Enforcement
The enforcement engine evaluates policy compliance before deployments and promotions. It checks all applicable policies, verifies guardrail requirements, and returns a clear verdict on whether a resource can proceed.
How Enforcement Works
When a resource is about to be deployed or promoted, the enforcement engine runs a comprehensive compliance check:
Deployment/Promotion Request
↓
┌──────────────────────────────────────┐
│ 1. Find applicable policies │
│ (by resource type + active) │
├──────────────────────────────────────┤
│ 2. Check each policy instance │
│ - Missing? → violation │
│ - Incomplete? → violation │
│ - Denied? → violation │
│ - Expired? → violation │
│ - Completed? → pass │
├──────────────────────────────────────┤
│ 3. Check guardrails (AI models) │
│ - Required guardrails enabled? │
│ - Configuration correct? │
├──────────────────────────────────────┤
│ 4. Apply enforcement rules │
│ per environment │
│ (hard_block / soft_block / │
│ warning / post_review) │
├──────────────────────────────────────┤
│ 5. Check active overrides │
│ - Valid override? → bypass block │
│ - Expired? → enforce │
├──────────────────────────────────────┤
│ 6. Return enforcement result │
└──────────────────────────────────────┘
↓
Allowed / Blocked / Requires Override / Warning
Enforcement Result
The enforcement check returns a structured result:
| Field | Type | Description |
|---|---|---|
allowed | Boolean | Whether deployment can proceed |
requiresOverride | Boolean | Whether an admin override is needed |
overallStatus | String | allowed, blocked, requires-override, or warning |
hardBlocks | Array | Policy violations that block deployment — cannot be bypassed |
softBlocks | Array | Policy violations that block deployment — can be overridden with justification |
warnings | Array | Informational warnings — deployment proceeds |
message | String | Human-readable status summary |
Status Meanings
| Status | Deployment | Action Required |
|---|---|---|
allowed | Proceeds | None |
warning | Proceeds | Review warnings for potential issues |
requires-override | Blocked until override | Admin must provide justification to proceed |
blocked | Cannot proceed | Must resolve hard-block violations |
Block Detail Structure
Each item in hardBlocks, softBlocks, or warnings includes:
| Field | Description |
|---|---|
policyId | The policy that generated this result |
policyName | Human-readable policy name |
category | Policy category (Security, Compliance, Quality, Operational) |
severity | Violation severity (Critical, High, Medium, Low, Info) |
issue | Description of what is non-compliant |
canOverride | Whether an admin can override (false for hard blocks) |
Enforcement Actions
Policies define enforcement rules per environment. Each rule maps an environment to an action:
| Action | Behavior | Override Allowed |
|---|---|---|
hard_block | Deployment completely blocked until all policy stages complete | No (admin override only via deployment override) |
soft_block | Deployment blocked but can be overridden by authorized roles with written justification | Yes |
warning | Warning logged, deployment proceeds normally | N/A |
post_review | Deployment blocked until manual post-deployment review is completed | Yes |
Environment-Specific Enforcement
Different environments typically have different enforcement levels:
| Environment | Recommended Action | Rationale |
|---|---|---|
| Development | warning | Track compliance without blocking developer velocity |
| Staging | soft_block | Require compliance but allow overrides for testing |
| Production | hard_block | Strict enforcement to protect production workloads |
Resource-Specific Policy Fields
Each resource type has specific policy fields that the enforcement engine evaluates:
Applications (app)
| Field | Description |
|---|---|
securityScanRequired | Security vulnerability scan must pass |
codeReviewRequired | Code review must be completed and approved |
deploymentApproval | Explicit deployment approval required |
resourceLimitsRequired | CPU/memory limits must be configured |
Add-ons (addon)
| Field | Description |
|---|---|
backupRequired | Automated backup must be configured |
encryptionRequired | Encryption at rest must be enabled |
networkIsolation | Network isolation must be configured |
accessControlRequired | Access control policies must be in place |
Workflows (workflow)
| Field | Description |
|---|---|
approvalGatesRequired | Workflow must include approval gates |
errorHandlingRequired | Error handling must be configured |
loggingRequired | Logging must be enabled |
timeoutRequired | Execution timeout must be set |
Data Sources (dataSource)
| Field | Description |
|---|---|
dataClassification | Data sensitivity must be classified |
encryptionInTransit | TLS/SSL must be configured |
accessLoggingRequired | Access logging must be enabled |
piiHandling | PII handling procedures must be documented |
AI Gateway Models (aiGatewayModel)
| Field | Description |
|---|---|
guardrailsRequired | Specific guardrails must be enabled |
contentFilteringLevel | Minimum content filtering level |
rateLimitRequired | Rate limiting must be configured |
costBudgetRequired | Cost budget must be set |
Guardrail Compliance Checks
For AI Gateway Models, the enforcement engine performs additional guardrail verification:
- Check required guardrails — Verify that each guardrail specified in the policy is enabled on the model
- Check configuration — Verify guardrail settings meet policy requirements (e.g., content filter level is at least
medium) - Report results — Each guardrail check produces:
| Field | Description |
|---|---|
guardrailId | Which guardrail was checked |
guardrailName | Human-readable name |
required | Whether the policy requires this guardrail |
applied | Whether the guardrail is currently enabled |
configured | Whether the configuration meets requirements |
issue | Description of any non-compliance |
Missing required guardrails result in hard blocks or soft blocks depending on the policy's enforcement rules.
