Use Cases

Governance for every AI deployment

From regulated fintech to internal ops — governance-sdk adapts to your risk profile with the same in-process, zero-dependency enforcement engine.

◈

Fintech

Payment Agent Governance

Regulated

Challenge

AI payment agents can authorize wire transfers, bulk exports, and credential reads — any of which can cause irreversible financial damage.

Solution

Block high-risk tools by default. Require L3+ score for any payment action. Gate wire transfers behind human approval. Enforce time windows.

blockTools(['wire_transfer', 'bulk_export'])requireLevel(3)requireApproval(['payment'])timeWindow(9, 17)

import { createGovernance } from "governance-sdk";

const gov = createGovernance({
  rules: [
    { id: "block-risky", condition: { type: "tool_blocked", params: { tools: ["wire_transfer", "bulk_export", "secret_read"] } }, outcome: "block", priority: 999 },
    { id: "payment-level", condition: { type: "agent_level", params: { minLevel: 3 } }, outcome: "allow" },
    { id: "approval-gate", condition: { type: "action_type", params: { actions: ["payment_send"] } }, outcome: "require_approval" },
  ]
});

◉

Healthcare

Clinical Data Agent

HIPAA

Challenge

Agents accessing patient records must comply with HIPAA, log every decision, and never exfiltrate PHI — even in error cases.

Solution

Append-only HMAC audit trail. Token budget controls to prevent bulk record reads. Injection detection on all user inputs. EU AI Act alignment.

tokenBudget(10000)detectInjection()requireAuditLogging()blockTools(['bulk_export', 'fs_write'])

const gov = createGovernance({
  storage: postgresStorage({ connectionString: env.DATABASE_URL }),
  rules: [
    { id: "phi-budget", condition: { type: "token_limit", params: { maxTokens: 10000 } }, outcome: "block", reason: "PHI token limit exceeded" },
    { id: "no-bulk", condition: { type: "tool_blocked", params: { tools: ["bulk_export", "fs_write"] } }, outcome: "block" },
  ],
});
// HMAC-chained audit on every enforce()

◆

DevOps Automation

Infrastructure Agent

Critical Infra

Challenge

DevOps agents run shell commands, write config files, and manage cloud resources. A single policy mistake can take down production.

Solution

Block destructive shell patterns. Require verified-identity for infra changes. Sequence checks: plan before apply. Kill switch for runaway agents.

blockTools(['shell_exec', 'db_drop'])requireSequence('tf_apply', ['tf_plan'])requireLevel(4)killSwitch(priority=999)

const gov = createGovernance({ rules: [
  { id: "no-shell", condition: { type: "tool_blocked", params: { tools: ["shell_exec", "db_drop", "rm_rf"] } }, outcome: "block" },
  { id: "plan-first", condition: { type: "tool_sequence", params: { tool: "tf_apply", requiredPrior: ["tf_plan"] } }, outcome: "block", reason: "Must plan before apply" },
  { id: "infra-level", condition: { type: "agent_level", params: { minLevel: 4 } }, outcome: "allow" },
]});

const ks = createKillSwitch(gov);
ks.kill("infra-agent-001", "Runaway apply loop detected");

◎

Customer Support

Support Bot Fleet

High Volume

Challenge

Support agents handle thousands of tickets per hour. Prompt injection attacks, off-script responses, and data leaks are constant risks.

Solution

64+-pattern injection detection. Rate limits per agent. Block CRM writes from injected payloads. Score agents and auto-demote bad actors.

detectInjection()rateLimit(100, 3600000)blockTools(['crm_delete', 'bulk_export'])requireLevel(2)

import { detectInjection } from "governance-sdk";

// On every user message before agent sees it:
const scan = detectInjection(userMessage);
if (scan.detected) {
  return { blocked: true, pattern: scan.pattern, category: scan.category };
}

// Enforce on each tool call:
const result = await gov.enforce("support-bot-7", {
  tool: "crm_update", params: { ticketId, note }
});

◫

SaaS Platform

Multi-Tenant AI Features

Enterprise

Challenge

SaaS platforms ship AI features to hundreds of customers. Each tenant needs isolated policies, separate audit logs, and custom governance rules.

Solution

Enterprise multi-tenancy with namespace isolation. Per-tenant policy overrides. Org-level analytics. RBAC so tenant admins can't escape their sandbox.

namespace(tenantId)rbac(['admin', 'operator', 'viewer'])policyTemplates.saasfleetReport()

import { bootstrapEnterpriseTenant } from "@lua-ai-global/governance-enterprise";

const enterprise = await bootstrapEnterpriseTenant({
  name: customer.name,
  slug: tenantId,
  plan: "enterprise",
  ownerId: ownerId,
  frameworks: ["soc2"],
});

const metrics = await enterprise.analytics.computeTenantMetrics("month");
// → { agents: 12, blockRate: 0.03, topBlocked: [...] }

◐

Internal Ops

Internal Agent Fleet

EU AI Act

Challenge

Internal agents have access to everything: Slack, calendars, databases, email. Without governance, one compromised agent can exfiltrate the whole org.

Solution

EU AI Act Article 9 risk management. Time-window enforcement for business hours. Approval gates on external sends. Full audit trail exportable for legal.

assessCompliance()timeWindow(9, 18)requireApproval(['message_send'])auditExport()

import { assessCompliance } from "governance-sdk/compliance";

const status = assessCompliance(gov);
// → { covered: 5, gaps: 1, score: 83, articles: [...] }

// Export audit trail for legal review:
const trail = await chain.export();
// → { events: [...], verified: true, chain: "HMAC-SHA256" }

Ready to govern your agents?

One SDK. Every use case. Zero runtime dependencies.

npm install governance-sdkRead the docs →