Designed for Regulated AI Workflows.
Regulated enterprises carry specific obligations that shape how AI can be deployed. Most of these regulations predate generative AI, but their underlying requirements (authentication of actors, control of sensitive data, retention of auditable records, and defensibility under review) map directly to the properties of an inline AI policy gateway.
DeepInspect addresses these obligations through three mechanisms. Deterministic inline policy evaluates each AI request against the active configuration before the request reaches the model. Per-role action overrides let the same policy produce different outcomes for different user roles, so a Finance user might receive tokenized data while an HR user receives redacted data and other roles are blocked outright. A tamper-evident forensic record preserves the decision, the policy version in effect, and the actor identity for every interaction. The complete transaction, including the original request, the transformed request, the upstream response, and the transformed response, is retained in a customer-configurable object store.
Healthcare
For enterprises processing PHI through AI systems, DeepInspect supports inline redaction, tokenization, and blocking on request payloads. The PHI opt-in policy runs in the request path and applies the configured action before any data reaches the upstream model. Per-role action overrides let a clinical role receive tokenized identifiers for traceability while a non-clinical role sees redacted payloads and other roles are blocked outright. Every decision writes to a tamper-evident forensic record with a cryptographic signature, providing audit material relevant to HIPAA Security Rule 45 CFR 164.312(b) audit controls and 164.312(c) integrity requirements.
Financial Services
For financial services workloads, DeepInspect enforces segmented access to customer and market data through identity-aware policy evaluation. PII, payment, and customer-owned data classes are available as opt-in policies with configurable actions. Per-role action overrides segment access along organizational lines without separate deployment stacks. The forensic store and the transaction object store together retain the decision record and the complete request and response data that regulators review during inspection. Capabilities in this area apply to obligations under the Gramm-Leach-Bliley Act, SEC Regulation S-P, and FINRA Rule 4511.
EU AI Act High-Risk Systems
For enterprises subject to EU AI Act obligations on high-risk systems, DeepInspect provides the enforcement and record-keeping layer the regulation anticipates. Policy versioning in the control plane produces the change-control trail relevant to Article 17 quality management. The forensic record supports Article 12 record-keeping obligations, with every rule evaluation path preserved alongside the decision. Inline enforcement addresses Article 9 risk management by applying the configured controls at request time, with fail-closed default behavior. Identity-based restrictions and per-role action overrides scope the transparency requirements of Article 13 to the specific actors a given rule concerns.
SOC 2
For SOC 2 engagements, DeepInspect produces evidence aligned to the Trust Services Criteria. Identity-aware policy evaluation and access-decision logs apply to CC6.1 logical access requirements. The event-level audit trail supports CC6.6 monitoring for unauthorized access, and the real-time block and escalation paths support CC7.2 monitoring controls for security events. The policy-versioning workflow in the control plane addresses CC8.1 change management. Evidence exports are organized by control narrative, so the auditor reads a list of events mapped against the specific criteria the engagement covers.
Creating and Managing Policies
Policies in DeepInspect fall into two categories. The first is a set of deterministic opt-in detectors for PII, PHI, PCI, and other well-defined sensitive data classes. Each detector runs inline and applies a configurable action (redact, tokenize, or block) to matching payloads, with per-role action overrides for different user roles in the same policy. The second is a user-defined natural-language policy, where the customer describes a governance rule in plain language and the gateway evaluates it at request time using a configured LLM or SLM. Natural-language evaluation is non-deterministic by design, and each evaluation is captured in the forensic store alongside the inputs.
Policies are grouped into policy profiles. A profile bundles a set of policies together with their per-role action maps into a reusable configuration. Profiles are attached to application routes in the gateway, which lets the same policy structure apply to multiple applications without duplication. When a profile changes, the control plane replays recent production traffic against the draft in a staging environment to surface the decisions the new profile would produce. Promotion to production is explicit, and the previous profile version stays available for rollback.
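As an added illustration (not DeepInspect's own code; the policy layout, detector pattern, signing key and role names are all assumed), this Python sketch shows how the per-role action map described above turns one deterministic policy into different outcomes for a Finance role, an HR role and any unlisted role, and how each decision is written as a signed forensic record carrying the policy version and actor identity:

```python
import hashlib
import hmac
import json
import re

# Constructed policy: one opt-in detector, a fail-closed default, and per-role overrides.
POLICY = {
    "version": "ssn-policy-v3",                        # recorded with every decision
    "detector": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # constructed SSN-like pattern
    "default_action": "block",                         # roles without an override are blocked
    "role_actions": {"finance": "tokenize", "hr": "redact"},
}
SIGNING_KEY = b"constructed-forensic-key"  # placeholder; a real deployment keeps this in a KMS/HSM

def _tokenize(match):
    # Deterministic token: the same identifier always maps to the same token, so it stays traceable
    return "tok_" + hashlib.sha256(match.group(0).encode()).hexdigest()[:12]

def evaluate(policy, actor, role, payload):
    """Apply the role's action to every detector hit; return (decision, transformed_payload, record)."""
    action = policy["role_actions"].get(role, policy["default_action"])
    hits = policy["detector"].findall(payload)
    if not hits:
        decision, transformed = "allow", payload
    elif action == "redact":
        decision, transformed = "redact", policy["detector"].sub("[REDACTED]", payload)
    elif action == "tokenize":
        decision, transformed = "tokenize", policy["detector"].sub(_tokenize, payload)
    else:
        decision, transformed = "block", None  # "block" or any unknown action: request never reaches the model
    record = {
        "actor": actor,
        "role": role,
        "policy_version": policy["version"],
        "decision": decision,
        "matches": len(hits),
        "request_sha256": hashlib.sha256(payload.encode()).hexdigest(),
    }
    body = json.dumps(record, sort_keys=True).encode()
    record["signature"] = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return decision, transformed, record

def verify_record(record, key=SIGNING_KEY):
    """Recompute the HMAC over the record body; False means a field was altered after signing."""
    body = {k: v for k, v in record.items() if k != "signature"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["signature"])
```

The record hashes the original request rather than embedding it, matching the split between the forensic store (decision and signature) and the separate transaction object store that holds the full payloads.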
Customer audits run against a read-only projection of the forensic store. The auditor connects with their own credentials, issues the query defined in the engagement scope, and receives a signed result set. The audit path leaves its own trace in the store, so the enterprise sees exactly what the auditor retrieved and when. This pattern reduces the back-and-forth of traditional compliance engagements and keeps the evidence exchange inside a verifiable boundary.
Deterministic enforcement of the controls each framework requires.