Policy Engine

Rules that fire on every AI decision.

Every AI Decision Event ingested into your Audit Vault is evaluated against your enabled policies. Matched policies attach a finding to the signed receipt and can optionally block the call at the gateway.

How it works

  1. Events arrive at /api/v1/audit/ingest.
  2. The evaluator runs every enabled built-in policy plus any custom policies registered for your org.
  3. Matched policies produce findings of kind policy_violation. These join the receipt before it's signed.
  4. The highest action across matches wins: block > alert > allow.
  5. Receipts surface in the Audit Vault dashboard color-coded by severity.

Try a policy without persisting

Use /api/v1/policies/evaluate to dry-run any event against the policy library. Useful from CI hooks before you ship a new prompt.

curl -X POST https://prova.cobound.dev/api/v1/policies/evaluate \
  -H 'Content-Type: application/json' \
  -d '{
    "kind": "model_call",
    "model": { "provider": "openai", "name": "gpt-4o" },
    "source": { "app_id": "support-bot", "environment": "production" },
    "payload": {
      "prompt": "Customer SSN is 123-45-6789, please draft a reply..."
    }
  }'

# {
#   "matched_policies": ["pii_in_prompt"],
#   "findings": [{
#     "detector": "policy:pii_in_prompt",
#     "verdict": "policy_violation",
#     "severity": "medium",
#     "summary": "Possible PII detected in event payload.",
#     ...
#   }],
#   "recommended_action": "alert"
# }

The built-in policy library

18 policies ship with Prova today, grouped by category. Each can be enabled or disabled per org in the policy dashboard.

Data protection

PHI in prompt (high · alert · on by default)

Flags events whose payload appears to contain Protected Health Information sent to a model.

phi_in_prompt

PII in prompt (medium · alert · on by default)

Flags events whose payload contains personally identifiable information (SSN, credit card, passport, email, phone).

pii_in_prompt

API key or secret in prompt (critical · block · on by default)

Flags events whose payload contains what looks like an API key, token, or private key.

secret_in_prompt

Safety

Prompt-injection pattern (high · alert · on by default)

Detects common prompt-injection phrasing in event inputs.

prompt_injection_pattern

Agent run exceeded step cap (medium · alert · on by default)

Flags agent_run events whose payload reports more than 50 steps -- often a sign of a runaway agent.

agent_run_step_cap

High-impact tool call without guard (high · alert · on by default)

Flags tool_call events for irreversible actions (delete, transfer, send) where no approval step is recorded in the payload.

tool_call_dangerous_action

Coordination loop detected (high · alert · on by default)

Surfaces receipts where the coordination-loop detector already flagged a loop. This policy mirrors the detector finding into the policy stream so it appears on the policy dashboard alongside everything else.

cycle_detected

Compliance

Non-EU model used on EU-tagged data (high · alert · off by default)

Flags events whose payload metadata tags the data as EU but whose model provider routes through a non-EU region.

eu_data_residency

Medical-domain decision without human-in-the-loop (high · alert · off by default)

Flags events tagged medical/clinical where no human-approval step is recorded.

medical_decision_no_hitl

Cost

High-cost invocation (low · alert · on by default)

Flags model_call events whose recorded cost exceeds $5.

high_cost_invocation

Monthly budget cap (high · block · on by default)

Blocks AI calls when the org has crossed its configured monthly spend cap. Reads the pre-fetched org_budget_state counter (incremented by an audit_events trigger) and compares it against org_budget_config.monthly_cap_usd. If no cap is configured, the policy is a no-op.

monthly_budget_cap

Operational

High-latency invocation (low · alert · off by default)

Flags model_call events whose recorded latency exceeds 30 seconds.

high_latency_invocation

Empty completion returned (info · alert · off by default)

Flags model_call events whose recorded completion is empty or whitespace-only.

empty_completion

Governance

Experimental model used in production (medium · alert · on by default)

Flags production events that use a model whose name contains "preview", "alpha", "beta", or "experimental".

experimental_model_in_prod

model_call without model identity (low · alert · on by default)

Flags model_call events that are missing model.provider or model.name, which breaks the audit trail.

no_model_recorded

Development model used in production (medium · alert · off by default)

Flags events whose source.environment is production but whose model name looks like a dev/test model.

production_dev_environment_mismatch

Event from unregistered app (low · alert · on by default)

Flags events whose source.app_id is missing or "unknown".

unrecognized_source

Autonomy boundary violation (high · block · on by default)

Blocks events that violate the declared boundary manifest for the agent run (allowed_tools, max_steps, budget_usd_per_run, data_scopes). Manifests are registered via POST /api/v1/runs/start and signed as agent_run_manifest receipts.

boundary_violation

Custom policies (JSON DSL)

Customer-authored policies use a JSON predicate format. The visual editor is in preview; for now, send a custom policy to founders@prova.cobound.dev and we'll load it into your org.

Example policy that alerts when an agent run has more than 25 steps in production:

{
  "id": "long_agent_run_prod",
  "name": "Long agent run in production",
  "description": "Production agent took more than 25 steps.",
  "action": "alert",
  "severity": "medium",
  "category": "operational",
  "enabled": true,
  "schema_version": "1",
  "predicate": {
    "op": "and",
    "rules": [
      { "op": "eq",  "path": "kind",                "value": "agent_run" },
      { "op": "eq",  "path": "source.environment",  "value": "production" },
      { "op": "gt",  "path": "payload.step_count",  "value": 25 }
    ]
  }
}

Supported operators: and, or, not, eq, neq, gt, gte, lt, lte, contains, contains_ci, matches, matches_ci, in, exists, missing.
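
A local evaluator for the JSON predicate format and the block > alert > allow rule from "How it works", added here as an example for testing a custom policy before submitting it; it is not Prova's own code. It covers a subset of the listed operators (and, or, eq, neq, gt, gte, lt, lte, exists, missing). The operator semantics, the handling of absent paths and wrong types, and the example_no_approval policy with its payload.approval field are assumptions.

```python
MISSING = object()  # sentinel: dotted path not present in the event
RANK = {"allow": 0, "alert": 1, "block": 2}  # precedence: block > alert > allow

def lookup(event, path):  # resolve a dotted path such as "source.environment"
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return MISSING
        cur = cur[key]
    return cur

def _num(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

# Assumed leaf semantics: ordering operators need numbers on both sides, so a
# string step_count such as "31" is "no match" rather than a TypeError.
LEAF = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "gt": lambda a, b: _num(a) and _num(b) and a > b,
    "gte": lambda a, b: _num(a) and _num(b) and a >= b,
    "lt": lambda a, b: _num(a) and _num(b) and a < b,
    "lte": lambda a, b: _num(a) and _num(b) and a <= b,
}

def evaluate(pred, event):
    op = pred["op"]
    if op in ("and", "or"):
        results = (evaluate(r, event) for r in pred["rules"])
        return all(results) if op == "and" else any(results)
    got = lookup(event, pred["path"])
    if op in ("exists", "missing"):
        return (got is MISSING) == (op == "missing")
    # Assumption: comparing an absent path never matches. An operator outside
    # this subset raises KeyError instead of silently passing.
    return got is not MISSING and LEAF[op](got, pred["value"])

def decide(policies, event):  # returns (matched policy ids, winning action)
    hits = [p for p in policies if p["enabled"] and evaluate(p["predicate"], event)]
    action = max((p["action"] for p in hits), key=RANK.get, default="allow")
    return [p["id"] for p in hits], action

# The page's example policy, plus a hypothetical blocking policy (constructed).
LONG_RUN = {"id": "long_agent_run_prod", "action": "alert", "enabled": True,
            "predicate": {"op": "and", "rules": [
                {"op": "eq", "path": "kind", "value": "agent_run"},
                {"op": "eq", "path": "source.environment", "value": "production"},
                {"op": "gt", "path": "payload.step_count", "value": 25}]}}
NO_APPROVAL = {"id": "example_no_approval", "action": "block", "enabled": True,
               "predicate": {"op": "missing", "path": "payload.approval"}}
```

Calling decide([LONG_RUN, NO_APPROVAL], event) on a constructed event shows how a payload that omits step_count, or reports it as a string, slips past a numeric rule; pair a gt rule with exists when that gap matters.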