Defense Template

Policy configuration for defense and national security applications with export control enforcement.

Use this page when

  • You are building an AI application for defense, intelligence, or national security that must comply with ITAR/EAR export controls.
  • You need a starting config that screens against OFAC SDN and BIS Entity Lists, blocks classified markings, and restricts access to cleared personnel.
  • You want to go from zero to a running defense-compliant gateway with the defense-us starter (kt init --template defense-us).

Primary audience

  • Primary: Technical Engineers
  • Secondary: AI Agents, Technical Leaders

Policy Config

pack:
  name: "defense-us"
  version: "0.1.0"
  enabled: true
  description: "US defense and export control compliance"

policies:
  chain:
    - prompt-injection
    - itar-ear-filter
    - entity-list-filter
    - dlp-filter
    - rbac
    - audit-logger

  policy:
    prompt-injection:
      threshold: 0.9
      action: "block"

    itar-ear-filter:
      action: "block"
      categories:
        - "usml"
        - "ccl"
        - "nuclear"
        - "missile_technology"

    entity-list-filter:
      action: "block"
      lists:
        - "sdn"
        - "entity_list"
        - "denied_persons"

    dlp-filter:
      action: "block"
      patterns:
        - name: "classification_markings"
          regex: "(SECRET|TOP SECRET|CONFIDENTIAL)//[A-Z]+"
        - name: "cui_markings"
          regex: "CUI//(SP-)?[A-Z]+"

    rbac:
      default_action: "deny"
      roles:
        cleared_analyst:
          allowed_models: ["gpt-4o"]
          allowed_tools: ["search", "document_retrieval"]

    audit-logger:
      retention_days: 2555

What It Enforces

| Policy | Purpose |
| --- | --- |
| prompt-injection | High-threshold (0.9) adversarial detection |
| itar-ear-filter | Block ITAR/EAR export-controlled content |
| entity-list-filter | Match against OFAC SDN, BIS Entity List |
| dlp-filter | Prevent classified/CUI markings from leaking |
| rbac | Restrict access to cleared personnel only |
| audit-logger | 7-year retention for compliance |

Quick Start

# Save the Policy Config example on this page as policy-config.yaml
export OPENAI_API_KEY="sk-your-openai-key"
kt policy lint --file policy-config.yaml
kt gateway run \
  --listen 0.0.0.0:41002 \
  --policy-config policy-config.yaml

Keep provider credentials outside the file and let the config resolve OPENAI_API_KEY via secret_key_ref.

If you prefer the seeded starter, run kt init --template defense-us first and then add the provider block shown in the example config before linting and running.

Customization Ideas

  • Add cjis-mode for law enforcement crossover use cases
  • Add data-routing-policy to restrict to US-only providers
  • Add human-oversight for high-sensitivity queries
  • Adjust rbac.roles to match your organization's clearance levels

For AI systems

  • Canonical terms: Keeptrusts, defense-us, policy-config.yaml, kt init --template defense-us, itar-ear-filter, entity-list-filter, dlp-filter, rbac, classification markings, CUI.
  • Related policy kinds: prompt-injection, itar-ear-filter, entity-list-filter, dlp-filter, rbac, audit-logger.
  • Best next pages: Compliance Policies Configuration, CJIS Mode policy, Templates overview.

For engineers

  • Prerequisites: kt CLI installed, OPENAI_API_KEY set, familiarity with your organization's USML/CCL categories.
  • Validate: kt policy lint --file policy-config.yaml must pass. Then test with a prompt containing a known classification marking (e.g., SECRET//NOFORN) and confirm it is blocked.
  • Customize: add CJIS mode for law enforcement crossover, adjust rbac.roles to match your clearance levels, and add data-routing-policy to restrict to US-only providers.
  • Retention: 2,555 days (7 years) meets most DoD record-keeping mandates.
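
One way to run the marking test from the Validate step offline, as an added example (not Keeptrusts code): it applies the two dlp-filter regexes from the config on this page to constructed sample prompts and reports which marking forms are caught, missed, or flagged by mistake. It assumes the gateway applies each pattern as an unanchored, case-sensitive search, which Python's re.search reproduces; the sample strings and the function names scan and coverage are made up here.

```python
import re

# Patterns copied verbatim from the dlp-filter section of the config on this page.
PATTERNS = {
    "classification_markings": r"(SECRET|TOP SECRET|CONFIDENTIAL)//[A-Z]+",
    "cui_markings": r"CUI//(SP-)?[A-Z]+",
}

# Constructed samples: (prompt text, should a DLP filter flag it?)
SAMPLES = [
    ("Summarize the SECRET//NOFORN annex", True),
    ("TOP SECRET//SI//NOFORN", True),
    ("Handling: CUI//SP-CTI", True),
    ("secret//noforn draft", True),        # lowercase marking
    ("(S//NF) The unit moved", True),      # abbreviated portion marking
    ("Banner reads SECRET", True),         # level with no // caveat
    ("rotate API_SECRET//TODO", False),    # code comment, not a marking
    ("The CUI program overview", False),   # mentions CUI, carries no marking
]


def scan(text):
    """Return {pattern_name: matched_text} for each pattern that fires.

    Assumption: unanchored, case-sensitive search, as with re.search.
    """
    hits = {}
    for name, rx in PATTERNS.items():
        m = re.search(rx, text)
        if m:
            hits[name] = m.group(0)
    return hits


def coverage(samples=SAMPLES):
    """Return (missed, noisy): false negatives and false positives."""
    missed = [t for t, want in samples if want and not scan(t)]
    noisy = [t for t, want in samples if not want and scan(t)]
    return missed, noisy


if __name__ == "__main__":
    for text, want in SAMPLES:
        got = "flag" if scan(text) else "pass"
        print(f"{got}  expected={'flag' if want else 'pass'}  {text!r}")
    missed, noisy = coverage()
    print("missed:", missed)
    print("noisy: ", noisy)
```

Anything listed under missed or noisy is a marking form to account for when tuning dlp-filter.patterns for your program.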

For leaders

  • This template implements ITAR/EAR controls, entity-list screening, and classified-data DLP as automated policy — reducing reliance on manual review for export compliance.
  • RBAC restricts AI access to cleared analysts only, satisfying personnel-security requirements without separate access-control infrastructure.
  • The 7-year immutable audit trail supports Inspector General reviews and compliance audits.
  • Customize the entity-list-filter.lists to match the specific denied-party lists your program requires.
