AI 扩展计划 / Playbooks

AI Policy-as-Code / Decision Automation Playbook

这些来源是本文的术语和架构锚点, 不构成法律、合规或审计意见。正式项目必须由 legal / compliance / risk 结合司法辖区、产品、客户类型、模型用途和内部政策确认。

931 行AI_POLICY_AS_CODE_DECISION_AUTOMATION_PLAYBOOK.md

AI Policy-as-Code Decision Automation Playbook

受众: AI Product Architect / AI Platform PM / Enterprise Architect / Risk & Compliance Technology Lead / 高阶 BA。核心问题: 如何把金融零售 AI 产品中的“政策、权限、决策、审批、解释和审计”从 prompt 中外置出来, 变成可测试、可版本化、可审批、可回滚的 decision automation 架构。学习目标: 能设计一个以 DMN、Policy-as-Code、OPA/Rego、Cedar、Zanzibar/ReBAC、PDP/PEP、decision service、simulation 和 audit evidence 为核心的 AI 决策自动化方案, 并能用信贷、KYC、支付争议、客户建议边界和 Agent 工具授权案例讲清楚。

Source Anchors

Anchor	Primary link	本文用法
OMG Decision Model and Notation (DMN)	https://www.omg.org/spec/DMN/	用 decision requirements、decision logic、decision table 和 FEEL 思路把业务决策显式建模
Open Policy Agent Documentation	https://openpolicyagent.org/docs	用通用 policy engine、PDP/PEP 解耦和 policy decision API 设计 AI 控制面
OPA Policy Language	https://openpolicyagent.org/docs/policy-language	用 Rego 表达授权、审批、deny reason、policy test 和 decision trace
Cedar Policy Language	https://docs.cedarpolicy.com/	用 permit/forbid、principal/action/resource/context 模型表达应用级授权和细粒度访问控制
Zanzibar: Google's Consistent, Global Authorization System	https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/	用关系元组和 ReBAC 思路处理组织、账户、客户、case、文档、工具的关系授权
NIST AI Risk Management Framework	https://www.nist.gov/itl/ai-risk-management-framework	用 Govern / Map / Measure / Manage 语言组织 AI 决策自动化的风险分层、测试、监控和治理证据

1. 核心定位: AI 决策不能藏在 Prompt 里

金融零售 AI 产品里, 很多高风险边界看起来像“回答风格”或“模型指令”, 实际上是决策和控制问题:

能不能读取这个客户?
能不能使用这份 KYC 文件?
能不能建议退款?
能不能输出个性化金融建议?
能不能调用账户冻结工具?
能不能把拒贷原因展示给客户?
能不能绕过人工审批?

这些问题不能靠 prompt 解决。Prompt 可以表达偏好和任务说明, 但它不是授权系统、规则引擎、审批系统、审计系统或监管证据。成熟的 AI 产品架构应该把 guardrails 分层:

Guardrail layer	应放在哪里	不能只靠 prompt 的原因
行为边界	产品范围、workflow、risk tier	模型可能误解、被注入或被上下文污染
业务决策	DMN / decision service / rules engine	需要确定性、版本、解释和回归测试
权限授权	OPA / Cedar / ReBAC / IAM	需要绑定身份、资源、关系、purpose 和租户
工具执行	Tool gateway + PEP	工具调用有副作用, 必须外部拦截
审批双控	Workflow / case management	高风险动作需要人类责任人和证据包
审计证据	Event log / evidence store	事后要能复盘输入、规则、版本、审批和输出
变更治理	Policy registry + release gate	决策逻辑变化要被测试、批准和回滚

一句话:

The model may propose.
The decision service decides.
The policy engine authorizes.
The workflow approves.
The audit system remembers.

中文表达:

模型负责生成建议, 决策服务负责规则判断, 策略引擎负责授权, 工作流负责审批, 审计系统负责留证。

2. Decision Automation Framework

高阶 AI 产品架构不要先问“用哪个模型”, 而要先问“哪些决策正在被自动化、辅助或影响”。本文建议用 8 层框架:

Decision inventory
-> Decision classification
-> Decision model
-> Policy architecture
-> Runtime PDP/PEP design
-> Test and simulation
-> Release governance
-> Audit, monitoring and rollback

2.1 Decision Inventory

把 AI 产品里所有“判断点”登记出来, 包括模型判断、规则判断、人工判断和系统授权。重点不是画流程图, 而是识别每个判断点的后果、证据和控制。

Decision type	金融零售例子	自动化风险
Eligibility	客户是否符合信用卡预审、优惠、分期、争议临时贷记条件	错误纳入或排除客户, 触发公平性和客户权益风险
Suitability / advice boundary	AI 能否回答投资、保险、信贷建议问题	输出个性化建议、误导客户或越过持牌人员边界
KYC / document sufficiency	文件是否满足身份、地址、收入或实益拥有人验证要求	接受伪造或不足材料, 或不当拒绝客户
Dispute / payment rule	争议是否符合时限、交易类型、证据要求和临时贷记条件	错误拒绝、错误退款、违反网络规则或法规
Authorization	Agent 是否能读客户、调工具、写 CRM、发外部通知	越权、跨租户、数据泄露、未经批准的资金动作
Escalation	是否升级到人工、主管、risk、legal、compliance	低估高风险事项或制造过多摩擦
Explanation	给客户、审计或监管的原因是否准确	黑箱解释、错误 reason code、无法追溯
Release decision	policy / model / prompt / tool 变更能否上线	未测试变更导致控制失效

2.2 Decision Classification

对每个决策做风险分类。金融零售里, 分类至少看五个维度:

Dimension	Low	Medium	High
Customer impact	不影响客户权益	影响响应、分流或草稿	影响信贷、资金、账户、投诉、合规记录
Automation level	read / summarize	recommend / draft	decide / act
Explainability	内部可理解即可	需要运营解释	需要客户通知、审计或监管解释
Reversibility	可快速纠正	可补救但成本高	不可逆、监管记录或资金影响
Policy volatility	稳定规则	经常促销或流程变化	多辖区、多产品、多监管解释

输出不是一个标签, 而是控制强度:

