Policy
Decide what reaches a model, before it does. Policy is enforced at the gateway, across every application, agent, and model.
6 of 7 rules active
Data egress
Redact PII before egress (enforced)
Names, emails, SSNs, and account numbers are masked before any prompt leaves the tenant.
Block customer records → external models (enforced)
Records classified ‘customer’ may only be sent to in-tenant model deployments.
Strip source documents from agent context (enforced)
Agents receive retrieved spans, never whole source files.
Routing
Division 07 → in-tenant Azure OpenAI only (enforced)
Fire-rating workloads are pinned to the customer-owned deployment.
Low-complexity → gpt-5.4-mini (monitor)
Requests scoring below the complexity threshold route to the cheaper model.
Approvals
Require approval: financial actions (enforced)
Any tool call that moves money pauses for human approval.
Flag prompts exceeding 16k tokens (monitor)
Oversized context is flagged for compression review.
Data classes
Public: Any model
Internal: Approved providers
Customer: In-tenant only
Regulated (PII/PHI): Masked before egress
Recent decisions
redact: SUB-0712 · 3 PII fields (12m ago)
route: Division 07 → in-tenant (38m ago)
block: customer record → external (1h ago)
approve: financial action · held (2h ago)
flag: context 18,402 tok (3h ago)