Set Up Team-Based AI Governance at Scale
One-size-fits-all AI policies don't work. Engineering needs broader model access, support needs PII protection, legal needs strict compliance controls, and finance needs spend limits. Keeptrusts lets you define governance per team — different policies, different budgets, different models — all from a single platform.
Use this page when
- You need different AI policies, budgets, and model access per team within a single Keeptrusts deployment.
- You are setting up RBAC with team-scoped dashboards so each department sees only their own usage.
- You want to configure per-team policy targeting and wallet allocations at scale.
Primary audience
- Primary: Technical Leaders
- Secondary: Technical Engineers, AI Agents
What you'll achieve
- Team-scoped policies — each team gets the controls appropriate to their risk profile
- Per-team spend limits — wallet allocations that prevent any team from overspending
- Role-based access control — members, admins, and owners with different permissions
- Team dashboards — each team sees their own usage, spend, and policy events
- Consumer groups — segment traffic by application type within a team
Creating teams
From the console
- Navigate to Settings → Members & Teams
- Click Create Team
- Enter a team name and description
- Add members and assign roles
From the CLI
# Create a team
kt team create --name "Engineering" --description "Engineering AI workloads"
# Add a member
kt team add-member --team "Engineering" --email dev@yourco.com --role member
Roles and permissions
Keeptrusts uses a three-tier role model across the organization:
| Role | Scope | Capabilities |
|---|---|---|
| Owner | Organization | Full access — team management, billing, platform settings |
| Admin | Team or Org | Team configuration, policy management, spend visibility |
| Member | Team | Use the gateway, view own events, access team dashboard |
RBAC policy enforcement
The rbac policy enforces identity requirements at the gateway:
policies:
chain:
- rbac
- pii-detector
- audit-logger
policy:
rbac:
require_auth: true
deny_if_missing:
- role
- team
minimum_role: member
Requests without a valid team and role attribution are blocked before reaching any other policy in the chain.
Per-team policy targeting
Apply different policy chains to different teams using targeting:
policies:
chain:
# Engineering — broader access, lighter controls
-
rbac:
targeting:
scope: team
teams: [engineering]
- audit-logger
# Support — PII protection required
-
pii-detector:
targeting:
scope: team
teams: [support]
-
rbac:
targeting:
scope: team
teams: [support]
- audit-logger
# Legal — strict compliance
-
pii-detector:
targeting:
scope: team
teams: [legal]
-
hipaa-phi-detector:
targeting:
scope: team
teams: [legal]
-
human-oversight:
targeting:
scope: team
teams: [legal]
- audit-logger
policy:
rbac:
require_auth: true
minimum_role: member
pii-detector:
action: redact
hipaa-phi-detector:
mode: hipaa_18
action: redact
human-oversight:
require_review: true
Per-team spend limits
Allocate budgets per team with wallets. When a wallet runs dry, requests are queued — no surprise bills.
# Allocate $1,000/month to Engineering
curl -X POST https://api.keeptrusts.com/v1/wallets/allocate \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"team_id": "engineering-team-id",
"amount": 1000.00,
"currency": "USD"
}'
# Allocate $200/month to Support
curl -X POST https://api.keeptrusts.com/v1/wallets/allocate \
-H "Authorization: Bearer $API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"team_id": "support-team-id",
"amount": 200.00,
"currency": "USD"
}'
Wallet cascade
When a user makes a request, the gateway checks wallet balance in this order:
- User wallet — does this individual have a personal allocation?
- Team wallet — does the user's team have balance?
- Organization wallet — is there org-level budget remaining?
If no wallet in the cascade has sufficient balance, a cost ticket is created and the request is queued until approved or funded.
Team dashboards
Each team sees a scoped view of the console showing only their data:
| Dashboard section | What it shows |
|---|---|
| Overview | Team-level request volume, cost, and policy event trends |
| Events | Only events attributed to this team's requests |
| Spend | Team cost breakdown by model, user, and time period |
| Escalations | Only escalations from this team's traffic |
| Usage | Individual member usage and admin drill-down within the team |
Team admins see their team's full data. Members see their own usage plus team aggregates.
Consumer groups
Within a team, segment traffic by application type for more granular control:
providers:
consumer_groups:
- name: internal-tools
models:
- provider: openai
model: gpt-4o-mini
routing: lowest_latency
- name: customer-facing
models:
- provider: openai
model: gpt-4o
- provider: anthropic
model: claude-sonnet-4-20250514
routing: cost_optimized
Applications specify their consumer group in the request, and the gateway routes accordingly — cheaper models for internal tools, higher-quality models for customer-facing features.
Example: multi-team governance config
pack:
name: multi-team-governance
version: "1.0"
policies:
chain:
- rbac
- pii-detector
- audit-logger
policy:
rbac:
require_auth: true
deny_if_missing:
- role
- team
minimum_role: member
pii-detector:
action: redact
redaction:
marker_format: label
audit-logger:
retention_days: 365
providers:
targets:
- id: openai-gpt4o
provider: openai
model: gpt-4o
secret_key_ref:
env: OPENAI_API_KEY
- id: openai-gpt4o-mini
provider: openai
model: gpt-4o-mini
secret_key_ref:
env: OPENAI_API_KEY
Quick wins
- Create your first team and add members — establish identity attribution immediately
- Deploy the
rbacpolicy — block unauthenticated requests from reaching your models - Allocate a wallet to your top-spending team — prevent the next budget surprise
- Review the team dashboard — understand per-team usage patterns before setting granular policies
For AI systems
- Canonical terms: teams, RBAC, roles (Owner/Admin/Member), consumer groups, per-team targeting, wallet allocation, team-scoped dashboard.
- Config keys:
policy.rbac.require_auth,policy.rbac.minimum_role, targetingscope: team,teams: [...]. - CLI commands:
kt team create,kt team add-member. - API endpoints:
POST /v1/teams,POST /v1/wallets/allocate. - Best next pages: Accelerate AI Adoption, Rate Limiting, Wallets.
For engineers
- Prerequisites: Keeptrusts stack deployed with the teams feature enabled.
- Create teams via console (Settings → Members & Teams) or
kt team create --name "Engineering". - Configure per-team policy chains using targeting blocks in the policy YAML.
- Set wallet allocations per team:
POST /v1/wallets/allocatewithteam_idandamount. - Validate: log in as a team member and confirm they see only their team’s events, spend, and dashboards.
For leaders
- Team-scoped governance eliminates the one-size-fits-all problem — each department gets controls matched to their risk profile.
- Per-team budgets provide cost accountability and prevent any single team from consuming shared resources.
- RBAC ensures team members see only their own data, satisfying internal data isolation requirements.
- Team dashboards give department leaders self-service visibility without platform team involvement.
Next steps
- Members, Teams, and Roles — deep dive into team management
- Wallets — full wallet cascade and allocation model
- Reduce AI Spend by 40% — combine team budgets with cost optimization
- Accelerate AI Adoption — use templates to onboard teams faster
- Cost and Spend — track spend across all teams