Risk tier	默认架构
T0 Informational	prompt + RAG + lightweight logging
T1 Internal decision support	DMN/rules + citation + sample QA
T2 Customer-impacting recommendation	decision service + PDP/PEP + HITL + eval gate
T3 Regulated or adverse decision boundary	deterministic decision logic + reason service + dual control + audit evidence
T4 Prohibited autonomous decision	no autonomous execution; redesign as assistive workflow

2.3 Decision Model

不同决策适合不同表达方式。

Model	适合什么	不适合什么
DMN decision table	业务可读、条件明确、需要解释和审批的规则, 如 KYC 文件要求、争议时限、资格判断	大规模关系授权、复杂层级权限、实时图关系
OPA/Rego	通用 policy decision, 如工具授权、环境限制、审批条件、risk tier gate、release gate	业务人员直接维护的复杂表格, 除非有上层配置 UI
Cedar	应用级授权, principal/action/resource/context 清晰, 需要 permit/forbid 组合	深度工作流编排或复杂数值决策
Zanzibar/ReBAC	关系型授权, 如用户-团队-客户-账户-case-文档-工具之间的 viewer/editor/owner/approver	纯业务计算或可表格化的 eligibility
Rules engine / decision service	高性能、稳定、可测试的规则执行, 可封装 DMN 或代码规则	不应混入生成式解释和自然语言自由判断
LLM / classifier	意图识别、摘要、证据抽取、草稿、模糊分类初筛	最终授权、最终拒贷、最终合规结论、不可审计规则

设计原则:

DMN 管“业务决策逻辑”。
OPA / Cedar 管“能不能做”。
ReBAC 管“这个人和这个资源有什么关系”。
Workflow 管“谁批准、何时批准、批准什么版本”。
LLM 管“提取、解释、起草、建议”, 但不单独成为最终 authority。

2.4 Policy Architecture

Policy-as-Code 的核心不是“把所有规则写成代码”, 而是让政策拥有工程化生命周期:

policy authoring
-> review
-> test
-> simulation
-> approval
-> versioned release
-> runtime decision
-> audit
-> monitoring
-> rollback

成熟策略资产应具备:

Capability	要求
Versioning	每次 policy、decision table、reason mapping、approval rule、tool permission 变更都有版本和变更说明
Ownership	每条 policy 有 business owner、risk owner、technical owner、approver
Testability	policy rule 有正例、反例、边界值、冲突规则、回归样本
Explainability	PDP 返回 rule id、decision reason、evidence reference 和下一步动作
Simulation	新版本上线前能在历史案例、合成案例、shadow traffic 上比较差异
Approval	高风险规则变更需要 risk / compliance / business / architecture sign-off
Rollback	能按 policy bundle、tool、tenant、workflow、model route 回滚
Audit	运行时记录 input facts、policy version、decision、explanation、approver 和 trace id

2.5 PDP / PEP Runtime

PDP 是 Policy Decision Point, 负责做策略判断。PEP 是 Policy Enforcement Point, 负责在系统路径上执行 allow、deny、redact、require_approval、dry_run、route_to_human 等动作。

Layer	PDP 示例	PEP 示例
API access	OPA / Cedar / IAM decision	API gateway, BFF, service middleware
Agent tool use	OPA tool policy, ReBAC relationship check	tool gateway, connector adapter
RAG retrieval	entitlement policy, document relationship policy	retriever filter, vector DB query layer
Decision service	DMN / rules PDP	workflow engine, case management transition
Customer response	advice boundary policy, disclosure policy	response renderer, chat orchestration layer
Release gate	policy test gate, eval gate, risk approval gate	CI/CD pipeline, feature flag platform

关键判断:

PDP 没有接入执行路径, 只是咨询。
PEP 没有可靠执行策略, 只是装饰。
PDP + PEP + audit trace 同时存在, 才是可治理的决策自动化。

3. Reference Architecture

3.1 AI Decision Automation 架构图

flowchart TB
  User[Customer / Employee / Workflow] --> Channel[Channel or Workbench]
  Channel --> Identity[Identity, Role, Tenant, Purpose]
  Channel --> Orchestrator[AI Orchestrator]
  Orchestrator --> ContextGW[Prompt and Context Gateway]
  ContextGW --> Retrieval[RAG Retrieval with Entitlement Filter]
  Retrieval --> ReBAC[Relationship Graph / ReBAC]
  ContextGW --> Model[Model Gateway]
  Model --> Orchestrator
  Orchestrator --> Intent[Intent, Evidence, Proposed Action]
  Intent --> DecisionSvc[Decision Service: DMN / Rules]
  Intent --> PolicyPDP[Policy Decision Point: OPA / Cedar]
  ReBAC --> PolicyPDP
  DecisionSvc --> PolicyPDP
  PolicyPDP --> PEP[Policy Enforcement Point]
  PEP --> Approval[Human Approval / Dual Control]
  PEP --> ToolGW[Tool Gateway]
  ToolGW --> Core[Core Banking / CRM / KYC / Payments / Credit / Case Systems]
  PEP --> ResponseGuard[Response Boundary and Explanation Service]
  ResponseGuard --> Channel
  PolicyPDP --> Audit[Decision and Policy Audit Log]
  DecisionSvc --> Audit
  Approval --> Audit
  ToolGW --> Audit
  ResponseGuard --> Audit
  Audit --> Eval[Policy Tests / Simulation / Replay]
  Eval --> ReleaseGate[Release Gate and Rollback]

3.2 运行时序列

sequenceDiagram
  participant U as User / Agent User
  participant O as AI Orchestrator
  participant R as Retrieval + ReBAC Filter
  participant M as Model Gateway
  participant D as Decision Service
  participant P as PDP
  participant E as PEP / Tool Gateway
  participant H as Human Approval
  participant A as Audit Log
  participant S as System of Record

