[EAAPL-GOV004] AI Policy Enforcement
Category: Governance / Runtime Control
Sub-category: Policy Decision & Enforcement
Version: 1.2
Maturity: Proven
Tags: PDP, PEP, OPA, policy-enforcement, runtime-governance, guardrails, acceptable-use, data-handling
Regulatory Relevance: APRA CPS234 §15–§17, EU AI Act Article 9, Privacy Act 1988 APP 3/APP 6, NIST AI RMF MANAGE 2.4
1. Executive Summary
The AI Policy Enforcement pattern implements runtime governance controls that ensure AI systems comply with organisational policies and regulatory requirements at the point of inference—not just at deployment time. Using the Policy Decision Point / Policy Enforcement Point (PDP/PEP) architectural pattern, it intercepts every AI request and response, evaluates applicable policies, and enforces decisions in real time.
This pattern addresses the critical governance gap that exists between pre-deployment approval and ongoing operational compliance. An AI system approved today will face different regulatory requirements, different data classifications, and different acceptable-use boundaries next year. Without runtime enforcement, policy changes require re-deployment to take effect—creating a window of non-compliance that regulators will not accept.
The pattern implements Open Policy Agent (OPA) as the policy decision engine, enabling policies to be expressed as code (Rego language), version-controlled alongside application code, tested independently, and updated without application redeployment. This "policy-as-code" approach is the enterprise standard for achieving both agility and auditability in runtime governance.
For CIOs and CTOs, the strategic outcome is clear: organisational AI policies become enforceable in real time, with auditable evidence of every policy evaluation. This transforms AI governance from a paper exercise into an operational control.
2. Problem Statement
Business Problem
AI policies (acceptable use, data handling, geographic restrictions, financial advice disclaimers) exist as documents but are not enforced at runtime. Business units implement interpretations inconsistently. Policy changes require application redeployment cycles of weeks. Compliance teams cannot prove policies are enforced.
Technical Problem
AI requests flow through application code with policy logic embedded inline as conditionals. Policy changes require code changes, testing, and deployment. There is no central visibility of policy decisions across AI systems. Different teams implement the same policy differently, creating inconsistency.
Symptoms
- Same AI policy producing different outcomes in different business unit implementations
- Policy violation discovered post-incident without runtime evidence of enforcement attempt
- Average time from policy change to enforced implementation measured in weeks due to deployment cycles
- Compliance teams relying on manual spot-checks because automated enforcement evidence does not exist
- Geographic data residency violations because routing logic in application code not updated with new regulatory requirements
Cost of Inaction
- Regulatory: Privacy Act APP 6 violations (purpose limitation breach by AI system); APRA CPS234 information security breach
- Legal: Unauthorised processing of personal information for AI purposes
- Operational: Policy inconsistency creating unpredictable AI behaviour affecting customer experience and liability
- Financial: Geographic restriction violations creating cross-border data transfer liability
3. Context
When to Apply
- Any AI system making decisions that are subject to policy constraints (acceptable use, data handling, geographic restriction)
- Organisations operating in multiple regulatory jurisdictions with different AI requirements
- Enterprises requiring real-time auditability of policy enforcement
- Organisations adopting "policy-as-code" practices for AI governance
- When policy change frequency requires decoupling policy from application deployment cycle
When NOT to Apply
- Simple, single-jurisdiction AI systems with static policies unlikely to change
- Proof-of-concept environments (overhead not justified)
- AI systems where the enforcement latency overhead (typically 5–20ms) is incompatible with real-time requirements (e.g., high-frequency trading — separate design required)
Prerequisites
- AI Policy framework documented and approved (AI Use Policy, Data Handling Policy)
- OPA or equivalent policy engine available in infrastructure
- API gateway or service mesh available as enforcement insertion point
- Policy authorship team with Rego or equivalent policy language competency
Industry Applicability
| Industry |
Applicability |
Key Policy Domains |
Primary Driver |
| Banking (AU) |
Critical |
Financial advice disclaimers, credit decisioning limits, data residency |
APRA CPS234, ASIC responsible lending |
| Insurance (AU) |
Critical |
Underwriting restrictions, pricing policy, data handling |
APRA CPS234, Insurance Act |
| Healthcare |
Critical |
Clinical decision limits, patient data handling, geographic restrictions |
Privacy Act, TGA |
| Government |
High |
Acceptable use, sensitive data handling, citizen rights |
APS AI Ethics, Privacy Act |
| Retail |
Medium |
Consumer data handling, geographic restrictions, profiling restrictions |
Consumer law, Privacy Act |
| Technology / SaaS |
Medium |
Multi-tenant policy isolation, data residency |
Customer contractual obligations |
4. Architecture Overview
The AI Policy Enforcement pattern implements the classic Policy Decision Point / Policy Enforcement Point architectural separation, adapted specifically for AI workloads. This separation is not merely organisational—it is a fundamental architectural principle that enables policy agility without application change.
