What PalmerAI controls
- document intake
- inspectability
- allow / approval_required / deny decisions
- document refs in governed chat flows
- evidence metadata and approval state
Document Control
Prompt-only governance is not enough once files enter the workflow.
PalmerAI governs document uploads through a dedicated intake route, inspectability checks, class-aware decisions, approval handling, and evidence metadata. Documents are part of the governed path, not an attachment loophole around it.
Why prompt-only governance breaks
If a team controls prompts but lets raw files enter a workflow without inspection or approval logic, the real risk path has simply moved. Document-heavy work changes the governance problem because file type, inspectability, sensitive class signals, and retention all matter before the final request is composed.
What that prevents
- raw attachment bypass on generate and chat endpoints
- silent use of uninspectable files
- document usage without tenant or use-case checks
- evidence gaps when a file triggered the risky path
How the intake route works
Documents enter PalmerAI through a dedicated intake route. The file is evaluated before it can become workflow context.
1. Intake
The file enters a controlled upload path with tenant and use-case context.
2. Validation
File type, extension, and size are checked against policy.
3. Inspectability
The system attempts supported extraction and records inspectability state and extractor result.
4. Classification
Deterministic signals classify sensitive document types that matter to policy.
5. Decision
The outcome becomes allow, approval_required, or deny with evidence-ready metadata.
How decisions work
Allow
The document is compatible with policy for that tenant and use case, and it can later be used through controlled document refs.
Approval required
The document is sensitive, uninspectable, or otherwise policy-elevated, so explicit review is required before use.
Deny
The document is incompatible with policy, for example because of blocked file type, forbidden class, or another hard policy boundary.
Inspectability matters here. If inspection is not possible, PalmerAI records that state explicitly and routes the file according to policy instead of pretending nothing important happened.
How document refs work after intake
Document refs are the controlled way to reuse an approved document in chat or a governed workflow. The file itself does not bypass the system.
- The document must belong to the same tenant.
- The document must be allowed for that use case.
- The document must not be expired or deleted.
- The workflow must have extracted text if inline use depends on it.
- The final composed request still flows through normal request governance.
That means document approval is not a bypass of request governance. It is one control step inside the larger governed path.
What Document Control v1 does and does not imply
Included in v1
- controlled document intake
- inspectability-aware decisions
- approval-aware handling
- document refs in governed flows
- hashes, reason codes, and evidence metadata
Out of scope by default
- OCR
- antivirus or malware scanning
- full enterprise DLP replacement
- arbitrary file-type support
- advanced contract intelligence or image understanding