  U->>O: request + identity + purpose
  O->>R: retrieve entitled context
  R->>O: evidence with source and permission labels
  O->>M: ask model to extract intent and propose action
  M->>O: intent, evidence summary, proposed decision or tool call
  O->>D: evaluate business decision facts
  D->>P: decision outcome + reason code + policy facts
  O->>P: authorize proposed action with user/resource/context
  P->>E: allow / deny / require_approval / dry_run / redact
  alt approval required
    E->>H: approval packet with policy version and evidence
    H->>A: approve / reject / modify
    H->>E: approval decision
  end
  alt allowed
    E->>S: execute scoped action
    S->>E: result
  else denied
    E->>O: blocked with safe reason
  end
  E->>A: tool/action trace
  P->>A: policy decision trace
  D->>A: decision service trace
  O->>U: response, escalation or explanation

3.3 Product Capability Map

把 policy-as-code 做成平台能力, 而不是每个 AI use case 自建一套。

Capability	产品形态	使用者	成熟标准
Decision inventory	AI use case intake 中的决策登记页	PM / BA / Risk	每个 AI decision 有 owner、risk tier、automation boundary
Policy catalog	policy bundles、rules、decision tables、tool permissions	Platform PM / Architect / Risk	能按 use case、tool、tenant、resource 查询策略
Decision service	DMN / rules API, reason code API	Engineering / Operations	每次调用返回 decision、reason、version、trace
PDP API	OPA / Cedar decision endpoint	Tool gateway / API gateway / workflow	响应稳定, 支持缓存, 返回可解释 decision
PEP integration	middleware、tool gateway、retriever filter、workflow gate	Engineers	所有高风险路径都有 enforcement, 不是旁路咨询
Policy test suite	unit tests、scenario tests、regression tests、red-team cases	EvalOps / Risk / QA	高风险变更无测试不得发布
Simulator	历史案例 replay、synthetic cases、shadow traffic diff	PM / Risk / Compliance	能量化新旧策略差异和客户影响
Approval workflow	policy release approval、action approval、dual control	Risk / Ops / Compliance	批准绑定具体版本、证据和参数
Audit evidence	decision trace、policy version、input facts、approver、output	Audit / Compliance / Incident	事故和审计可以重放关键决策链
Rollback control	feature flag、policy bundle rollback、tool kill switch	SRE / Platform / Risk	可按 workflow/tool/tenant/version 局部回滚

4. AI Guardrails 外置化模式

4.1 从 Prompt Guardrail 到 Externalized Policy

Prompt-only 写法	问题	外置化设计
“不要给客户投资建议”	模型可能误判建议边界, 也无法审计为什么阻断	advice boundary classifier + policy PDP + response PEP + licensed advisor handoff
“不要读取无关客户”	模型没有资源关系图和权限事实	ReBAC entitlement filter + PDP + retriever PEP
“高风险动作要审批”	模型可能把动作拆小或跳过审批	tool gateway PEP + cumulative policy + approval workflow
“按政策判断 KYC 文件是否有效”	政策版本、地区、产品、例外很难靠 prompt 稳定执行	DMN decision table + document classifier + human review
“生成拒贷原因要合规”	自由文本可能不对应真实 reason code	reason code service + adverse action boundary policy + compliance approval

4.2 Recommended Split

问题	LLM 做什么	Policy / Decision 层做什么
用户想做什么	意图识别、提取字段、总结上下文	判断该意图是否允许、是否需审批
证据是什么	从文档和记录中提取候选证据	校验证据来源、权限、时效、完整性
规则如何适用	起草解释、指出可能规则	执行 DMN / Rego / Cedar 决策
能否调用工具	生成 tool call proposal	PDP/PEP 决定 allow/deny/approval
如何回复客户	生成草稿和语气调整	response boundary、disclosure、advice gate、reason code gate
如何解释	生成面向人类的说明	绑定 rule id、facts、reason code、policy version

5. Financial Retail Cases

5.1 信贷资格与 Adverse Action 边界

场景

AI Credit Assistant 帮信贷官整理申请材料、检测政策缺口、解释资格判断、起草客户通知。高风险边界是: AI 不能自由决定批准/拒绝, 不能自由生成 adverse action reasons, 不能把受保护特征或代理变量作为理由。

决策拆分

Decision	推荐实现	AI 角色	自动化边界
申请材料是否完整	DMN decision table	提取字段、指出缺失证据	可自动标缺失, 关键例外需人工
是否满足政策资格	Decision service / rules	解释政策条款, 生成 memo 草稿	规则服务输出资格结果, 信贷官决策
adverse action reason code	Reason code service + compliance-approved mapping	起草客户可读语言	reason code 必须来自可验证映射
是否能发送通知	OPA/Cedar + workflow approval	准备通知草稿	PEP 阻断未审批通知

控制重点

Risk	Control
LLM 编造拒贷原因	reason code service 返回 approved code, LLM 只能改写批准话术
解释不对应实际决策因素	decision trace 绑定 facts、rule id、score reason 和 policy version
protected class / proxy factor 被使用	feature policy + fairness review + prohibited factor tests
人工被 AI 暗示性替代	UX 显示“assistant recommendation”, workflow 要求人类 decision owner

Portfolio Artifact

Credit Decision Boundary Pack
- Decision inventory: credit eligibility, completeness, reason code, notice send
- DMN table: completeness and eligibility pre-check
- Reason code mapping: approved reason -> evidence -> customer wording
- PDP/PEP map: who can view, decide, approve, send
- Simulation: historical applications old vs new policy impact
- Release gate: zero unauthorized final decision, zero unsupported adverse reason
- Audit evidence: application facts, policy version, reason code, approver, notice version

5.2 KYC 文档决策

场景

AI KYC Copilot 读取客户上传文件、OCR 结果、客户资料和 jurisdiction/product policy, 判断文档是否满足身份、地址、收入、企业注册、UBO 或 sanctions screening 前置要求。

决策拆分

Decision	推荐实现	AI 角色	自动化边界
文档类型识别	classifier + human review fallback	OCR、分类、字段抽取	低置信度进入人工
文档有效性	DMN table	提取 issue date、expiry、issuer、country	规则服务判断有效性
是否满足 KYC policy	DMN / rules by jurisdiction/product	摘要缺口和下一步	高风险客户、PEP、sanctions 相关不自动通过
能否更新 KYC status	OPA/Cedar PDP + PEP	提出更新建议	写入 status 需要权限和审批

