Policy-as-Code for AI: Stop Treating Governance as a Confluence Page
Why this matters this week
Most teams have now moved past “should we try LLMs?” and into “how do we put this in production without getting fired or failing our next audit?”
In the last 2–3 months, the conversations have shifted:
- Security and compliance are no longer satisfied with “we promise we don’t train on your data.”
- Legal is asking about:
- Where prompts and outputs are stored
- How long logs live
- Who can see what
- How to prove what the model did when something goes wrong
- Customers (especially B2B) are starting to add AI-specific questions to security questionnaires and DPAs:
- “Do you retain prompts?”
- “Which subprocessors see our data?”
- “Can we get an audit trail for AI decisions?”
If you’re shipping AI features and can’t answer those concretely, you now have:
– Commercial risk (slower deals, redlined contracts)
– Compliance risk (SOC2/ISO scope gaps)
– Operational risk (you can’t debug or forensically analyze incidents)
The common thread: you likely need policy-as-code for AI privacy & governance, not another written “AI usage policy” that lives in a wiki and is ignored by your systems.
What’s actually changed (not the press release)
Three material shifts are driving this:
-
AI is touching more sensitive data than your old analytics stack.
LLMs are now:- Reading support tickets with PII/PHI
- Drafting contracts and processing legal docs
- Summarizing internal Slack channels
The blast radius of a misconfigured retention policy or leaky log sink is now much larger.
-
Auditors and enterprise security teams are getting specific about AI.
Early SOC2 and ISO audits mostly hand-waved AI. That’s changing:- Auditors are asking for:
- System diagrams showing AI components
- Data flow mappings for prompts and outputs
- Evidence of access controls and retention enforcement
- Enterprise customers are asking about:
- Model risk management
- Third-party LLM providers as subprocessors
- Data localization for AI workloads
- Auditors are asking for:
-
Vendors’ defaults are not aligned with your risk posture.
- Many LLM APIs and hosted tools:
- Log prompts and outputs for 30–90 days
- Use broad internal access for “quality monitoring”
- Mix telemetry and application data
- Some now offer:
- “No training on your data” flags
- Configurable log retention
- Data residency options
But none of that helps if:
- You don’t consistently set those flags from your code
- You don’t have tests that fail when a risky default creeps in
- You can’t prove what your system actually did last month
- Many LLM APIs and hosted tools:
The delta from 6–12 months ago: AI is no longer a pilot on a sidecar domain; it’s in the core product and thus squarely in scope for governance.
How it works (simple mental model)
A workable mental model for AI privacy & governance in production systems:
1. Classify data → 2. Control flows → 3. Govern models → 4. Prove behavior
1. Classify data (what is sensitive, to whom, and where)
You don’t need a perfect catalog, but you do need enough:
- Define 3–4 sensitivity levels (e.g., Public, Internal, Confidential, Restricted).
- Map key sources that feed your AI features:
- CRM, tickets, logs, Slack, docs, databases
- Decide, explicitly:
- Which levels are allowed into which model endpoints
- Which must be redacted or transformed pre-prompt
Minimal viable artifact: a short table that says:
– “Support tickets: may include PII, treated as Confidential”
– “Production DB: Restricted; only derived features can go to models”
2. Control flows (enforce policies at runtime)
Stop hoping engineers remember the policy. Make it executable:
- Policy-as-code for AI = express constraints that gate:
- Which data can go to which model/provider
- Whether data can leave your region/VPC
- Retention and logging behavior for prompts/outputs
- Mechanically, this often means:
- A shared gateway or SDK for model calls (no raw
fetchto LLM APIs) - Policies written in a machine-readable language (e.g., OPA/Rego, custom JSON/YAML) validated in CI
- “Dumb pipes” from application code into the gateway, where decisions are made
- A shared gateway or SDK for model calls (no raw
Key: application teams cannot bypass the gateway without an explicit exception.
3. Govern models (separate model choice from business logic)
Treat model selection as configuration, not code:
- For each task (e.g., summarization, code assist, PII detection), define:
- Approved models (internal or vendor)
- Allowed data classes
- Regions and providers
- Store this alongside policies, not hard-coded in app services.
This lets you:
– Swap a model that can’t meet data residency requirements
– Route Restricted data only to self-hosted or in-VPC models
– Prove that “this class of data never hits that external API”
4. Prove behavior (observability + audit trail)
Two distinct needs:
- Operational debugging
- “Why did the model produce this hallucinated answer?”
- “Which inputs led to this bad decision?”
