DEV Community: Ramon Marrero The latest articles on DEV Community by Ramon Marrero (@ramon_marrero_dd8539e55fb). https://dev.to/ramon_marrero_dd8539e55fb https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1728304%2Fb27b0057-b2b5-4414-9621-a23e4a8f3f4b.png DEV Community: Ramon Marrero https://dev.to/ramon_marrero_dd8539e55fb en Stop Shipping Ungoverned AI: Add Policy Gates, Audit Trails, and Compliance to Every LLM Call Ramon Marrero Mon, 16 Mar 2026 10:07:13 +0000 https://dev.to/ramon_marrero_dd8539e55fb/stop-shipping-ungoverned-ai-add-policy-gates-audit-trails-and-compliance-to-every-llm-call-2o2a https://dev.to/ramon_marrero_dd8539e55fb/stop-shipping-ungoverned-ai-add-policy-gates-audit-trails-and-compliance-to-every-llm-call-2o2a <h2> Your AI Solution Works. But Can You Prove What It Did? </h2> <p>You shipped the chatbot. The coding assistant is saving your team hours. The RAG workflow is answering questions from internal docs. Product is happy because the demo works.</p> <p>Then the harder questions show up:</p> <ul> <li>Can you show which policy checks ran before a model call?</li> <li>Can you prove what happened for a specific <code>runId</code> last week?</li> <li>Can you redact sensitive input before it reaches the provider?</li> <li>Can you generate evidence for audits instead of screenshotting dashboards?</li> </ul> <p>That is where most AI solutions fall apart.</p> <p>A successful model response is not the same thing as governed AI.</p> <h2> The Real Problem in Production AI </h2> <p>Most teams still ship LLM features with a thin wrapper around the provider SDK:</p> <ol> <li>Accept a prompt.</li> <li>Send it to OpenAI, Anthropic, Gemini, or Bedrock.</li> <li>Return the response.</li> <li>Hope logs are enough later.</li> </ol> <p>That works until you need to answer operational or compliance questions:</p> <ul> <li>What exactly was sent to the model?</li> <li>Was sensitive data redacted first?</li> <li>Which policy decided the call was allowed?</li> <li>What other artifacts are linked to that run?</li> <li>Can you replay or verify the evidence later?</li> </ul> <p>You do not solve that with another <code>console.log</code>.</p> <p>You solve it by putting governance in the execution path.</p> <h2> What the AI Governance SDK Actually Gives You </h2> <p>The AI Governance SDK exposes three complementary surfaces:</p> <ul> <li> <a href="https://api.arelis.digital/docs/runtime-governance" rel="noopener noreferrer"><code>createArelis</code></a>: the recommended unified SDK for governed model calls and agent runs.</li> <li> <a href="https://api.arelis.digital/docs/sdk" rel="noopener noreferrer"><code>ArelisPlatform</code></a>: the platform API client for <code>/api/v1/*</code> resources like events, policies, proofs, replay, governance snapshots, jobs, and usage.</li> <li> <a href="https://api.arelis.digital/docs/sdk" rel="noopener noreferrer"><code>createArelisClient</code></a>: the in-process runtime SDK for models, agents, MCP, knowledge, memory, quotas, approvals, secrets, compliance, and governance helpers.</li> </ul> <p>If you want the fastest path to governed LLM calls, start with <code>createArelis</code>.</p> <p>If you need centrally managed policy lifecycle, proof generation, replay, or governance snapshots, add <code>ArelisPlatform</code>.</p> <h2> The 5-Minute Path: Govern a Real Model Call </h2> <p>The public runtime guide positions <code>governedInvoke()</code> as the main entry point for governed model calls: PII scanning, policy evaluation, model invocation, risk scoring, and audit logging in one flow.</p> <p>Install the SDK first:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># TypeScript</span> npm <span class="nb">install</span> @arelis-ai/ai-governance-sdk @google/genai <span class="c"># Python</span> pip <span class="nb">install </span>ai-governance-sdk google-genai </code></pre> </div> <p>In Python, the package installs as <code>ai-governance-sdk</code> and is imported as <code>arelis</code>.</p> <h3> TypeScript </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createArelis</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@arelis-ai/ai-governance-sdk</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">GoogleGenAI</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@google/genai</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">arelis</span> <span class="o">=</span> <span class="nf">createArelis</span><span class="p">({</span> <span class="na">platform</span><span class="p">:</span> <span class="p">{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARELIS_API_KEY</span> <span class="p">},</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">gemini</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">GoogleGenAI</span><span class="p">({</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">GEMINI_API_KEY</span><span class="o">!</span> <span class="p">});</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">main</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">arelis</span><span class="p">.</span><span class="nf">governedInvoke</span><span class="p">({</span> <span class="na">runId</span><span class="p">:</span> <span class="s2">`run-</span><span class="p">${</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gemini-2.5-flash</span><span class="dl">"</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Explain the three most important AI governance controls for a support bot.