Compliance Policies Configuration
This page groups the declarative policies that map directly to compliance programs, regulated-data handling, and regulated-domain output controls.
Use this page when
- You need the exact command, config, API, or integration details for Compliance Policies Configuration.
- You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
- You want a reference page; for a guided rollout instead, use the linked workflow pages under Next steps.
Primary audience
- Primary: AI Agents, Technical Engineers
- Secondary: Technical Leaders
GDPR compliance
```yaml
policies:
  chain:
    - gdpr-compliance
    - pii-detector
    - audit-logger
policy:
  gdpr-compliance:
    consent_required: true
    consent_header: x-consent-token
    consent_verification_endpoint: https://consent.internal/verify
    erasure_webhook: https://privacy.internal/erase
    data_categories:
      - personal
      - sensitive
      - biometric
    retention_days: 30
  pii-detector:
    action: redact
  audit-logger:
    retention_days: 365
```
| Field | Type | Default | Description |
|---|---|---|---|
| consent_required | boolean | true | Require a consent token on every request |
| consent_header | string | x-consent-token | Header that carries the consent token |
| consent_verification_endpoint | string | — | Endpoint used to validate consent |
| erasure_webhook | string | — | Webhook used for right-to-erasure workflows |
| data_categories | string[] | personal, sensitive, biometric | Categories covered by consent checks |
| retention_days | integer | 30 | Retention budget for GDPR-tracked data |
EU AI Act
```yaml
policies:
  chain:
    - prompt-injection
    - pii-detector
    - bias-monitor
    - human-oversight
    - eu-ai-act
    - audit-logger
policy:
  bias-monitor:
    protected_characteristics:
      - gender
      - age
      - ethnicity
      - disability
      - religion
    threshold: 0.85
    action: escalate
  human-oversight:
    require_human_for:
      - hiring
      - candidate-screening
    action: escalate
    confidence_threshold: 0.7
    timeout_seconds: 3600
  eu-ai-act:
    risk_class: high
    articles:
      - 9
      - 10
      - 13
      - 14
      - 15
    action: warn
```
| Field | Type | Default | Description |
|---|---|---|---|
| risk_class | string | high | minimal, limited, high, or unacceptable |
| articles | integer[] | 9-15 | Articles to evaluate for coverage |
| action | string | warn | block, warn, or audit |
CJIS mode
```yaml
policies:
  chain:
    - cjis-mode
    - case-privacy
    - audit-logger
policy:
  cjis-mode:
    require_auth: true
    access_logging: true
  case-privacy:
    detect_patterns:
      - case_number
    action: redact
  audit-logger:
    immutable: true
    log_all_access: true
    retention_days: 2555
```
| Field | Type | Default | Description |
|---|---|---|---|
| require_auth | boolean | true | Require authenticated access |
| access_logging | boolean | true | Log every access |
Export controls and restricted-party screening
ITAR / EAR terms
```yaml
policy:
  itar-ear-filter:
    blocked_terms:
      - USML
      - ITAR
      - EAR99
      - controlled technical data
    action: block
    fuzzy_matching: true
    max_distance: 1
pack:
  name: config-compliance-policies-example-4
  version: 1.0.0
  enabled: true
policies:
  chain:
    - itar-ear-filter
```
Restricted entities
```yaml
policy:
  entity-list-filter:
    blocked_entities:
      - Acme Ballistics
      - Restricted Aerospace GmbH
    action: block
    fuzzy_matching: false
    max_distance: 1
pack:
  name: config-compliance-policies-example-5
  version: 1.0.0
  enabled: true
policies:
  chain:
    - entity-list-filter
```
Dual-use terms
```yaml
policy:
  dual-use-filter:
    blocked_terms:
      - missile guidance
      - centrifuge
      - uranium enrichment
    action: block
    fuzzy_matching: false
    max_distance: 1
pack:
  name: config-compliance-policies-example-6
  version: 1.0.0
  enabled: true
policies:
  chain:
    - dual-use-filter
```
These policies are commonly combined:
```yaml
policies:
  chain:
    - itar-ear-filter
    - entity-list-filter
    - dual-use-filter
    - audit-logger
```
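What `fuzzy_matching` and `max_distance` change on the three export-control filters above, and why the entity list leaves fuzzing off, is easiest to see by running a matcher over a few prompts. The following is an added example, not the project's matcher: the page does not say which distance the filters use, so Levenshtein edit distance over a sliding window of tokens is this example's assumption, as are the `tokenize`, `find_blocked_terms` and `decide` names and the constructed sample prompts.

```python
"""Blocked-term matching with and without fuzzy_matching / max_distance.

Added example, not the project's matcher. Distance function, tokenizer and
window strategy are assumptions; the filter dicts copy the YAML on this page.
"""
from __future__ import annotations
import re

_TOKEN = re.compile(r"[a-z0-9][a-z0-9-]*")


def tokenize(text: str) -> list[str]:
    """Lowercase and keep alphanumerics plus inner hyphens, so 'EAR-99' is one token."""
    return _TOKEN.findall(text.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_blocked_terms(text: str, blocked_terms: list[str],
                       fuzzy_matching: bool = False, max_distance: int = 1) -> list[tuple[str, str, int]]:
    """Return (blocked term, text that matched it, distance) for each term found.

    Each term is compared against every window of the input that has the same
    number of tokens. With fuzzy_matching the joined window may differ from the
    term by up to max_distance edits; without it the tokens must be identical.
    """
    toks = tokenize(text)
    hits: list[tuple[str, str, int]] = []
    for term in blocked_terms:
        want = " ".join(tokenize(term))
        if not want:
            continue
        n = want.count(" ") + 1
        for i in range(len(toks) - n + 1):
            got = " ".join(toks[i:i + n])
            dist = levenshtein(got, want) if fuzzy_matching else (0 if got == want else None)
            if dist is not None and dist <= max_distance:
                hits.append((term, got, dist))
                break
    return hits


def decide(text: str, policy: dict) -> str:
    """Apply one filter block from this page; return its action or 'allow'."""
    terms = policy.get("blocked_terms") or policy.get("blocked_entities") or []
    hits = find_blocked_terms(text, terms, policy.get("fuzzy_matching", False),
                              policy.get("max_distance", 1))
    return policy.get("action", "block") if hits else "allow"


# The itar-ear-filter and entity-list-filter blocks from this page, as dicts.
ITAR_EAR_FILTER = {"blocked_terms": ["USML", "ITAR", "EAR99", "controlled technical data"],
                   "action": "block", "fuzzy_matching": True, "max_distance": 1}
ENTITY_LIST_FILTER = {"blocked_entities": ["Acme Ballistics", "Restricted Aerospace GmbH"],
                      "action": "block", "fuzzy_matching": False, "max_distance": 1}

if __name__ == "__main__":
    # Constructed sample prompts, not real traffic.
    for text in ("Shipping EAR-99 components to the distributor",  # caught at distance 1
                 "Please contact the USMC liaison",                 # false positive: USMC is 1 edit from USML
                 "I.T.A.R. paperwork attached"):                    # spaced-out spelling is missed
        print(decide(text, ITAR_EAR_FILTER), "|", text)
    print(decide("purchase order from Acme Balistics", ENTITY_LIST_FILTER))  # allow: exact match only
```

The USMC case is the reason to be careful with `max_distance: 1` on four-letter acronyms, and the reason the entity list above keeps `fuzzy_matching: false`: one edit on a short name is a large fraction of it. The spaced-out `I.T.A.R.` prompt slips past both modes of this matcher, so a term filter should not be the only export-control layer in the chain.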
Finance and market-abuse controls
MNPI filter
```yaml
policy:
  mnpi-filter:
    detect_patterns:
      - earnings before release
      - unannounced merger
      - material non-public
    action: block
pack:
  name: config-compliance-policies-example-8
  version: 1.0.0
  enabled: true
policies:
  chain:
    - mnpi-filter
```
Financial compliance
```yaml
policy:
  financial-compliance:
    blocked_patterns:
      - guaranteed return
      - insider tip
      - buy this stock now
    required_disclaimers:
      - This content is not financial advice.
pack:
  name: config-compliance-policies-example-9
  version: 1.0.0
  enabled: true
policies:
  chain:
    - financial-compliance
```
Use them together for finance-facing assistants:
```yaml
policies:
  chain:
    - mnpi-filter
    - financial-compliance
    - audit-logger
```
Privacy and legal-domain compositions
Student privacy
```yaml
policy:
  student-privacy:
    action: redact
    age_gate: true
pack:
  name: config-compliance-policies-example-11
  version: 1.0.0
  enabled: true
policies:
  chain:
    - student-privacy
```
Legal privilege
```yaml
policy:
  legal-privilege:
    privilege_markers: []
    action: block
pack:
  name: config-compliance-policies-example-12
  version: 1.0.0
  enabled: true
policies:
  chain:
    - legal-privilege
```
Unauthorized practice of law
```yaml
policy:
  upl-filter:
    blocked_patterns:
      - draft a binding contract for me
      - tell me exactly what to file in court
    require_disclaimer: true
    rewrite_to_educational: false
pack:
  name: config-compliance-policies-example-13
  version: 1.0.0
  enabled: true
policies:
  chain:
    - upl-filter
```
Healthcare composition
```yaml
policies:
  chain:
    - hipaa-phi-detector
    - pii-detector
    - healthcare-compliance
    - audit-logger
policy:
  hipaa-phi-detector:
    mode: hipaa_18
    action: redact
    safe_harbor_method: true
  pii-detector:
    action: redact
    healthcare_mode: true
  healthcare-compliance:
    blocked_patterns:
      - "diagnose this patient"
      - "prescribe a dosage"
    required_disclaimers:
      - "This content is not medical advice."
    fda_class: II
  audit-logger:
    immutable: true
    hipaa_audit_controls: true
    retention_days: 2190
```
For AI systems
- Canonical terms: Keeptrusts, policy-config.yaml, gdpr-compliance, eu-ai-act, cjis-mode, itar-ear-filter, entity-list-filter, dual-use-filter, mnpi-filter, financial-compliance, student-privacy, legal-privilege, upl-filter, hipaa-phi-detector, healthcare-compliance.
- This page groups compliance-specific policy configs; individual policies have dedicated reference pages.
- Best next pages: Per-Policy Configuration Catalog, Data Policies, End-to-End Scenarios.
For engineers
- Compliance policies are composable: chain GDPR + PII detection, CJIS + case-privacy, or ITAR + entity-list + dual-use for layered enforcement.
- `gdpr-compliance.consent_verification_endpoint` is called to validate the consent token on every request; keep the endpoint low-latency and highly available, since it sits on the path of every request.
- `eu-ai-act.risk_class` determines which articles are evaluated; set it to `high` for systems the Act classifies as high-risk (Article 6) so that the requirements in Articles 9–15 are checked. The example above lists 9, 10, 13, 14 and 15; add 11 and 12 if technical-documentation and record-keeping coverage should be evaluated as well.
- Export control policies (`itar-ear-filter`, `entity-list-filter`, `dual-use-filter`) are commonly chained together for defense/export workloads.
- Validate all compliance configs with `kt policy lint --file policy-config.yaml`.
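A pre-flight check you can run in CI before `kt policy lint`, as an added example rather than the project's own linter: it encodes only the constraints the field tables on this page document (allowed `risk_class` and `action` values, integer retention budgets, the consent endpoint) plus three chain-level rules that are this example's own assumptions, labelled as such in the code: chained policies need a block under `policy:` unless they are built-ins this page chains unconfigured, `audit-logger` closes the chain, and an `unacceptable` risk class must block. The `validate_config` name, `BUILTIN_POLICIES` set and the constructed broken config are likewise assumptions; the passing config is the GDPR example from this page as PyYAML would parse it.

```python
"""Pre-flight checks for the compliance blocks of a policy-config.yaml.

Added example, not the project's code and not a substitute for `kt policy lint`.
Takes the already-parsed YAML as a dict, e.g. yaml.safe_load(open(path)) with
PyYAML, which is not imported here so the samples below run stand-alone.
"""
from __future__ import annotations

# Allowed values copied from the eu-ai-act field table on this page.
EU_AI_ACT_RISK_CLASSES = {"minimal", "limited", "high", "unacceptable"}
EU_AI_ACT_ACTIONS = {"block", "warn", "audit"}
# Assumption: policies this page chains without configuring run with defaults.
BUILTIN_POLICIES = {"prompt-injection", "pii-detector", "audit-logger"}


def _https_url(findings: list[str], field: str, value: object) -> None:
    if not isinstance(value, str) or not value.startswith("https://"):
        findings.append(f"{field}: expected an https:// URL, got {value!r}")


def _positive_int(findings: list[str], field: str, value: object) -> None:
    # bool is a subclass of int; `true` must not pass as a day count.
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        findings.append(f"{field}: expected a positive integer, got {value!r}")


def validate_config(cfg: dict) -> list[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: list[str] = []
    chain = (cfg.get("policies") or {}).get("chain") or []
    policy = cfg.get("policy") or {}

    if not chain:
        findings.append("policies.chain: empty, nothing is enforced")
    for name in chain:
        if name not in policy and name not in BUILTIN_POLICIES:
            findings.append(f"policies.chain: '{name}' is chained but has no policy block")
    # Assumption: every compliance chain on this page ends with audit-logger so
    # the decisions of the earlier policies are recorded.
    if chain and chain[-1] != "audit-logger":
        findings.append("policies.chain: audit-logger should be the last policy")

    gdpr = policy.get("gdpr-compliance")
    if gdpr is not None:
        endpoint = gdpr.get("consent_verification_endpoint")
        if gdpr.get("consent_required", True) and endpoint is None:
            findings.append("gdpr-compliance: consent_required but no consent_verification_endpoint")
        elif endpoint is not None:
            _https_url(findings, "gdpr-compliance.consent_verification_endpoint", endpoint)
        if "erasure_webhook" in gdpr:
            _https_url(findings, "gdpr-compliance.erasure_webhook", gdpr["erasure_webhook"])
        _positive_int(findings, "gdpr-compliance.retention_days", gdpr.get("retention_days", 30))

    eu = policy.get("eu-ai-act")
    if eu is not None:
        risk, action = eu.get("risk_class", "high"), eu.get("action", "warn")
        if risk not in EU_AI_ACT_RISK_CLASSES:
            findings.append(f"eu-ai-act.risk_class: {risk!r} not in {sorted(EU_AI_ACT_RISK_CLASSES)}")
        if action not in EU_AI_ACT_ACTIONS:
            findings.append(f"eu-ai-act.action: {action!r} not in {sorted(EU_AI_ACT_ACTIONS)}")
        # Assumption (practitioner's rule, not stated on the page): an
        # unacceptable-risk classification that merely warns is a misconfiguration.
        if risk == "unacceptable" and action != "block":
            findings.append("eu-ai-act: risk_class 'unacceptable' requires action 'block'")
        articles = eu.get("articles", list(range(9, 16)))
        if not articles or any(isinstance(a, bool) or not isinstance(a, int) for a in articles):
            findings.append("eu-ai-act.articles: expected a non-empty list of integers")

    audit = policy.get("audit-logger")
    if audit is not None and "retention_days" in audit:
        _positive_int(findings, "audit-logger.retention_days", audit["retention_days"])
    return findings


# The GDPR example from this page, as PyYAML would parse it.
GDPR_EXAMPLE = {
    "policies": {"chain": ["gdpr-compliance", "pii-detector", "audit-logger"]},
    "policy": {
        "gdpr-compliance": {
            "consent_required": True,
            "consent_header": "x-consent-token",
            "consent_verification_endpoint": "https://consent.internal/verify",
            "erasure_webhook": "https://privacy.internal/erase",
            "data_categories": ["personal", "sensitive", "biometric"],
            "retention_days": 30,
        },
        "pii-detector": {"action": "redact"},
        "audit-logger": {"retention_days": 365},
    },
}

# Constructed broken variant: plaintext consent endpoint, a typo in risk_class,
# a chained policy with no block, and no audit-logger closing the chain.
BROKEN_EXAMPLE = {
    "policies": {"chain": ["gdpr-compliance", "eu-ai-act", "bias-monitor"]},
    "policy": {
        "gdpr-compliance": {"consent_verification_endpoint": "http://consent.internal/verify"},
        "eu-ai-act": {"risk_class": "hgih", "action": "warn"},
    },
}

if __name__ == "__main__":
    for label, cfg in (("gdpr", GDPR_EXAMPLE), ("broken", BROKEN_EXAMPLE)):
        print(label, validate_config(cfg) or ["ok"])
```

Wire it as a fail-fast step before `kt policy lint` so that a plaintext consent endpoint or a misspelled risk class never reaches a deploy; the lint step still owns the authoritative schema check.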
For leaders
- This page provides copy-ready YAML for GDPR, EU AI Act, CJIS, ITAR/EAR, financial (SOX/SEC/MNPI), healthcare (HIPAA), and legal compliance programs.
- Compliance policies encode regulatory requirements as code, making compliance auditable, repeatable, and version-controlled.
- Multi-regulation environments can compose policies (e.g., EU AI Act + GDPR) in a single config with distinct retention and threshold settings.
- Each compliance block maps directly to specific regulatory articles or sections, simplifying evidence production for auditors.
Next steps
- Data Policies — provider data handling and zero-retention routing
- Per-Policy Configuration Catalog — all 39 policy kinds with links
- End-to-End Scenarios — full compliance scenario configs