Governance Policies
Governance policies control what your AI agents can do. Every LLM request passes through the 13-step governance chain — policies configure each step’s thresholds and behavior.
A default governance policy is created automatically when your organization is provisioned. You can customize it at any time from Settings → Governance in the dashboard.
Policy Structure
Each organization has one active governance policy. The policy is a collection of rules applied to every gateway request:
| Section | What It Controls |
|---|---|
| Rate Limits | Requests per minute per org and per API key |
| Budgets | Daily org budget, per-request cost limit, team/key budgets |
| PII Scanning | Which PII patterns to detect and whether to block or warn |
| Content Safety | Content categories to block (harmful, illegal, etc.) |
| Model Allowlist | Which LLM models the org is permitted to use |
| HITL Thresholds | When to pause for human approval (cost, confidence, content) |
| Security Scanner | Prompt injection and exfiltration detection sensitivity |
Editing Policies in the Dashboard
Navigate to Settings → Governance to open the policy editor.
Rate Limits
| Field | Description | Default |
|---|---|---|
| Org RPM | Max requests per minute for the entire org | 100 |
| Key RPM | Max requests per minute per API key | 60 |
| Burst allowance | Temporary burst above the limit (%) | 10% |
Rate limit headers (RateLimit-Limit, RateLimit-Remaining, RateLimit-Reset) are
included in every gateway response so clients can adapt.
Budget Controls
| Field | Description | Default |
|---|---|---|
| Daily org budget | Maximum daily LLM spend (USD) | $10.00 |
| Per-request limit | Maximum cost for a single request | $1.00 |
| Team budgets | Optional daily caps per team | Unlimited |
| Key budgets | Optional daily caps per API key | Unlimited |
| Runner session budget | Max spend per runner session | $5.00 |
Budgets are enforced hierarchically: org → team → key. A request is blocked if any level in the hierarchy is exceeded. See the Cost Attribution guide for tagging and querying.
PII Scanning
Toggle individual PII patterns on or off:
| Pattern | Examples | Default |
|---|---|---|
| API keys | sk-..., AKIA..., AIza... | Block |
| Passwords / bearer tokens | password=, Bearer ... | Block |
| Email addresses | user@example.com | Warn |
| SSNs | 123-45-6789 | Block |
| Credit card numbers | 4111-1111-1111-1111 | Block |
| Phone numbers | +1-555-123-4567 | Warn |
| JWT tokens | eyJ... | Block |
| Private keys | -----BEGIN RSA PRIVATE KEY----- | Block |
| IBAN numbers | DE89 3704 0044 0532 0130 00 | Block |
Actions: block (reject the request), warn (log but allow), redact (mask the value and forward).
Model Allowlist
Select which models your org can use. Requests for non-allowed models return 403.
The allowlist can be set to:
- All models — No restriction (default for Growth and Enterprise)
- Tier-based — Allow models up to a cost tier (e.g., allow GPT-4o but not GPT-5.1)
- Explicit list — Only specific model IDs are permitted
HITL Thresholds
| Gate | Trigger | Default |
|---|---|---|
| Cost gate | Estimated request cost exceeds threshold | $10.00 |
| Confidence gate | Model confidence below threshold | Disabled |
| Content gate | Sensitive content categories detected | Disabled |
When a request triggers HITL, it enters the Approval Queue. The request is held until a reviewer approves, rejects, or it auto-denies after the configured timeout (default: 24 hours).
Policy via API
Policies can also be managed programmatically:
# Get current policy
curl -X GET https://api.curate-me.ai/gateway/admin/governance/policy \
-H "Authorization: Bearer $JWT_TOKEN"
# Update policy
curl -X PUT https://api.curate-me.ai/gateway/admin/governance/policy \
-H "Authorization: Bearer $JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"rate_limit_rpm": 200,
"daily_budget_usd": 50.0,
"per_request_limit_usd": 2.0,
"pii_scanning_enabled": true,
"pii_action": "block",
"hitl_cost_threshold_usd": 10.0
}'Default Policy by Plan
When an org is created, the default policy matches the subscription plan:
| Setting | Free | Starter ($49) | Growth ($199) | Enterprise |
|---|---|---|---|---|
| Rate limit (RPM) | 20 | 100 | 500 | Custom |
| Daily budget | $1 | $10 | $100 | Custom |
| Per-request limit | $0.10 | $1.00 | $5.00 | Custom |
| PII scanning | On (block) | On (block) | On (block) | Custom |
| Model allowlist | GPT-4o-mini, Haiku | All standard | All | Custom |
| HITL threshold | $1.00 | $10.00 | $50.00 | Custom |
| Body size limit | 1 MB | 10 MB | 25 MB | 50 MB |
| Reasoning token cap | 1,024 | 16,384 | 32,768 | Unlimited |
One-Click Compliance Remediation
The EU AI Act Compliance dashboard can auto-apply governance policy changes to improve your compliance score. Each remediation maps to specific policy fields.
Further Reading
- Governance Chain — How the 13-step chain processes each request
- Cost Tracking — Real-time cost monitoring
- Approval Queues — Managing HITL review queues
- EU AI Act Compliance — Regulatory mapping