DMN 决策片段

Rule	Product	Jurisdiction	Customer type	Document type	Expired	Address match	Risk rating	Decision	Reason
1	Deposit	US	Individual	Government ID	false	not_required	Low	accept_for_identity	ID valid for low-risk individual onboarding
2	Deposit	US	Individual	Utility Bill	false	true	Low	accept_for_address	Address evidence matches customer profile
3	Deposit	US	Individual	Utility Bill	true	true	Low	reject_document	Address document expired
4	Business Banking	US	Entity	Incorporation Certificate	false	not_required	Medium	require_analyst_review	Entity document requires analyst verification
5	Any	Any	Any	Unknown	any	any	Any	require_manual_review	Document type not reliably classified
6	Any	Any	Any	Any	any	any	High	require_enhanced_due_diligence	High-risk profile requires EDD workflow

控制重点

Risk	Control
AI 接受伪造或无效文件	document fraud signals + deterministic policy + confidence threshold
地区和产品政策混用	jurisdiction/product facts 必须进入 decision input, policy version 留痕
高风险客户自动通过	risk rating PEP 强制 route_to_edd
上传文件中的 prompt injection	文件内容只作为 evidence, 不作为 instruction

5.3 支付争议规则

场景

AI Payment Dispute Assistant 帮运营人员解释交易、网络规则、时限、证据和下一步动作。高风险边界是: AI 不能直接决定争议结果、不能未经授权发起退款或 provisional credit, 不能绕过双控。

决策拆分

Decision	推荐实现	AI 角色	自动化边界
争议类型分类	LLM/classifier + rule validation	识别 fraud、goods not received、duplicate、merchant error	低置信度人工分流
是否在时限内	DMN/rules	提取 transaction date、claim date	规则服务计算
需要什么证据	DMN decision table	整理缺失材料	自动生成 checklist
能否建议 provisional credit	rules + risk tier	起草建议和客户说明	高金额、重复争议、异常模式需审批
能否执行资金动作	OPA/Cedar + PEP + dual control	提出 tool call	tool gateway 强制审批和幂等

控制重点

Risk	Control
错误解释网络规则	approved rule source + policy version + citation
拆分金额绕过审批	cumulative exposure policy, customer/account/day aggregation
重复退款或重复 case	idempotency key = transaction_id + dispute_type + customer_id
客户沟通误导	response PEP 检查禁止承诺和 required disclosure

5.4 面向客户 AI 建议边界

场景

客户问 AI: “我应该买这个基金吗?”、“我该不该提前还贷?”、“我这个收入能申请多少额度?”、“帮我选最适合的信用卡”。这些问题既可能是产品信息, 也可能越过个性化金融建议、信贷推荐或 suitability 边界。

决策拆分

Decision	推荐实现	AI 角色	自动化边界
问题是否涉及个性化建议	classifier + policy PDP	识别用户意图、提取个性化因素	PDP 决定 answer / safe info / handoff
能否展示产品信息	policy + content allowlist	生成比较表草稿	只使用 approved content
是否需要持牌人员	advice boundary policy	生成 handoff summary	客户建议转人工或 advisor
回复是否合规	response PEP + eval	改写为教育性信息	禁止个性化 recommendation

Advice Boundary Matrix

User request	Allowed AI response	Required control
“这张卡年费是多少?”	回答批准知识库中的产品事实	RAG citation + policy freshness
“我适合哪张卡?”	解释比较维度, 引导用户查看资格和条款	no personalized recommendation unless approved flow
“我应该买这个基金吗?”	提供一般性教育信息, 转持牌顾问	advice boundary PEP
“按我的交易记录告诉我买什么”	拒绝个性化投资建议, 提供 advisor handoff	high-risk intent + customer data boundary
“我能不能贷款?”	提供申请条件和流程, 不做最终资格承诺	eligibility pre-check disclosure + human decision boundary

5.5 Agent 工具授权

场景

企业 AI Agent 可以查询客户、读取 KYC、创建 case、起草邮件、提交争议、触发退款、冻结账户、外发供应商工单。工具越多, prompt injection、confused deputy、越权、外泄和审批绕过风险越高。

工具风险分层

Tool tier	示例	默认策略
T0 Read public	`search_public_policy`	allow with logging
T1 Read internal	`search_internal_sop`	RBAC + source citation
T2 Read customer	`read_customer_transactions`	RBAC + ReBAC + purpose + field minimization
T3 Draft write	`draft_crm_note`, `draft_customer_email`	draft only + user confirmation
T4 Controlled action	`issue_fee_waiver`, `open_dispute_case`	approval + limits + audit
T5 Regulated / irreversible	`freeze_account`, `submit_sar_draft`, `send_adverse_action_notice`	dual control + restricted roles + evidence packet
T6 Prohibited	`export_all_customers`, `modify_consent`, `reveal_secret`	deny + incident signal

OPA/Rego 示例

以下示例表达“Agent 可以提出动作, 但工具网关按身份、目的、case、风险、审批和注入信号决策”。生产实现还需要接入 IAM、case system、policy registry、DLP 和 audit。

package ai.agent.authz

import rego.v1

default decision := {
  "effect": "deny",
  "reason": "No matching policy",
  "rule_id": "DEFAULT-DENY"
}

decision := {
  "effect": "allow",
  "reason": "KYC analyst may read an open KYC case for review",
  "rule_id": "KYC-READ-001"
} if {
  input.action == "read_kyc_case"
  input.user.role == "kyc_analyst"
  input.purpose == "kyc_review"
  input.case.status == "open"
  input.user.tenant == input.case.tenant
}

decision := {
  "effect": "require_approval",
  "reason": "Customer-impacting payment action requires supervisor approval",
  "rule_id": "PAY-ACT-004",
  "approval_role": "payments_supervisor"
} if {
  input.action == "issue_provisional_credit"
  input.tool.risk_tier == "T4"
  input.amount_usd > 100
}

decision := {
  "effect": "deny",
  "reason": "Prompt injection risk blocks write actions",
  "rule_id": "AI-INJECT-010"
} if {
  input.action_type == "write"
  input.security.prompt_injection_risk == "high"
}

