Governance Policy Cascading Denials
Symptoms
- Spike in 403/422/429 errors from the gateway
- Users report “all requests are being blocked”
- Dashboard shows high denial rate across all governance steps
Likely Causes
- Overly strict PII scanner — new regex pattern has high false positive rate
- Budget set too low — daily budget exhausted early in the day
- Rate limit misconfiguration — RPM set too low for actual usage
- Model allowlist too restrictive — common models not in allowlist
- Security scanner false positives — legitimate prompts matching injection patterns
Triage Steps
1. Check which governance step is denying
./scripts/analytics snapshot today
# Look at: governance_denials_by_step
2. Check recent denial logs
./scripts/errors by-source gateway | grep "governance_denied"
3. Review org’s governance policy
# Check the org's active policy
curl https://api.curate-me.ai/gateway/admin/governance/policy \
-H "Authorization: Bearer $JWT" -H "X-Org-ID: $ORG_ID"
Resolution
Emergency bypass (temporary)
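For design partner emergencies, temporarily raise limits. The request below sets no expiry, so record the current values first and restore them once the emergency is over: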
# Double the rate limit for 1 hour
curl -X PUT https://api.curate-me.ai/gateway/admin/governance/policy \
-H "Authorization: Bearer $JWT" -H "X-Org-ID: $ORG_ID" \
-H "Content-Type: application/json" \
-d '{"rate_limit_rpm": 200, "daily_budget": 100}'
Fix false positive patterns
If the PII scanner or security scanner has false positives, add exclusion patterns in the governance policy YAML.
Escalation
If denials affect multiple orgs simultaneously, check for a global policy change or upstream provider outage.
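An added example (not part of this runbook or the project's own tooling) covering triage steps 1 and 2 and the escalation check: it tallies governance_denied log lines by step and reports whether the top denying step hits one org or several. The JSON-lines layout and the field names event, org_id and step are assumptions; adapt them to the real output of ./scripts/errors.

```python
import json
from collections import Counter, defaultdict

# Constructed sample; the JSON-lines layout and the field names
# (event, org_id, step) are assumptions, not the gateway's real log schema.
SAMPLE_LOG = """\
{"event": "governance_denied", "org_id": "org_a", "step": "pii_scan"}
{"event": "governance_denied", "org_id": "org_a", "step": "pii_scan"}
{"event": "governance_denied", "org_id": "org_b", "step": "pii_scan"}
{"event": "governance_denied", "org_id": "org_a", "step": "rate_limit"}
{"event": "request_ok", "org_id": "org_c"}
truncated line that is not JSON
"""

def summarize_denials(lines):
    """Tally denials per governance step and report how many orgs the top step hits."""
    by_step = Counter()
    orgs_by_step = defaultdict(set)
    skipped = 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count unparseable lines instead of silently dropping them
            continue
        if not isinstance(rec, dict) or rec.get("event") != "governance_denied":
            continue
        step = str(rec.get("step", "unknown"))
        by_step[step] += 1
        orgs_by_step[step].add(str(rec.get("org_id", "unknown")))
    if not by_step:
        return {"total": 0, "by_step": {}, "top_step": None,
                "top_step_orgs": [], "scope": "none", "skipped": skipped}
    top_step = by_step.most_common(1)[0][0]
    orgs = sorted(orgs_by_step[top_step])
    # One org points at that org's policy; several orgs match the escalation case.
    scope = "multi_org" if len(orgs) > 1 else "single_org"
    return {"total": sum(by_step.values()), "by_step": dict(by_step),
            "top_step": top_step, "top_step_orgs": orgs,
            "scope": scope, "skipped": skipped}

if __name__ == "__main__":
    print(json.dumps(summarize_denials(SAMPLE_LOG.splitlines()), indent=2))
```

A non-zero skipped count means some lines did not parse, so the tallies are a lower bound.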