. When engineers can see the baseline, the policy tests, the monitored rollout, and the event evidence, enforcement looks like a managed system instead of an arbitrary restriction.
The third result is real operational readiness. Ownership, rollback, monitoring, and export are all part of the product surface by the time enforcement becomes firm.
There is also a leadership benefit. A 90-day sequence creates a narrative that leaders can defend: first establish visibility, then add targeted controls, then enforce with evidence. That is much easier to govern than a one-step “turn everything on” plan.
Key takeaways
- A solid Keeptrusts rollout moves from visibility to targeted controls to enforcement.
- Ownership has to exist before enforcement becomes meaningful.
- The config-first loop is the backbone of rollout: author, lint, test, run, observe, refine.
- Days 31-60 are the critical middle; skipping them leads to either false positives or permanent pilot mode.
- Full enforcement means controlled change, evidence, and rollback, not just more policies.