# Policies
Policies are the rules Trust3 evaluates against every agent in your inventory. They define what "governed" means for your organization — required ownership, approved models, data scope, and compliance framework requirements.
## Policy types
Trust3 organizes policies into two types:
| Type | What it governs |
|---|---|
| Data Access | Which data resources an agent is allowed to access, and under what conditions |
| Compliance | Framework-specific requirements: field completeness, documentation, approval records |
## Framework scope
Policies are organized by compliance framework. The Policies page shows policies for your active framework, selected in Settings → General → Framework.
Switch the active framework to see the corresponding policy pack. Available frameworks:
- NERC CIP / Utility
- EU AI Act
- FERC
- Internal AI Governance
## Out-of-box policy library
Trust3 ships with policies pre-configured for each framework. For NERC CIP / Utility, the default active policies include:
| Policy | Standard | What it checks |
|---|---|---|
| BES Cyber System Categorization | CIP-002 | Agent assets are classified by BES impact level |
| Personnel & Training | CIP-004 | Agent owners have appropriate access authorization |
| System Security Management | CIP-007 | Agents meet system security configuration requirements |
| Information Protection | CIP-011 | Agents handling BES Cyber System Information meet documentation requirements |
| Supply Chain Risk Management | CIP-013 | Third-party model and platform dependencies are documented |
Each policy in the sidebar shows a gap count — the number of assets currently failing that policy's rules.
## Creating a policy
From the Policies page, click + New Policy. Choose one of two paths:
### Import from document or URL
Upload a compliance PDF or paste a URL. GIA reads the document and proposes enforceable policy rules mapped to Trust3's rule schema. You review each proposed rule, adjust if needed, and activate. No manual rule-building required.
Best for: moving from a written regulatory requirement or internal AI policy document to an enforced rule. See GIA — Import policies from documents.
### Create a Trust3 AI asset policy
Define a policy manually. Specify which AI assets are affected, the purpose, data scope, approved platforms, and conditions. All policies are subject to review before activation.
Best for: custom rules specific to your organization that don't map to an existing framework document.
## Violation lifecycle
When a policy rule fails against an agent:
- A violation is recorded with severity, the affected agent, the rule that failed, and suggested remediation
- The agent's Trust Score drops — see Trust Score
- The violation appears in the agent's detail panel under the Policies tab
- When the underlying issue is fixed and the agent is re-evaluated, the violation closes and the Trust Score recovers
Violations can be waived with an approver and reason recorded, for cases where the risk is accepted rather than remediated.
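The following Python sketch is an added illustration, not Trust3's own code: the page does not spell out Trust3's rule schema or Trust Score formula, so the agent fields, rule definitions, penalty weights and identifiers below are all constructed assumptions. It models the lifecycle described above (a rule fails, a violation opens with severity and suggested remediation, the score drops, a waiver is recorded with approver and reason, and the violation closes on re-evaluation once the issue is fixed) and also computes the per-policy gap count mentioned under the policy library. The rule names follow the NERC CIP policies listed earlier.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    policy: str                     # policy the rule belongs to
    rule_id: str
    severity: str                   # "low" | "medium" | "high"
    passes: Callable[[dict], bool]  # True when the agent satisfies the rule
    remediation: str


# Assumed penalty per open violation; Trust3's real scoring is not on the page.
SEVERITY_PENALTY = {"low": 5, "medium": 15, "high": 30}

# Constructed rules, loosely following the NERC CIP policy names on the page.
RULES = [
    Rule("Personnel & Training", "owner-assigned", "high",
         lambda a: bool(a.get("owner")),
         "Assign an accountable owner to the agent."),
    Rule("Supply Chain Risk Management", "approved-model", "high",
         lambda a: a.get("model") in a.get("approved_models", ()),
         "Switch to an approved model or document the dependency."),
    Rule("Information Protection", "data-scope-documented", "medium",
         lambda a: bool(a.get("data_scope")),
         "Record the data resources the agent may access."),
]


@dataclass
class Violation:
    agent_id: str
    policy: str
    rule_id: str
    severity: str
    remediation: str
    status: str = "open"            # open -> waived | closed
    waiver: Optional[dict] = None   # {"approver": ..., "reason": ...} once waived


class PolicyEngine:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.violations: list[Violation] = []

    def _active(self, agent_id: str, rule_id: str) -> Optional[Violation]:
        """Return the open or waived violation for (agent, rule), if any."""
        for v in self.violations:
            if v.agent_id == agent_id and v.rule_id == rule_id and v.status != "closed":
                return v
        return None

    def evaluate(self, agent: dict) -> list[Violation]:
        """Run every rule against one agent: open a violation for each failed
        rule that has none yet, close violations whose rule now passes."""
        for rule in self.rules:
            current = self._active(agent["id"], rule.rule_id)
            if rule.passes(agent):
                if current is not None:
                    current.status = "closed"  # fixed and re-evaluated
            elif current is None:
                self.violations.append(Violation(agent["id"], rule.policy, rule.rule_id,
                                                 rule.severity, rule.remediation))
        return [v for v in self.violations if v.agent_id == agent["id"]]

    def waive(self, agent_id: str, rule_id: str, approver: str, reason: str) -> Violation:
        """Accept the risk: the violation stays on record but is no longer open."""
        v = self._active(agent_id, rule_id)
        if v is None or v.status != "open":
            raise ValueError(f"no open violation {rule_id} for {agent_id}")
        v.status = "waived"
        v.waiver = {"approver": approver, "reason": reason}
        return v

    def trust_score(self, agent_id: str) -> int:
        """Assumed model: 100 minus a penalty per open violation; waived ones do not count."""
        penalty = sum(SEVERITY_PENALTY[v.severity] for v in self.violations
                      if v.agent_id == agent_id and v.status == "open")
        return max(0, 100 - penalty)

    def gap_count(self, policy: str) -> int:
        """Distinct agents with an open violation under the given policy."""
        return len({v.agent_id for v in self.violations
                    if v.policy == policy and v.status == "open"})


def demo() -> tuple:
    engine = PolicyEngine()
    # Constructed agent record: no owner, unapproved model, data scope documented.
    agent = {"id": "agent-042", "owner": None, "model": "vendor-model-x",
             "approved_models": ("approved-model-a",), "data_scope": ["outage-history"]}
    engine.evaluate(agent)
    before = engine.trust_score("agent-042")           # two high-severity violations open
    engine.waive("agent-042", "approved-model", "approver@example.com",
                 "Vendor review scheduled; risk accepted until then")
    after_waiver = engine.trust_score("agent-042")     # only the owner gap still counts
    agent["owner"] = "grid-ops-team"                   # remediate, then re-evaluate
    engine.evaluate(agent)
    after_fix = engine.trust_score("agent-042")        # owner violation closed
    return before, after_waiver, after_fix


if __name__ == "__main__":
    print(demo())  # (40, 70, 100)
```

The waived violation keeps its approver and reason on the record even after the score recovers, which is the audit trail a reviewer would look for when a gap count drops without a corresponding fix.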
## Who can create policies
| Role | Can view | Can create |
|---|---|---|
| Admin | ✓ | ✓ |
| Compliance | ✓ | ✓ |
| Legal | ✓ | ✗ |
| Developer | ✓ (read only) | ✗ |