The PDP/PEP Separation. The Policy Decision Point (PDP) is responsible for evaluating policies against context and returning a decision (allow/deny/allow-with-modification). The Policy Enforcement Point (PEP) is responsible for intercepting requests, assembling context for the PDP, and enforcing the PDP decision. They are deployed as separate components, enabling the PDP to be updated (new policies, policy changes) without touching the PEP, and enabling the same PEP to enforce policies from different PDPs.
Open Policy Agent as the PDP. OPA provides a general-purpose policy engine with Rego as its policy language. For AI governance, OPA is configured with a set of AI-specific policy bundles: acceptable use policies, data handling policies, geographic restriction policies, financial services-specific policies, and model-specific policy overrides. Policies are stored as Rego files in version control, peer-reviewed before deployment to OPA, and tested with automated Rego unit tests. Policy deployment to OPA is decoupled from application deployment—a policy change can be live within minutes of approval.
Enforcement Topology. The PEP operates at three insertion points: (1) API Gateway level for coarse-grained enforcement (request blocking before reaching AI infrastructure), (2) AI Middleware Proxy for fine-grained enforcement (request transformation, response filtering, output guardrails), and (3) Application-level SDK for deep context enforcement (user-specific policies, feature-level controls). This layered topology provides defence in depth: a request must pass all three layers, and a policy that cannot be enforced at the API Gateway level will be caught at the middleware level.
Policy Bundle Architecture. Policies are organised into bundles by domain: acceptable_use (what users can ask), data_handling (what data can flow), geographic_restriction (what data can be processed where), output_guardrails (what responses can be returned), and financial_advice (disclaimers and prohibited recommendations). Bundles are versioned and can be independently updated and rolled back. Each bundle references external data (policy data, user attributes, geographic lookup) via OPA's external data mechanism.
Context Assembly for AI. AI policy evaluation requires richer context than typical API policies. The PEP assembles a context payload for each PDP call that includes: user identity and roles, tenant/organisation context, request content metadata (not full content at PDP layer — privacy-preserving), data classification tags, geographic context (user location, data location), model MRID and risk tier, and session history metadata. This context enables policies to make nuanced decisions: the same prompt may be allowed for a verified professional user and blocked for an anonymous user.
Response Transformation. Beyond allow/deny, the PDP can return transformation directives: append a financial advice disclaimer to the response, redact named individuals from model output, route to a higher-oversight model, or require human review before response delivery. This "allow-with-modification" capability transforms the PEP from a binary gate into an active governance participant.
Policy Change Governance. Policy-as-code integrates with the AI approval workflow (GOV003). Material policy changes (not cosmetic) require approval before deployment to the production OPA bundle. A lightweight policy change workflow with Security and Compliance review (30-minute turnaround for urgent changes) is defined alongside the full model approval workflow. This prevents policy governance becoming a bottleneck while maintaining integrity for significant changes.
