Assign Projects to Governance Policies on the Fly
Enroll each project into the right governance policy straight from your CI/CD pipeline, so every deployment is gated without any manual UI steps.
Overview
This guide is for teams running AI governance at scale — typically one Confident AI project per customer or per agent — that need every project enrolled into a governance policy automatically, without anyone clicking through the platform UI.
It builds directly on Provision Projects for Agents on the Fly: once your pipeline creates a project, the next step is to enroll that project into the governance policy that gates its deployment. A governance policy is organization-scoped (a named bundle of controls), and each project belongs to at most one policy.
In this guide, you will:
- Configure the Admin SDK with one Organization API Key.
- Find the target governance policy by name.
- Assign the project to the policy in code, as part of your pipeline.
- Verify enrollment by reading the project’s policy back.
Build It
Install the Admin SDK
Governance policies are managed with the confidentai Admin SDK.
Python
TypeScript
Configure the Admin SDK
You need an Organization API Key before you start. Retrieve yours here.
Set CONFIDENT_ORG_API_KEY to your Organization API Key. The Admin SDK reads this variable by default when you create a client.
Python
TypeScript
Find the Target Policy
Governance policies are created and configured (with their controls) in the platform UI. From code, list them and pick the one your deployment should be gated by — usually by name.
Python
TypeScript
Each policy in the list includes its controls and a projectsCount. To page through the projects already enrolled in a policy, use governance.policies.list_projects(policy_id) (TypeScript: governance.policies.listProjects(policyId)).
Assign the Project
Assign the project to the policy. Assignment is additive and partial: every project that exists is enrolled and returned in assignedProjectIds (any on a different policy are moved over), while the policy’s other projects are left untouched. Ids that don’t exist in your organization come back in notFoundProjectIds instead of failing the call — so one stale id never tanks the whole batch. Re-assigning an already-enrolled project still counts it, so this is safe to run on every pipeline execution.
Python
TypeScript
To remove projects from a policy (for example when deprovisioning a customer), use governance.policies.unassign(policyId, ...) the same way — it returns unassignedProjectIds and skippedProjectIds.
Verify Enrollment
Read the project back and confirm it is enrolled. Every project returned by projects.list() (and project(id).get()) includes its governancePolicy — { id, name } when enrolled, or null when not.
Python
TypeScript
Done! Your pipeline now enrolls each project into the right governance policy using a single Organization API Key.
Gate Deployments in CI
Everything above is the platform team’s job — enroll each project into the right policy once, as part of provisioning. From then on, the product team that owns a project gates its own deployments with the deepeval CLI. They don’t need the Organization API Key; they only need that project’s Project API Key (CONFIDENT_API_KEY).
Python
TypeScript
deepeval gate assesses every control in the project’s policy and exits with code 0 only when the whole policy passes — any failure exits non-zero and stops the deployment. See Gate deployments on a policy for the full reference.
Next Steps
Create a dedicated project per customer or agent — the step before enrollment.
Configure governance policies and the controls that gate your deployments.
See the governance-policy endpoints in the API reference under Organization data models.
Update and clean up the projects your pipeline creates.