Cedar 示例

Cedar 的 principal/action/resource/context 模型适合应用内授权和工具授权。

permit(
  principal in Role::"KycAnalyst",
  action == Action::"ViewKycCase",
  resource
)
when {
  resource.tenant == principal.tenant &&
  resource.status == "open" &&
  context.purpose == "kyc_review"
};

permit(
  principal in Role::"PaymentsSupervisor",
  action == Action::"ApproveProvisionalCredit",
  resource
)
when {
  resource.amount_usd <= 500 &&
  context.case_status == "open" &&
  context.dual_control_required == false
};

forbid(
  principal,
  action in [Action::"SendExternalMessage", Action::"IssueRefund"],
  resource
)
when {
  context.prompt_injection_risk == "high" ||
  context.dlp_result == "blocked"
};

Zanzibar / ReBAC 关系授权示例

关系授权解决的是“谁和哪个资源有什么关系”, 例如:

customer:123#relationship_manager@user:alice
account:456#owner@customer:123
case:KYC-789#subject@customer:123
case:KYC-789#viewer@team:kyc-us
team:kyc-us#member@user:bob
document:DOC-222#attached_to@case:KYC-789
tool:read_kyc_case#invoker@team:kyc-us

当 Agent 请求读取 document:DOC-222 时, PDP 不只看 role, 还看:

用户是否属于可访问该 case 的 team。
文档是否附属于该 case。
case 是否属于当前 tenant。
purpose 是否与 case workflow 匹配。
工具是否允许该 team 调用。
是否存在临时授权、冲突隔离或 legal hold。

6. Artifact Pack

6.1 Decision Inventory

Field	示例
Decision ID	`DEC-KYC-014`
Decision name	Determine whether address proof is acceptable
Business capability	KYC onboarding
Workflow point	Document review before status update
AI role	OCR extraction and evidence summary
Decision owner	KYC Operations Lead
Risk owner	Financial Crime Compliance
Technical owner	AI Platform Decision Services
Decision type	Document sufficiency
Automation level	recommend + deterministic decision service
Customer impact	Medium: onboarding delay or incorrect acceptance
Policy source	KYC policy US v2026.06
Implementation	DMN table executed by decision service
PDP dependency	OPA tool authorization for status update
Explanation output	accept/reject/review reason with rule id
Required evidence	document type, expiry date, issuing country, address match, risk rating
Test pack	positive, expired, mismatch, unknown type, high-risk customer
Release approvers	KYC Ops, Compliance, Architecture
Audit fields	input facts, document id, policy version, decision, reviewer, trace id

6.2 Policy Architecture Template

Layer	Design decision	Example
Business policy	哪些政策被自动化, 哪些只做辅助	KYC address proof rules are automated; EDD final approval remains manual
Decision model	使用 DMN、rules、Rego、Cedar 或 ReBAC	DMN for document sufficiency, OPA for tool action authorization
Runtime location	决策服务部署在哪里	Central decision service called by KYC workbench and AI orchestrator
Input facts	决策所需事实及来源	OCR fields, customer risk rating, product, jurisdiction, document metadata
Output contract	PDP/decision service 返回什么	decision, reason, rule_id, policy_version, confidence, next_action
PEP locations	哪些地方执行结果	UI button state, workflow transition, tool gateway, response renderer
Versioning	策略如何打包发布	`kyc-policy-bundle:2026.06.3` with changelog and approvers
Testing	如何验证	unit tests, historical replay, synthetic edge cases, red-team prompt injection
Approval	谁批准上线	business owner, risk owner, compliance owner, architecture owner
Audit	运行时记录什么	facts hash, sensitive evidence pointer, policy version, decision, approver
Rollback	如何撤回	feature flag to previous policy bundle, block write tools, route to manual

6.3 PDP / PEP Map

Use case path	PDP	PEP	Decision	Enforcement
Customer service RAG retrieval	ReBAC entitlement PDP	Retriever filter	Can this user retrieve this policy/customer document?	Exclude unauthorized chunks before model call
KYC status update	OPA tool policy	Tool gateway	Can this analyst/agent update status?	allow, require approval, deny
Payment provisional credit	OPA + limits rules	Payments action gateway	Does this action require approval or dual control?	Create approval packet before tool execution
Credit adverse action notice	Reason service + policy PDP	Notice workflow	Can this notice be generated and sent?	block unsupported reason, require review
Customer advice answer	Advice boundary PDP	Response renderer	Is this personalized advice?	safe info, handoff, refusal, disclosure
Policy release	CI policy tests + risk gate	Deployment pipeline	Can this policy bundle ship?	pass, conditional, fail, rollback

6.4 DMN Decision Table Example

Use case: payment dispute evidence requirement.

Rule	Dispute type	Claim age days	Card present	Amount USD	Prior disputes 90d	Required evidence	Decision	Reason code
1	fraud	0-60	false	0-100	0-2	customer attestation, transaction detail	eligible_for_standard_review	DIS-FRD-STD
2	fraud	61-120	false	0-100	0-2	customer attestation, late claim reason	require_specialist_review	DIS-FRD-LATE
3	duplicate	0-120	any	0-500	0-5	both transaction ids, merchant name match	eligible_for_standard_review	DIS-DUP-STD
4	goods_not_received	0-120	any	0-1000	0-3	merchant communication, expected delivery date	require_evidence_upload	DIS-GNR-EVD
5	any	any	any	1000+	any	case packet, supervisor review	require_supervisor_review	DIS-HIGH-AMT
6	any	any	any	any	6+	case history, fraud pattern review	require_risk_review	DIS-REPEAT

Decision service output contract:

{
  "decision_id": "DEC-PAY-DISPUTE-EVIDENCE",
  "policy_version": "payments-dispute-2026.06.2",
  "decision": "require_supervisor_review",
  "reason_code": "DIS-HIGH-AMT",
  "required_evidence": ["case packet", "supervisor review"],
  "explanation": "High amount disputes require supervisor review before provisional credit or customer commitment.",
  "trace_id": "trace-20260629-001"
}

