Governance
Enterprise-grade governance framework for enforcing compliance, security, and quality standards across all Strongly AI platform resources. Define policies, track compliance through solutions and snapshots, configure AI guardrails, control resource promotion between environments, and maintain a complete audit trail for regulatory requirements.
Core Capabilities
| Capability | Description |
|---|---|
| Policy Management | Define, version, and enforce compliance policies with custom stages, validators, and enforcement rules |
| Policy Catalog | Share and discover reusable policy templates with ratings and reviews |
| Stages & Approval Workflows | Multi-stage approval workflows with user, role, and group validators |
| Solutions | Group related platform components for unified governance and compliance tracking |
| Compliance Snapshots | Capture point-in-time compliance state for audit evidence, releases, and regulatory review |
| Attestations | Digital compliance statements with expiration tracking and revocation support |
| AI Guardrails | Content filtering, PII detection, prompt injection prevention, and rate limiting for AI models |
| Enforcement Engine | Pre-deployment compliance checks with hard blocks, soft blocks, warnings, and override management |
| Environment Promotion | Controlled promotion workflow with policy compliance gating |
| Audit Trail | Immutable record of every governance action with full before/after state capture |
| Notifications | In-app notifications for approval requests, decisions, escalations, and compliance alerts |
Governable Resource Types
Governance policies can target the following platform resource types:
| Resource Type | Key | Guardrails | Promotion | Description |
|---|---|---|---|---|
| Applications | app | - | Yes | Deployed marketplace and custom applications |
| Add-ons | addon | - | Yes | Managed database and infrastructure services |
| Workflows | workflow | - | Yes | Automation and AI agent workflows |
| Data Sources | dataSource | - | - | External database and API connections |
| ML Models | mlModel | - | Yes | ML Registry models and experiments |
| AI Gateway Models | aiGatewayModel | Yes | - | LLM and generative AI models |
| Workspaces | workspace | - | - | Collaborative team workspaces |
| Projects | project | - | - | Project containers for resources |
Each resource type has specific policy fields. For example, AI Gateway Models support guardrail requirements, content filtering levels, rate limits, and cost budgets. Applications support security scan requirements, code review, and deployment approval. See Enforcement for details on resource-specific policy fields.
Getting Started
1. Create Your First Policy
Navigate to Governance in the sidebar and click Create Policy. The Policy Builder wizard guides you through defining the policy name, category, severity, stages, validators, and enforcement rules. See Policies for step-by-step instructions.
2. Apply a Policy to a Resource
- Open any resource detail page (Application, Workflow, AI Model, etc.)
- Click the Governance tab
- Click Apply Policy
- Select a policy from the dropdown (filtered to applicable resource types)
- A policy instance is created with status not_started
3. Complete Policy Stages
- Open the policy instance from the Governance > Validation page
- Complete each stage sequentially:
  - Fill out all required fields
  - Upload any required artifacts or evidence
  - Submit the stage for validator approval
- Assigned validators receive notifications and can:
  - Approve: Stage completes, workflow advances to the next stage
  - Deny: Stage is rejected, the requestor must revise and resubmit
  - Conditional Approval: Approve with documented conditions
- Once all stages are approved, the policy instance status becomes completed
4. Group Resources into Solutions
Solutions group related platform components (apps, workflows, data sources, models) for unified compliance tracking. Navigate to Governance > Solutions and click Create Solution to define a solution with explicit component selection, tag-based selection, or query-based selection. See Compliance for details.
5. Take Compliance Snapshots
Snapshots capture a point-in-time view of a solution's compliance state. Create snapshots for baseline assessments, periodic reviews, release approvals, or formal audits. Frozen snapshots serve as immutable audit evidence. See Compliance.
6. Configure AI Guardrails
For AI Gateway models, configure guardrails to enforce content filtering, PII detection, prompt injection prevention, rate limiting, and cost controls. Guardrails are applied on every API request to the model. See Guardrails for the complete configuration guide.
7. Monitor Compliance
The Governance Dashboard provides real-time metrics:
| Metric | Description |
|---|---|
| Active Policies | Number of enforced policy definitions |
| Compliance Rate | Percentage of policy instances that are completed |
| Pending Approvals | Instances awaiting validator action |
| Total Resources | Resources currently under governance |
Quick actions on the dashboard provide one-click access to create policies, create solutions, create snapshots, review pending approvals, and view compliance reports.
Access Control
Governance enforces strict access control at every level:
| Action | Who Can Do It |
|---|---|
| Create policies | Any authenticated user |
| Modify/delete policies | Policy creator or administrator |
| Share policies | Policy owner or administrator |
| Apply policy to resource | Users with resource access |
| Submit stage for approval | Instance creator or administrator |
| Approve/deny stages | Authorized validators (user, role, or group) or administrator |
| Create deployment overrides | Administrators only |
| Delete completed instances | Not allowed (audit trail preservation) |
Validator Types
Stage validators can be assigned by three mechanisms:
| Type | Format | Best For |
|---|---|---|
| User | Specific user ID | Designated reviewers, compliance officers |
| Role | Role name (e.g., admin) | Flexible team assignments |
| Group | org:<orgId>:role:<role> or organization ID | Cross-team approvals, committee reviews |
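The following added example (not Strongly AI code) models the approve/deny rule from the Access Control table using the three validator formats above, and shows a malformed group entry failing closed. The `User` record, the `(type, value)` validator tuples, and the mapping of "administrator" to the `admin` role are assumptions made for illustration.

```python
from dataclasses import dataclass

ADMIN_ROLE = "admin"  # assumption: the "administrator" in the access table holds this role


@dataclass(frozen=True)
class User:  # hypothetical user record, not the platform's schema
    user_id: str
    roles: frozenset = frozenset()      # platform role names
    org_roles: frozenset = frozenset()  # (org_id, role) memberships


def parse_group(value):
    """Parse a group validator: 'org:<orgId>:role:<role>' or a bare organization ID.

    Returns (org_id, role), with role=None for a bare ID, or None if malformed.
    """
    parts = value.split(":")
    if len(parts) == 1 and parts[0]:
        return parts[0], None
    if len(parts) == 4 and parts[0] == "org" and parts[2] == "role" and parts[1] and parts[3]:
        return parts[1], parts[3]
    return None


def can_decide_stage(user, validators):
    """True if `user` may approve or deny a stage with these (type, value) validators."""
    if ADMIN_ROLE in user.roles:
        return True
    for vtype, value in validators:
        if vtype == "user" and value == user.user_id:
            return True
        if vtype == "role" and value in user.roles:
            return True
        if vtype == "group":
            parsed = parse_group(value)
            if parsed is None:
                continue  # malformed entry grants nothing (fail closed)
            org_id, role = parsed
            if role is None and any(o == org_id for o, _ in user.org_roles):
                return True
            if role is not None and (org_id, role) in user.org_roles:
                return True
    return False  # no match, or only unknown validator types: deny


# Constructed sample data
reviewer = User("u-17", org_roles=frozenset({("acme", "compliance")}))
stage_validators = [("user", "u-02"), ("group", "org:acme:role:compliance")]
print(can_decide_stage(reviewer, stage_validators))
```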
Compliance Frameworks
Tag policies and templates with industry compliance frameworks for easy discovery and mapping:
- SOC 2 — Security, availability, and confidentiality controls
- HIPAA — Healthcare data privacy and security
- GDPR — EU data protection requirements
- ISO 27001 — Information security management
- ISO 42001 — AI management system standard
- PCI DSS — Payment card industry standards
- NIST AI RMF — AI risk management framework
- EU AI Act — European AI regulation
Architecture Overview
┌────────────────────────────────────────────────────────────┐
│                    Governance Dashboard                    │
│  Metrics · Quick Actions · Policy Distribution · Activity  │
├──────────┬──────────┬──────────┬──────────┬────────────────┤
│ Policies │Solutions │Snapshots │Guardrails│  Enforcement   │
│          │          │          │          │                │
│ Define   │ Group    │ Capture  │ AI model │ Pre-deployment │
│ stages & │ platform │ point-in │ content  │ compliance     │
│ rules    │ resources│ -time    │ safety   │ checks         │
│          │          │ state    │ controls │                │
├──────────┴──────────┴──────────┴──────────┴────────────────┤
│                     Enforcement Engine                     │
│  hard_block · soft_block · warning · override management   │
├────────────────────────────────────────────────────────────┤
│                        Audit Trail                         │
│    Every action logged · Before/after state · Immutable    │
├────────────────────────────────────────────────────────────┤
│                    Notification System                     │
│  Approvals · Escalations · Deadlines · Attestation expiry  │
└────────────────────────────────────────────────────────────┘
Navigation
All governance features are accessible from the Governance section in the platform sidebar:
| Page | Path | Description |
|---|---|---|
| Dashboard | /governance | Overview metrics and quick actions |
| Policies | /governance/policies | Browse and manage policy definitions |
| Create Policy | /governance/policies/new | Policy Builder wizard |
| Policy Catalog | /governance/catalog | Browse and use policy templates |
| Solutions | /governance/solutions | Manage solutions |
| Create Solution | /governance/solutions/new | Solution Builder |
| Snapshots | /governance/snapshots | Browse compliance snapshots |
| Create Snapshot | /governance/snapshots/create | Snapshot creation wizard |
| Compliance Monitor | /governance/compliance | Real-time compliance across all resources |
| Validation | /governance/validation | Review and approve pending instances |
| Promotions | /governance/promotions | Environment promotion control |
| Audit Log | /governance/audit | Complete audit trail viewer |
Apply policies early in the development lifecycle. Use warning enforcement in Development, soft_block in Staging, and hard_block in Production to catch issues progressively before they reach production.