</span><span class="dl">"</span><span class="p">,</span> <span class="na">denyMode</span><span class="p">:</span> <span class="dl">"</span><span class="s2">return</span><span class="dl">"</span><span class="p">,</span> <span class="na">invoke</span><span class="p">:</span> <span class="k">async </span><span class="p">(</span><span class="nx">sanitizedPrompt</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">completion</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">gemini</span><span class="p">.</span><span class="nx">models</span><span class="p">.</span><span class="nf">generateContent</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gemini-2.5-flash</span><span class="dl">"</span><span class="p">,</span> <span class="na">contents</span><span class="p">:</span> <span class="nx">sanitizedPrompt</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">completion</span><span class="p">.</span><span class="nx">text</span> <span class="o">??</span> <span class="dl">""</span><span class="p">;</span> <span class="p">},</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">runId:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">runId</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">invoked:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">invoked</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">decision:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">decision</span><span class="p">.</span><span class="nx">decision</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">sanitizedPrompt:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">sanitizedPrompt</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">result:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">result</span><span class="p">);</span> <span class="p">}</span> <span class="nf">main</span><span class="p">();</span> </code></pre> </div> <h3> Python </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="kn">from</span> <span class="n">arelis</span> <span class="kn">import</span> <span class="n">GovernedInvokeInput</span><span class="p">,</span> <span class="n">create_arelis</span> <span class="kn">from</span> <span class="n">google</span> <span class="kn">import</span> <span class="n">genai</span> <span class="n">arelis</span> <span class="o">=</span> <span class="nf">create_arelis</span><span class="p">({</span> <span class="sh">"</span><span class="s">platform</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">apiKey</span><span class="sh">"</span><span class="p">:</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">ARELIS_API_KEY</span><span class="sh">"</span><span class="p">]},</span> <span class="p">})</span> <span class="n">gemini</span> <span class="o">=</span> <span class="n">genai</span><span class="p">.</span><span class="nc">Client</span><span class="p">(</span><span class="n">api_key</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">GEMINI_API_KEY</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">invoke_model</span><span class="p">(</span><span class="n">sanitized_prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">completion</span> <span class="o">=</span> <span class="n">gemini</span><span class="p">.</span><span class="n">models</span><span class="p">.</span><span class="nf">generate_content</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gemini-2.5-flash</span><span class="sh">"</span><span class="p">,</span> <span class="n">contents</span><span class="o">=</span><span class="n">sanitized_prompt</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">completion</span><span class="p">.</span><span class="n">text</span> <span class="ow">or</span> <span class="sh">""</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">main</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">arelis</span><span class="p">.</span><span class="nf">governed_invoke</span><span class="p">(</span> <span class="nc">GovernedInvokeInput</span><span class="p">(</span> <span class="n">run_id</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="s">run-</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gemini-2.5-flash</span><span class="sh">"</span><span class="p">,</span> <span class="n">prompt</span><span class="o">=</span><span class="sh">"</span><span class="s">Explain the three most important AI governance controls for a support bot.</span><span class="sh">"</span><span class="p">,</span> <span class="n">deny_mode</span><span class="o">=</span><span class="sh">"</span><span class="s">return</span><span class="sh">"</span><span class="p">,</span> <span class="n">invoke</span><span class="o">=</span><span class="n">invoke_model</span><span class="p">,</span> <span class="p">)</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">invoked:</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">.</span><span class="n">invoked</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">decision:</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">.</span><span class="n">decision</span><span class="p">.</span><span class="n">decision</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">result:</span><span class="sh">"</span><span class="p">,</span> <span class="n">result</span><span class="p">.