Governance

Governance in Kla Digital is achieved through Policy-as-Code. We use Cerbos to define fine-grained access control and operational policies for your agents.

Policy Definition

Policies are defined in YAML and stored in your tenant's policy repository. They control:

  1. Access Control: Who can start which agent?
  2. Operational Limits: What tools can an agent use? What is the maximum budget?
  3. Data Residency: Can this agent process data outside the EU?

Example Policy

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "agent"
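  rules:
    # Admins may execute any agent, whatever its risk level.
    - actions: ["execute"]
      effect: EFFECT_ALLOW
      roles: ["admin"]

    # Users may execute only agents whose riskLevel attribute is "low".
    - actions: ["execute"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: request.resource.attr.riskLevel == "low"
    # A request that matches no rule is denied: Cerbos denies by default.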

Policy Enforcement

Policies are enforced automatically by the Execution Worker. Before any tool execution or API call, the worker queries the Policy Engine.

  • Allowed: The action proceeds.
  • Denied: The action is blocked, and a policy_violation error is returned.
  • Manual Approval: The policy can trigger a "human-in-the-loop" requirement.

Policy Versioning

All policies are versioned. You can draft new policies, test them in a "dry-run" mode, and then promote them to active status.

  • Draft: Only affects executions explicitly requesting the draft version.
  • Active: The default version for all executions.
  • Archived: Kept for historical audit purposes.

Rollbacks

If a bad policy is deployed, you can instantly roll back to the previous active version via the Console or API.

Decision Logging

Every policy decision (Allow/Deny) is logged to the Audit Trail. This includes:

  • The input context (who, what, where).
  • The policy version used.
  • The exact rule that matched.
  • The decision result.

This ensures you can answer "Why was this action allowed?" years after the fact.
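The enforcement check and decision record described above, as an added Python example (not Kla Digital's or Cerbos's code): a simplified stand-in for the policy engine that evaluates the two rules of the example policy, denies when no rule matches, and logs the decision before blocking. Rule names, record field names, and sample principals are constructed for illustration.

```python
# Simplified stand-in for the policy engine; not Cerbos or Kla Digital code.
# Rules mirror the example policy above. Rule names are constructed labels.
POLICY_VERSION = "default"
RULES = [
    {"name": "admin-execute", "actions": {"execute"}, "roles": {"admin"},
     "condition": None},
    {"name": "user-low-risk-execute", "actions": {"execute"}, "roles": {"user"},
     "condition": lambda attr: attr.get("riskLevel") == "low"},
]

class PolicyViolation(Exception):
    """Raised when the decision is deny (the page's policy_violation error)."""

def check(principal, resource, action):
    """Evaluate the rules in order; a request that matches none is denied."""
    matched = None
    for rule in RULES:
        role_ok = bool(rule["roles"] & set(principal["roles"]))
        cond = rule["condition"]
        # A missing riskLevel attribute fails the condition instead of passing.
        cond_ok = cond is None or cond(resource.get("attr", {}))
        if action in rule["actions"] and role_ok and cond_ok:
            matched = rule["name"]
            break
    return {  # field names are assumptions modelled on the Decision Logging list
        "principal": principal["id"],
        "resource": f"{resource['kind']}:{resource['id']}",
        "action": action,
        "policyVersion": POLICY_VERSION,
        "matchedRule": matched,
        "effect": "EFFECT_ALLOW" if matched else "EFFECT_DENY",
    }

def enforce(principal, resource, action, audit_log):
    """Log every decision, allow or deny, then block denied actions."""
    record = check(principal, resource, action)
    audit_log.append(record)
    if record["effect"] != "EFFECT_ALLOW":
        raise PolicyViolation("policy_violation")
    return record

if __name__ == "__main__":
    log, user = [], {"id": "u-1", "roles": ["user"]}  # constructed principal
    for attr in ({"riskLevel": "low"}, {"riskLevel": "high"}, {}):
        try:
            enforce(user, {"kind": "agent", "id": "a-1", "attr": attr}, "execute", log)
        except PolicyViolation:
            pass
    print([(r["matchedRule"], r["effect"]) for r in log])
```

The record is appended before the exception is raised, so denied actions appear in the log alongside allowed ones.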

Policy API

You can manage policies programmatically using the Governance API.

List Policies

GET /v1/policies

Returns a paginated list of policies.

Parameters:

  • limit (optional): Number of items to return (default: 20).
  • offset (optional): Pagination offset.
  • resourceType (optional): Filter by resource type.
  • enabled (optional): Filter by enabled status.

Get Policy

GET /v1/policies/:id

Returns the full details of a specific policy.

Create Policy

POST /v1/policies

Creates a new policy.

Request Body:

{
  "name": "Restrict High Risk Agents",
  "description": "Prevent execution of high risk agents by non-admins",
  "resourceType": "agent",
  "rules": [
    {
      "name": "Deny High Risk",
      "effect": "deny",
      "actions": ["execute"],
      "resources": ["*"],
      "conditions": [
        {
          "field": "resource.attr.riskLevel",
          "operator": "equals",
          "value": "high"
        }
      ]
    }
  ]
}

Delete Policy

DELETE /v1/policies/:id

Deletes a policy.