Domain Governance

Domain Governance lets you define and enforce governance rules at the domain level, providing an additional layer of organizational control over how AI agents interact with different areas of your business.

Overview

While standard CHAM policies apply globally or per-agent, Domain Governance introduces a domain dimension. Domains represent logical boundaries within your organization -- business units, data categories, service areas, or operational zones. By classifying actions and services into domains, you can create governance rules that respect these boundaries.

Domain Classification

Define the domains that matter to your organization. Each domain represents a distinct governance context:

| Example Domain | Description |
| --- | --- |
| finance | Financial data and transactions |
| customer-data | Customer PII and account records |
| infrastructure | Cloud resources, servers, networking |
| communications | Email, messaging, notifications |
| hr | Employee data and HR systems |
| product | Product databases and configurations |

Classifying Services

Map your target services to domains. When an agent submits an action targeting a classified service, the domain's governance rules are applied in addition to global and agent-scoped policies.

Domain-Specific Policies

Create CHAM policies that apply only within a specific domain:

  • A confidence_floor of 0.90 for the finance domain, while the global floor is 0.75
  • An action_type_block on delete_record in the customer-data domain
  • A rate_limit of 10 actions per minute in the infrastructure domain

Domain policies are evaluated alongside global policies. The most restrictive verdict wins.

```json
{
  "name": "Finance High Confidence Floor",
  "type": "confidence_floor",
  "domain": "finance",
  "config": {
    "floor": 0.90,
    "action_on_fail": "HOLD"
  }
}
```

Cross-Domain Governance Rules

Define rules that govern actions spanning multiple domains:

Cross-Domain Restrictions

Block or hold actions that attempt to move data or perform operations across domain boundaries. For example:

  • Block actions that read from customer-data and write to communications without explicit approval
  • Hold actions that access finance data and target an infrastructure service

Data Flow Controls

Enforce directional data flow policies:

  • Allow reads from product into communications (e.g., sending product updates)
  • Block reads from hr into any external-facing domain
  • Hold any action that crosses more than one domain boundary

TIP

Cross-domain rules are powerful for enforcing data segregation requirements. If your compliance framework requires that certain data categories never cross specific boundaries, cross-domain governance automates that enforcement.

Domain Hierarchy

Domains can be organized hierarchically:

organization
  finance
    accounts-payable
    accounts-receivable
    treasury
  customer-data
    pii
    account-records
    support-tickets

Policies applied to a parent domain cascade to child domains unless explicitly overridden.
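The sketch below is an added example, not CHAM's own code or API. It models the two evaluation rules stated on this page: the most restrictive verdict wins, and parent-domain policies cascade to child domains unless overridden. The verdict ordering ALLOW < HOLD < BLOCK, the `blocked` config key, the treasury floor of 0.95, the `create_payment` action type, and the choice that a child policy replaces a parent policy of the same type are all assumptions made for illustration.

```python
# Added illustration: a toy evaluator, not CHAM's implementation or API.
from dataclasses import dataclass
from typing import Optional

SEVERITY = {"ALLOW": 0, "HOLD": 1, "BLOCK": 2}  # assumed strictness order

# child -> parent links for part of the hierarchy shown above
PARENT = {"finance": "organization", "accounts-payable": "finance",
          "treasury": "finance", "customer-data": "organization",
          "pii": "customer-data"}

@dataclass(frozen=True)
class Policy:
    type: str               # "confidence_floor" or "action_type_block"
    domain: Optional[str]   # None means global
    config: dict

# Constructed sample set; the treasury floor and the "blocked" key are assumptions.
POLICIES = [
    Policy("confidence_floor", None, {"floor": 0.75, "action_on_fail": "HOLD"}),
    Policy("confidence_floor", "finance", {"floor": 0.90, "action_on_fail": "HOLD"}),
    Policy("confidence_floor", "treasury", {"floor": 0.95, "action_on_fail": "HOLD"}),
    Policy("action_type_block", "customer-data", {"blocked": ["delete_record"]}),
]

def effective_policies(policies, domain):
    """Global policies plus, per policy type, those of the nearest domain that defines it."""
    chosen = [p for p in policies if p.domain is None]
    overridden = set()          # types already supplied by a nearer (child) domain
    while domain is not None:   # walk from the action's domain up to the root
        here = [p for p in policies if p.domain == domain]
        chosen += [p for p in here if p.type not in overridden]
        overridden |= {p.type for p in here}
        domain = PARENT.get(domain)
    return chosen

def verdict_for(policy, action):
    cfg = policy.config
    if policy.type == "confidence_floor" and action["confidence"] < cfg["floor"]:
        return cfg["action_on_fail"]
    if policy.type == "action_type_block" and action["action_type"] in cfg["blocked"]:
        return "BLOCK"
    return "ALLOW"

def evaluate(policies, action):
    """Most restrictive verdict across every applicable policy wins."""
    applicable = effective_policies(policies, action["domain"])
    return max((verdict_for(p, action) for p in applicable),
               key=SEVERITY.__getitem__, default="ALLOW")

if __name__ == "__main__":
    print(evaluate(POLICIES, {"domain": "accounts-payable", "action_type": "create_payment", "confidence": 0.80}))
```

An action in accounts-payable at confidence 0.80 clears the global floor but is held by the finance floor it inherits, which is the interaction worth checking before deploying a new child-domain policy.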

WARNING

Domain governance adds complexity to your policy evaluation. Start with a small number of top-level domains and expand as your governance maturity grows. Use the Governance Lab to test domain policy interactions before deploying.
