Policies & Enforcement

Overview

Policies define how AI systems are allowed to operate in your environment. They control model access, data usage, integrations, and request behavior in real time.

In Peridot, policies are evaluated on every AI interaction—before any model call is executed—ensuring consistent, enforceable governance across all systems.

Why Policies Matter

Without centralized policies:

  • Developers choose models independently

  • Sensitive data may be exposed unintentionally

  • Governance is inconsistent across teams

  • Auditability is fragmented

With policies:

  • All AI usage is governed centrally

  • Data exposure risks are reduced

  • Behavior is consistent across environments

  • Every decision is traceable and auditable

How Policies Work

Policies are evaluated at request time using context from:

  • User identity and role

  • Application or system

  • Data classification

  • Model and provider

  • Environment (dev, staging, production)

Each request is checked against active policies before execution.

Policy Structure

Every policy includes three core components:

1. Conditions

Define when the policy applies.

Examples:

  • User role = “External contractor”

  • Data classification = “Sensitive”

  • Environment = “Production”

2. Rules

Define what is allowed or restricted.

Examples:

  • Allow only approved models

  • Block external providers

  • Require structured output

3. Actions

Define what happens when rules are triggered.

Examples:

  • Block request

  • Reroute to approved model

  • Require approval

  • Create incident

Example Policy

Name: Restrict Sensitive Data to Approved Models

  • Condition: Sensitive data detected

  • Rule: External models not allowed

  • Action: Reroute to internal model + log event

How Policies Are Evaluated

Policy evaluation happens in milliseconds at runtime:

  1. Request is received

  2. Context is extracted (user, data, system)

  3. Matching policies are identified

  4. Rules are evaluated

  5. Enforcement actions are applied

  6. Request proceeds or is blocked

No request bypasses this process.
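The following is an added illustration, not Peridot's own code: a small policy engine that models the three-part policy structure (conditions, rules, actions) and walks the six evaluation steps above for one request. The policy schema, field names, the "monitor" (log-only) mode, the fail-closed handling of incomplete context, and the precedence used when several policies trigger at once (block over require approval over reroute) are all assumptions made for this example. The sample policies are constructed to mirror the "Example Policy" section.

```python
"""Added example of request-time policy evaluation (not Peridot's code).

Schema, field names, action precedence and the monitor mode are assumptions
chosen to illustrate the page; nothing here reflects the product's internals.
"""
from dataclasses import dataclass
from typing import Optional

# Step 2 input: the context fields listed under "How Policies Work".
@dataclass
class RequestContext:
    user_role: str
    application: str
    data_classification: str
    model: str
    provider: str
    environment: str

# One policy = conditions (when it applies) + rule (what is allowed)
# + actions (what happens when the rule is violated).
@dataclass
class Policy:
    name: str
    conditions: dict          # field -> required value, all must match
    allowed_providers: set    # rule: providers permitted to serve the request
    actions: list             # any of: block, reroute, require_approval, incident, log
    reroute_to: Optional[str] = None
    mode: str = "enforce"     # "monitor" = log-only, never changes the decision

# Constructed sample policies; the first mirrors the page's "Example Policy".
POLICIES = [
    Policy(
        name="Restrict Sensitive Data to Approved Models",
        conditions={"data_classification": "Sensitive"},
        allowed_providers={"internal"},
        actions=["reroute", "log"],
        reroute_to="internal-llm",
    ),
    Policy(
        name="Contractors cannot call production models",
        conditions={"user_role": "External contractor", "environment": "Production"},
        allowed_providers=set(),   # empty set: every provider violates the rule
        actions=["block", "incident", "log"],
    ),
]

# When several policies trigger, the most restrictive outcome wins (assumption).
ACTION_PRECEDENCE = ["block", "require_approval", "reroute", "allow"]
REQUIRED_FIELDS = ("user_role", "data_classification", "environment", "provider")


def policy_matches(policy: Policy, ctx: RequestContext) -> bool:
    """Step 3: a policy applies only when every condition equals the context field."""
    return all(getattr(ctx, key, None) == value for key, value in policy.conditions.items())


def evaluate(ctx: RequestContext, policies=POLICIES):
    """Steps 2-6. Returns (decision, effective_model, audit_log).

    decision is one of allow / reroute / require_approval / block.
    """
    audit = []
    # Fail closed: conditions cannot be evaluated reliably on incomplete context.
    missing = [f for f in REQUIRED_FIELDS if not getattr(ctx, f)]
    if missing:
        audit.append(f"BLOCK: incomplete context, missing {missing}")
        return "block", None, audit

    outcomes = []  # candidate (decision, model) pairs from triggered policies
    for p in policies:
        if not policy_matches(p, ctx):
            continue
        violated = ctx.provider not in p.allowed_providers       # step 4
        audit.append(f"{p.name}: matched, violated={violated}, mode={p.mode}")
        if not violated:
            continue
        if p.mode == "monitor":                                   # log-only policy
            audit.append(f"{p.name}: log-only, would apply {p.actions}")
            continue
        for action in p.actions:                                  # step 5
            if action == "log":
                audit.append(f"{p.name}: violation by provider={ctx.provider}")
            elif action == "incident":
                audit.append(f"{p.name}: INCIDENT created for {ctx.application}")
            elif action == "block":
                outcomes.append(("block", None))
            elif action == "reroute":
                outcomes.append(("reroute", p.reroute_to))
            elif action == "require_approval":
                outcomes.append(("require_approval", None))

    decision, model = "allow", ctx.model                          # step 6
    if outcomes:
        decision, model = min(outcomes, key=lambda o: ACTION_PRECEDENCE.index(o[0]))
    audit.append(f"DECISION: {decision} model={model}")
    return decision, model, audit


if __name__ == "__main__":
    req = RequestContext("Employee", "support-bot", "Sensitive",
                         "gpt-x", "external", "Production")
    decision, model, log = evaluate(req)
    print(decision, model)
    print("\n".join(log))
```

Two design points worth noting: the engine denies when required context is missing rather than silently treating the request as unclassified, and a policy in "monitor" mode still writes the audit entries it would have produced, which is what makes the log-only rollout recommended under Best Practices useful for tuning before enforcement is switched on.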

In Production

In production environments:

  • Policies are applied consistently across all systems

  • Updates propagate without requiring code changes

  • Enforcement is centralized and auditable

  • All decisions are logged for compliance and investigation

Best Practices

  • Start with monitoring (log-only policies) before blocking

  • Scope policies by environment and role

  • Avoid overly broad restrictions initially

  • Pair policies with incident workflows
