Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Investigate a Blocked RequestRoll Out a New TemplateResolve an EscalationExport Evidence for a ReviewReview Alerts and EvidenceTroubleshooting
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
FAQ

How To: Roll Out a New Template

Use this guide when your team wants to start from a Keeptrusts industry template and move it into a verified runtime workflow.

Use this page when

  • You want to bootstrap a new policy config from a Keeptrusts industry template (healthcare, finance, defense, etc.).
  • You need the end-to-end workflow from template selection through runtime verification in Events and Escalations.
  • You are deploying a template for the first time and want a checklist to avoid skipping validation steps.

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Outcome

By the end of this workflow, you should have:

  • Chosen the right template.
  • Initialized and edited a local declarative config.
  • Validated the config locally.
  • Applied it to a running gateway.
  • Verified runtime behavior in the console.

Workflow diagram

Step 1: Pick the closest template

Open Templates and compare:

  • Regulations.
  • Region coverage.
  • Policy chain.
  • Template description.

Choose the template that is closest to your operating domain, even if you expect to tune it later.

Step 2: Read the template detail page carefully

Do not skip the template detail page. It gives you:

  • The source directory.
  • The starter config path.
  • The supported kt workflow.
  • Links to the schema page and verification surfaces.

Step 3: Initialize and edit locally

Follow the template’s CLI sequence:

  1. Initialize the template locally.
  2. Edit policy-config.yaml for your environment.
  3. Add the correct upstream details and secrets.
  4. Review the schema page if you need field-level validation help.

Step 4: Validate before traffic

Run lint and tests before you expose representative traffic to the new config. This is where you catch schema, policy, and obvious fixture issues before runtime.

If your team uses the console to manage saved versions and rollout scope, open Configurations after local validation so you can review history, save a version with change detail, and choose the rollout targets explicitly.

Step 5: Verify what the gateway is actually running

After you start or update the gateway, open Gateways, then open the target gateway's Actions page and confirm:

  • Drift status.
  • Local source-of-truth version.
  • Running version.
  • SHA-256 digest.
  • Whether the page shows Current gateway config or Last active gateway config.
  • Policy chain.
  • Upstream and tracing context.

If the gateway Actions page does not show the config you expect, stop there. Do not treat the rollout as complete yet.

Step 6: Validate with real traffic

Send representative traffic through the gateway and then inspect:

  • Events for verdict distribution and reason codes.
  • Event detail views for policy results.
  • Escalations if the new chain triggers human review.

Step 7: Decide whether to continue or tune

  • If the runtime behavior matches intent, document the rollout and its owners.
  • If false positives or unexpected escalations appear, narrow the policy scope and repeat the cycle.

Rollout checklist

  • Template chosen.
  • Local config initialized.
  • Schema reviewed if needed.
  • Lint and tests passed.
  • Running config verified in Gateways.
  • Representative traffic reviewed in Events.
  • Escalations checked.

For AI systems

  • Canonical terms: Keeptrusts, industry template, template rollout, kt init, policy-config.yaml, policy chain, gateway actions, drift status, config version.
  • Feature and config names: Templates page, template detail page, kt init, kt policy lint, kt policy test, kt gateway run, Gateways → Actions, Configurations.
  • Console surfaces: Templates list, template detail, Gateways → Actions (drift, digest, running config), Events, Escalations.
  • Best next pages: Templates and Policy Workflows, Configurations, Gateways and Actions, Managing Policy Changes.

For engineers

  • Always run kt policy lint --file policy-config.yaml and kt policy test --json before exposing traffic to a new template-derived config.
  • After starting the gateway, verify the running config via Gateways → Actions — confirm the SHA-256 digest matches your local file.
  • If the Actions page shows "Last active gateway config" instead of "Current gateway config", the gateway is not running the expected version.
  • Send representative traffic (including edge cases your template’s controls should catch) and verify verdicts in Events before declaring the rollout complete.

For leaders

  • Industry templates accelerate compliance readiness by providing pre-built policy chains for regulated domains (HIPAA, CJIS, EU AI Act, ITAR).
  • A template is a starting point, not a turnkey compliance solution — teams must validate against their own traffic and regulatory obligations before declaring production readiness.
  • Track template rollouts as configuration change events in your governance process; each rollout should have an identifiable owner and documented verification.
  • False positives from overly broad templates create operational noise; budget time for tuning after the initial rollout.

Next steps