Manage AI Policy as Code with GitOps

AI governance policies shouldn't live in dashboards where changes are invisible and unauditable. Keeptrusts lets you manage policies as YAML files in Git — versioned, reviewed, tested, and deployed through the same workflows you use for application code.

Use this page when

• You want AI governance policies versioned, reviewed, and deployed through your existing Git workflow.
• You need automated policy linting in CI and rollback-in-seconds capability for bad policy changes.
• You are setting up the Keeptrusts Git integration to auto-sync policy YAML from a repository to deployed gateways.

Primary audience

• Primary: Technical Leaders
• Secondary: Technical Engineers, AI Agents

What you'll achieve

• Policies in Git — every policy change is a reviewed, approved commit
• Declarative YAML configs — define your entire governance posture in a single file
• Automated sync — the API detects changes in your repo and pushes config reloads to gateways
• Policy linting — validate configs before they reach production
• Rollback in seconds — revert a bad policy change with git revert

---

How GitOps works in Keeptrusts

Developer edits policy-config.yaml
  → Opens pull request
    → CI runs kt config lint (validation)
    → Team reviews the change
    → PR merges to main
  → Keeptrusts API detects the change (poll-based sync)
    → Saves new configuration version
    → Pushes reload to deployed gateways
  → Gateways apply the new policy chain

The gateway picks up new policies without restarts. Your applications don't need to change.

---

Setting up Git integration

Link a repository

From the console:

1. Navigate to Configurations
2. Click Link Repository
3. Enter your Git repository URL and authentication details
4. Set the branch and file path to watch
5. Enable auto-sync

From the CLI:

# Link a Git repository to Keeptrusts
kt config git-link \
  --repo-url "https://github.com/yourco/ai-governance.git" \
  --branch main \
  --path "policy-config.yaml" \
  --auto-sync true

Authentication

Keeptrusts supports token-based Git authentication. Access tokens are encrypted at rest with AES-GCM-SIV.

# Link with a Git access token
kt config git-link \
  --repo-url "https://github.com/yourco/ai-governance.git" \
  --branch main \
  --path "policy-config.yaml" \
  --token "$GIT_ACCESS_TOKEN" \
  --auto-sync true

---

Declarative config structure

A single YAML file defines your complete governance posture:

pack:
  name: production-governance
  version: "2.1"

policies:
  chain:
    - rbac
    - prompt-injection
    - pii-detector
    - dlp-filter
    - quality-scorer
    - audit-logger

policy:
  rbac:
    require_auth: true
    deny_if_missing:
      - role
      - team

  prompt-injection:
    embedding_threshold: 0.8
    response:
      action: block
    encoding:
      decode_base64: true
      normalize_unicode: true

  pii-detector:
    action: redact
    categories:
      - email
      - phone
      - ssn
      - credit_card

  dlp-filter:
    patterns:
      - name: api_keys
        regex: "(sk-[a-zA-Z0-9]{48}|AKIA[A-Z0-9]{16})"
        action: block

  quality-scorer:
    overall_min_score: 0.65
    on_fail: escalate

  audit-logger:
    retention_days: 365

providers:
  targets:
    - id: openai-gpt4o
      provider: openai
      model: gpt-4o
      secret_key_ref:
        store: OPENAI_API_KEY

Note: secret_key_ref resolves through the config-variable system — secrets are never stored in Git.

---

Policy linting: catch errors before merge

Validate configs in CI before they reach production:

# Lint a policy config file
kt config lint --file policy-config.yaml

The linter checks:

• YAML syntax validity
• Required fields are present
• Policy names match the catalog
• Provider targets have valid fields
• Config variable references are well-formed

CI integration

Add linting to your CI pipeline:

# .github/workflows/policy-lint.yml
name: Policy Lint
on:
  pull_request:
    paths:
      - "policy-config.yaml"

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Keeptrusts CLI
        run: curl -fsSL https://get.keeptrusts.com | sh
      - name: Lint policy config
        run: kt config lint --file policy-config.yaml

---

Policy testing: validate behavior

Test that your policy config produces expected behavior:

# Test a config with a sample request
kt config test \
  --file policy-config.yaml \
  --input '{"messages": [{"role": "user", "content": "My SSN is 123-45-6789"}]}' \
  --expect-action redact

Run policy tests as part of your CI pipeline alongside linting.

---

Auto-sync and versioning

When Keeptrusts detects a change in the linked repository:

1. The API clones/pulls the repository
2. Diffs the YAML against the current stored configuration version
3. If content changed, saves a new configuration version
4. Pushes a reload command to all gateways using this configuration

# Check sync status
kt config git-status --configuration-id my-config

# Manually trigger a sync
kt config git-sync --configuration-id my-config

Auto-create configurations

For new repositories, enable auto-creation to have Keeptrusts create the configuration entity on first sync:

kt config git-link \
  --repo-url "https://github.com/yourco/ai-governance.git" \
  --branch main \
  --path "policy-config.yaml" \
  --auto-sync true \
  --auto-create true

---

Rollback

Bad policy change? Revert the Git commit and the sync picks it up:

# Revert the last commit
git revert HEAD
git push origin main
# Keeptrusts auto-syncs and rolls back to the previous config version

You can also roll back from the console:

1. Navigate to Configurations
2. Select the configuration
3. View version history
4. Click Restore on a previous version

---

Quick wins

1. Move one config to Git — start with a non-production configuration to test the workflow
2. Add kt config lint to CI — catch config errors before they reach production
3. Enable auto-sync — eliminate manual config deployment
4. Require PR reviews for policy changes — use your existing code review process for governance

---

For AI systems

• Canonical terms: GitOps, policy-as-code, declarative YAML config, auto-sync, Git linked repository, policy linting, configuration version.
• Config keys: pack.name, pack.version, policies.chain, policy.*, providers.targets.
• CLI commands: kt config lint, kt config git-link, kt gateway run --policy-config.
• Console surface: Configurations and the Monaco YAML workbench.
• Best next pages: Versioned Configuration Rollout, Configurations, Declarative Config Reference.

For engineers

• Prerequisites: a Git repository with your policy-config.yaml and Keeptrusts API access.
• Review the YAML in Git, then import or paste the approved file into Configurations before saving and deploying it.
• Add kt config lint --file policy-config.yaml to your CI pipeline to catch errors before merge.
• Validate: merge a policy change and confirm the gateway reloads automatically (check Events for a config-reload event).
• Rollback: git revert <commit> → push → gateway picks up the reverted config within the sync interval.

For leaders

• Every policy change is a reviewed PR — full audit trail of who changed what, when, and why.
• CI linting prevents broken policies from reaching production, reducing incidents.
• Rollback via git revert takes seconds, not hours of manual intervention.
• Policy-as-code aligns AI governance with existing DevOps practices, reducing training and process overhead.

Next steps

• Versioned Configuration Rollout — supported saved-version rollout workflow
• Configurations — configuration management and versioning
• Declarative Config Reference — complete YAML schema
• Managing Policy Changes — policy change workflow best practices
• Settings and Gateway Config — gateway configuration options