Defense / Government
Control AI in public-sector workflows — with hard limits, policy, and NIST AI RMF-aligned tamper-evident audit on every decision, before it executes.
An analyst workflow drafts a briefing passage that touches a CUI-marked section. A research workflow reaches for a commercial model when program policy mandates an in-boundary provider. An automation job floods shared capacity after hours, crowding out a mission-critical workload. No one stopped it before the audit.
Keel evaluates a permit before each provider call, using the rules your team defines, and writes a tamper-evident record of every decision.
Where Systems Break Down
- An analyst workflow drafts a paragraph that quotes a CUI-marked passage; the routed provider isn't in the program's authorized boundary
- A commercial-model upgrade rolls into a research workflow and spend on one program jumps 10× over a weekend
- An after-hours automation job saturates shared provider capacity; a mission-critical workload fails during morning standup
- A program security audit asks who authorized a specific AI call — and the answer is "we have logs"
- Finance reconciles per-program AI spend from provider invoices and contract numbers for two weeks
What Stops Before the Provider Call
Every request is evaluated at the permit seam. Unsafe, unbudgeted, or unauthorized requests don't reach the model.
- Policy gates — provider, model, and workflow choices are checked against authored rules before dispatch; mismatches never reach the model
- Fail-closed enforcement — if policy cannot evaluate a request, it is denied — no silent passthrough
- Throttle as a first-class outcome — HTTP 429 with Retry-After for lower-priority flows during constrained-capacity windows
- External attestation gate — challenge sensitive-program workflows until an approved reviewer, an ISSO, an internal approval service, or an existing customer-operated upstream control attests that execution may proceed
Example Rules You Can Enforce
Plain English, backed by the policy engine today.
- "Any CUI workflow is blocked the moment it would leave the authorized boundary." Deny when the workflow handles CUI and the provider's impact-level authorization — maintained by your security team — does not meet the workflow's requirement. No graceful degradation, no failover.
- "Program workflows use only models your program has explicitly ATO'd." Deny when the workflow is tied to a program and the selected model is not in the ATO'd allowlist your program team maintains.
- "Export-controlled research routes only to in-boundary infrastructure." Deny when the workflow references export-controlled content and the provider region is outside the approved boundary.
- "Sensitive-program workflows require external attestation before execution." A challenge decision holds the request until an approved reviewer, ISSO, or upstream control attests the workflow may proceed.
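The four rules above, written as a fail-closed permit check. This is an added sketch, not Keel's code or rule syntax: the `Request` fields, the policy tables and the reason codes are all hypothetical, and the policy data is constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Request:
    workflow: str
    provider: str
    model: str
    handles_cui: bool = False
    required_impact_level: int = 0   # level the workflow requires
    program: Optional[str] = None
    export_controlled: bool = False
    sensitive_program: bool = False
    attested: bool = False           # set once a reviewer/ISSO has attested

# Constructed policy data; in practice maintained by security and program teams.
PROVIDER_IMPACT_LEVEL = {"in-boundary-a": 5, "commercial-b": 2}
PROVIDER_IN_APPROVED_REGION = {"in-boundary-a": True, "commercial-b": False}
ATO_ALLOWLIST = {"program-x": {"model-1"}}

def evaluate(req):
    """Return (decision, reason_code). Anything policy cannot evaluate is denied."""
    try:
        # Look the provider up unconditionally so an unknown provider
        # raises KeyError and fails closed instead of passing through.
        level = PROVIDER_IMPACT_LEVEL[req.provider]
        in_region = PROVIDER_IN_APPROVED_REGION[req.provider]
        if req.handles_cui and level < req.required_impact_level:
            return ("deny", "CUI_OUTSIDE_BOUNDARY")
        if req.program is not None and req.model not in ATO_ALLOWLIST[req.program]:
            return ("deny", "MODEL_NOT_ATO")
        if req.export_controlled and not in_region:
            return ("deny", "REGION_NOT_APPROVED")
        # Deny rules run first; a challenge only holds otherwise-permitted requests.
        if req.sensitive_program and not req.attested:
            return ("challenge", "ATTESTATION_REQUIRED")
        return ("allow", "POLICY_OK")
    except Exception:
        # Unknown provider or program, or a malformed request: no silent passthrough.
        return ("deny", "POLICY_EVAL_FAILED")
```
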
Where the Firewall Strengthens the Baseline
The prompt firewall runs a platform-wide baseline every project inherits. Your team can add defense- and program-specific detectors on top, but cannot weaken the baseline below the floor. Detectors are evaluated before provider dispatch; blocking matches precompute a deny outcome and are recorded in the decision details. This layer screens request content; the decision still happens at the permit.
- CUI markings and control-marking patterns (ITAR, EAR, export-controlled)
- Program code-names, operation names, and restricted-program lexicons
- Personnel PII combined with mission-overlap signals
- Embargoed- and sanctioned-jurisdiction references
What the Decision Record Proves Later
This is what your auditor will ask for. Every evaluated request produces a permit — the decision artifact that survives the conversation.
- Permit — the unit of governance; decision, reason, rule basis, provider, model, budget state
- Stable reason code — machine-readable codes that mean the same thing across every audit, replay, and SDK
- Tamper-evident per-project chain — every governance event participates in a chain that makes modifications detectable on later review
- Cryptographically signed export — Ed25519 signed, verifiable via included CLI, for FedRAMP audit cooperation, ATO review, or program security audit
- Externally anchored checkpoint — signed chain snapshots published to storage outside the runtime, on a regular cadence
- RFC 3161 timestamp receipt — external timestamp witness evidence from an authority Keel does not control
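Why a per-project chain needs an external anchor, as an added sketch (not Keel's record format, export or CLI): each entry commits to the previous entry's hash, so an in-place edit is detectable, while a chain rewritten or truncated from the inside is caught only by comparing against a head hash held elsewhere. Permit fields and reason codes are hypothetical, the sample permits are constructed, and Ed25519 signing and RFC 3161 timestamps are left out.

```python
import hashlib
import json

GENESIS = "0" * 64

def digest(prev_hash, permit):
    # Canonical JSON so the same permit always hashes to the same bytes.
    body = json.dumps(permit, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(chain, permit):
    """Append a permit to the chain and return the new head hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "permit": permit, "hash": digest(prev, permit)})
    return chain[-1]["hash"]

def verify(chain, anchored_head=None):
    """Return -1 if intact, the index of the first bad entry, or
    len(chain) if the chain is self-consistent but its head does not
    match the externally anchored checkpoint (rewrite or truncation)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != digest(prev, entry["permit"]):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(chain)
    return -1

def build_sample():
    """Constructed permits; returns (chain, head), the head being the anchored value."""
    chain, head = [], GENESIS
    for decision, reason, model in [
        ("allow", "POLICY_OK", "model-1"),
        ("deny", "MODEL_NOT_ATO", "model-2"),
        ("challenge", "ATTESTATION_REQUIRED", "model-1"),
    ]:
        head = append(chain, {"decision": decision, "reason": reason,
                              "provider": "in-boundary-a", "model": model})
    return chain, head
```

Without the anchored head, `verify` accepts any chain whose hashes were recomputed after the edit; the checkpoint stored outside the runtime is what makes that rewrite visible.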
Cost Now, Compliance Later
Cost. Provider charges don't show up on the program dashboard until the bill arrives. Keel blocks unbudgeted and out-of-policy execution at the permit seam — before the provider call, not during month-end reconciliation. When estimated cost diverges from actual cost, the usage ledger supports correction, not just reporting.
Compliance. FedRAMP audit, ATO review, and program security audit all ask the same question — who made this request, under what rule, using which provider and model, and why was it allowed? The permit answers it. The signed export produces it. The externally anchored checkpoints and independent timestamps let an auditor verify the record against a party Keel does not control.
If it violates policy, it doesn't run.