</span><span class="n">result</span><span class="p">)</span> <span class="n">asyncio</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span><span class="nf">main</span><span class="p">())</span> </code></pre> </div> <p>Once you have centrally managed policies on the platform, add <code>policyIds</code> to the governed call to enforce those policies in the runtime path.</p> <h2> What Happens on That Call </h2> <p>The useful part is not just that you called the model. It is what the SDK does around it.</p> <p>With <code>governedInvoke()</code>:</p> <ul> <li>Your original prompt is redacted into <code>sanitizedPrompt</code> before your callback runs.</li> <li>The governance gate evaluates whether the call should proceed.</li> <li>If the gate denies the request and <code>denyMode</code> is <code>"return"</code>, the model is not called.</li> <li>The run is linked by <code>runId</code>, which you can reuse across events, snapshots, proofs, replay, and investigations.</li> <li>Risk scoring and platform-side audit reporting are part of the unified flow documented in the runtime guide.</li> </ul> <p>That is the main shift: your provider SDK stays the same, but the boundary around it becomes governed.</p> <h2> Managed Policies: Use the Platform for Central Control </h2> <p>The platform docs make an important distinction: centrally managed policies live on the platform surface.</p> <p>That means policy lifecycle belongs in <code>ArelisPlatform</code>:</p> <ul> <li>create policies</li> <li>version them</li> <li>simulate them</li> <li>activate or roll them back</li> <li>evaluate them against explicit checkpoints</li> <li>query evaluation history later</li> </ul> <h3> Create a managed policy </h3> <p>This example matches the public governance docs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ArelisPlatform</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@arelis-ai/ai-governance-sdk</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">platform</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">ArelisPlatform</span><span class="p">({</span> <span class="na">baseUrl</span><span class="p">:</span> <span class="dl">"</span><span class="s2">https://api.arelis.digital</span><span class="dl">"</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARELIS_API_KEY</span><span class="o">!</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">policy</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">platform</span><span class="p">.</span><span class="nx">governance</span><span class="p">.</span><span class="nx">policies</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">key</span><span class="p">:</span> <span class="dl">"</span><span class="s2">require-eu-routing</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Require EU routing for PII</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Deny calls routed outside the EU when handling PII data.</span><span class="dl">"</span><span class="p">,</span> <span class="na">condition</span><span class="p">:</span> <span class="p">{</span> <span class="na">operator</span><span class="p">:</span> <span class="dl">"</span><span class="s2">and</span><span class="dl">"</span><span class="p">,</span> <span class="na">conditions</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">routing.region</span><span class="dl">"</span><span class="p">,</span> <span class="na">operator</span><span class="p">:</span> <span class="dl">"</span><span class="s2">neq</span><span class="dl">"</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eu-west-1</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">field</span><span class="p">:</span> <span class="dl">"</span><span class="s2">content.classification</span><span class="dl">"</span><span class="p">,</span> <span class="na">operator</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eq</span><span class="dl">"</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="dl">"</span><span class="s2">pii</span><span class="dl">"</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="na">action</span><span class="p">:</span> <span class="dl">"</span><span class="s2">deny</span><span class="dl">"</span><span class="p">,</span> <span class="na">severity</span><span class="p">:</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span><span class="p">,</span> <span class="na">priority</span><span class="p">:</span> <span class="mi">10</span><span class="p">,</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">policy</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">policy</span><span class="p">.</span><span class="nx">activeVersion</span><span class="p">);</span> </code></pre> </div> <h3> Evaluate a policy against a checkpoint </h3> <p>Also from the public docs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">evaluated</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">platform</span><span class="p">.</span><span class="nx">governance</span><span class="p">.