Policy Configuration Guide

Assistant governance policies define what AI assistants can and cannot do. Each policy has a type, an enforcement mode, and a scope (which assistants it applies to).

Enforcement Modes

observe

Log violations but take no action. Use for initial rollout.

warn

Log + flag to admin. No automated enforcement.

require_review

Create approval request before the assistant can continue.

restrict

Auto-restrict the assistant (narrow scope, block tools).

suspend

Auto-suspend the assistant pending manual review.

Policy Types

Approved Providers

Only allow assistants from specific AI providers.

Example policy_config:

{"allowed": ["github", "microsoft", "azure_openai", "anthropic", "internal"]}

Approved Models

Restrict which model families assistants may use.

Example policy_config:

{"allowed": ["gpt-4", "claude-3", "gemini-pro"]}

Data Class Restriction

Restrict which departments can access sensitive data classes.

Example policy_config:

{"restricted_classes": ["finance", "pii"], "allowed_departments": ["Finance", "Legal"]}

Tool Allowlist

Only approved MCP servers and tools may be connected.

Example policy_config:

{"allowed_tools": ["netallion-mcp", "trivy-mcp-server"]}

Owner Required

All high/critical assistants must have an assigned owner.

Example policy_config:

{"min_criticality": "high"}

Evidence Required

Critical assistants need approval evidence before production.

Example policy_config:

{"required_for": "production_approval"}

Risk Threshold

Auto-restrict assistants above a risk score.

Example policy_config:

{"max_score": 75}

Review Required

Critical assistants must be reviewed before activation.

Example policy_config:

{}

Rotation Required

NHI-backed assistants must rotate credentials on schedule.

Example policy_config:

{"max_days": 90}

Scope (applies_to)

Control which assistants a policy applies to:

// All assistants
{"scope": "all"}

// By criticality
{"criticality": ["high", "critical"]}

// By type and department
{"assistant_type": ["copilot", "m365_copilot"], "department": ["Engineering"]}

// By data class
{"data_classes": ["finance", "pii"]}