Deployment Overrides
When enforcement blocks a deployment, administrators can create temporary overrides to bypass specific policy blocks.
Creating an Override
- Navigate to the enforcement check result (shown on the resource detail page or during promotion)
- Click Request Override on a blocked policy
- Provide:
- Justification — Written explanation of why the override is necessary
- Expiration — When the override should expire (optional, recommended)
- Blocked Policies — Which specific policy blocks to override
- An administrator must approve the override
- Once approved, the enforcement check treats the overridden policies as passing
Override Lifecycle
| Status | Description |
|---|---|
active | Override is in effect — enforcement blocks are bypassed |
revoked | Override manually revoked by an administrator |
expired | Override has passed its expiration date |
Managing Overrides
| Operation | Who Can Do It | Description |
|---|---|---|
| Create override | Administrators | Bypass specific policy blocks with justification |
| Revoke override | Administrators | Deactivate an override immediately with a reason |
| View overrides | Administrators | List all active overrides for a resource |
| Auto-expiration | System | Overrides with an expiration date are automatically expired |
Override expiry is checked daily at 2 AM by the governance scheduled tasks.
Override Audit Trail
Every override action is logged in the audit trail:
- Override created — Records justification, approver, affected policies
- Override revoked — Records reason, revoker, timestamp
- Override expired — Records automatic expiration timestamp
Scheduled Enforcement Tasks
The governance system runs automated tasks on a schedule:
Hourly: Deadline Checker
Checks all policy instances for SLA violations:
- Identifies stages that have exceeded their
slaHours - Sends escalation notifications to validators, creators, and admins
- Updates instance metadata with escalation status
Daily (2 AM): Maintenance Tasks
- Attestation Expiry Checker — Sends notifications at 30, 14, 7, 3, and 1 days before attestation expiration
- Compliance Score Storage — Records daily compliance scores to the history collection for trend analysis
- Override Expiry — Expires deployment overrides that have passed their expiration date
Using Enforcement in Workflows
Pre-Deployment Check
Before deploying a resource, call the enforcement check to evaluate compliance:
- The system identifies all active policies applicable to the resource type
- For each policy, it finds the corresponding policy instance
- Each instance is evaluated:
- Missing instance — Policy has not been applied to this resource
- Incomplete instance — Required stages are not completed
- Denied instance — A stage was denied by a reviewer
- Expired instance — Instance has passed its expiration
- For AI Gateway models, guardrail requirements are additionally checked
- Results are categorized into hard blocks, soft blocks, and warnings based on enforcement rules
- Active deployment overrides are checked — valid overrides bypass blocks
Integration Points
Enforcement checks are triggered at these points:
| Trigger | Context |
|---|---|
| Resource deployment | Before deploying an app, workflow, or model to an environment |
| Environment promotion | Before promoting a resource from one environment to another |
| Compliance dashboard | On-demand compliance evaluation for solutions |
| Snapshot creation | Policy evaluation when creating compliance snapshots |
Best Practices
Progressive Enforcement
- Start with
warningenforcement for new policies to measure impact - Review warning logs to identify false positives and adjust policy rules
- Graduate to
soft_blockonce teams are comfortable with the policy - Use
hard_blockonly for production environments and critical security policies
Override Discipline
- Always set an expiration on overrides — open-ended overrides become security risks
- Review override frequency per policy — frequent overrides suggest the policy needs adjustment
- Require detailed justifications — vague overrides undermine governance accountability
- Revoke overrides proactively when the original blocking issue is resolved
Monitor Enforcement Health
- Track compliance rate over time — it should trend upward as teams adopt governance
- Review blocked deployment frequency — spikes may indicate new policy issues
- Monitor override trends — increasing overrides may signal unrealistic policies
- Check SLA compliance — frequent escalations suggest SLA hours need adjustment
Important
hard_block enforcement cannot be overridden through the standard override mechanism. The only way to proceed past a hard block is to resolve the underlying compliance violation (complete the policy stages) or have an administrator create a deployment override. Use hard blocks judiciously.