5. Architecture Diagram
flowchart TD
subgraph Request["Request Layer"]
A[Client AI Request]
B[API Gateway PEP]
end
subgraph Enforcement["Enforcement Layer"]
C[AI Governance Proxy PEP]
D{OPA Policy Engine}
E[Output Validator PEP]
end
subgraph Outcome["Outcome Layer"]
F[Deliver Response]
G[Block or Transform]
H[(Policy Audit Log)]
end
A --> B
B -->|context| D
D -->|deny| G
D -->|allow| C
C --> E
E -->|pass| F
E -->|block or transform| G
F --> H
G --> H
style A fill:#dbeafe,stroke:#3b82f6
style B fill:#dbeafe,stroke:#3b82f6
style C fill:#f0fdf4,stroke:#22c55e
style D fill:#f3e8ff,stroke:#a855f7
style E fill:#f0fdf4,stroke:#22c55e
style F fill:#d1fae5,stroke:#10b981
style G fill:#fee2e2,stroke:#ef4444
style H fill:#fef9c3,stroke:#eab308
6. Components
| Component |
Type |
Responsibility |
Technology Options |
Criticality |
| API Gateway PEP |
Enforcement Layer 1 |
Coarse-grained request blocking; JWT validation; rate limiting |
Kong, AWS API GW, Azure APIM, nginx |
Critical |
| AI Governance Proxy (PEP Layer 2) |
Enforcement Layer 2 |
Fine-grained policy enforcement; request/response transformation; context assembly |
Envoy sidecar, custom FastAPI proxy, Azure API Management policy |
Critical |
| Output Validator (PEP Layer 3) |
Enforcement Layer 3 |
Post-inference output policy enforcement; PII redaction; disclaimer injection |
Custom Python service, Presidio (PII), NeMo Guardrails |
Critical |
| OPA Policy Engine (PDP) |
Policy Decision |
Evaluates Rego policies against context; returns decisions with reasons |
Open Policy Agent, AWS Cedar, custom rules engine |
Critical |
| Policy Bundle Store |
Policy Storage |
Stores versioned policy bundles; serves bundles to OPA |
OPA bundle server, S3 + OPA pull mechanism |
Critical |
| External Data Service |
Data Provider |
Provides OPA with runtime data: user attributes, geo lookup, model MRID metadata |
REST service + Redis cache; LDAP/AD query |
High |
| Policy Audit Log |
Compliance |
Records every policy decision with context, decision, reason |
Time-series DB (InfluxDB, CloudWatch); WORM export to GOV007 |
Critical |
| Policy Version Control |
Development |
Git-based policy authoring with peer review and automated testing |
GitHub/GitLab + Rego testing framework (OPA test) |
High |
| Policy CI/CD |
Deployment |
Tests policies, builds bundles, deploys to OPA without application redeploy |
GitHub Actions, Azure DevOps, Jenkins |
High |
| Policy Metrics Dashboard |
Observability |
Visualises policy decisions, violation rates, enforcement latency |
Grafana + Prometheus, Datadog |
Medium |
7. Data Flow
Primary Policy Enforcement Flow
| Step |
Actor |
Action |
Output |
| 1 |
Client |
Sends AI request to API Gateway with bearer token |
HTTP request |
| 2 |
API GW PEP (Layer 1) |
Validates JWT; assembles coarse context (user identity, endpoint); calls OPA |
Allow/Deny from OPA on coarse policy |
| 3 |
AI Governance Proxy (Layer 2) |
Assembles full context (user attrs, data classification, model MRID, geographic context); calls OPA with full context |
Allow/Allow+Transform/Deny decision with reason |
| 4a |
If Transform |
Proxy modifies request per transformation directive (redact, enrich, reroute) |
Modified request forwarded to AI engine |
| 4b |
If Allow |
Proxy forwards request to AI engine unmodified |
