OVERT-as-Code — AI governance as code

OVERT-as-Code turns the OVERT standard into a declarative, machine-deployable policy you can put under version control. Write your AI governance rules in TOML, validate them in CI, and export machine-readable compliance evidence — the same way Terraform made infrastructure declarative.

```toml
# overt.toml — an AI governance policy as code
[policy]
id = "healthcare-ambient-v1"
name = "Healthcare Ambient AI Scribe Policy"
enforcement_mode = "enforce"
profile = "healthcare-ambient"

[policy.overt_level]
target = 3

[tool.defaults]
mode = "deny" # deny-by-default: only allowed tools execute

[[tool.allow]]
name = "read_patient_record"
requires_consent = true
classification = "read_only"

[[tool.deny]]
name = "delete_*" # glob patterns
reason = "Deletion prohibited in clinical ambient context"
```
| Capability | Description |
| --- | --- |
| Declarative policy | Express rules across all six OVERT domains in TOML |
| Build-time validation | `glacis overt validate` catches policy errors before production |
| Policy testing | Assert specific decisions for specific requests in TOML test suites |
| OSCAL export | Emit NIST OSCAL Assessment Results for compliance automation |
| Industry profiles | Pre-built constraint sets (healthcare-ambient, finserv-trading, …) that upgrade — never downgrade — your settings |
| Shadow mode | Observe what would be denied without blocking, then enforce when ready |

OVERT-as-Code is the policy language and toolchain — it decides and validates. It is open because it carries the standard’s authority and exposes no enforcement or cryptographic IP. Running enforcement on your live traffic and producing signed, notarized receipts is the runtime product — that is where execution is actually proven, and OVERT’s design principle “self-attestation is not compliant” makes that a structural boundary, not artificial gating.