End-to-End Configuration Scenarios

These scenarios are schema-backed examples you can adapt directly into policy-config.yaml.

Use this page when

  • You need complete, copy-paste-ready policy configurations for common industry scenarios.
  • You are building a new gateway config and want a proven starting point for finance, healthcare, defense, or enterprise use cases.
  • You want to see how multiple policies, providers, and rate limits compose into a working deployment.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

1. Finance assistant with DLP and compliance disclaimers

pack:
  name: finance-assistant
  version: 1.0.0
  enabled: true

providers:
  targets:
    - id: openai-prod
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: openai-mini
      provider: openai
      model: gpt-4o-mini
      secret_key_ref:
        env: OPENAI_API_KEY
  routing:
    strategy: ordered
  fallback:
    triggers:
      - rate_limit
      - server_error
      - timeout
    max_fallback_attempts: 2

global_rate_limit:
  max_requests: 500
  window_seconds: 60

user_rate_limit:
  max_requests: 50
  window_seconds: 60
  header_names:
    - X-User-Id

policies:
  chain:
    - prompt-injection
    - pii-detector
    - dlp-filter
    - financial-compliance
    - audit-logger

policy:
  pii-detector:
    action: redact
    pci_mode: true
  dlp-filter:
    blocked_terms:
      - "wire transfer instructions"
      - "raw customer export"
    action: block
    sensitivity_level: restricted
  financial-compliance:
    blocked_patterns:
      - "guaranteed return"
      - "buy this stock now"
    required_disclaimers:
      - "This content is not financial advice."
  audit-logger:
    immutable: true
    retention_days: 365

2. HIPAA-aware healthcare assistant

pack:
  name: healthcare-hipaa
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: azure-health
      provider: azure-openai
      model: gpt-4o
      base_url: https://health-resource.openai.azure.com
      secret_key_ref:
        env: AZURE_OPENAI_KEY
history:
  enabled: true
  mode: metadata_only
  include_blocked: true
  fail_open: true
policies:
  chain:
    - prompt-injection
    - hipaa-phi-detector
    - pii-detector
    - healthcare-compliance
    - audit-logger
policy:
  hipaa-phi-detector:
    mode: hipaa_18
    action: redact
    safe_harbor_method: true
  pii-detector:
    action: redact
    healthcare_mode: true
  healthcare-compliance:
    blocked_patterns:
      - diagnose this patient
      - prescribe a dosage
    required_disclaimers:
      - This content is not medical advice.
    fda_class: II
  audit-logger:
    immutable: true
    hipaa_audit_controls: true
    retention_days: 2190

3. Defense and export-control gateway

pack:
  name: defense-controls
  version: 1.0.0
  enabled: true

providers:
  targets:
    - id: openai-gov
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY

ip_allowlist:
  enabled: true
  cidrs:
    - 10.100.0.0/16
    - 10.101.0.0/16

policies:
  chain:
    - prompt-injection
    - itar-ear-filter
    - entity-list-filter
    - dual-use-filter
    - audit-logger

policy:
  itar-ear-filter:
    blocked_terms:
      - ITAR
      - EAR99
      - "controlled technical data"
    action: block
  entity-list-filter:
    blocked_entities:
      - "Restricted Aerospace GmbH"
      - "Acme Ballistics"
    action: block
  dual-use-filter:
    blocked_terms:
      - "missile guidance"
      - "centrifuge design"
    action: block
  audit-logger:
    immutable: true
    retention_days: 3650

4. EU AI Act recruitment workflow

pack:
  name: eu-ai-act-recruitment
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-eu
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
policies:
  chain:
    - prompt-injection
    - pii-detector
    - bias-monitor
    - human-oversight
    - eu-ai-act
    - audit-logger
policy:
  pii-detector:
    action: redact
  bias-monitor:
    protected_characteristics:
      - gender
      - age
      - ethnicity
      - disability
    threshold: 0.85
    action: escalate
  human-oversight:
    require_human_for:
      - hiring
      - candidate-screening
    action: escalate
    confidence_threshold: 0.7
    timeout_seconds: 3600
  eu-ai-act:
    risk_class: high
    articles:
      - 9
      - 10
      - 13
      - 14
      - 15
    action: warn
  audit-logger:
    retention_days: 730

5. Zero-data-retention routing

pack:
  name: zero-retention-routing
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: openai-zdr
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: anthropic-zdr
      provider: anthropic
      model: claude-sonnet-4-20250514
      secret_key_ref:
        env: ANTHROPIC_API_KEY
    - id: openai-standard
      provider: openai
      model: gpt-4o-mini
      secret_key_ref:
        env: OPENAI_API_KEY
  routing:
    strategy: ordered
  fallback:
    triggers:
      - rate_limit
      - server_error
      - timeout
    max_fallback_attempts: 2
logging:
  redact_message_bodies: true
  redact_api_keys: true
history:
  enabled: false
cache:
  enabled: false
policies:
  chain:
    - data-routing-policy
    - audit-logger
policy:
  data-routing-policy:
    require_zero_data_retention: true
    require_no_training: true
    on_no_compliant_provider: block
    log_provider_selection: true
  audit-logger:
    retention_days: 365

6. Multi-tenant routes and consumer groups

pack:
  name: multi-tenant-gateway
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: chat-upstream
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY
    - id: embed-upstream
      provider: openai
      model: text-embedding-3-small
      secret_key_ref:
        env: OPENAI_API_KEY
routes:
  - name: chat-route
    path: "/v1/chat/completions"
    upstream: chat-upstream
    chain:
      - prompt-injection
      - pii-detector
      - audit-logger
  - name: embedding-route
    path: "/v1/embeddings"
    upstream: embed-upstream
    chain:
      - audit-logger
consumer_groups:
  key_header: Authorization
  groups:
    - name: enterprise
      api_keys:
        - sha256:enterprise_key_hash_here
      rate_limit:
        max_requests: 1000
        max_tokens: 500000
        window_seconds: 3600
      upstream: chat-upstream
    - name: starter
      api_keys:
        - sha256:starter_key_hash_here
      rate_limit:
        max_requests: 50
        max_tokens: 25000
        window_seconds: 3600
      upstream: chat-upstream
global_rate_limit:
  max_requests: 2000
  window_seconds: 60
policies:
  chain:
    - prompt-injection
    - pii-detector
    - audit-logger
policy:
  prompt-injection: {}
  pii-detector:
    action: redact
  audit-logger:
    immutable: true
    retention_days: 365
    log_all_access: true

7. Execution-target agent workflow

pack:
  name: claude-agent-gateway
  version: 1.0.0
  enabled: true
providers:
  targets:
    - id: claude-agent
      provider: claude-agent-sdk
      model: claude-sonnet-4-20250514
      secret_key_ref:
        env: ANTHROPIC_API_KEY
policies:
  chain:
    - agent-firewall
    - prompt-injection
    - tool-validation
    - tool-budget
    - audit-logger
policy:
  agent-firewall:
    allowed_tools:
      - Read
      - Write
    blocked_tools:
      - WebFetch
    max_actions_per_session: 100
  tool-validation:
    declared_tools:
      - Read
      - Write
    allow_undeclared: false
  tool-budget:
    budgets:
      Read:
        max_tokens: 5000
        max_cost_usd: 0.5
      Write:
        max_tokens: 10000
        max_cost_usd: 1.0

8. Quality benchmarking with review fallback

pack:
  name: quality-benchmarking
  version: 1.0.0
  enabled: true

providers:
  targets:
    - id: openai-prod
      provider: openai
      model: gpt-4o
      secret_key_ref:
        env: OPENAI_API_KEY

policies:
  chain:
    - citation-verifier
    - quality-scorer
    - flagged-review
    - audit-logger

policy:
  citation-verifier:
    require_sources: true
    min_confidence: 0.8
  quality-scorer:
    benchmarks:
      ragas_faithfulness: true
      ragas_relevancy: true
      bleu_score: true
    assertions:
      - type: contains
        value: source
      - type: llm-rubric
        config:
          rubric: "The answer should be grounded and easy to verify."
        threshold: 0.8
    thresholds:
      min_aggregate: 0.8
      min_faithfulness: 0.8
    failure_action:
      action: block
  flagged-review:
    mode: review_and_return
    provider:
      name: review-llm
      endpoint: https://api.openai.com/v1/chat/completions
      model: gpt-4o-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      timeout_ms: 5000

For AI systems

  • Canonical terms: Keeptrusts, policy-config.yaml, pack, policies.chain, providers.targets, finance, healthcare, HIPAA, defense, ITAR, enterprise
  • Config/command names: Complete policy-config.yaml examples combining: pack, providers, global_rate_limit, user_rate_limit, policies.chain, policy.* blocks
  • Best next pages: Declarative Config Reference, Policy Controls Catalog, Config Testing

For engineers

  • Prerequisites: Environment variables for provider API keys referenced in each scenario. A running gateway to validate configs.
  • Validation: Copy a scenario into policy-config.yaml, run kt policy lint --file policy-config.yaml, then start with kt gateway run --policy-config policy-config.yaml. Run kt policy test if the scenario includes a testing: section.
  • Key commands: kt policy lint, kt gateway run, kt policy test

For leaders

  • Governance: Each scenario represents a compliance posture — review which policies are included and at what action levels (block vs redact vs audit) to ensure alignment with your risk appetite.
  • Cost: Longer policy chains add per-request latency. Finance and healthcare scenarios with multiple compliance policies may add 50–200ms per request depending on embedding backends.
  • Rollout: Start with a scenario closest to your requirements. Remove policies you don't need rather than building from scratch. Promote from audit to enforce mode gradually.
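
The review described under Governance can be scripted before a scenario is promoted. The following is an added example, not Keeptrusts code and not a replacement for kt policy lint: it lists each chained policy with its action and flags items to check. The finding rules, the treatment of warn as non-enforcing, and the sample config are assumptions made for this example.

```ruby
require "yaml"

# Constructed sample in the shape of the scenarios on this page (not a real deployment).
SAMPLE = <<~CONFIG
  policies:
    chain: [prompt-injection, pii-detector, eu-ai-act, audit-logger]
  policy:
    pii-detector: { action: redact }
    eu-ai-act: { risk_class: high, action: warn }
    dlp-filter: { action: block }
    audit-logger: { retention_days: 730 }
  consumer_groups:
    groups:
      - name: starter
        api_keys: ["sha256:starter_key_hash_here"]
CONFIG

ENFORCING = %w[block redact escalate].freeze # assumption: these change or stop a request

# Returns { actions: {policy => action}, findings: [String] } for one config document.
def review_config(text)
  cfg    = YAML.safe_load(text) || {}
  blocks = cfg["policy"] || {}
  # Policies run from the global chain and from any per-route chain (scenario 6).
  chains = [cfg.dig("policies", "chain")] + (cfg["routes"] || []).map { |r| r["chain"] }
  active = chains.compact.flatten.uniq
  actions = active.to_h { |name| [name, (blocks[name] || {})["action"] || "(not set)"] }

  findings = []
  (blocks.keys - active).each do |name|
    findings << "policy.#{name} is configured but appears in no chain"
  end
  actions.each do |name, action|
    next if ENFORCING.include?(action) || action == "(not set)"
    findings << "#{name} uses non-enforcing action '#{action}'"
  end
  if active.include?("audit-logger") && blocks.dig("audit-logger", "immutable") != true
    findings << "audit-logger does not set immutable: true"
  end
  keys = (cfg.dig("consumer_groups", "groups") || []).flat_map { |g| g["api_keys"] || [] }
  keys.grep(/_hash_here\z/).each { |k| findings << "placeholder API key hash left in: #{k}" }
  { actions: actions, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  report = review_config(ARGV[0] ? File.read(ARGV[0]) : SAMPLE)
  report[:actions].each { |name, action| puts format("%-22s %s", name, action) }
  report[:findings].each { |f| puts "REVIEW: #{f}" }
end
```

Pass the path to policy-config.yaml as the first argument to review a real file; an "(not set)" action means the policy runs with whatever default the gateway applies, which the reviewer should confirm in the reference docs.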

Next steps