Skip to main content
More and more teams run multi-model workloads, but few can answer the questions that matter to a security or legal review: which provider actually served this request, under which jurisdiction was it processed, and where is the data retained? Compliance routing turns those answers into a guarantee you declare once and enforce on every call. You load the AIs your organization approves; PRYSM routes only to models that satisfy your policy and refuses the rest — before a model is ever scored or called.
Compliance is strictly opt-in. With no policy set, routing is byte-for-byte unchanged and every model is eligible. A policy only ever removes models from consideration — it never changes how the survivors are ranked.

The four pieces

Regulatory Compliance Matrix

A baseline map of each provider → jurisdiction, data regions, supported frameworks, certifications, and retention posture.

Policy-as-Code

Your declarative rules: approved providers, jurisdictions, required frameworks & certifications, data residency, blocked data classes, zero-retention.

Content classification

A fast, local scan that flags PII / PHI / FINANCIAL / SECRETS in the prompt — by pattern only, never by calling a model.

Hard exclusion filter

Non-compliant models are removed from the candidate pool before scoring, so the engine cannot pick one — and each decision is attested.

The policy

A policy is a small set of constraints. Every field is optional; set only what you need.
FieldMeaning
provider_allowlistIf set, only these providers are eligible.
provider_denylistThese providers are always excluded.
jurisdictionThe provider’s governing jurisdiction must be one of these (e.g. US, EU).
data_residencyThe provider’s data regions must be a subset of these — no leakage outside the region.
frameworksThe provider must support all of these (e.g. GDPR, CCPA, LGPD).
certificationsThe provider must hold all of these (e.g. SOC2, ISO27001, HIPAA).
block_data_classesData classes that may not reach a non-cleared provider: PII, PHI, FINANCIAL, SECRETS.
require_zero_retentionThe provider must offer a zero-retention / no-train mode.
The compliance matrix is an editable baseline for routing decisions, not legal advice and not a verified statement of any third party’s certifications. Confirm a provider’s posture against your own contracts before relying on it.

Content classification (the prompt never leaves to be classified)

Before routing, PRYSM scans the request text locally for sensitive data classes using regex / keyword / checksum heuristics only. The text is never sent to a model to be classified, and the scan does nothing but match patterns:
  • PII — emails, phone numbers, national IDs.
  • PHI — medical-record and health identifiers (clears only via a HIPAA certification).
  • FINANCIAL — card numbers (Luhn-checked), IBANs, account numbers.
  • SECRETS — API keys, access tokens, private keys.
If a detected class appears in your block_data_classes and no approved provider is cleared for it, the candidate pool collapses to empty and the request is refused (fail-closed) rather than routed somewhere it shouldn’t go.

Hard exclusion before scoring

This is the core guarantee. PRYSM applies the policy as a filter on the candidate pool, then routes among only what survives. A non-compliant model is never scored, never a fallback, and never reachable — not by a routing rule, not by a hard model lock. 
prompt ─▶ classify (local) ─▶ COMPLIANCE FILTER ─▶ route / orchestrate ─▶ attest

                non-compliant models removed from the pool here
This applies everywhere a model is chosen: /v1/chat/completions, /v2/orchestrate, and /v2/code.

Preview before you spend

/v2/compliance/preview is a pure dry-run — no model is called, so it costs nothing and needs no provider keys. It shows exactly what a policy would do for a given prompt:
  • the data classes the text triggers, and what matched;
  • which models are allowed vs excluded, with a reason per exclusion;
  • the Compliance Cost Premium — what staying compliant costs versus the cheapest unrestricted model;
  • a sample attestation hash for your audit trail.
from prysm import Prysm

client = Prysm()
p = client.compliance_preview(
    "summarize this patient's chart",
    compliance={"frameworks": ["HIPAA"], "block_data_classes": ["PHI"]},
)
print(p["allowed_models"])              # only HIPAA-cleared providers survive
print(p["compliance_cost_premium"])     # what that costs vs. unrestricted

Set it where it belongs

In BRAIN.md (version-controlled)

Add a compliance: block so the policy is reviewed in pull requests and applied to every request automatically.

Inline per request

Pass compliance= to orchestrate() / complete() (or the compliance field in the REST body) to confine a single call.
BRAIN.md
# Only EU-resident, GDPR-supporting providers may serve any request,
# and personal data may never reach a provider outside the EU.
compliance:
  jurisdiction: ["EU"]
  frameworks: ["GDPR"]
  data_residency: ["EU"]
  block_data_classes: ["PII"]

Auditable by design

Every confined run carries a compliance attestation — a SHA-256 receipt binding the policy, the detected data classes, the exclusion decisions, and the chosen model. Paired with PrysmProof, it proves not just that a response was produced, but that it was produced within policy — and what it cost relative to the unrestricted reference.

Preview endpoint

Dry-run a policy against any prompt — allowed/excluded models, classes, CCP, attestation.

BRAIN.md

Declare the compliance: block alongside your routing rules and cost guardrails.

AgentGuard

Compliance pairs with cost caps and model blocks — both run after selection and win.

PrysmProof

The verifiable receipt the compliance attestation attaches to.