Skip to main content

Policy Controls Catalog

Keeptrusts supports a broad set of policy controls across request, tool, output, routing, and audit paths. This catalog gives customers a practical view of what major controls are for and how to start composing them.

Request, tool, and routing controls

  • data-routing-policy: filter which configured providers may receive traffic.
  • prompt-injection: detect jailbreak and prompt-injection signals before upstream calls.
  • pii-detector: redact or block sensitive identifiers and power buffered response redaction.
  • hipaa-phi-detector: add HIPAA-style PHI heuristics on top of the shared redaction pipeline.
  • rbac: enforce role, identity, and sensitivity-based access rules.
  • agent-firewall: allow or deny tool use and enforce per-request action or transaction limits.
  • cjis-mode: enforce CJIS-style request constraints.
  • dlp-filter: apply broader data-loss-prevention pattern controls.
  • safety-filter: block or escalate unsafe content patterns.
  • student-privacy: protect student-data scenarios.
  • case-privacy: protect case-sensitive justice and legal data.
  • itar-ear-filter: block export-control reference terms.
  • entity-list-filter: match restricted or watch-listed entities.
  • dual-use-filter: detect dual-use and sensitive capability signals.
  • embedding-detector: semantic detector that can be declared directly in config.

Output controls

  • quality-scorer: compute and act on quality thresholds.
  • human-oversight: return an escalated result instead of delivering assistant content.
  • citation-verifier: evaluate groundedness against provided context.
  • mnpi-filter: block generated output containing configured MNPI phrases.
  • financial-compliance: add finance-oriented compliance behavior.
  • legal-privilege: block generated output containing privilege markers.
  • upl-filter: apply unauthorized-practice-of-law controls.
  • bias-monitor: escalate the built-in HR-oriented bias signal when it reaches the configured threshold.
  • response-rewriter: apply deterministic response transformations after the upstream model returns.
  • healthcare-compliance: enforce medical blocked patterns and disclaimers.

Audit and evidence

  • audit-logger: emit an allow-only marker showing that audit logging is part of the active chain; storage and retention are configured separately.

Starter configurations

Below are valid starter YAML snippets for common combinations.

PII redaction with audit logging

policies:
chain:
- pii-detector
- audit-logger

policy:
pii-detector:
action: redact
redaction:
marker_format: label
include_metadata: true
audit-logger: {}

Prompt-injection protection

policies:
chain:
- prompt-injection
- audit-logger

policy:
prompt-injection:
attack_patterns:
- "ignore.*previous.*instructions"
- "forget.*system.*prompt"
encoding:
decode_base64: true
normalize_unicode: true
detect_homoglyphs: true
boundaries:
enforce_delimiters: true
reject_fake_boundaries: true

Agent firewall with role-based tool access

policies:
chain:
- agent-firewall
- rbac
- audit-logger

policy:
agent-firewall:
tools:
roles:
analyst:
allowed:
- search
- summarize
denied:
- execute_code
- shell_command

rbac:
require_auth: true
deny_if_missing:
- X-User-ID
- X-User-Role
roles:
analyst:
allowed_tools:
- search
- summarize
denied_tools:
- execute_code
- shell_command

Healthcare redaction stack

policies:
chain:
- data-routing-policy
- pii-detector
- hipaa-phi-detector
- healthcare-compliance
- audit-logger

policy:
data-routing-policy:
require_zero_data_retention: true
on_no_compliant_provider: block

pii-detector:
action: redact
healthcare_mode: true
pci_mode: false
redaction:
marker_format: label
include_metadata: true

hipaa-phi-detector:
action: redact
mode: hipaa_18
safe_harbor_method: true

healthcare-compliance: {}

audit-logger: {}

Finance output controls

policies:
chain:
- mnpi-filter
- financial-compliance
- quality-scorer
- audit-logger

policy:
mnpi-filter:
detect_patterns:
- "earnings before announcement"
- "merger not public"

financial-compliance: {}

quality-scorer:
min_output_chars: 100
min_sentences: 2

audit-logger: {}

Testing a policy config

After authoring, validate with the CLI and send a test request.

kt policy lint --file policy-config.yaml
curl http://localhost:41002/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $REQUEST_TOKEN" \
-d '{
"model": "gpt-5.4-mini",
"messages": [
{"role": "user", "content": "My SSN is 123-45-6789. Summarize the report."}
]
}'

Important limitations

  • The catalog describes major controls, but some behaviors are runtime-managed. For example, human-oversight currently acts only on action: escalate, and language-validator currently enforces input checks only.
  • Some controls are building blocks rather than complete compliance guarantees. Customers still own legal review, operating process, and provider governance.
  • Use the declarative config reference as the source of truth for exact accepted shapes.

Next steps