Request forwarded |
| 4c |
If Deny |
Proxy returns policy refusal message to client; logs audit event |
HTTP 403 or policy-specific refusal |
| 5 |
AI Engine |
Processes request; returns raw response |
Raw AI output |
| 6 |
Output Validator (Layer 3) |
Calls OPA with output context (content metadata, PII flags, model output metadata) |
Output allow/transform/block decision |
| 7a |
If Output Transform |
Appends disclaimers, redacts PII, queues for human review |
Modified response delivered to client |
| 7b |
If Block |
Blocks response; returns safe message; logs incident via GOV008 |
Incident logged; safe message returned |
| 8 |
Audit Log |
All decisions (allow/deny/transform) written to policy audit log |
Audit record with decision hash |
Error Flow
| Condition |
Detection |
Response |
Recovery |
| OPA unavailable |
PEP health check |
Fail-open or fail-closed based on policy configuration; alert immediately |
OPA HA cluster; local cached last-known bundle for read-only evaluation |
| Policy bundle update fails |
CI/CD pipeline |
Rollback to previous bundle version; alert policy team |
Automated rollback; prior bundle remains active |
| Context assembly timeout |
PEP timeout monitor |
Fail-closed (deny) for Critical policies; fail-open (allow+log) for non-critical |
Increase context service timeout; cache user attributes |
| Rego policy evaluation error |
OPA runtime |
Return error decision code to PEP; PEP applies safe default |
Policy developer notified; hotfix deployment |
8. Security Considerations
OPA Security Hardening
- OPA management API (bundle upload, query API) accessible only from policy CI/CD system via mTLS
- OPA query API accessible from PEP services only; no general access
- Rego policies peer-reviewed before merge; automated policy test coverage enforced (>80% statement coverage)
- Policy bundle integrity verified via signature on bundle pull
Context Data Protection
- User attributes in OPA context do not include personal information (use opaque user ID + role set)
- Full request content does not reach OPA; only derived metadata (content classification, entity detection results)
- OPA decision logs do not include full request content; include only context keys and decision
OWASP LLM Top 10 Mapping
| OWASP LLM Risk |
Policy Enforcement Coverage |
Rego Policy Type |
| LLM01 Prompt Injection |
Layer 2 input policy |
input_contains_injection_pattern |
| LLM02 Insecure Output Handling |
Layer 3 output policy |
output_contains_unsafe_content |
| LLM06 Sensitive Information Disclosure |
Layer 3 PII policy |
output_contains_pii |
| LLM10 Model Theft |
API Gateway rate/quota policy |
request_exceeds_bulk_extraction_threshold |
| LLM08 Excessive Agency |
Layer 2 action scope policy |
requested_action_within_approved_scope |
9. Governance Considerations
Policy-as-Code Governance
All policies are in version-controlled Git repositories, peer-reviewed, and CI/CD-tested before deployment. Policy history is fully reconstructable. Any policy active at any point in time can be retrieved from the version control system.
Policy Change Control
Material policy changes require lightweight approval (Security + Compliance sign-off within 4 hours for urgent; standard 2-day process for planned). Policy change log is maintained as a GOV001 model register reference.
