Policy Templates
Overview
Ascend provides a library of pre-built policy templates designed for common AI governance scenarios. These templates serve as starting points that can be customized to meet your organization's specific requirements. Each template follows enterprise security best practices and includes recommended configurations.
Key Capabilities
- Quick Start: Deploy governance policies in minutes
- Best Practices: Templates based on enterprise security standards
- Customizable: Modify any template to fit your needs
- Compliance Ready: Pre-mapped to SOC 2, PCI-DSS, HIPAA, GDPR
- Categorized: Organized by use case and risk area
Template Categories
Security Templates
Templates focused on protecting critical infrastructure and preventing unauthorized access.
Data Protection Templates
Templates for protecting sensitive data including PII, PHI, and financial information.
Compliance Templates
Templates designed to meet specific regulatory requirements.
Operational Templates
Templates for managing day-to-day AI operations and workflows.
Security Templates
SEC-001: Production Environment Protection
Protects production environments from unauthorized modifications.
Template: SEC-001
Name: production-environment-protection
Category: Security
Compliance: SOC 2 CC6.1, NIST AC-3
Match Criteria:
  - Resource patterns: ["production.*", "prod.*", "*-prod-*"]
  - Verb patterns: ["write", "update", "delete", "modify", "alter", "drop"]
Conditions:
  - Environment: production
Action: REQUIRE_APPROVAL
Approval Level: 3
Timeout: 60 minutes
Notifications: [security-team, infrastructure-leads]
Description: |
  Requires manager-level approval for any write, update, or delete
  operations targeting production resources. Prevents accidental or
  unauthorized changes to production systems.
Customization Options:
- Adjust resource patterns for your naming conventions
- Modify approval level based on organizational hierarchy
- Add/remove specific verbs
SEC-002: Admin Privilege Escalation Control
Controls administrative operations and privilege escalation.
Template: SEC-002
Name: admin-privilege-control
Category: Security
Compliance: SOC 2 CC6.2, PCI-DSS 7.1, NIST AC-6
Match Criteria:
  - Verb patterns: ["grant", "revoke", "chmod", "chown", "sudo", "admin_*"]
  - Resource patterns: ["*permission*", "*role*", "*privilege*", "*access*"]
Conditions:
  - Risk Score: >= 60
Action: ESCALATE
Approval Level: 4
Timeout: 30 minutes
Require Dual Approval: true
Notifications: [security-executives, compliance-team]
Description: |
  Requires senior management approval and dual authorization for
  any operations that modify permissions, roles, or privileges.
  Critical for preventing unauthorized access escalation.
SEC-003: Credential Access Protection
Blocks or heavily restricts access to credentials and secrets.
Template: SEC-003
Name: credential-access-protection
Category: Security
Compliance: SOC 2 CC6.1, PCI-DSS 8.3, NIST IA-5
Match Criteria:
  - Resource patterns: [
      "*credential*", "*password*", "*secret*",
      "*api_key*", "*token*", "*certificate*",
      "*.pem", "*.key", "*vault*"
    ]
Conditions: None (applies to all)
Action: DENY
Message: "Credential access is restricted. Contact security team."
Notifications: [security-operations, audit-log]
Exceptions:
  - User roles: [security-admin, secrets-manager]
  - With approval level 5
Description: |
  Blocks all agent access to credential storage and secrets.
  Only security administrators can access credentials after
  executive approval.
SEC-004: Network Security Operations
Controls network-related operations.
Template: SEC-004
Name: network-security-control
Category: Security
Compliance: SOC 2 CC6.6, PCI-DSS 1.3, NIST SC-7
Match Criteria:
  - Namespace patterns: ["network", "firewall", "dns", "routing"]
  - Verb patterns: ["modify", "create", "delete", "update"]
Action: REQUIRE_APPROVAL
Approval Level: 3
Timeout: 45 minutes
Notifications: [network-security, infrastructure]
Description: |
  Requires approval for any modifications to network configuration,
  firewall rules, DNS settings, or routing tables.
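The security templates above share one evaluation shape: glob-style match criteria, optional conditions, an action, and role-plus-approval exceptions. The following is an added example, not Ascend's own engine code, that applies that shape to a single requested action using SEC-001, SEC-002 and SEC-003 as transcribed from this page. It assumes (the page does not say) that every listed criterion must match, that patterns are shell-style globs compared case-insensitively, that when several templates match the most restrictive action wins (DENY over ESCALATE over REQUIRE_APPROVAL over ALLOW), and that an exception applies only when the caller holds a listed role and carries approval at or above the listed level. The request dicts are constructed.

```python
"""Added example (not Ascend's own code): evaluate one requested action
against the page's SEC-001..SEC-003 templates.

Assumptions (not stated on the page): all listed criteria must hold (AND);
patterns are case-insensitive shell globs; the most restrictive action among
matching templates wins; an exception needs a listed role AND enough approval.
"""
from fnmatch import fnmatchcase

SEVERITY = {"ALLOW": 0, "REQUIRE_APPROVAL": 1, "ESCALATE": 2, "DENY": 3}

# Transcribed from the page; only the fields this evaluator uses are kept.
TEMPLATES = [
    {
        "id": "SEC-001",
        "resource_patterns": ["production.*", "prod.*", "*-prod-*"],
        "verb_patterns": ["write", "update", "delete", "modify", "alter", "drop"],
        "conditions": {"environment": "production"},
        "action": "REQUIRE_APPROVAL",
    },
    {
        "id": "SEC-002",
        "verb_patterns": ["grant", "revoke", "chmod", "chown", "sudo", "admin_*"],
        "resource_patterns": ["*permission*", "*role*", "*privilege*", "*access*"],
        "conditions": {"min_risk_score": 60},
        "action": "ESCALATE",
    },
    {
        "id": "SEC-003",
        "resource_patterns": ["*credential*", "*password*", "*secret*", "*api_key*",
                              "*token*", "*certificate*", "*.pem", "*.key", "*vault*"],
        "action": "DENY",
        "exceptions": {"roles": ["security-admin", "secrets-manager"], "approval_level": 5},
    },
]


def _any_match(value, patterns):
    """True if the value matches at least one glob pattern (case-insensitive)."""
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def _criteria_match(tmpl, req):
    """Every criterion and condition present on the template must hold."""
    if "resource_patterns" in tmpl and not _any_match(req["resource"], tmpl["resource_patterns"]):
        return False
    if "verb_patterns" in tmpl and not _any_match(req["verb"], tmpl["verb_patterns"]):
        return False
    cond = tmpl.get("conditions", {})
    if "environment" in cond and req.get("environment") != cond["environment"]:
        return False
    if "min_risk_score" in cond and req.get("risk_score", 0) < cond["min_risk_score"]:
        return False
    return True


def _exception_applies(tmpl, req):
    """Assumed semantics: a listed role AND approval at or above the listed level."""
    exc = tmpl.get("exceptions")
    if not exc:
        return False
    has_role = bool(set(req.get("roles", [])) & set(exc["roles"]))
    return has_role and req.get("approval_level", 0) >= exc["approval_level"]


def evaluate(req, templates=TEMPLATES):
    """Return (decision, [matched template ids]) for one requested action."""
    decision, matched = "ALLOW", []
    for tmpl in templates:
        if not _criteria_match(tmpl, req):
            continue
        if _exception_applies(tmpl, req):
            matched.append(tmpl["id"] + " (excepted)")
            continue
        matched.append(tmpl["id"])
        if SEVERITY[tmpl["action"]] > SEVERITY[decision]:
            decision = tmpl["action"]
    return decision, matched


if __name__ == "__main__":
    # Constructed requests: a production delete, an over-broad "*access*" hit on
    # an access-log table, a credential read, and a layered SEC-001 + SEC-003 case.
    for req in [
        {"resource": "prod.orders", "verb": "delete", "environment": "production"},
        {"resource": "db.access_logs", "verb": "chmod", "risk_score": 75},
        {"resource": "vault/app/api_key", "verb": "read"},
        {"resource": "prod.secrets.db_password", "verb": "update", "environment": "production"},
    ]:
        print(req["resource"], req["verb"], "->", evaluate(req))
```

The second constructed request is the kind of result to watch for when tuning SEC-002: "*access*" is satisfied by an access-log table name, so reviewing what a pattern actually matches in your inventory belongs in the customization step. The last request shows why layering works in the evaluator's most-restrictive model: SEC-001 alone would only require approval, but SEC-003 also matches and the DENY wins.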
Data Protection Templates
DATA-001: PII Protection
Protects personally identifiable information.
Template: DATA-001
Name: pii-data-protection
Category: Data Protection
Compliance: GDPR Art. 25, CCPA, SOC 2 CC6.5
Match Criteria:
  - Resource patterns: [
      "*pii*", "*personal*", "*ssn*", "*social_security*",
      "*date_of_birth*", "*dob*", "*address*", "*phone*",
      "*email*", "*.customers.*", "*.users.*"
    ]
Conditions:
  - Data Classification: [pii, personal]
Action: REQUIRE_APPROVAL
Approval Level: 2
Timeout: 30 minutes
Notifications: [privacy-team, data-protection-officer]
Exceptions:
  - User roles: [privacy-admin, compliance-analyst]
  - Operations: [count, aggregate] (non-identifying queries)
Description: |
  Requires approval for any access to PII data. Includes
  customer names, addresses, phone numbers, email addresses,
  and government identifiers.
DATA-002: Financial Data Protection
Protects financial and payment information.
Template: DATA-002
Name: financial-data-protection
Category: Data Protection
Compliance: PCI-DSS 3.4, SOX, SOC 2 CC6.5
Match Criteria:
  - Resource patterns: [
      "*credit_card*", "*card_number*", "*cvv*", "*expiry*",
      "*bank_account*", "*routing_number*", "*payment*",
      "*transaction*", "*billing*", "*invoice*"
    ]
  - Data Classification: [financial, pci, payment]
Action: ESCALATE
Approval Level: 4
Timeout: 15 minutes
Require Dual Approval: true
Notifications: [finance-security, pci-compliance, audit]
Description: |
  Provides enhanced protection for financial data including
  payment card information, bank accounts, and transaction records.
  Requires executive approval with dual authorization.
DATA-003: Healthcare Data Protection (HIPAA)
Governs access to protected health information (PHI).
Template: DATA-003
Name: phi-protection
Category: Data Protection
Compliance: HIPAA 164.312, HITECH
Match Criteria:
  - Resource patterns: [
      "*patient*", "*medical*", "*diagnosis*", "*treatment*",
      "*prescription*", "*health*", "*hipaa*", "*phi*",
      "*.ehr.*", "*.emr.*"
    ]
  - Data Classification: [phi, medical, hipaa]
Conditions:
  - Environment: [production, staging]
Action: REQUIRE_APPROVAL
Approval Level: 3
Timeout: 30 minutes
Audit: enhanced
Notifications: [hipaa-compliance, healthcare-security]
Description: |
  Protects PHI in compliance with HIPAA requirements.
  All access is logged and requires approval from
  authorized healthcare personnel.
DATA-004: Intellectual Property Protection
Protects proprietary and confidential business information.
Template: DATA-004
Name: intellectual-property-protection
Category: Data Protection
Compliance: SOC 2 CC6.5, Trade Secret Protection
Match Criteria:
  - Resource patterns: [
      "*proprietary*", "*confidential*", "*trade_secret*",
      "*source_code*", "*algorithm*", "*patent*",
      "*roadmap*", "*strategy*"
    ]
  - Data Classification: [confidential, secret, proprietary]
Action: DENY
Message: "Access to intellectual property is restricted."
Notifications: [legal-team, security]
Exceptions:
  - User roles: [executive, legal-counsel, ip-manager]
  - With approval level 5
Description: |
  Protects intellectual property and trade secrets from
  unauthorized access. Only executives and legal can access
  with explicit approval.
Compliance Templates
COMP-001: SOX Compliance
Supports Sarbanes-Oxley compliance for financial systems.
Template: COMP-001
Name: sox-compliance-controls
Category: Compliance
Compliance: SOX Section 404
Match Criteria:
  - Resource patterns: [
      "*financial*", "*accounting*", "*ledger*",
      "*journal*", "*revenue*", "*expense*"
    ]
  - Verb patterns: ["create", "update", "delete", "modify"]
Conditions:
  - Environment: production
Action: REQUIRE_APPROVAL
Approval Level: 3
Timeout: 60 minutes
Audit: enhanced
Require Segregation of Duties: true
Notifications: [sox-compliance, finance-controls, audit]
Description: |
  Enforces SOX compliance for financial reporting systems.
  All modifications require approval with segregation of duties
  and enhanced audit logging.
COMP-002: GDPR Data Subject Rights
Supports GDPR compliance for data subject requests.
Template: COMP-002
Name: gdpr-data-subject-rights
Category: Compliance
Compliance: GDPR Articles 15-22
Match Criteria:
  - Verb patterns: ["export", "delete", "anonymize", "rectify"]
  - Resource patterns: ["*user*", "*customer*", "*personal*"]
Action: REQUIRE_APPROVAL
Approval Level: 2
Timeout: 72 hours  # GDPR requires response within 30 days
Audit: enhanced
Notifications: [privacy-team, dpo]
Description: |
  Governs AI actions related to GDPR data subject rights
  including access requests, deletion, and rectification.
  Ensures proper authorization and audit trail.
COMP-003: Audit Trail Enforcement
Ensures comprehensive audit logging.
Template: COMP-003
Name: audit-trail-enforcement
Category: Compliance
Compliance: SOC 2 CC7.2, PCI-DSS 10.2, HIPAA 164.312(b)
Match Criteria:
  - All actions
Action: ALLOW (with enhanced logging)
Audit Level: comprehensive
Retention: 7 years
Immutable: true
Include: [
    action_details,
    user_context,
    risk_assessment,
    policy_evaluation,
    timestamp,
    session_info
  ]
Description: |
  Ensures all AI actions are logged with comprehensive
  audit information. Logs are immutable and retained
  for compliance requirements.
Operational Templates
OPS-001: After-Hours Operations
Controls operations outside business hours.
Template: OPS-001
Name: after-hours-controls
Category: Operations
Compliance: SOC 2 CC6.1
Match Criteria:
  - All actions
Conditions:
  - Time Range: OUTSIDE 09:00-17:00
  - Days: Monday-Friday
  - Timezone: Organization default
  - Risk Score: >= 30
Action: ESCALATE
Approval Level: 3
Timeout: 30 minutes
Notifications: [on-call-security, operations]
Description: |
  Requires escalated approval for medium and higher risk
  operations performed outside normal business hours.
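The after-hours condition looks trivial but the usual mistake is evaluating the time range against UTC event timestamps rather than the organization's default timezone, which silently shifts the window by several hours and moves weekend boundaries. The following added example (not Ascend's own code) evaluates the OPS-001 condition set for one action, converting a UTC timestamp into a constructed fixed UTC-5 "organization default" zone before checking weekday, hours and risk score. Treating 09:00 as inclusive and 17:00 as exclusive is an assumption; the page only says OUTSIDE 09:00-17:00.

```python
"""Added example (not Ascend's own code): OPS-001 after-hours condition check.

Assumptions: the organization default timezone is a constructed fixed UTC-5
offset; business hours run 09:00 inclusive to 17:00 exclusive, Monday-Friday;
an action is ESCALATE when it is outside that window and risk score >= 30,
otherwise this template does not apply and the result is ALLOW.
"""
from datetime import datetime, timedelta, timezone

ORG_TZ = timezone(timedelta(hours=-5))  # constructed "organization default"
BUSINESS_START, BUSINESS_END = 9, 17    # local hours; 09:00 inclusive, 17:00 exclusive
RISK_THRESHOLD = 30                     # OPS-001: Risk Score >= 30


def is_business_hours(when_utc, tz=ORG_TZ):
    """True if the UTC timestamp falls within Mon-Fri 09:00-17:00 in tz."""
    if when_utc.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    local = when_utc.astimezone(tz)       # convert BEFORE looking at hour/weekday
    return local.weekday() < 5 and BUSINESS_START <= local.hour < BUSINESS_END


def after_hours_decision(when_utc, risk_score, tz=ORG_TZ):
    """OPS-001: ESCALATE medium-or-higher risk actions outside business hours."""
    if not is_business_hours(when_utc, tz) and risk_score >= RISK_THRESHOLD:
        return "ESCALATE"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed timestamps (2024-03-06 is a Wednesday, 2024-03-09 a Saturday).
    samples = [
        (datetime(2024, 3, 6, 15, 0, tzinfo=timezone.utc), 50),   # 10:00 local Wed
        (datetime(2024, 3, 6, 23, 30, tzinfo=timezone.utc), 50),  # 18:30 local Wed
        (datetime(2024, 3, 9, 16, 0, tzinfo=timezone.utc), 30),   # 11:00 local Sat
        (datetime(2024, 3, 7, 3, 0, tzinfo=timezone.utc), 80),    # Thu 03:00 UTC = Wed 22:00 local
    ]
    for when, risk in samples:
        print(when.isoformat(), risk, "->", after_hours_decision(when, risk))
```

The fourth sample is the case that goes wrong without the conversion: the UTC date is already Thursday, but locally it is still Wednesday evening, and a UTC-based check that only looked at the hour would also classify 03:00 as after hours for the wrong reason.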
OPS-002: Autonomous Agent Controls
Enhanced controls for autonomous agents.
Template: OPS-002
Name: autonomous-agent-controls
Category: Operations
Compliance: SOC 2 CC6.1, Emerging AI Governance
Match Criteria:
  - Agent Type: autonomous
Conditions:
  - Risk Score: >= 40
Action: REQUIRE_APPROVAL
Approval Level: 2
Timeout: 15 minutes
Require Dual Approval: true (for risk >= 70)
Rate Limit: 100/hour
Notifications: [ai-governance, security]
Description: |
  Applies stricter controls to autonomous AI agents.
  Lower risk thresholds and rate limiting to prevent
  runaway operations.
OPS-003: Bulk Operations Control
Controls large-scale batch operations.
Template: OPS-003
Name: bulk-operations-control
Category: Operations
Compliance: SOC 2 CC6.1
Match Criteria:
  - Operation metadata: batch_size > 100
  - Verb patterns: ["bulk_*", "batch_*", "mass_*"]
Action: REQUIRE_APPROVAL
Approval Level: 3
Timeout: 45 minutes
Notifications: [operations, data-team]
Description: |
  Requires approval for bulk operations that affect
  more than 100 records to prevent accidental
  large-scale changes.
OPS-004: Rate Limiting Enforcement
Prevents excessive API usage.
Template: OPS-004
Name: rate-limiting
Category: Operations
Compliance: SOC 2 CC6.1
Match Criteria:
  - All actions
Conditions:
  - Actions per minute > 100
  - OR Actions per hour > 2000
Action: DENY
Message: "Rate limit exceeded. Please slow down requests."
Cooldown: 5 minutes
Notifications: [operations, security]
Description: |
  Enforces rate limiting to prevent API abuse or
  runaway agent operations.
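OPS-004 combines two windows (per minute OR per hour) with a cooldown, and a fixed-bucket counter that resets on the minute boundary would let an agent burst 200 actions across a boundary. The following added example (not Ascend's own code) implements the template's thresholds as a sliding window keyed per agent, denying the 101st action in any 60-second span or the 2001st in any 3600-second span and then refusing everything from that agent for the 5-minute cooldown. Per-agent keying and "deny all during cooldown" are assumptions; timestamps are passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not Ascend's own code): OPS-004 as a sliding-window limiter.

Page values: 100 actions/minute OR 2000 actions/hour -> DENY with the page's
message, then a 5-minute cooldown. Assumed: limits are tracked per agent, and
every action from that agent is denied until the cooldown expires.
"""
from collections import deque

PER_MINUTE, PER_HOUR, COOLDOWN_SECONDS = 100, 2000, 300
MESSAGE = "Rate limit exceeded. Please slow down requests."


class RateLimiter:
    def __init__(self, per_minute=PER_MINUTE, per_hour=PER_HOUR, cooldown=COOLDOWN_SECONDS):
        self.per_minute, self.per_hour, self.cooldown = per_minute, per_hour, cooldown
        self._events = {}          # agent -> deque of allowed-action timestamps (seconds)
        self._cooldown_until = {}  # agent -> timestamp at which the cooldown ends

    def check(self, agent, now):
        """Decide one action at time `now`; returns ("ALLOW", None) or ("DENY", MESSAGE)."""
        until = self._cooldown_until.get(agent)
        if until is not None and now < until:
            return "DENY", MESSAGE
        q = self._events.setdefault(agent, deque())
        # Evict events older than the longest window so memory stays bounded.
        while q and now - q[0] >= 3600:
            q.popleft()
        # The deque is time-ordered, so the per-minute count is the tail.
        last_minute = 0
        for t in reversed(q):
            if now - t >= 60:
                break
            last_minute += 1
        # "> 100 per minute": the 101st action inside a 60 s window is denied.
        if last_minute >= self.per_minute or len(q) >= self.per_hour:
            self._cooldown_until[agent] = now + self.cooldown
            return "DENY", MESSAGE
        q.append(now)
        return "ALLOW", None


if __name__ == "__main__":
    # Constructed burst: agent "a" fires 10 actions per second for 10 seconds.
    rl = RateLimiter()
    for i in range(100):
        rl.check("a", i * 0.1)
    print("101st within a minute:", rl.check("a", 10.0))
    print("during cooldown:      ", rl.check("a", 200.0))
    print("other agent, same time:", rl.check("b", 200.0))
    print("after cooldown:        ", rl.check("a", 400.0))
```

Denied actions are deliberately not appended to the deque: if they were, an agent that keeps retrying during cooldown would extend its own window and never recover, which turns a throttle into a self-inflicted outage for a merely noisy agent.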
How to Use Templates
1. Browse and Select
# List available templates
curl -X GET https://api.ascend.security/api/policies/templates \
-H "Authorization: Bearer YOUR_API_KEY"
# Get template details
curl -X GET https://api.ascend.security/api/policies/templates/SEC-001 \
-H "Authorization: Bearer YOUR_API_KEY"
2. Deploy Template
# Deploy a template with defaults
curl -X POST https://api.ascend.security/api/policies/templates/SEC-001/deploy \
-H "Authorization: Bearer YOUR_API_KEY"
# Deploy with customizations
curl -X POST https://api.ascend.security/api/policies/templates/SEC-001/deploy \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name_override": "custom-production-protection",
"customizations": {
"priority": 25,
"resource_patterns": ["production.*", "prod-env.*"],
"approval_level": 4
}
}'
3. Customize Template (SDK)
from ascend import AscendClient

client = AscendClient(api_key="your-api-key")

# Get template
template = client.policies.templates.get("DATA-001")

# Customize and deploy
policy = template.deploy(
    name_override="custom-pii-protection",
    customizations={
        "resource_patterns": [
            "*pii*", "*customer.*", "*user.*"
        ],
        "approval_level": 3,
        "notifications": ["privacy-team@company.com"]
    }
)
Best Practices
Template Selection
- Start with Compliance: Choose templates matching your regulatory requirements
- Layer Templates: Combine multiple templates for defense in depth
- Customize Thoughtfully: Understand each setting before modifying
- Test First: Deploy to staging before production
Customization Guidelines
| Field | Safe to Modify | Caution Required |
|---|---|---|
| Name | Yes | Keep descriptive |
| Priority | Yes | Maintain logical order |
| Resource Patterns | Yes | Don't over-broaden |
| Approval Level | Yes | Don't lower unnecessarily |
| Notifications | Yes | Ensure coverage |
| Action Type | Caution | May reduce protection |
| Conditions | Caution | May create gaps |
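The table above is easy to turn into a pre-deploy check that runs over the same `customizations` object the deploy endpoint accepts. The following added example (not Ascend's own code) does that for three of the rows: it flags a resource pattern with no literal text (which matches every resource), an approval level below the template default, a weaker action type than the template default, and an empty notification list. The template defaults are transcribed from SEC-001 and DATA-002; the rule that "over-broad" means no alphanumeric character outside the wildcards, and the action strength ordering DENY > ESCALATE > REQUIRE_APPROVAL > ALLOW, are assumptions.

```python
"""Added example (not Ascend's own code): lint a customizations payload
against the customization guidelines table before deploying.

Assumed rules: a pattern whose non-wildcard characters contain no letter or
digit is over-broad; lowering approval_level below the template default,
choosing a weaker action than the default, or emptying notifications is
flagged. Defaults are transcribed from SEC-001 and DATA-002 on this page.
"""
SEVERITY = {"ALLOW": 0, "REQUIRE_APPROVAL": 1, "ESCALATE": 2, "DENY": 3}

TEMPLATE_DEFAULTS = {
    "SEC-001": {"action": "REQUIRE_APPROVAL", "approval_level": 3,
                "resource_patterns": ["production.*", "prod.*", "*-prod-*"]},
    "DATA-002": {"action": "ESCALATE", "approval_level": 4,
                 "resource_patterns": ["*credit_card*", "*card_number*", "*cvv*", "*expiry*",
                                       "*bank_account*", "*routing_number*", "*payment*",
                                       "*transaction*", "*billing*", "*invoice*"]},
}


def is_over_broad(pattern):
    """True if nothing but wildcards and punctuation is left, e.g. "*" or "*.*"."""
    literal = pattern.replace("*", "").replace("?", "")
    return not any(ch.isalnum() for ch in literal)


def lint_customizations(template_id, customizations):
    """Return a list of warning strings; an empty list means nothing was flagged."""
    base = TEMPLATE_DEFAULTS[template_id]
    warnings = []
    for p in customizations.get("resource_patterns", []):
        if is_over_broad(p):
            warnings.append(f"resource pattern {p!r} matches every resource")
    level = customizations.get("approval_level")
    if level is not None and level < base["approval_level"]:
        warnings.append(f"approval_level {level} is below the template default {base['approval_level']}")
    action = customizations.get("action")
    if action is not None:
        if action not in SEVERITY:
            warnings.append(f"unknown action {action!r}")
        elif SEVERITY[action] < SEVERITY[base["action"]]:
            warnings.append(f"action {action} is weaker than the template default {base['action']}")
    if "notifications" in customizations and not customizations["notifications"]:
        warnings.append("notifications is empty; no one will be alerted")
    return warnings


if __name__ == "__main__":
    # The page's own curl customization for SEC-001 passes clean.
    print(lint_customizations("SEC-001", {"priority": 25,
                                          "resource_patterns": ["production.*", "prod-env.*"],
                                          "approval_level": 4}))
    # A constructed risky customization trips every rule.
    for w in lint_customizations("SEC-001", {"resource_patterns": ["*", "*.*"],
                                             "approval_level": 1, "action": "ALLOW",
                                             "notifications": []}):
        print("WARN:", w)
```

Wiring this in front of the deploy call (and into the staging step from "Test First") catches the two changes that the table marks as reducing protection before they are live, rather than in the quarterly review.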
Template Maintenance
- Review Quarterly: Ensure templates match current requirements
- Track Updates: Watch for new template versions
- Audit Usage: Verify templates are correctly applied
- Document Changes: Record all customizations
Related
- Policy Engine Overview - Engine architecture
- Policy Concepts - Core concepts
- Visual Policy Builder - UI creation
- Policy Testing - Testing templates
- Compliance - Compliance frameworks
Compliance
Templates support compliance with:
- SOC 2: CC6.1, CC6.2, CC6.5, CC6.6, CC7.2, CC8.1
- PCI-DSS: 1.3, 3.4, 7.1, 7.2, 8.3, 10.2
- HIPAA: 164.312(a), 164.312(b), 164.312(c)
- GDPR: Articles 5, 15-22, 25, 32
- SOX: Section 404
- NIST 800-53: AC-1 through AC-6, IA-5, SC-7