Configuration Management

Centralize tenant settings, security policies, and resource limits to keep AISentinel deployments consistent across environments. This guide outlines governance patterns and customization options.

Configuration Domains

Domain	Description	Key Settings
Security Policies	Rulepacks, enforcement modes, exception workflows	Default rulepack, allowlist domains, override approvals
Tenant Settings	Regional residency, BYOK linkage, logging destinations	Data region, BYOK key ARN, SIEM endpoint
Resource Limits	Evaluation quotas, concurrency controls, retention windows	Max evaluations/min, async queue size, audit retention
Integrations	Webhooks, SIEM, ticketing, billing connectors	Webhook secrets, Splunk HEC URL, ServiceNow instance

Configuration Methods

Configurations can be managed through environment variables, configuration files, and available API endpoints. Refer to the specific component documentation for implementation details.

Mandatory Security Controls

BYOK Enforcement: Set encryption.required = true and verify BYOK is configured (see BYOK).
Key Rotation Policies: Define apiKeys.rotationDays and byok.rotationDays, aligning with Key Rotation.
Audit Retention: Configure audit.retentionDays to satisfy HIPAA (6 years) or GDPR (customizable).
IP Allowlist: Restrict access by defining network.allowedCidrs.

Customization Patterns

Per-Project Namespaces: Use configuration overrides for specific projects or agent groups. Example path: config.projects.sales.rulepack.
Runtime Overrides: Expose limited overrides to developers through environment variables while locking global policies at the tenant level.
Rulepack Bundles: Distribute curated rulepack bundles across tenants—combine with GitOps for consistent deployment.

Integration References

Webhooks: Implement retries and authentication as described in Webhook Integrations.
Research Agents: Apply sandbox configurations from Research Automation to isolate experimental agents.
Remediation Pipelines: Configure asynchronous queues and webhook targets using Remediation Automation.
Deployments: Align regional settings with the guides in docs/deployment.

Monitoring Configuration Drift

Schedule daily GET /v1/config exports and store in immutable storage.
Compare exports with baseline templates using CI/CD diff jobs.
Configure alerts when drift is detected, especially on enforcement mode or logging endpoints.

Incident Response

Enable break-glass roles with limited time-bound permissions. Document approvals in your incident management tool.
Use configuration snapshots (/v1/config/snapshots) to roll back to known-good states.
Coordinate with Team Management to ensure only authorized responders can apply emergency changes.

Effective configuration management keeps governance consistent, supports compliance audits, and accelerates new agent deployments.