Quick overview

Rules Builder

Rules Builder is where teams turn policy expectations into enforceable logic. Create visual threshold rules for common use cases or use Rego when you need precise logic, reusable conditions, and versioned policy workflows.

Rules created here drive alerts, review queue routing, and evidence readiness, so treat this workspace as part of your live operating model.

Rules

The Rules Builder is VeriProof’s policy authoring workspace. Rules define the conditions your applications must meet, then drive alerts, review routing, and framework evidence. Two rule types are supported: metric rules for threshold-based checks and Rego policy rules for more advanced logic.

Who can use this

Available to: Administrator, Governance Engineer, Compliance Officer, Business Owner
Not available to: Developer, Auditor

Authoring rights differ significantly by role. Administrators and Governance Engineers can author Rego and metric rules. Compliance Officers have read-only access and can review AI-generated policy suggestions. Business Owners can view active rules only — they do not see the policy suggestions queue. Only Administrators can delete rules permanently.

Gov. Engineer

You are the primary author of Rego policy rules. Validate your logic in the Playground against live session data before activating. On Production applications, activating a rule requires an Administrator or Compliance Officer to approve your request. Your draft appears in their Focus Queue automatically.

Admin

You are the only role that can permanently delete rules. Use Draft state to deactivate a rule without losing its version history. You and Compliance Officers are the approval authority for production rule activation requests raised by Governance Engineers — these appear in your Focus Queue with the draft rule context attached.

Compliance

You can view all active and draft rules, review AI-generated policy suggestions, and flag suggestions for Governance Engineer follow-up. You cannot author rules, but your perspective on which policy suggestions to prioritize directly shapes the governance roadmap.

Biz. Owner

You can view active policy rules to understand what governance controls are in effect across your applications — without needing to understand the Rego syntax behind them. Policy authoring and the suggestions queue are handled by your Governance Engineers and Compliance Officers.


Rule Types

Metric Rules

Metric rules evaluate structured policy fields against threshold conditions. They are authored with a visual condition builder, so most teams can create useful checks without writing code.

Supported condition fields:

| Field | Type | Example condition |
|---|---|---|
| Risk level | Enum | risk_level is CRITICAL |
| Policy score | Numeric | score is below 60 |
| Decision outcome | Enum | outcome is FAILURE |
| Guardrail action | Enum | guardrail_action is blocked |
| Model confidence | Numeric (0–1) | confidence < 0.7 |
| Intent label | String | intent contains "loan" |
| Has human oversight | Boolean | human_oversight is false |
| Model identifier | String | model equals "gpt-4o" |
| Session step count | Numeric | step_count > 20 |
| Token count | Numeric | total_tokens > 8000 |

Conditions are combined with AND / OR logic. Parenthetical grouping is supported for complex expressions.

Rego Policy Rules

For organizations with more complex policy requirements, VeriProof supports Rego, the policy language of Open Policy Agent (OPA). Rego rules receive the complete session document as input and return a Boolean result (allow) or a violation object.

When to use Rego:

  • You need to express policy logic that compares multiple steps in a session
  • You want to encode a regulatory requirement as executable policy
  • You need to inspect nested annotation structures
  • You are already using OPA elsewhere in your infrastructure and want consistent policy authorship

The Rego editor in the portal includes:

  • Syntax highlighting and bracket matching
  • A Test panel where you can paste sample session documents and evaluate the policy immediately without saving
  • An Explain button that shows the OPA trace for your test evaluation
  • Version history with diff view

Rego policy rules execute synchronously on every session evaluation. Poorly written policies (e.g., policies that loop over unbounded arrays without guards) can increase evaluation latency. Use the Test panel to validate performance before activating.


Creating a Metric Rule

  1. Navigate to Rules and click New Rule.
  2. Select Metric rule.
  3. Enter a Name and optional Description.
  4. Set the Scope: All Applications, a specific application, or a filtered subset.
  5. Build your condition expression using the condition builder.
  6. Configure Actions (see below).
  7. Click Save as draft to save without activating, or Save & Activate to put it into immediate effect.

Creating a Rego Policy Rule

  1. Navigate to Rules and click New Rule.
  2. Select Rego policy rule.
  3. Enter a Name and optional Description.
  4. Set the Scope.
  5. Write your policy in the Rego editor. Your policy must define an allow rule that returns true (session passes) or false (session fails the policy).
  6. Use the Test panel to validate your policy against sample session data.
  7. Click Save as draft or Save & Activate.
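
The following policy is an added example, not VeriProof's own code: it defines the required allow rule, compares steps within one session, and bounds the arrays it iterates over so evaluation cost stays predictable. The package name, the `violations` rule, the `max_steps` limit and the input layout (top-level `risk_level` and `human_oversight`, a `steps` array carrying `guardrail_action` and `confidence`) are assumptions borrowed from the metric field names above; check them against a real session document in the Test panel before use.

```rego
# Added example. Package name and input field layout are assumptions,
# not VeriProof's documented session schema.
package veriproof.examples.session_guard

import rego.v1 # assumes an OPA version that supports rego.v1 syntax

# Constructed sample input for the Test panel:
# {
#   "risk_level": "HIGH",
#   "human_oversight": true,
#   "steps": [
#     {"guardrail_action": "blocked", "confidence": 0.91},
#     {"guardrail_action": "none",    "confidence": 0.42}
#   ]
# }

# Upper bound on how many steps this policy will iterate over.
max_steps := 200

# Fail closed: the session passes only when no violation was produced.
default allow := false

allow if count(violations) == 0

# Only the first max_steps entries are ever scanned by the cross-step rule.
steps := array.slice(input.steps, 0, max_steps)

# Guard 1: a missing or malformed steps field must not pass silently.
violations contains "steps is missing or not an array" if not is_array(input.steps)

# Guard 2: oversized sessions fail instead of being scanned in full.
violations contains msg if {
	count(input.steps) > max_steps
	msg := sprintf("session has %d steps, limit is %d", [count(input.steps), max_steps])
}

# Session-level check on two top-level fields.
violations contains "CRITICAL risk without human oversight" if {
	input.risk_level == "CRITICAL"
	input.human_oversight == false
}

# Cross-step check: a low-confidence step that follows a guardrail block.
violations contains msg if {
	some i, blocked in steps
	blocked.guardrail_action == "blocked"
	some j, later in steps
	j > i
	later.confidence < 0.7
	msg := sprintf("step %d is low-confidence after guardrail block at step %d", [j, i])
}
```

With the constructed sample input, the cross-step rule produces one violation (step 1 after the block at step 0), so `allow` evaluates to false.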

Rule Actions

Every rule has one or more actions that fire when the rule matches a session:

| Action type | Description |
|---|---|
| Email notification | Send an email to one or more addresses |
| Webhook | POST to a configured webhook endpoint |
| In-portal alert | Create a visible alert in the portal notification center |
| Add to review queue | Add the matching session to a named Review Queue |
| Escalate to compliance | Mark the session as requiring compliance officer review |

Actions support throttling: you can configure a minimum interval between repeated firings to prevent notification floods during mass incidents.


Click Template Gallery to browse pre-built rule templates for common policy scenarios. See Policy Rule Templates for the full catalogue and guidance on applying and customizing them.


Rule Versioning

Every change to a rule — condition edits, action changes, activation or deactivation — is recorded as a new version in the rule’s history. To view history:

  1. Open the rule detail page.
  2. Click History in the right panel.
  3. Select any two versions to see a side-by-side diff.

You can roll back to any previous version by clicking Restore this version.

Use descriptive rule names and the Description field to document why a rule exists, not just what it does. Auditors often review rule configuration as evidence of your risk management process.


Rule Evaluation Order

When multiple rules match the same session, all matching rules fire — there is no priority ordering or short-circuit evaluation. Design rules to be independent; avoid creating rules that depend on the evaluation result of other rules.