Governance Artefacts
| Artefact |
Owner |
Frequency |
Regulatory Linkage |
| Policy Decision Audit Report |
AI Governance |
Monthly |
Privacy Act APP 6; APRA CPS234 §17 |
| Policy Violation Trend Report |
CISO |
Monthly |
CPS234 incident reporting |
| Policy Coverage Map |
AI Governance |
Quarterly |
EU AI Act Article 9; NIST MANAGE 2.4 |
| Policy Test Coverage Report |
Engineering |
Per deployment |
ISO 42001 §8.4 operational control |
10. Operational Considerations
SLOs
| SLO |
Target |
Measurement |
| PDP evaluation latency p99 |
<15ms |
Per request (OPA local evaluation) |
| PEP proxy overhead p99 |
<25ms |
End-to-end enforcement overhead |
| OPA availability |
99.99% |
30-day rolling (HA cluster) |
| Policy bundle deployment time |
<5 minutes |
Policy change to enforcement |
Monitoring
| Metric |
Target |
Alert |
| Policy deny rate |
Track baseline |
>2x baseline in 1h — alert |
| OPA evaluation errors |
0 |
Any error |
| PEP enforcement latency degradation |
<25ms p99 |
>50ms p99 |
| Policy bundle staleness |
<5 minutes |
>15 minutes |
Disaster Recovery
| Scenario |
RTO |
RPO |
Recovery |
| OPA cluster failure |
<1 minute |
0 |
Auto-failover to standby OPA replica with same bundle |
| Policy bundle corruption |
<5 minutes |
Prior bundle version |
Automatic rollback via bundle versioning |
11. Cost Considerations
Cost Drivers
| Driver |
Cost Type |
Notes |
| OPA cluster compute |
Fixed infrastructure |
3-node HA; t3.medium equivalent per node; low CPU/memory footprint |
| PEP proxy compute |
Fixed per AI endpoint |
Sidecar pattern; minimal overhead |
| Policy authorship & review |
Variable FTE |
0.1–0.25 FTE for ongoing policy maintenance |
| Audit log storage |
Variable |
High-volume decisions; use sampling for low-risk policies |
Indicative Cost Range
| Deployment Scale |
OPA Infrastructure |
Proxy Infrastructure |
Total Annual |
| Small (<10 AI endpoints) |
AUD $3,000 |
AUD $2,000 |
~AUD $5,000 + FTE |
| Medium (10–50 endpoints) |
AUD $8,000 |
AUD $12,000 |
~AUD $20,000 + FTE |
| Large (50+ endpoints) |
AUD $15,000 |
AUD $35,000 |
~AUD $50,000 + FTE |
12. Trade-Off Analysis
Option Comparison
| Option |
Description |
Pros |
Cons |
Recommended For |
| A: OPA PDP/PEP (this pattern) |
Centralised OPA; distributed PEP insertion |
Policy-as-code; decoupled from app deployment; auditable; battle-tested |
OPA learning curve (Rego); latency overhead |
Regulated enterprises; multiple AI endpoints |
| B: Inline application logic |
Policy embedded in application code |
No infrastructure overhead; low latency |
Policy scattered; no centralised view; update requires redeployment |
Simple single-AI deployments |
| C: AI Provider Guardrails only |
Rely on provider content filters (OpenAI moderation, Claude's built-in controls) |
Zero infrastructure |
Provider-controlled; not auditable; doesn't cover enterprise-specific policies |
Consumer apps; not acceptable for regulated industries |
| D: Service Mesh Policy (Istio/Linkerd) |
Policy at service mesh layer using Wasm plugins |
Unified networking and policy |
Complex to maintain; policy expressiveness limited vs. OPA |
Organisations with mature Istio/Linkerd deployment |
Architectural Tensions
| Tension |
Stance |
Mitigation |
| Security vs. Latency |
Security wins; target <25ms overhead |
OPA local evaluation (no network round-trip); context caching |
| Centralised policy vs. Local decision |
Centralised policy bundle; local OPA evaluation |
OPA bundle pull model: central policy source, local execution |
| Fail-open vs. Fail-closed |
Per-policy configuration |
Critical policies: fail-closed; non-critical: fail-open with logging |
13. Failure Modes
| Failure |
Likelihood |
Impact |
Detection |
Recovery |
| OPA cluster overload under traffic spike |
Low |
High — enforcement latency SLA breach |
Latency monitoring; OPA active queue depth |
Horizontal scaling; request throttling |
| Rego policy bug causing incorrect denies |
Medium |
High — legitimate requests blocked |
Policy unit tests; canary policy deployment |
Immediate rollback to prior bundle |
| Context service outage causing policy evaluation with incomplete context |
Low |
Critical — policies evaluated without full context |
Context service health check in PEP |
Fail-closed on critical policies when context incomplete |
| Policy bypass via encoding or obfuscation |
Low |
High — policy not applied to malicious input |
Red team testing; anomaly detection on deny patterns |
Input normalisation before policy evaluation |
14. Regulatory Considerations
APRA CPS234
- §15: Information classification and handling. Policy bundles enforce data handling policies aligned to information classification scheme.