6.5 Policy Test Suite

Test ID	Policy area	Input	Expected decision	Failure caught
POL-KYC-001	KYC document	valid US government ID, low-risk individual	accept_for_identity	false rejection
POL-KYC-002	KYC document	expired utility bill, address matches	reject_document	accepting expired evidence
POL-KYC-003	KYC document	unknown document type	require_manual_review	over-automation on uncertain evidence
POL-PAY-001	Payment dispute	fraud claim, 45 days, amount 80	eligible_for_standard_review	incorrect time-window handling
POL-PAY-002	Payment dispute	fraud claim, 95 days, amount 80	require_specialist_review	late claim misclassification
POL-AUTH-001	Tool auth	analyst reads open case in same tenant	allow	blocking legitimate work
POL-AUTH-002	Tool auth	analyst reads closed case from different tenant	deny	cross-tenant access
POL-AUTH-003	Tool auth	write action with high prompt injection risk	deny	injected tool execution
POL-ADV-001	Advice boundary	customer asks product fee	allow_fact_answer	over-refusal
POL-ADV-002	Advice boundary	customer asks what fund to buy using account data	handoff_to_advisor	personalized advice leakage
POL-REL-001	Release gate	policy bundle with failing high-risk regression	fail_release	unsafe policy deployment

6.6 Simulation Report

Section	Portfolio-ready content
Objective	Compare `payments-dispute-2026.06.1` vs `2026.06.2` before production release
Dataset	5,000 historical dispute cases, 200 synthetic edge cases, 50 red-team cases
Scope	dispute evidence requirements, provisional credit approval routing, customer response boundary
Key metric	decision change rate, high-risk escalation rate, false auto-approval count, manual review volume
Result	7.8% decision changes; high-amount disputes routed to supervisor increased from 92.1% to 99.4%; false auto-approval in red-team set reduced to 0
Business impact	estimated +4.2% manual review workload for high-amount cases, accepted due to risk reduction
Risk finding	repeat-dispute rule created 1.1% additional risk reviews; operations capacity remains within SLA
Release recommendation	approve limited release for card disputes with daily monitoring for first 10 business days
Rollback trigger	supervisor queue SLA breach over 20%, false auto-approval > 0, customer complaint spike > agreed threshold

6.7 Release Gate

Gate	Required evidence	Pass standard
G1 Decision inventory	Decision IDs, owners, risk tier, automation boundary	100% high-risk decisions registered
G2 Architecture review	PDP/PEP map, data flow, trust boundary, tool gateway design	No high-risk path without PEP
G3 Policy test	Unit, scenario, regression, red-team tests	0 critical failures; documented medium-risk exceptions
G4 Simulation	Historical replay and synthetic edge cases	Decision delta explained and approved
G5 Explainability	reason code, rule id, policy version, evidence mapping	Every customer-impacting decision has traceable reason
G6 Approval	business, risk, compliance, architecture sign-off	Approvals bind exact policy bundle version
G7 Monitoring	dashboard, alerts, audit trace sampling	Metrics and owners active before release
G8 Rollback	feature flag, previous bundle, manual fallback	rollback tested in non-prod and runbook approved

6.8 Audit Evidence

Evidence item	Example
Request metadata	authenticated user, role, tenant, channel, purpose, timestamp
Resource facts	customer id hash, case id, document id, account relationship, data classification
Model facts	model id, prompt version, retrieved source ids, tool proposal, confidence
Decision facts	policy bundle, DMN table version, Rego/Cedar version, input facts hash
Decision output	allow/deny/approval/review, reason code, rule id, explanation
Enforcement record	PEP location, action blocked/executed, approval packet id, tool result summary
Human oversight	reviewer, decision, override reason, timestamp, version reviewed
Release evidence	test run id, simulation report, approvers, deployment artifact
Incident evidence	trace id, failing control, containment action, rollback version, corrective test

6.9 Incident Rollback Runbook

Step	Action	Output
1	Classify incident by customer impact, data exposure, funds movement, regulatory record impact	severity and incident owner
2	Freeze evidence: policy bundle, model/prompt version, audit traces, approval packets, tool logs	evidence snapshot
3	Contain: disable affected policy bundle, tool, workflow, tenant or model route	kill switch record
4	Route work to manual fallback or previous approved decision bundle	continuity path
5	Identify failed control: decision logic, PDP, PEP, approval, DLP, ReBAC, prompt/context boundary	control failure classification
6	Add regression case from incident facts	new policy/eval test id
7	Fix and replay historical/synthetic/incident cases	replay report
8	Obtain risk/compliance/business approval for restoration	restoration approval
9	Restore gradually with enhanced monitoring	staged recovery log
10	Close with postmortem and evidence binder update	CAPA, owner, due date, management summary

7. Operating Model

7.1 RACI

Activity	PM	Architect	Advanced BA	Engineering	Risk/Compliance	Ops	Audit
Decision inventory	A	C	R	C	C	C	I
Automation boundary	A	R	R	C	A/R	C	I
DMN/rule design	C	R	R	R	A/R	C	I
PDP/PEP architecture	C	A/R	C	R	C	C	I
Policy tests	C	R	R	R	A/R	C	I
Simulation	A	R	R	R	A/R	R	I
Release approval	A	A/R	C	R	A/R	C	I
Audit evidence	C	R	R	R	A/R	C	C
Incident rollback	A	A/R	C	R	A/R	R	C

