Policy Library
Production-grade governance policies covering major regulatory frameworks and AI safety controls.
GaaS ships with 60 pre-built policies organized into 11 categories — including 4 enforcement tiers, AP2 payment governance, EU AI Act, and federal compliance frameworks (NIST, FedRAMP, CMMC). Each policy evaluates agent actions against compliance requirements, risk thresholds, and organizational rules — returning a binding verdict (approve, modify, escalate, or block) with full reasoning.
🔐 Complete Policy Catalog Available to Active Clients
Sign up to access the full policy library with implementation guides, configuration options, and regulatory mappings.
Coverage Overview
Tier 1: Critical Compliance (12 policies)
Fast-fail policies that block violations of fundamental requirements. These run first in the evaluation pipeline and immediately block actions that violate critical rules — no deliberation required.
- Unauthorized access prevention
- Required approval verification
- Encryption requirement enforcement
- Sensitive data handling controls
- Resource isolation validation
- Session trust decay enforcement (pol_t1_015 — blocks when trust budget ≤ 0.10)
- Behavioral anomaly detection (pol_t1_016)
Tier 2: Regulatory Frameworks (8 policies)
Industry-specific compliance policies covering healthcare, finance, privacy, communications, and education. Each policy implements the specific requirements of its regulatory framework.
- HIPAA: Healthcare privacy & patient access rights
- PCI-DSS: Payment card data protection
- GDPR: EU data protection & privacy
- TCPA: Telemarketing consent verification
- CCPA: California consumer privacy
- FERPA: Education records protection
- SOX: Financial reporting controls
- EU AI Act: High-risk AI system oversight
Tier 3: Custom Policies (3 policies)
Organization-specific policies with configurable thresholds, routing rules, and approval workflows. These allow you to define custom governance logic tailored to your business requirements.
- Clinical AI decision validation with model performance thresholds
- Transaction approval workflows with dynamic routing
- Multi-tenant data isolation with namespace verification
Tier 4: Experimental (5 policies)
Cutting-edge governance for advanced AI systems. These policies address emerging challenges in AI safety, transparency, and coordination. Tier 4 policies are defined but not yet registered in the production pipeline — they are available for testing and preview via custom policy activation.
- Hallucination detection for LLM outputs
- Synthetic data provenance tracking
- Reasoning transparency requirements
- Multi-agent coordination protocols
- EU AI Act high-risk system compliance
AP2: Agentic Payment Governance (7 policies)
Specialized policies for autonomous agent payments, implementing the Agentic Payment Protocol (AP2). These policies govern the full lifecycle of agent-initiated transactions — from mandate validation through regulatory compliance and fraud detection.
- Mandate Validity: Verifies a valid payment mandate exists before any transaction proceeds
- Mandate Conditions: Enforces merchant category, geographic scope, and validity window
- HNP Threshold: High Net Payment check — routes large transactions to human review
- Cumulative Spend: Tracks rolling spend against daily and monthly mandate limits
- PCI-DSS: Payment card data protection and channel compliance
- PSD2 SCA: EU Strong Customer Authentication with exemption logic
- AML Velocity: Anti-money laundering pattern detection across rolling windows
See the A2A & Agent Networks page for mandate management and the AP2 governance model.
EU AI Act (5 policies)
Enforcement policies covering Articles 9–15 of the EU AI Act for high-risk AI systems. Policy IDs: pol_euaia_001 through pol_euaia_005. Enforcement date: August 2, 2026. Maximum fine: €30M.
- Risk management system requirements (Art. 9)
- Data governance and training data quality (Art. 10)
- Technical documentation obligations (Art. 11)
- Record-keeping and traceability (Art. 12)
- Transparency and human oversight (Art. 13–15)
NIST CSF 2.0 (5 policies)
Cybersecurity framework policies aligned to the NIST Cybersecurity Framework 2.0. Policy IDs: pol_nist_001 through pol_nist_005.
NIST SP 800-53 Rev. 5 (5 policies)
Moderate baseline security and privacy controls from NIST SP 800-53 Rev. 5. Covers 4 control families: Access Control (AC), Audit (AU), System & Information Integrity (SI), and Incident Response (IR). Policy IDs: pol_nist800_001 through pol_nist800_005.
FedRAMP Moderate Baseline (5 policies)
Federal Risk and Authorization Management Program controls for cloud services selling to US federal agencies. 5 of 325 FedRAMP Moderate controls are in scope. Includes 3PAO-ready evidence packages with NIST SP 800-53A assessment procedures. Policy IDs: pol_fedramp_001 through pol_fedramp_005.
CMMC 2.0 Level 1–2 (4 policies)
Cybersecurity Maturity Model Certification for Defense Industrial Base contractors. Covers Level 1 (basic safeguarding) and Level 2 (advanced, aligned to NIST SP 800-171 Rev. 2). Policy IDs: pol_cmmc_001 through pol_cmmc_004.
Security (1 policy)
Additional security enforcement policy (pol_security_001) for prompt injection detection and security boundary enforcement.
How Policies Work
Evaluation Pipeline
Every agent action passes through the policy evaluation stage:
- Scope Matching: Policies check if they apply to this action (based on agent, action type, data sensitivity, jurisdiction)
- Condition Checking: Applicable policies evaluate their specific requirements against enriched context
- Verdict Assignment: Each policy returns PASS, FAIL, CONDITIONAL, or WARN
- Conflict Resolution: If multiple policies fire, the most restrictive verdict wins
- Risk Scoring: Policies contribute to a 6-dimensional risk score (privacy, security, compliance, ethical, operational, financial)
Verdict Types
- PASS: Policy requirements are satisfied — action may proceed
- FAIL: Critical policy violation — action is immediately blocked (Tier 1 policies only)
- CONDITIONAL: Policy requires human judgment — escalate to deliberation panel
- WARN: Policy flags a concern but doesn't block — recorded in audit trail
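The five pipeline stages and the four verdict types above can be shown as a small, self-contained policy engine. This is an added illustration written for this page, not GaaS code and not its API: the Intent, Finding and Decision structures, the per-dimension "max contribution" risk aggregation, the 10,000 HNP limit, the tier numbers given to the non-Tier-1 policies, and the hypothetical "hypo_sensitivity" WARN policy are all assumptions. Only the pol_t1_015 trust-budget rule (block at <= 0.10) and the pol_euaia_004 escalation rule are taken from the page.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Any, Dict, List

class Verdict(IntEnum):
    # The four verdict types, ordered so that max() yields the most restrictive one.
    PASS = 0
    WARN = 1
    CONDITIONAL = 2
    FAIL = 3

RISK_DIMENSIONS = ("privacy", "security", "compliance", "ethical", "operational", "financial")
# Tier 3 style configurable threshold; the 10,000 HNP limit is a made-up value.
CONFIG = {"hnp_limit": 10_000.0}
Policy = namedtuple("Policy", "policy_id tier in_scope check")

@dataclass
class Intent:
    agent: str
    action_type: str
    data_sensitivity: str
    jurisdiction: str
    context: Dict[str, Any] = field(default_factory=dict)  # enriched context from connectors

@dataclass
class Finding:
    policy_id: str
    verdict: Verdict
    reason: str
    risk: Dict[str, float] = field(default_factory=dict)  # per-dimension contribution, 0..1

@dataclass
class Decision:
    verdict: Verdict
    findings: List[Finding]
    risk_score: Dict[str, float]
    fast_failed: bool = False

def aggregate_risk(findings):
    # Assumption: a dimension's score is the largest contribution from any fired policy.
    score = {d: 0.0 for d in RISK_DIMENSIONS}
    for f in findings:
        for dim, value in f.risk.items():
            score[dim] = max(score[dim], min(1.0, value))
    return score

def evaluate(intent, policies):
    findings = []
    for policy in sorted(policies, key=lambda p: p.tier):      # Tier 1 runs first
        if not policy.in_scope(intent):                         # 1. scope matching
            continue
        finding = policy.check(intent)                          # 2. condition checking
        findings.append(finding)                                # 3. verdict assignment
        if policy.tier == 1 and finding.verdict is Verdict.FAIL:
            # Fast-fail: a Tier 1 FAIL blocks immediately; later policies never run.
            return Decision(Verdict.FAIL, findings, aggregate_risk(findings), fast_failed=True)
    verdict = max((f.verdict for f in findings), default=Verdict.PASS)  # 4. most restrictive wins
    return Decision(verdict, findings, aggregate_risk(findings))        # 5. risk scoring

def trust_decay(intent):
    # pol_t1_015 as described on the page: block once the session trust budget is <= 0.10.
    budget = float(intent.context.get("trust_budget", 1.0))
    if budget <= 0.10:
        return Finding("pol_t1_015", Verdict.FAIL, f"trust budget {budget:.2f} exhausted", {"security": 0.9})
    return Finding("pol_t1_015", Verdict.PASS, "trust budget healthy")

def hnp_threshold(intent):
    # AP2 High Net Payment check: route large transactions to human review.
    amount = float(intent.context.get("amount", 0.0))
    if amount > CONFIG["hnp_limit"]:
        return Finding("ap2_hnp", Verdict.CONDITIONAL, f"amount {amount:.2f} exceeds HNP limit", {"financial": 0.7})
    return Finding("ap2_hnp", Verdict.PASS, "amount below HNP limit")

def human_oversight(intent):
    # pol_euaia_004 as described on the page: escalate irreversible high-stakes decisions.
    if intent.context.get("irreversible") and intent.context.get("high_stakes"):
        return Finding("pol_euaia_004", Verdict.CONDITIONAL, "irreversible high-stakes decision",
                       {"ethical": 0.6, "compliance": 0.5})
    return Finding("pol_euaia_004", Verdict.PASS, "reversible or low-stakes decision")

def sensitivity_flag(intent):
    # Hypothetical WARN policy: audit high-sensitivity data use without blocking the action.
    return Finding("hypo_sensitivity", Verdict.WARN, "high-sensitivity data in scope", {"privacy": 0.4})

# Tier numbers other than pol_t1_015's are assumed here purely to fix evaluation order.
POLICIES = [
    Policy("pol_t1_015", 1, lambda i: True, trust_decay),
    Policy("ap2_hnp", 2, lambda i: i.action_type == "payment", hnp_threshold),
    Policy("pol_euaia_004", 2, lambda i: i.jurisdiction == "EU" and bool(i.context.get("high_risk_ai")),
           human_oversight),
    Policy("hypo_sensitivity", 3, lambda i: i.data_sensitivity == "high", sensitivity_flag),
]

if __name__ == "__main__":
    # Constructed sample: large EU payment by a high-risk AI agent with a healthy trust budget.
    sample = Intent("agent-7", "payment", "low", "EU", {"trust_budget": 0.8, "amount": 25_000,
                    "high_risk_ai": True, "irreversible": True, "high_stakes": True})
    print(evaluate(sample, POLICIES).verdict.name)
```

The ordering of the Verdict enum is what makes conflict resolution a one-liner: because FAIL > CONDITIONAL > WARN > PASS, taking the maximum over all findings picks the most restrictive verdict. The fast-fail branch is the Tier 1 behaviour from the page: once a Tier 1 policy fails, nothing else is evaluated, so the resulting Decision carries only the findings gathered up to that point.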
Configuration Options
Tier 3 custom policies support organization-specific configuration:
- Thresholds: Adjust risk tolerance, approval limits, performance minimums
- Routing Rules: Define which reviewers handle which types of escalations
- Approval Workflows: Configure multi-step approval chains
- Namespace Mappings: Define data isolation boundaries
Ready to explore the full policy library?
Active clients get access to complete policy documentation including implementation guides, configuration schemas, regulatory references, and example use cases.
Book a demo to discuss custom policy development.
Policy Registry
The Policy Registry is the discovery and installation layer for policy packs — curated bundles of policies grouped by vertical or regulatory framework. Install a pack with a single API call to activate all included policies for your organization.
Seed Packs (built in)
- gaas-core-v1: 10 Tier 1 universal governance policies — applies to all agents
- gaas-eu-ai-act-v1: 5 EU AI Act Articles 9–15 enforcement policies (pol_euaia_001–005)
- gaas-financial-v1: SOX + AP2 payment governance + SR 11-7 model risk controls
- gaas-healthcare-v1: HIPAA patient access, minimum necessary, emergency access
- gaas-privacy-v1: GDPR, CCPA, FERPA privacy and data subject rights
- gaas-nist-csf-v1: NIST Cybersecurity Framework 2.0 (pol_nist_001–005)
- gaas-nist-800-53-v1: NIST SP 800-53 Rev. 5 Moderate Baseline controls (pol_nist800_001–005)
- gaas-fedramp-moderate-v1: FedRAMP Moderate Baseline with 3PAO evidence packages (pol_fedramp_001–005)
- gaas-cmmc-v1: CMMC 2.0 Level 1–2 for Defense Industrial Base (pol_cmmc_001–004)
Install a pack:
    # Activate EU AI Act enforcement for your org
    POST /v1/policy-registry/gaas-eu-ai-act-v1/install
    Authorization: X-API-Key gsk_your_key

    # Browse available packs
    GET /v1/policy-registry?vertical=healthcare
    GET /v1/policy-registry?regulation=eu-ai-act
EU AI Act Compliance
GaaS ships with built-in enforcement for EU AI Act Articles 9–15 (enforcement date: August 2, 2026). Five dedicated policies block or escalate high-risk AI actions that violate mandatory obligations.
- pol_euaia_001 — Art. 9 Risk Management: blocks high-risk AI without a documented risk management system
- pol_euaia_002 — Art. 10 Data Governance: requires training data lineage for regulated data categories
- pol_euaia_003 — Art. 13 Transparency: enforces explainability on all high-risk AI interactions
- pol_euaia_004 — Art. 14 Human Oversight: auto-escalates irreversible high-stakes decisions to human review
- pol_euaia_005 — Art. 15 Accuracy/Robustness: blocks safety-critical actions when context confidence < 0.6
Check your compliance posture: GET /v1/compliance/eu-ai-act
Full compliance guide
Integration
Policies are automatically evaluated as part of the 5-stage governance pipeline. You don't need to manually invoke policies — simply submit intents via the REST API and GaaS handles the rest.
Next steps:
- Getting Started — Set up your first governance pipeline
- Compliance — EU AI Act, SR 11-7 model inventory, Governance Proof Tokens
- Connectors — Data sources that feed policy evaluation
- A2A & Agent Networks — AP2 payment policies and multi-agent governance
- Shadow Mode — Test policies without enforcement
- Dashboard — Monitor policy decisions and configure rules
- Sign up — Access the complete policy catalog