Policy Engine

The Policy Engine determines whether AI can access data in real-time—at the exact moment of use—not days or weeks later.

What it does

The Policy Engine evaluates every access request in real-time against a set of rules defined by the data holder.

It acts as the gatekeeper between AI systems and sensitive data, determining:

  • Which model can access the data
  • For what purpose (training, inference, QA)
  • For how long (expiration)
  • With which constraints (regulators, jurisdictions)

If the policy evaluation fails at any point, access does not happen.

How it works

1. Define Policies

Data holders define access policies using a simple JSON format:

{
  "id": "policy_medical_research",
  "name": "Medical Research Access",
  "rules": [
    {
      "allowed_models": ["research-v1", "research-v2"],
      "allowed_purposes": ["training", "validation"],
      "max_duration": "30d",
      "jurisdictions": ["EU", "UK"],
      "require_approval": true
    }
  ],
  "rejection_behavior": "block_access"
}

2. Request Access

AI systems request access with specific parameters:

import xase

client = xase.Client(api_key="sk_...")

# Request governed access
session = client.access(
    dataset="medical-records-2024",
    purpose="training",
    model_id="research-v2",
    duration="30d"
)

# Policy evaluation happens HERE in real-time
# If approved, session is created
# If rejected, AccessDeniedError is raised

3. Policy Evaluation

The policy engine evaluates each request against all applicable rules:

  • Is this model allowed to access this dataset?
  • Is this purpose allowed?
  • Is the requested duration within limits?
  • Does this comply with regulatory requirements?
  • Is human approval required before access?

4. Access Result

Based on the evaluation:

✓ Approved
  • Session created
  • Access granted
  • Evidence recorded
  • Usage metering starts

✗ Denied
  • AccessDeniedError raised
  • Denial logged
  • Detailed reason provided
  • No data access occurs
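
The four steps above can be traced with a small local evaluator. This is an added example, not Xase's implementation or SDK code: the function names, the `jurisdiction` and `approved` request fields, the `h`/`d` duration suffixes, and the choice that a request is allowed when any single rule passes all of its checks are assumptions made for illustration. It denies by default, so a missing field, a malformed duration, or an empty rule list all end in a denial with the failed checks listed.

```python
import re

# Added example, not Xase code. Request keys 'jurisdiction' and 'approved' are assumed.
# The policy from step 1, as a Python dict (constructed copy of the page's JSON).
POLICY = {
    "id": "policy_medical_research",
    "rules": [{
        "allowed_models": ["research-v1", "research-v2"],
        "allowed_purposes": ["training", "validation"],
        "max_duration": "30d",
        "jurisdictions": ["EU", "UK"],
        "require_approval": True,
    }],
    "rejection_behavior": "block_access",
}

_UNITS = {"h": 3600, "d": 86400}  # assumed duration suffixes

def parse_duration(text):
    """Return seconds for strings like '30d'; None if malformed (treated as a denial)."""
    m = re.fullmatch(r"([1-9]\d*)([hd])", text) if isinstance(text, str) else None
    return int(m.group(1)) * _UNITS[m.group(2)] if m else None

def check_rule(rule, req):
    """Return the list of failed checks for one rule; an empty list means the rule passes."""
    failed = []
    if req.get("model_id") not in rule.get("allowed_models", []):
        failed.append("model")
    if req.get("purpose") not in rule.get("allowed_purposes", []):
        failed.append("purpose")
    asked, limit = parse_duration(req.get("duration")), parse_duration(rule.get("max_duration"))
    if asked is None or limit is None or asked > limit:
        failed.append("duration")
    if req.get("jurisdiction") not in rule.get("jurisdictions", []):
        failed.append("jurisdiction")
    # A missing require_approval key is treated as True, so omission cannot weaken the rule.
    if rule.get("require_approval", True) and not req.get("approved", False):
        failed.append("approval")
    return failed

def evaluate(policy, req):
    """Default deny: access is allowed only if some rule passes every check (assumed semantics)."""
    reasons = []
    for i, rule in enumerate(policy.get("rules", [])):
        failed = check_rule(rule, req)
        if not failed:
            return {"allowed": True, "rule": i, "reasons": []}
        reasons.append({"rule": i, "failed": failed})
    return {"allowed": False, "rule": None, "reasons": reasons or [{"rule": None, "failed": ["no_rules"]}]}
```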

Policy features

Conditions

Fine-grained conditions based on model, purpose, time, and metadata.

Human Approval

Optional human approval workflow before access is granted.

Versioning

Policy changes are versioned with full history for audit.

Regulatory Compliance

Built-in rules for GDPR, LGPD, and EU AI Act compliance.

© 2025 Xase founders@xase.ai