Assign Projects to Governance Policies on the Fly

Enroll each project into the right governance policy straight from your CI/CD pipeline, so every deployment is gated without any manual UI steps.

Overview

This guide is for teams running AI governance at scale — typically one Confident AI project per customer or per agent — that need every project enrolled into a governance policy automatically, without anyone clicking through the platform UI.

It builds directly on Provision Projects for Agents on the Fly: once your pipeline creates a project, the next step is to enroll that project into the governance policy that gates its deployment. A governance policy is organization-scoped (a named bundle of controls), and each project belongs to at most one policy.

In this guide, you will:

  • Configure the Admin SDK with one Organization API Key.
  • Find the target governance policy by name.
  • Assign the project to the policy in code, as part of your pipeline.
  • Verify enrollment by reading the project’s policy back.

Build It

1

Install the Admin SDK

Governance policies are managed with the confidentai Admin SDK.

$pip install confidentai
2

Configure the Admin SDK

You need an Organization API Key before you start. Retrieve yours here.

Set CONFIDENT_ORG_API_KEY to your Organization API Key. The Admin SDK reads this variable by default when you create a client.

$export CONFIDENT_ORG_API_KEY="confident_us_org_..."
main.py
1from confidentai import ConfidentAI
2
3confident_ai = ConfidentAI()
3

Find the Target Policy

Governance policies are created and configured (with their controls) in the platform UI. From code, list them and pick the one your deployment should be gated by — usually by name.

main.py
1from confidentai import ConfidentAI
2
3confident_ai = ConfidentAI()
4
5def find_policy_id(policy_name: str) -> str:
6 organization = confident_ai.organization()
7 policies = organization.governance.policies.list()
8 for policy in policies:
9 if policy.name == policy_name:
10 return policy.id
11 raise ValueError(f"No governance policy named {policy_name!r}")

Each policy in the list includes its controls and a projectsCount. To page through the projects already enrolled in a policy, use governance.policies.list_projects(policy_id) (TypeScript: governance.policies.listProjects(policyId)).

4

Assign the Project

Assign the project to the policy. Assignment is additive and partial: every project that exists is enrolled and returned in assignedProjectIds (any on a different policy are moved over), while the policy’s other projects are left untouched. Ids that don’t exist in your organization come back in notFoundProjectIds instead of failing the call — so one stale id never tanks the whole batch. Re-assigning an already-enrolled project still counts it, so this is safe to run on every pipeline execution.

main.py
1from confidentai import ConfidentAI
2
3confident_ai = ConfidentAI()
4
5# find_policy_id() is defined above
6
7def enroll_project(project_id: str, policy_name: str = "Production Gate") -> list[str]:
8 policy_id = find_policy_id(policy_name)
9 organization = confident_ai.organization()
10 result = organization.governance.policies.assign(
11 policy_id, project_ids=[project_id]
12 )
13 return result.assigned_project_ids

To remove projects from a policy (for example when deprovisioning a customer), use governance.policies.unassign(policyId, ...) the same way — it returns unassignedProjectIds and skippedProjectIds.

5

Verify Enrollment

Read the project back and confirm it is enrolled. Every project returned by projects.list() (and project(id).get()) includes its governancePolicy{ id, name } when enrolled, or null when not.

1from confidentai import ConfidentAI
2
3confident_ai = ConfidentAI()
4
5project = confident_ai.project("project-uuid-1").get()
6print(project.governance_policy) # NamedRef(id="...", name="Production Gate")

Done! Your pipeline now enrolls each project into the right governance policy using a single Organization API Key.

Gate Deployments in CI

Everything above is the platform team’s job — enroll each project into the right policy once, as part of provisioning. From then on, the product team that owns a project gates its own deployments with the deepeval CLI. They don’t need the Organization API Key; they only need that project’s Project API Key (CONFIDENT_API_KEY).

$export CONFIDENT_API_KEY="confident_us_proj_..."
$deepeval gate

deepeval gate assesses every control in the project’s policy and exits with code 0 only when the whole policy passes — any failure exits non-zero and stops the deployment. See Gate deployments on a policy for the full reference.

Next Steps