- §17: Information security controls must be implemented. Runtime policy enforcement is a documented information security control.
EU AI Act
- Article 9: AI risk management system must include measures to address identified risks. Policy enforcement implements risk controls at runtime.
- Article 13: Transparency — AI systems must be designed to allow operators to understand system operation. Policy decision logs provide this transparency.
Privacy Act 1988 / APPs
- APP 3.3: Personal information must not be collected unless reasonably necessary. Input policy enforces data minimisation at collection point.
- APP 6: Personal information must not be used or disclosed for a purpose other than the primary purpose of collection. Purpose limitation policy bundle enforces this at runtime.
NIST AI RMF
- MANAGE 2.4: AI risk responses include monitoring, testing, and adjustment. Policy enforcement with real-time decision logging implements this continuously.
15. Reference Implementations
AWS
| Component |
AWS Service |
| API Gateway PEP |
Amazon API Gateway |
| AI Proxy PEP |
AWS Lambda authoriser + ECS sidecar |
| OPA PDP |
OPA on ECS Fargate (HA cluster) |
| Policy Storage |
S3 bucket (OPA bundle server) |
| Audit Log |
CloudWatch Logs + S3 export |
Azure
| Component |
Azure Service |
| API Gateway PEP |
Azure API Management (APIM) with OPA policy plugin |
| AI Proxy |
Azure Container Apps sidecar |
| OPA PDP |
AKS-deployed OPA (HA) |
| Policy Storage |
Azure Blob (bundle storage) |
On-Premises
| Component |
Technology |
| API Gateway |
Kong OSS or Nginx |
| AI Proxy |
Envoy with OPA ext_authz |
| OPA PDP |
Kubernetes StatefulSet (3-node HA) |
| Policy Storage |
MinIO (S3-compatible) |
| Pattern |
Relationship |
Dependency Direction |
| EAAPL-GOV001 AI Model Register |
Input — model MRID and risk tier used in policy context |
GOV001 → GOV004 |
| EAAPL-GOV007 AI Audit Trail |
Consumer — policy decisions are audit trail inputs |
GOV004 → GOV007 |
| EAAPL-GOV010 Regulatory Compliance Gateway |
Complementary — gateway uses PDP for regulatory checks |
GOV004 ↔ GOV010 |
| EAAPL-CMP004 Privacy-Preserving AI |
Complementary — privacy policies enforced via this pattern |
CMP004 → GOV004 |
17. Maturity Assessment
Overall Maturity: Proven (Level 3)
| Dimension |
Score (1–5) |
Evidence |
| Policy coverage breadth |
4 |
Five policy bundle domains; gap is ML-specific policy primitives |
| OPA integration depth |
4 |
All three PEP layers defined; gap is unified Rego library for AI |
| Latency performance |
4 |
<15ms OPA; <25ms end-to-end; tested at scale |
| Policy governance process |
3 |
Version control + CI/CD defined; formal policy review board not yet standardised |
| Observability |
3 |
Decision logging defined; gap is real-time policy violation dashboarding |
18. Revision History
| Version |
Date |
Author |
Changes |
| 1.0 |
2024-04-01 |
EAAPL Working Group |
Initial publication |
| 1.1 |
2024-10-01 |
EAAPL Working Group |
Added output guardrail layer; financial services policy bundle |
| 1.2 |
2025-05-01 |
EAAPL Working Group |
OPA HA cluster architecture; fail-open/fail-closed configuration guidance |