Industry Configurations
Goal: Reference for configuring TapPass per industry vertical.
Audience: Solutions engineer, CISO during onboarding
All examples use the category format for pipeline overrides. The structure is:
preset: <starter|standard|regulated>overrides: categories: <phase>: # before, call, after <category>: # access_control, data_protection, threat_detection, etc. on_detection: <action> # block, redact, notify, log steps: <step_name>: enabled: true options: <key>: <value>Financial Services
Section titled “Financial Services”Regulatory: EU AI Act (high-risk), DORA, MiFID II, PSD2, PCI DSS
preset: regulated # 45 stepsoverrides: categories: before: data_protection: on_detection: redact steps: detect_pii: options: custom_patterns: - name: iban pattern: "[A-Z]{2}[0-9]{2}[A-Z0-9]{4}[0-9]{7,}" level: CONFIDENTIAL - name: credit_card pattern: "[0-9]{4}[\\s-]?[0-9]{4}[\\s-]?[0-9]{4}[\\s-]?[0-9]{4}" level: RESTRICTED classify_and_prepare: steps: classify_data: options: custom_patterns: - name: transaction_amount pattern: "(?i)(transfer|payment|debit).*€[0-9,.]+" level: CONFIDENTIAL call: route_and_execute: steps: require_approval: options: conditions: - classification: RESTRICTEDGovernance flags:
flags={"pii": "mask", "email": "internal:client-domain.com", "secrets": "redact"}Key conversations with the CISO:
- Which trading data is RESTRICTED vs. CONFIDENTIAL?
- Do agents handle customer-facing comms? (strict PII masking needed)
- DORA incident reporting: do they need real-time webhook to their SIEM?
- Cross-border data: any model routing constraints (EU-only models)?
Healthcare
Section titled “Healthcare”Regulatory: HIPAA, EU AI Act (high-risk), MDR (if clinical), GDPR Art. 9
preset: regulated # 45 stepsoverrides: categories: before: data_protection: on_detection: redact # Stronger than mask for PHI steps: detect_pii: options: custom_patterns: - name: mrn pattern: "MRN[:\\s]?[0-9]{6,10}" level: RESTRICTED - name: icd_code pattern: "[A-Z][0-9]{2}\\.[0-9]{1,4}" level: CONFIDENTIAL classify_and_prepare: steps: model_routing: options: rules: - classification: RESTRICTED route_to: "azure-eu" # PHI stays in EU call: route_and_execute: steps: require_approval: options: conditions: - classification: RESTRICTED - tool_pattern: "patient_record_*"Governance flags:
flags={"pii": "redact", "secrets": "redact", "mode": "enforce"}Key conversations:
- Is the AI agent clinical (MDR applies) or administrative?
- Where does PHI live? On-prem model requirement?
- BAA (Business Associate Agreement) needed if we process PHI
- Integration with existing EHR system (Epic, Cerner)?
Regulatory: Legal privilege, bar association rules, GDPR, client confidentiality
preset: regulated # 45 stepsoverrides: categories: before: data_protection: on_detection: redact steps: detect_pii: options: custom_patterns: - name: case_reference pattern: "[0-9]{4}/[A-Z]{2,4}/[0-9]{3,6}" level: CONFIDENTIAL - name: privilege_marker pattern: "(?i)(privileged|attorney.client|work.product)" level: RESTRICTED classify_and_prepare: steps: classify_data: options: custom_patterns: - name: client_matter_id pattern: "MATTER-[A-Z]{2,4}-[0-9]{4,8}" level: CONFIDENTIAL call: route_and_execute: steps: require_approval: options: conditions: - classification: RESTRICTEDGovernance flags:
flags={"pii": "mask", "secrets": "redact", "files": "read_only"}Key conversations:
- How do they separate client matters? Matter IDs in prompts?
- Is the AI used for drafting (high risk) or research (lower risk)?
- Privilege: can AI-generated content be privileged? Depends on jurisdiction.
- Multi-jurisdictional: different rules per office/country?
