
Policy Intelligence

Your compliance documents become your enforcement physics.

Policy Intelligence is how a PDF that lives in your GRC folder becomes a Guardian that blocks violations at inference time. Not a RAG hack. Not regex over paragraph text. A typed knowledge graph, thousands of adversarial variations per rule, and a ratchet that locks every addressed failure into the platform forever.


The Ingestion Pipeline

[Figure: six-stage pipeline. (1) Source: PDF · DOCX · URL · Confluence · SharePoint. (2) Ingestion: Parse · Extract · Chunk · Normalize. (3) Knowledge Graph: Policy Nodes (Rule · Definition · Principle). (4) Finalization: Lock · TDG, `n` number of adversarial variations. (5) RAG at Inference: Embed · Retrieve · Inject into context. (6) Guardian: Evaluate · Pass · Correct · Block. Caption: Compliance documents become enforcement geometry — automatically]

Six stages. You provide the source document; Trinitite does the rest.

  1. Source — PDF, DOCX, URL, Confluence page, SharePoint doc, or plain text. Attach once.
  2. Ingestion — parse, extract, chunk, and normalize. Structural elements (sections, numbered clauses, cross-references) are preserved.
  3. Knowledge Graph — nodes typed as Principle (intent), Definition (term), Rule (enforceable), or Exception (scoped carve-out).
  4. Finalization — the draft is locked. The Teleological Generator produces adversarial variations for every rule. Test suites validate.
  5. RAG at inference — the policy is embedded and injected into Guardian context when a matching request arrives.
  6. Guardian verdict — pass, correct, or block, with a citation back to the originating rule node.

The output is a versioned, finalizable, testable policy artifact — not a prompt.


A Typed Knowledge Graph, Not a Text Blob

Policy Knowledge Graph — One Document, Typed Nodes

[Figure: a POLICY ROOT node (policy_id · version · finalized_at) with typed child nodes. PRINCIPLE: Least privilege. DEFINITION: PII = name + SSN + DOB. RULE: "No gifts over $50". RULE: Admin ops require 2 approvers. RULE: Destructive SQL → deny. EXCEPTION: Redact PII in transit · not at rest. RULE: Vendor = "acme" exempt. RULE: Amounts in EUR / GBP / USD only. Legend: Principle = intent, Definition = term, Rule = enforceable, Exception = scoped.]

Your document becomes typed nodes with explicit edges. The Guardian doesn't pattern-match paragraphs — it evaluates against a structured graph where every rule, definition, and exception has its own identity and version.

Every policy document produces a graph with explicit node types and typed edges. That matters because:

  • Definitions resolve once and reuse. "PII" means one thing across every rule in the document.
  • Principles are the intent behind rules. The Guardian can reason about intent, not just syntax.
  • Rules are enforceable predicates. They produce verdicts directly.
  • Exceptions scope themselves — "Vendor acme is exempt" doesn't leak into rules it shouldn't.

A policy edit traces to the node that changed. A policy version diff is a graph diff, not a text diff. An auditor asking "which rule blocked this?" gets a stable node ID, not a line number.
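A small typed graph illustrating the properties described above: verdicts cite a stable node ID, an exception overrides only the rules in its scope, and a version diff is computed per node. This is an added example, not Trinitite code; the `Node` fields, the node IDs, the request keys (`gift_cents`, `approvers_missing`, `destructive_sql`) and the version 2 changes are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    id: str            # stable node ID an auditor can cite
    kind: str          # "principle" | "definition" | "rule" | "exception"
    body: tuple        # hypothetical payload; immutable so versions compare by value
    scope: tuple = ()  # exceptions only: IDs of the rules they may override

def evaluate(graph, request):
    """Return (verdict, cited_node_id) for a request dict."""
    exempted_by = None
    rules = sorted((n for n in graph.values() if n.kind == "rule"), key=lambda n: n.id)
    for rule in rules:
        field, limit = rule.body
        if request.get(field, 0) <= limit:
            continue  # rule satisfied
        # An exception applies only to rules named in its scope.
        exc = next((e for e in graph.values()
                    if e.kind == "exception" and rule.id in e.scope
                    and request.get(e.body[0]) == e.body[1]), None)
        if exc is None:
            return ("block", rule.id)
        exempted_by = exc.id
    return ("pass", exempted_by)

def graph_diff(old, new):
    """Node-level diff between two versions of a policy graph."""
    shared = old.keys() & new.keys()
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": sorted(k for k in shared if old[k] != new[k])}

# Constructed graph built from the rules shown on this page (amounts in cents).
V1 = {n.id: n for n in [
    Node("D-pii", "definition", ("PII", "name + SSN + DOB")),
    Node("R-gift", "rule", ("gift_cents", 5000)),
    Node("R-approvers", "rule", ("approvers_missing", 0)),
    Node("X-acme", "exception", ("vendor", "acme"), scope=("R-gift",)),
]}
# Constructed version 2: tightens the gift limit and adds a rule.
V2 = {**V1, "R-gift": Node("R-gift", "rule", ("gift_cents", 2500)),
      "R-sql": Node("R-sql", "rule", ("destructive_sql", 0))}

if __name__ == "__main__":
    print(evaluate(V1, {"gift_cents": 7500, "vendor": "acme"}))
    print(graph_diff(V1, V2))
```

The acme exception passes a $75 gift but does not rescue an acme request that is missing approvers, because `R-approvers` is not in its scope.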


Teleological Adversarial Fan-Out

Teleological Data Generator — Adversarial Fan-Out

[Figure: SOURCE RULE "No gifts over $50" feeds the TELEOLOGICAL GENERATOR (teacher LLM · adversarial policy · rule context), which produces `n` number of variations per invocation. Eight variation classes are shown, each marked "Guardian trains against": Syntax obfuscation ("$5_0" · "fifty dollars" · "50 USD"); Base64 / hex (encoded dollar amounts); Multi-language (Spanish · Chinese · pig-latin); Gift framing ("promotional credit" · "loyalty bonus"); Legitimate exception (vendor "acme" quote over $50); Edge-case amount ($49.99 · $50.00 · $50.01); Chained violations (gift + kickback + disclosure); Aggregation ($10 × 6 transactions). Caption: Eight shown. Production runs generate hundreds to thousands per source rule.]

One rule — "No gifts over $50" — isn't one test. It's the adversary space around that rule. The Teleological Data Generator (TDG) creates n adversarial variations per rule:

  • Syntax obfuscation — $5_0, fifty dollars, 50 USD, unicode homoglyphs
  • Encoding attacks — base64, hex, rot13, URL-encoded
  • Multi-language — the same intent in Spanish, Chinese, pig-latin
  • Semantic reframing — "promotional credit", "loyalty bonus", "finder's fee"
  • Edge-case amounts — $49.99, $50.00, $50.01
  • Chained violations — gift + kickback + disclosure in the same request
  • Aggregation attacks — six $10 gifts to the same recipient on the same day
  • Legitimate exceptions — vendor "acme" quoted at $75 per approved carve-out

Every variation becomes a training example for the Guardian. The Guardian learns the rule's boundary in vector space, not just its surface text. Regex can't do this. Prompt engineering can't do this. A trained specialist Guardian can — and at sub-millisecond latency.
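To make the coverage argument concrete, the harness below scores a checker per variation class, so that a gap in one class is not hidden by a good overall average. It is an added example, not the TDG or any Trinitite component; the sample requests are constructed by hand, and `regex_baseline` stands in for the keyword-and-amount check the page contrasts with a trained Guardian.

```python
import re
from collections import defaultdict

# Constructed samples for some of the variation classes listed above. Each
# sample is one session (a list of requests); True means it violates
# "No gifts over $50".
CORPUS = [
    ("plain",       ["Send a $75 gift to the buyer"], True),
    ("syntax",      ["Send a gift worth seventy-five dollars"], True),
    ("syntax",      ["Gift value: 75 USD"], True),
    ("reframing",   ["Issue a $75 loyalty bonus to the buyer"], True),
    ("edge",        ["Send a $49.99 gift"], False),
    ("edge",        ["Send a $50.00 gift"], False),
    ("edge",        ["Send a $50.01 gift"], True),
    ("aggregation", ["Send a $10 gift to recipient 17"] * 6, True),
    ("exception",   ["Vendor acme: $75 gift per approved carve-out"], False),
]

AMOUNT = re.compile(r"\$(\d+(?:\.\d+)?)")

def regex_baseline(session):
    """Per-request keyword and amount check, with no state across requests."""
    for text in session:
        m = AMOUNT.search(text)
        if "gift" in text.lower() and m and float(m.group(1)) > 50:
            return True
    return False

def coverage(checker, corpus=CORPUS):
    """Return {class: (correct, total)} so gaps are visible per class."""
    stats = defaultdict(lambda: [0, 0])
    for cls, session, violates in corpus:
        stats[cls][0] += int(checker(session) == violates)
        stats[cls][1] += 1
    return {cls: tuple(v) for cls, v in stats.items()}

def gaps(checker, corpus=CORPUS):
    """Classes where the checker gets at least one sample wrong."""
    return sorted(c for c, (ok, n) in coverage(checker, corpus).items() if ok < n)

if __name__ == "__main__":
    print(coverage(regex_baseline))
    print("gaps:", gaps(regex_baseline))
```

The baseline handles the boundary amounts correctly but misses rewritten amounts, reframing and aggregation, and it raises a false positive on the approved acme carve-out, which is why legitimate exceptions belong in the corpus alongside violations.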


The Safety Ratchet

Safety Ratchet — Known-Failure Surface Only Shrinks

[Figure: step chart of known-failure surface (relative size) against time. Baseline: Guardian v1 · 12 rules. Threat A found (novel prompt-injection variant), then TDG → Lock: 842 variations · all blocked. Threat B found (Base64-encoded SQL via tool arg), then TDG → Lock: 1,206 variations · all blocked. Threat C found (multi-step privilege escalation), then TDG → Lock: 934 variations · all blocked. Today: Guardian v14 · manifold compacts. Legend: Red = threat discovered · Teal = TDG lock-in · Green = compacted manifold. No step in the curve goes up.]

Every threat Trinitite has addressed is locked into the manifold. The known-failure surface — the portion of vector space where attacks previously succeeded — only ever shrinks. That's the ratchet.

This is the mathematical flip of the industry default. Every new model release, whether from OpenAI, Anthropic, or the open-source community, bumps the capability surface (good) and the attack surface (usually bad). Trinitite's Guardians operate on a separate, orthogonal manifold: each addressed threat is a permanent compaction. Fleet-wide, across every client and every customer, once TDG has locked a threat class, no Trinitite-governed agent anywhere can fall to that attack again.


Versioning and Finalization

Policies are versioned like code:

Stage | What it means
Draft | Mutable. Authors edit nodes, run test suites, iterate.
Under review | Locked for content. Reviewers comment and approve.
Finalized | Immutable. Cryptographic hash anchored to the ledger. Guardians retrain against this version.
Superseded | Newer finalized version exists. Old version remains queryable for historical audits.

Finalization is an auditable event: who approved it, when, which test suites ran, what TDG corpus was produced, which Guardian versions train against it. "We changed the policy in March" is answerable down to the hour, the approver, and the diff — with receipts.
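The lifecycle in the table, sketched as a state machine in which edits are refused outside Draft and finalization records a SHA-256 over a canonical serialization of the graph. This is an added example, not Trinitite's implementation; the class, the forward-only transition map, the choice of SHA-256 over sorted-key JSON, and the record fields are assumptions, and anchoring the record to a ledger is left out.

```python
import hashlib
import json

# Forward-only lifecycle from the table above (the transition map is an assumption).
NEXT_STAGE = {"draft": "under_review", "under_review": "finalized",
              "finalized": "superseded"}

class PolicyVersion:
    def __init__(self, policy_id, version, nodes):
        self.policy_id, self.version = policy_id, version
        self.nodes = dict(nodes)      # node_id -> node body (JSON-serializable)
        self.stage = "draft"
        self.record = None            # filled in at finalization

    def canonical_bytes(self):
        """Serialize deterministically so equal graphs hash equally."""
        doc = {"policy_id": self.policy_id, "version": self.version,
               "nodes": self.nodes}
        return json.dumps(doc, sort_keys=True, separators=(",", ":"),
                          ensure_ascii=False).encode("utf-8")

    def digest(self):
        return hashlib.sha256(self.canonical_bytes()).hexdigest()

    def edit(self, node_id, body):
        if self.stage != "draft":
            raise PermissionError(f"{self.stage} policies cannot be edited")
        self.nodes[node_id] = body

    def advance(self, approver=None, approved_at=None):
        target = NEXT_STAGE.get(self.stage)
        if target is None:
            raise ValueError("superseded is terminal")
        if target == "finalized":
            if not (approver and approved_at):
                raise ValueError("finalization needs an approver and a timestamp")
            # This record is what would be anchored to a ledger.
            self.record = {"sha256": self.digest(), "approver": approver,
                           "approved_at": approved_at}
        self.stage = target
        return self.stage

    def verify(self):
        """True if the current content still matches the finalized hash."""
        return self.record is not None and self.record["sha256"] == self.digest()
```

Sorting keys before hashing means two authors who add the same nodes in a different order produce the same digest, while any change to a finalized node makes `verify()` return False.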


What You Get

Capability | Text-only policy | Policy Intelligence
Editability | Word doc in SharePoint | Versioned graph with node-level diffs
Enforcement | Manual review or regex | Trained Guardian on a vector manifold
Adversarial coverage | "We read it carefully" | n variations generated, tested, locked
Failure trajectory | Unknown | Ratchet — failures only shrink
Traceability | Keyword search in docs | Rule-node → training example → Guardian verdict → ledger entry
Exception handling | Comments in the doc | First-class typed nodes with scope

Next Steps

Guardian Training — how the Guardians that enforce this policy actually get trained.

Testing & Simulation — the suites that prove TDG-generated attacks are blocked.

Compliance Architecture — how these rules map to regulatory frameworks automatically.