Governance Pipeline

Request lifecycle

Every request that passes through SAIG is evaluated by a deterministic 9-step governance pipeline. The same input with the same policy always produces the same decision.

Pipeline steps

01 Parse
Extract messages, metadata, model reference, and attachments from the incoming OpenAI-compatible request.

02 PII Detect
Scan content using hybrid NER + regex across 6 EU languages (EN, DE, FR, IT, CS, SK). Identify entities such as PERSON, EMAIL, PHONE, IBAN, ADDRESS, and more.

03 Classify
Determine intent (24+ business categories), ownership (first-party, third-party, unknown), and abuse type (22 threat categories, including prompt injection).

04 Policy Decision
Evaluate the request against the deterministic 6-rule decision matrix. Output: ALLOW, ANONYMIZE, DENY, or SYNTHETIC_ONLY. Generate a decision trace.

05 Anonymize
If the policy requires anonymization, replace detected PII with stable, reversible placeholders ([PERSON_1], [EMAIL_1], etc.).

06 Route
Select a provider based on sovereignty mode, model alias, availability, and circuit breaker state. Enforce residency constraints.

07 Forward
Send the governed request to the selected LLM provider. Perform outbound PII verification before egress.

08 De-anonymize
Restore original values from placeholders in the provider response, returning natural text to the caller.

09 Audit
Write a tamper-evident audit record with a SHA-256 hash chain reference and an Ed25519 signature. Attach the governance receipt to the response.
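The round trip of steps 05, 07 and 08 (stable placeholders, outbound PII check, restoration), as an added illustration that is not SAIG's own code; the regex detectors, the PlaceholderMap class, the sample prompt and the echo provider are all constructed assumptions.

```python
import re

# Constructed regex detectors for two of the page's entity types (EMAIL, PHONE);
# SAIG's real step 02 (NER + regex, six languages) is not reproduced here.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d \-]{7,}\d"),
}
PLACEHOLDER = re.compile(r"\[(EMAIL|PHONE)_\d+\]")

class PlaceholderMap:
    """Per-request map: the same original value always yields the same placeholder."""
    def __init__(self):
        self.to_original = {}     # "[EMAIL_1]" -> "anna@example.org"
        self.to_placeholder = {}  # ("EMAIL", "anna@example.org") -> "[EMAIL_1]"
        self.counters = {}

    def placeholder_for(self, ent_type, value):
        key = (ent_type, value)
        if key not in self.to_placeholder:
            self.counters[ent_type] = self.counters.get(ent_type, 0) + 1
            ph = f"[{ent_type}_{self.counters[ent_type]}]"
            self.to_placeholder[key], self.to_original[ph] = ph, value
        return self.to_placeholder[key]

def anonymize(text, pmap):
    """Step 05: replace each detected entity with its stable, reversible placeholder."""
    for ent_type, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m: pmap.placeholder_for(ent_type, m.group(0)), text)
    return text

def verify_egress(text):
    """Step 07 outbound check: residual PII findings, which must be empty before egress."""
    return [(t, m.group(0)) for t, p in PII_PATTERNS.items() for m in p.finditer(text)]

def deanonymize(response, pmap):
    """Step 08: restore originals; placeholders the map does not know are left as-is."""
    return PLACEHOLDER.sub(lambda m: pmap.to_original.get(m.group(0), m.group(0)), response)

def govern_round_trip(prompt, provider):
    """Return (governed prompt as sent to the provider, de-anonymized response)."""
    pmap = PlaceholderMap()
    governed = anonymize(prompt, pmap)
    if residual := verify_egress(governed):
        raise ValueError(f"PII would leave the trust boundary: {residual}")
    return governed, deanonymize(provider(governed), pmap)

# Constructed sample prompt and a stand-in provider that echoes placeholders back.
PROMPT = "Reply to anna@example.org and call +43 660 1234567. CC anna@example.org too."
echo_provider = lambda governed: "Dear [EMAIL_1], I will call [PHONE_1]. [EMAIL_9] is unknown and stays."
```

The repeated e-mail address maps to the same [EMAIL_1] both times, and a placeholder the provider invents is left untouched rather than being filled with someone else's data.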

Deterministic guarantee

The pipeline is deterministic: same input + same policy = same governance decision. This is critical for compliance evidence — decisions are reproducible and auditable.