7.2 Policy Lifecycle

1. Intake
   Register decision, owner, source policy, risk tier and automation boundary.

2. Author
   Encode policy as DMN table, Rego, Cedar, relationship schema or rules service.

3. Review
   Business validates intent; risk/compliance validates boundary; architect validates enforceability.

4. Test
   Run unit, scenario, edge, conflict, red-team and regression tests.

5. Simulate
   Replay historical cases and synthetic edge cases; quantify decision deltas.

6. Approve
   Bind sign-off to exact policy bundle, test run and simulation report.

7. Release
   Deploy with feature flag, monitoring, audit and rollback path.

8. Monitor
   Track decision volume, deny rate, approval workload, override rate, complaints and incidents.

9. Improve
   Turn incidents, overrides, policy changes and regulator feedback into versioned changes.

7.3 Metrics

Metric	Why it matters
High-risk decisions with registered owner	没有 owner 就没有治理
High-risk paths with active PEP	防止策略只停留在文档或旁路服务
Policy test pass rate by severity	避免平均分掩盖 critical failure
Simulation decision delta	量化策略变更对客户和运营的影响
Unauthorized action count	核心安全指标, 目标为 0
Unsupported explanation count	控制 adverse action、KYC、支付和客户建议解释风险
Approval SLA and override rate	衡量摩擦、队列容量和规则质量
Policy rollback time	体现运营韧性
Audit replay success rate	证明证据链可用
Policy drift incidents	发现政策、流程、模型和数据源不一致

8. 30-Day Portfolio Lab

选择一个场景: 信贷资格边界、KYC 文档决策、支付争议规则、客户 AI 建议边界或 Agent 工具授权。30 天产出一套可展示 artifact。

Week 1: Decision Discovery and Architecture

Day	Output	任务
1	`decision-inventory.md`	登记 10-15 个 decision, 标出 AI role、owner、risk tier、automation boundary
2	`decision-classification.md`	用 customer impact、automation、explainability、reversibility、volatility 做分级
3	`source-policy-map.md`	把政策来源映射到 decision id、policy version、owner
4	`target-architecture.md`	画 decision service、PDP、PEP、workflow、audit、rollback 架构
5	`pdp-pep-map.md`	标出每个高风险路径的 PDP 和 PEP
6	`ai-guardrail-externalization.md`	把 prompt guardrails 改写成 external policy / decision service
7	`architecture-review.md`	记录 top 10 architecture risks 和 controls

Week 2: Policy Modeling

Day	Output	任务
8	`dmn-decision-table.md`	写 1 张核心 DMN decision table, 包含 rule id、decision、reason
9	`rego-policy.md`	写工具授权或 release gate Rego policy
10	`cedar-policy.md`	写 principal/action/resource/context 授权示例
11	`rebac-schema.md`	设计用户、团队、客户、账户、case、document、tool 的关系模型
12	`decision-output-contract.md`	定义 decision API 输出字段: decision、reason、version、trace
13	`explanation-design.md`	设计 reason code、rule id、evidence、customer wording 的映射
14	`approval-workflow.md`	设计 require_approval / dual_control 的批准包和失效条件

Week 3: Test, Simulation and Release

Day	Output	任务
15	`policy-test-suite.md`	写 20 个测试: 正例、反例、边界、冲突、注入、越权
16	`red-team-cases.md`	写 prompt injection、approval bypass、cross-tenant、data leakage 样本
17	`historical-replay-plan.md`	定义历史案例 replay 字段、抽样和比较指标
18	`simulation-report.md`	生成 old vs new policy 的决策差异报告
19	`release-gate.md`	定义 G1-G8 release gate 和 pass standard
20	`monitoring-dashboard-spec.md`	定义 deny rate、approval workload、override、incident、rollback 指标
21	`rollback-runbook.md`	写 incident rollback, 包含 kill switch、manual fallback、replay

Week 4: Portfolio Packaging and Interview Story

Day	Output	任务
22	`audit-evidence-binder.md`	组织 request、facts、policy、decision、approval、tool、release、incident evidence
23	`risk-control-matrix.md`	把风险映射到 control、test、evidence、owner
24	`product-prd-section.md`	写平台产品能力: policy catalog、simulator、approval、audit、rollback
25	`architecture-adr.md`	写为什么采用 external decision service + policy engine
26	`exec-summary.md`	写一页高管摘要: value、risk、control、release decision
27	`exam-audit-qa.md`	写 12 个审计/监管问答
28	`interview-story.md`	写 30 秒、2 分钟、CTO、CISO、PM 版本
29	`portfolio-case-study.md`	串联 use case -> decision -> policy -> test -> evidence -> release
30	`demo-script.md`	准备演示脚本: 一个允许、一个拒绝、一个审批、一个回滚案例

30 天完成标准

能力	自检问题
Decision architecture	能否解释哪些判断由模型、规则、PDP、人工分别负责
Policy modeling	是否至少有 DMN、Rego/Cedar、ReBAC 三类 artifact
Runtime enforcement	是否所有高风险路径都有 PEP, 而不是只做建议
Auditability	是否能从客户输出追溯到 facts、policy version、rule id、approver
Simulation	是否能量化 policy 变更对历史案例和运营队列的影响
Release governance	是否有测试、审批、监控、rollback gate
Interview readiness	是否能讲清“为什么 prompt guardrail 不够”

9. Interview Answers

Q1: 你如何解释 Policy-as-Code 在 AI 产品里的价值?

30 秒版本:

Policy-as-Code 的价值是把 AI 产品里的授权、审批、业务边界和上线门禁从 prompt 和文档中外置出来, 变成可测试、可版本化、可审计、可回滚的控制面。模型可以提出建议或 tool call, 但 OPA/Cedar/decision service 根据身份、资源、purpose、risk tier、policy version 和审批状态决定 allow、deny、require approval 或 route to human。

2 分钟版本:

我会把 AI 产品分成生成层、决策层、策略层、执行层和审计层。生成层负责理解意图、提取证据、起草说明; 决策层用 DMN 或规则服务处理资格、文件有效性、争议证据、reason code 等业务逻辑; 策略层用 OPA、Cedar 或 ReBAC 处理谁能对什么资源做什么动作; 执行层通过 PEP 放在 tool gateway、API gateway、workflow 和 response renderer 上; 审计层记录 facts、policy version、decision、approver 和 trace。这样做的核心收益是: AI 的高风险边界不依赖 prompt 服从性, 而由外部系统强制执行。

Q2: DMN、OPA、Cedar、Zanzibar 分别适合什么?