</span><span class="nf">evaluatePolicy</span><span class="p">({</span> <span class="na">runId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">run_checkout_001</span><span class="dl">"</span><span class="p">,</span> <span class="na">checkpoint</span><span class="p">:</span> <span class="p">{</span> <span class="na">model</span><span class="p">:</span> <span class="p">{</span> <span class="na">provider</span><span class="p">:</span> <span class="dl">"</span><span class="s2">openai</span><span class="dl">"</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gpt-4o</span><span class="dl">"</span> <span class="p">},</span> <span class="na">routing</span><span class="p">:</span> <span class="p">{</span> <span class="na">region</span><span class="p">:</span> <span class="dl">"</span><span class="s2">eu-west-1</span><span class="dl">"</span> <span class="p">},</span> <span class="p">},</span> <span class="na">policyIds</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">pol_critical_region</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">pol_pii_guard</span><span class="dl">"</span><span class="p">],</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">evaluated</span><span class="p">.</span><span class="nx">decisions</span><span class="p">);</span> </code></pre> </div> <p>This is the right mental model:</p> <ul> <li> <code>governedInvoke()</code> is the fastest path for governed model execution.</li> <li> <code>ArelisPlatform</code> is the control plane for centrally managed policy definitions and audit history.</li> </ul> <p>If you need custom checkpoint fields beyond the defaults your runtime path provides, evaluate them explicitly through the platform or wire them into your runtime governance layer.</p> <h2> Audit Trails That Are Actually Useful </h2> <p>The public runtime docs emphasize runtime-to-platform interoperability and recommend persisting <code>runId</code> as the primary join key across artifacts.</p> <p>That is the difference between “we have logs” and “we can investigate an incident without guessing.”</p> <p>With Arelis, the practical pattern is:</p> <ol> <li>Use <code>runId</code> for the governed call.</li> <li>Persist or sync related events under that same <code>runId</code>.</li> <li>Retrieve governance history and snapshots by <code>runId</code>.</li> <li>Generate proofs and replay artifacts for the same run later.</li> </ol> <p>On the platform side, the relevant APIs are already documented:</p> <ul> <li><a href="https://api.arelis.digital/docs/sdk/client/events" rel="noopener noreferrer"><code>platform.events.*</code></a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/governance" rel="noopener noreferrer"><code>platform.governance.listPolicyEvaluations()</code></a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/governance" rel="noopener noreferrer"><code>platform.governance.getSnapshot()</code></a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/proofs" rel="noopener noreferrer"><code>platform.proofs.*</code></a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/replay" rel="noopener noreferrer"><code>platform.replay.*</code></a></li> </ul> <p>That gives you a real investigation workflow instead of a pile of provider logs.</p> <h2> Compliance Proofs Are a First-Class Operation </h2> <p>One of the strongest parts of the public surface is that compliance proofs are explicit, documented operations, not vague “trust us” marketing.</p> <p>From the proofs docs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">proof</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">platform</span><span class="p">.</span><span class="nx">proofs</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">runId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">run_checkout_001</span><span class="dl">"</span><span class="p">,</span> <span class="na">schemaVersion</span><span class="p">:</span> <span class="dl">"</span><span class="s2">v2</span><span class="dl">"</span><span class="p">,</span> <span class="na">composed</span><span class="p">:</span> <span class="p">{</span> <span class="na">layers</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">event_integrity</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">causal_consistency</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">policy_compliance</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="na">async</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="dl">"</span><span class="s2">proofId</span><span class="dl">"</span> <span class="k">in</span> <span class="nx">proof</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Proof ready:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">proof</span><span class="p">.</span><span class="nx">proofId</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="dl">"</span><span class="s2">Queued proof job:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">proof</span><span class="p">.</span><span class="nx">jobId</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>That matters because “audit trail” and “compliance artifact” are not the same thing.</p> <p>An audit trail helps your engineers debug.</p> <p>A proof is the thing you generate when you need verifiable evidence tied to a governed run.</p> <h2> This Is Not Just for Chatbots </h2> <p>The AI Governance SDK is broader than one-off prompt calls.</p> <h3> Agents </h3> <p>The runtime guide exposes <code>agents.run()</code> for governed agent loops:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">arelis</span><span class="p">.</span><span class="nx">agents</span><span class="p">.