LLM Access Governance
Policy-based control over AI and LLM access with allowlists, data-aware policies, role-based access, and prompt auditing for regulatory compliance.
LLM Access Governance lets you define and enforce policies that control how your organisation uses AI and large language models. It goes beyond detection (covered in Shadow AI Detection) to active enforcement.
Policy Types
Allowlist / Blocklist
Control which AI providers and models your teams are permitted to use.
| Rule | Effect |
|---|---|
| Allow gpt-4o via Azure OpenAI | Requests to the approved endpoint are logged and permitted |
| Block api.openai.com (direct) | Requests to the public OpenAI API are blocked and alerted |
| Block all HuggingFace Inference endpoints | Prevents use of community-hosted models |
Data-Aware Policies
Inspect prompt and context payloads before they reach the LLM:
- PII gate -- block or redact prompts containing personally identifiable information
- PCI gate -- prevent card numbers and CVVs from being sent to any AI provider
- Code gate -- detect and block proprietary source code in prompts
When a policy triggers, the request can be blocked, the sensitive content can be redacted in-line, or an alert can be sent while the request proceeds (monitor-only mode).
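
A minimal sketch of a PCI gate with the three outcomes described above (block, redact in-line, monitor-only). This is an added illustration, not the product's implementation or configuration format; the function names, the `[REDACTED-PAN]` marker and the result fields are assumptions, and it covers card numbers only, not CVVs.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(prompt: str):
    """Return (start, end) spans of Luhn-valid card-number candidates."""
    spans = []
    for m in PAN_RE.finditer(prompt):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            spans.append(m.span())
    return spans

def pci_gate(prompt: str, mode: str = "block") -> dict:
    """Evaluate a prompt; mode is 'block', 'redact' or 'monitor' (assumed names)."""
    if mode not in ("block", "redact", "monitor"):
        raise ValueError(f"unknown mode: {mode}")
    spans = find_pans(prompt)
    result = {"detections": len(spans), "action": "allow", "forward": prompt}
    if not spans:
        return result
    if mode == "block":
        result.update(action="block", forward=None)   # nothing reaches the LLM
    elif mode == "redact":
        out = prompt
        for start, end in reversed(spans):  # right to left keeps offsets valid
            out = out[:start] + "[REDACTED-PAN]" + out[end:]
        result.update(action="redact", forward=out)
    else:
        result.update(action="alert")       # monitor-only: forwarded unchanged
    return result

# Constructed sample: a standard test card number next to a non-card digit run.
SAMPLE = "Refund card 4111 1111 1111 1111 for order 1234567890123456"
```

The Luhn check is what keeps the 16-digit order number in the sample from being flagged; the `detections` and `action` fields are the kind of values the audit record would carry.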
Role-Based Access
Assign AI access tiers to users and service accounts:
| Role | Permissions |
|---|---|
| AI Admin | Full access to all approved models, policy configuration |
| AI Developer | Access to approved models, subject to data-aware policies |
| AI Viewer | Read-only access to AI dashboards and audit logs |
| No AI Access | All AI/LLM requests are blocked |
Roles integrate with your identity provider (Okta, Azure AD, Google Workspace) via SAML/OIDC.
Prompt Auditing
Every prompt sent through a governed channel is logged with:
- Caller identity and source service
- Full or redacted prompt text (configurable)
- Model and provider
- Policy evaluation result
- Sensitive data detections
Audit logs are retained according to your configured retention policy and can be exported for compliance reviews.
Regulatory Alignment
| Regulation | Relevant Controls |
|---|---|
| DPDPA | Consent-based processing, purpose limitation for AI-generated insights |
| RBI Guidelines | Data localisation, third-party risk management for AI vendors |
| SOC 2 | Logical access controls, monitoring of AI service usage |
| PCI-DSS | Prevention of cardholder data exposure to AI models |
Related Pages
- Shadow AI Detection -- discover unapproved AI usage
- AIOStack -- open-source instrumentation layer
- Compliance -- map AI controls to regulatory frameworks