DMN 适合业务可读的决策表和决策需求图, 比如 KYC 文件是否有效、争议证据是否完整、某类资格预检查。OPA/Rego 适合通用 policy decision, 比如工具授权、审批条件、release gate 和环境限制。Cedar 适合应用级授权, 用 principal/action/resource/context 表达 permit 和 forbid。Zanzibar/ReBAC 适合复杂关系授权, 比如用户、团队、客户、账户、case、文档之间的 viewer、owner、approver、subject 关系。金融 AI 架构里通常不会四选一, 而是 DMN 管业务决策, OPA/Cedar 管授权策略, ReBAC 提供关系事实。

Q3: 如何把 AI guardrails 从 prompt 外置出来?

我会先识别 prompt 里哪些句子其实是业务政策、权限、合规边界、审批条件或输出约束。然后分别落到外部控制: 业务政策进入 DMN/decision service; 权限进入 OPA/Cedar/ReBAC; 高风险工具进入 tool gateway PEP; 客户建议边界进入 response policy; 审批进入 workflow; 解释进入 reason service; 版本和测试进入 release gate。Prompt 只保留任务说明和输出格式, 不承担授权和合规责任。

Q4: 如何设计 PDP/PEP?

PDP 负责判断, PEP 负责执行。一个常见错误是只做 PDP API, 但业务系统仍然允许绕过。我的设计会把 PEP 放在真正的执行路径上: retriever filter 控制 RAG 文档, tool gateway 控制 Agent 工具, workflow engine 控制状态迁移, response renderer 控制客户输出, CI/CD 控制 policy release。每次 PDP 返回 effect、reason、rule id、policy version 和 trace id, PEP 按 allow、deny、require approval、redact、dry run 或 route_to_human 执行, 同时写入 audit log。

Q5: 如何证明决策自动化可审计?

关键是运行时证据链。每个高风险决策要能复盘: 谁发起、为什么目的、访问了什么资源、输入 facts 是什么、模型输出了什么、哪个 decision table 或 policy bundle 被执行、返回什么 decision 和 reason、谁审批、哪个 PEP 执行或阻断、最终输出给客户什么。审计证据不能只有自然语言解释, 还要有 rule id、policy version、input facts hash、approval packet、tool trace 和 release test run。

Q6: 如何处理 policy versioning 和审批?

我会把 policy bundle 当成可发布 artifact。每次 DMN 表、Rego/Cedar policy、ReBAC schema、reason mapping、approval rule 或 tool permission 变化, 都需要 changelog、owner、test run、simulation report 和 sign-off。高风险 bundle 的审批绑定 exact version 和 test result, 不是泛泛批准。上线后通过 feature flag 或 config registry 控制 rollout, 出问题可以回滚到前一个批准版本。

Q7: 如何做 policy simulation?

Simulation 不是跑几个单元测试, 而是比较新旧 policy 对真实业务的影响。我会用历史案例、合成边界案例和 red-team 样本做 replay, 看 decision change rate、false allow、false deny、manual review volume、approval queue load、客户影响和合规风险。比如支付争议规则更新后, 要知道多少 case 从自动处理变成主管复核, 是否消除了高金额错误通过, 是否造成运营 SLA 压力。

Q8: 在信贷 adverse action 场景, LLM 能做什么、不能做什么?

LLM 可以整理材料、解释政策、起草 memo 和把批准的 reason code 改写成客户可读语言。它不应该自由生成最终拒贷原因, 更不能替代信贷决策。Adverse action reason 应来自可验证的 reason service 或规则映射, 并绑定实际决策因素、policy version、证据和人工审批。客户通知发送前, PEP 检查 reason 是否被批准、是否对应实际 facts、是否完成 required review。

Q9: Agent tool authorization 为什么需要 ReBAC?

RBAC 只能说明某人是什么角色, 但金融场景还需要知道这个人和具体客户、账户、case、文档、团队、租户之间的关系。ReBAC 可以表达“Bob 是 KYC-US team 成员, 该 team 可以查看 case KYC-789, 文档 DOC-222 附属于这个 case, case 属于同一 tenant”。Agent 读取或操作资源时, PDP 同时看 role、relationship、purpose、resource status 和 risk tier, 可以避免普通角色权限过宽。

Q10: 如果策略错误上线导致客户影响, 你如何响应?

先按影响范围启用 kill switch 或回滚 policy bundle, 阻断受影响工具、workflow、tenant 或客户输出路径。然后冻结证据: policy version、decision trace、model/prompt version、approval packet、tool log、客户输出。接着用 incident facts 识别失败控制, 例如 DMN 规则错误、PEP 未接入、approval 条件缺失或 ReBAC 关系错误。修复后必须把事故样本加入 regression suite, replay 历史和合成案例, 由 risk/compliance/business 重新批准后分阶段恢复。

10. 常见误区

Mistake	为什么危险	正确做法
把 prompt 当 policy	Prompt 不能保证授权、版本、审计和执行	外置到 decision service、PDP、PEP 和 workflow
只做 policy API, 不做 PEP	系统仍可绕过策略	把 PEP 放到 retriever、tool gateway、workflow、response、release pipeline
让 LLM 生成最终拒贷原因	可能不准确、不可追溯或不对应真实因素	reason code service + approved wording + human review
把 DMN 当万能权限系统	DMN 不擅长复杂关系授权	DMN 管业务决策, ReBAC/OPA/Cedar 管授权
只测 happy path	高风险失败常在边界、冲突、越权、注入和版本变更	建 policy test suite + simulation + red-team
审批不绑定版本	批准对象不清, 变更后证据失效	approval 绑定 exact policy bundle、test run、simulation report
解释只有自然语言	无法审计和回归	explanation 绑定 facts、rule id、reason code、policy version
无法局部回滚	小错误变成大面积停服	按 bundle/tool/workflow/tenant/model route 设计 rollback
Policy owner 不清	规则长期漂移, 无人承担风险	每个 decision 和 policy 都有 business/risk/technical owner

11. 最终记忆句

AI decision automation is not prompt engineering.
It is a governed control architecture:
explicit decisions, externalized policies, enforced PDP/PEP, tested versions, simulated impact, approved releases, auditable traces, and reversible operations.

中文记忆:

AI 决策自动化的关键, 是把“模型说可以”改成“策略证明可以、系统强制执行、证据能够复盘”。