Insurance
Section titled “Insurance”Regulatory: Solvency II, IDD, GDPR, EU AI Act (if automated underwriting)
preset: regulated # 45 stepsoverrides: categories: before: data_protection: on_detection: redact steps: detect_pii: options: custom_patterns: - name: policy_number pattern: "POL-[A-Z]{2}-[0-9]{8}" level: CONFIDENTIAL - name: claims_amount pattern: "(?i)claim.*€[0-9,.]+" level: CONFIDENTIAL call: route_and_execute: steps: require_approval: options: conditions: - tool_pattern: "underwriting_*" - tool_pattern: "claims_decision_*"Governance flags:
flags={"pii": "mask", "secrets": "redact"}Government
Section titled “Government”Regulatory: National classification schemes, NIS2, EU AI Act (high-risk for public services)
preset: regulated # 45 stepsoverrides: categories: before: data_protection: on_detection: redact steps: detect_pii: options: custom_patterns: - name: national_id pattern: "[0-9]{2}\\.[0-9]{2}\\.[0-9]{2}-[0-9]{3}\\.[0-9]{2}" level: RESTRICTED classify_and_prepare: steps: classify_data: options: custom_levels: - OFFICIAL - OFFICIAL_SENSITIVE - SECRET - TOP_SECRET model_routing: options: rules: - classification: SECRET route_to: "on-premises" - classification: TOP_SECRET action: block # No LLM access for TOP_SECRET call: route_and_execute: steps: require_approval: options: conditions: - classification: SECRET - classification: TOP_SECRETGovernance flags:
flags={"pii": "redact", "mode": "enforce", "secrets": "block", "files": "read_only"}Key conversations:
- What classification scheme? (NATO, national, custom)
- Air-gapped deployment required for classified workloads?
- Citizen data: any sovereignty requirements (data stays in-country)?
- Procurement process: security accreditation needed before deploy?
SaaS / Multi-tenant
Section titled “SaaS / Multi-tenant”Regulatory: SOC 2, ISO 27001, customer DPAs, EU AI Act (varies)
preset: standard # 38 stepsoverrides: categories: before: access_control: steps: budget_enforcement: options: per_tenant: true data_protection: on_detection: redactGovernance flags (per-tenant, set at agent registration):
# Tenant A: strict governanceflags={"pii": "mask", "mode": "enforce", "tools": "allowlist:search,summarize"}
# Tenant B: observe only (new customer, building trust)flags={"pii": "mask", "mode": "observe"}Key conversations:
- Do their customers know AI is being used? (transparency obligation)
- Per-tenant config: some customers will want stricter governance
- White-label: do they want TapPass invisible to their end users?
- Data residency: per-tenant region routing?
Quick Reference
Section titled “Quick Reference”| Industry | Preset | Steps | PII flag | Mode | Approval triggers |
|---|---|---|---|---|---|
| Financial | regulated | 45 | mask | enforce | RESTRICTED classification |
| Healthcare | regulated | 45 | redact | enforce | RESTRICTED, patient tools |
| Legal | regulated | 45 | mask | enforce | RESTRICTED classification |
| Insurance | regulated | 45 | mask | enforce | Underwriting/claims tools |
| Government | regulated | 45 | redact | enforce | SECRET+ classification |
| SaaS | standard | 38 | mask | observe | Per-tenant |
| Consulting | standard | 38 | mask | enforce | CONFIDENTIAL+ |
| Startups | starter | 11 | mask | observe | None |
Available Governance Flags
Section titled “Available Governance Flags”All flags from the SDK, for reference:
| Flag | Modes | Default | Description |
|---|---|---|---|
mode | observe, warn, enforce, lockdown | enforce | Overall governance posture |
pii | mask, block, flag, off | off | PII handling in responses |
email | mirror:<addr>, internal:<domain>, reviewqueue, block, allow | allow | Email tool restrictions |
budget | dev, standard, custom:<per_call>:<per_session>, unlimited | unlimited | Cost and token budget |
tools | allowlist:<t1>,<t2>, denylist:<t1>,<t2>, confirm, log, block | log | Tool call restrictions |
files | read_only, project, sandbox, block, allow | allow | File operation restrictions |
db | read_only, safe_write, block | safe_write | Database operation restrictions |
secrets | redact, block, flag | redact | Secret handling in responses |
Resolution order (most restrictive wins): Per-call header > Agent defaults > Org policy lock > Catalog default.