- Governance/audit
- “Who accessed or processed this user’s data?”
- “Were policies in place at the time?”
Mechanisms:
– Structured logging (with redaction where needed)
– Immutable audit log of:
– Policy versions
– Model configurations
– Changes and approvers
– Ability to replay:
– A given request with the same model/policy snapshot
– Or demonstrate that replay is impossible by design (and why)
You don’t need full-blown “explainable AI,” but you do need to track inputs, outputs, and policy decisions in a way auditors can understand.
Where teams get burned (failure modes + anti-patterns)
Failure mode 1: “We’ll figure out governance after the pilot”
Pattern:
– Hacky prototype becomes core feature.
– Logs and prompts live in random S3 buckets and vendor dashboards.
– Six months later, a customer asks for a data deletion report.
What breaks:
– You can’t answer “Where is customer X’s data in your AI system?”
– No retention enforcement; logs live “forever” by default.
– Retroactive cleanup is manual and error-prone.
Anti-pattern: shipping an AI feature without:
– A data flow diagram including AI components
– A retention decision for prompts/outputs
Failure mode 2: “Our vendor handles privacy”
Pattern:
– Rely on vendor terms and a toggle labeled “no training.”
– Assume that means:
– No internal access
– Minimal logging
– Right retention
Reality:
– Vendor may:
– Retain for 30 days for abuse monitoring
– Store in a different region than your main data
– Use separate internal tooling with broader access
Anti-pattern: treating a vendor flag as a complete governance strategy, without:
– A contract / DPA that specifies retention, purpose limitation, and subprocessors
– Monitoring that the right flags are always set from your code
Failure mode 3: “Central policy, decentralized behavior”
Pattern:
– Company publishes an “AI usage policy” in Confluence.
– App teams integrate models directly, each in their own way.
– No central enforcement; everyone interprets the policy differently.
What happens:
– One team sends full tickets (with PII) to a general-purpose external LLM.
– Another redacts aggressively and self-hosts.
– You now have inconsistent risk exposure you can’t even see clearly.
Anti-pattern: believing a written policy equals governance, without:
– A central SDK/gateway for AI calls
– Tests or CI checks that enforce policy-as-code
Failure mode 4: “Zero logs in the name of privacy”
Pattern:
– In response to privacy concerns, team disables most logging for AI requests.
– No prompts or outputs are retained.
Consequence:
– You can’t debug failures or abuse.
– You can’t prove to customers what happened.
– Incident response is guesswork.
Anti-pattern: equating “no logs” with “good privacy,” instead of:
– Minimal, structured logs with redaction
– Tight retention
– Clear separation between telemetry and content
Practical playbook (what to do in the next 7 days)
Assuming you already have at least one AI feature in production.
Day 1–2: Map reality, not intentions
-
Inventory your AI touchpoints
- List services that:
- Call LLM APIs
- Use embeddings/search with customer data
- Run internal models over production data
- For each, capture:
- Inputs (which systems/data)
- Outputs (where they go)
- Model/provider
- Current logging/retention
- List services that:
-
Sketch data flows
- Whiteboard-level diagrams are enough:
- User → Service → Gateway/API → Model → Result
- Note data classifications if you have them.
- Identify any direct calls to external AI providers from app code.
- Whiteboard-level diagrams are enough:
Day 3: Decide minimum viable policies
Answer these explicitly (with security/legal if you have them):
- Which classifications of data:
- May never leave your core infrastructure?
- Are allowed to external model providers?
- For prompts and model outputs:
- Default retention for:
- Application logs
- Model telemetry
- Who is allowed to see raw content?
- Default retention for:
- For third-party AI providers:
- Required:
- “No training” toggles
- Maximum retention
- Region constraints (if applicable)
- Required:
Write this as short, concrete rules (no more than a page). Avoid vague phrasing like “minimize data.”
Day 4–5: Implement a basic AI gateway/SDK
Goal: central choke point for model calls.
-
If you already have:
- An API gateway or service mesh:
- Start by routing AI traffic through a dedicated service.
- Internal SDKs:
- Add an
ai_clientlibrary that:- Encapsulates provider calls
- Enforces required flags (no-training, region)
- Tags data classifications when known
- Add an
- An API gateway or service mesh:
-
At this stage:
- Block new direct calls to providers in code review.
- Log:
- Caller service
- Model used
- Data classification (if known)
- Policy decisions (e.g., “redacted PII”, “blocked external call”)
Day 6: Translate one or two rules into code
Turn your document into policy-as-code for a narrow slice:
Examples:
– “Restricted data must not be