</span><span class="nf">run</span><span class="p">({</span> <span class="na">runId</span><span class="p">:</span> <span class="s2">`run-agent-</span><span class="p">${</span><span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()}</span><span class="s2">`</span><span class="p">,</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">gemini-2.5-flash</span><span class="dl">"</span><span class="p">,</span> <span class="na">prompt</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Investigate this billing anomaly and produce a short incident summary.</span><span class="dl">"</span><span class="p">,</span> <span class="na">tools</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fetchUsage</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Get recent usage records</span><span class="dl">"</span><span class="p">,</span> <span class="na">schema</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">fetchPolicies</span><span class="dl">"</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Get active policy metadata</span><span class="dl">"</span><span class="p">,</span> <span class="na">schema</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="p">],</span> <span class="na">maxSteps</span><span class="p">:</span> <span class="mi">6</span><span class="p">,</span> <span class="na">invokeModel</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">messages</span><span class="p">,</span> <span class="nx">tools</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Call your model here</span> <span class="k">return</span> <span class="p">{</span> <span class="na">text</span><span class="p">:</span> <span class="dl">"</span><span class="s2">...</span><span class="dl">"</span> <span class="p">};</span> <span class="p">},</span> <span class="na">executeToolCall</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">tool</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Execute tool here</span> <span class="k">return</span> <span class="p">{</span> <span class="na">ok</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> <span class="p">},</span> <span class="na">mapOutput</span><span class="p">:</span> <span class="p">({</span> <span class="nx">finalResponse</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="nx">finalResponse</span><span class="p">.</span><span class="nx">text</span> <span class="o">??</span> <span class="dl">""</span><span class="p">,</span> <span class="p">});</span> </code></pre> </div> <p>The public runtime docs describe this path as governed agent execution with event, graph, and proof enrichment. That is a much stronger story than bolting logging onto a hand-rolled agent loop after the fact.</p> <h2> Why This Matters for Regulation </h2> <p>This is not only about engineering hygiene.</p> <p>The EU AI Act entered into force on <strong>August 1, 2024</strong>. Key obligations for general-purpose AI models start applying on <strong>August 2, 2025</strong>. Major obligations for high-risk AI systems apply on <strong>August 2, 2026</strong>.</p> <p>If your system touches hiring, finance, healthcare, education, critical infrastructure, or other regulated workflows, the questions get sharper:</p> <ul> <li>Can you show what happened for a specific run?</li> <li>Can you demonstrate what safeguards were in place?</li> <li>Can you trace policy decisions over time?</li> <li>Can you produce evidence without rebuilding the timeline by hand?</li> </ul> <p>You do not want to start inventing governance architecture after those questions are already live.</p> <h2> What Makes This Worth Using </h2> <p>The strongest case for Arelis is not “it has a lot of features.”</p> <p>It is this:</p> <ul> <li>You keep your provider SDK.</li> <li>You wrap the execution boundary instead of rewriting your app.</li> <li>You get a documented split between runtime enforcement and platform control plane.</li> <li>You can move from governed calls to policy lifecycle, proofs, replay, and snapshots without changing vendors halfway through.</li> </ul> <p>That is a much better story than “we have prompt logs somewhere.”</p> <h2> Where to Start </h2> <p>If you want the shortest path to value:</p> <ol> <li>Read the <a href="https://api.arelis.digital/docs/runtime-governance" rel="noopener noreferrer">runtime governance guide</a>.</li> <li>Install the SDK from the <a href="https://api.arelis.digital/docs/sdk" rel="noopener noreferrer">SDK docs</a>.</li> <li>Wrap one real model call with <code>createArelis()</code> and <code>governedInvoke()</code>.</li> <li>Reuse the <code>runId</code> everywhere.</li> <li>Add platform-managed policies and proofs once the first governed path is working.</li> </ol> <p>Useful links:</p> <ul> <li><a href="https://api.arelis.digital/docs" rel="noopener noreferrer">Docs overview</a></li> <li><a href="https://api.arelis.digital/docs/sdk" rel="noopener noreferrer">SDK reference</a></li> <li><a href="https://api.arelis.digital/docs/runtime-governance" rel="noopener noreferrer">Runtime governance guide</a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/governance" rel="noopener noreferrer">Governance client docs</a></li> <li><a href="https://api.arelis.digital/docs/sdk/client/proofs" rel="noopener noreferrer">Proofs client docs</a></li> <li><a href="https://api.arelis.digital/app/quickstart" rel="noopener noreferrer">Quickstart</a></li> </ul> <p>If your AI feature is already in production, the real question is no longer whether the model works.</p> <p>It is whether the call is governed.</p> ai typescript python security