# Governance Pipeline

> Canonical page: https://saig.terraxon.eu/docs/governance-pipeline/
> Last updated: 2026-06-16

## Overview

Every request passing through SAIG is evaluated by a deterministic 9-step governance pipeline. Same input + same policy = same decision.

## Pipeline steps

### 01 — Parse
Extract messages, metadata, model reference, and attachments from the incoming OpenAI-compatible request.

### 02 — PII Detect
Scan content using hybrid NER + regex across 6 EU languages (EN, DE, FR, IT, CS, SK). Identify entities: PERSON, EMAIL, PHONE, IBAN, ADDRESS, and more.

### 03 — Classify
Determine intent (24+ business categories), ownership (first-party, third-party, unknown), and abuse type (22 threat categories including prompt injection).

### 04 — Policy Decision
Evaluate against the deterministic 6-rule decision matrix. Output: ALLOW, ANONYMIZE, DENY, or SYNTHETIC_ONLY. Generate decision trace.

### 05 — Anonymize
If policy requires anonymization, replace detected PII with stable reversible placeholders (`[PERSON_1]`, `[EMAIL_1]`, etc.).

### 06 — Route
Select provider based on sovereignty mode, model alias, availability, and circuit breaker state. Enforce residency constraints.

### 07 — Forward
Send the governed request to the selected LLM provider. Perform outbound PII verification before egress.

### 08 — De-anonymize
Restore original values from placeholders in the provider response, returning natural text to the caller.
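
Steps 05, 07 and 08 form a round trip: substitute placeholders, confirm nothing detectable remains before egress, then restore the originals. The following Python is an added example, not SAIG's own code; the regex detectors, function names and sample text are assumptions, and only EMAIL and compact IBAN values are covered (the NER stage is not modelled).

```python
import re

# Assumed regex detectors; the page's NER entities (PERSON, ADDRESS, ...) are not modelled.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # compact form only
}
PLACEHOLDER = re.compile(r"\[([A-Z]+)_(\d+)\]")
# Constructed sample input (not real data).
SAMPLE = ("Refund alice@example.com to DE89370400440532013000; "
          "cc bob@example.org and alice@example.com")


def anonymize(text):
    """Step 05: replace each distinct PII value with a stable placeholder."""
    mapping = {}   # placeholder -> original value, kept gateway-side only
    seen = {}      # (entity type, value) -> placeholder, so repeats reuse one index
    counters = {}  # next index per entity type

    def make_sub(etype):
        def sub(match):
            key = (etype, match.group(0))
            if key not in seen:
                counters[etype] = counters.get(etype, 0) + 1
                seen[key] = f"[{etype}_{counters[etype]}]"
                mapping[seen[key]] = match.group(0)
            return seen[key]
        return sub

    for etype, pattern in PATTERNS.items():  # fixed order keeps output deterministic
        text = pattern.sub(make_sub(etype), text)
    return text, mapping


def verify_outbound(text):
    """Step 07 check: fail closed if any detector still matches before egress."""
    leaks = [etype for etype, pattern in PATTERNS.items() if pattern.search(text)]
    if leaks:
        raise ValueError(f"PII still present before egress: {leaks}")
    return True


def deanonymize(text, mapping):
    """Step 08: restore originals; placeholders not in the mapping stay as-is."""
    return PLACEHOLDER.sub(lambda m: mapping.get(m.group(0), m.group(0)), text)
```

The mapping never leaves the gateway, so a placeholder the provider invents (one with no mapping entry) is returned unchanged rather than resolved to someone else's data.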

### 09 — Audit
Write tamper-evident audit record with SHA-256 hash chain reference and Ed25519 signature. Attach governance receipt to the response.

## Deterministic guarantee

The pipeline is deterministic: same input + same policy = same governance decision. Decisions are reproducible and auditable.
