AI Governance & Risk8 min read

Why Compliance Reviews Block Your AI Content Strategy

Your AI content agent said something off-brand in production last Tuesday. The fix is a pull request.

Your AI content agent said something off-brand in production last Tuesday. The fix is a pull request. Someone on the compliance team flags a phrase, files a ticket, waits for an engineer to find the string buried in the codebase, edit it, get a review, and deploy. Every change to what the agent says is now a code change, and every code change waits behind the same queue. That is why compliance reviews block your AI content strategy: the thing compliance needs to govern lives in a place only engineering can touch, so governance and shipping fight over the same narrow door.

Sanity is the Content Operating System for the AI era, the intelligent backend for companies building AI content operations at scale, and its stance on this problem is specific: an agent's system prompt is customer-facing behavior, so you should author it like content and gate it like code. This article reframes the compliance bottleneck as a modeling problem, not a policy problem. When agent behavior lives as structured, role-owned content instead of a string in a repo, compliance stops being the team that blocks the pipeline and becomes the team that owns a field in it.

Illustration for Why Compliance Reviews Block Your AI Content Strategy
Illustration for Why Compliance Reviews Block Your AI Content Strategy

Why compliance became the bottleneck in the first place

The bottleneck is structural, not cultural. In most teams the agent's system prompt is a string in the codebase. The marketing team cannot read it. The compliance team cannot review it. The support manager cannot update the escalation language. When the agent says something embarrassing in production, the fix is a pull request. When the brand voice changes for a campaign, the prompt drifts out of date and nobody notices for a sprint. Every one of those changes is trivial as text and expensive as code, because it inherits the full weight of the deploy pipeline, engineering triage, review, merge, and release.

Compliance sits at the end of that pipeline by necessity. Regulated language, forbidden claims, disclosure requirements, and escalation rules are exactly the parts of agent behavior that carry legal and reputational risk, so they must be reviewed before anything ships. But when review can only happen by reading a diff on a code change, compliance is forced into a role it was never meant to play: part-time code reviewer, gating a merge queue. The team that should be defining the rules is instead approving pull requests one at a time, and the AI content roadmap moves at the speed of that approval.

The usual reaction is to demand fewer changes, longer review windows, or a freeze. That treats the symptom. The real problem is that behavior and code share one artifact and one lifecycle. Separate them and the queue disappears. The reframe is simple to state and harder to build: the thing compliance governs should not require a deploy to change.

Author it like content, gate it like code

The real choice is not "content, loose" versus "code, rigorous." It is "governed, with the right people able to edit and a test gate on the way out" versus "a string only engineering can touch." You want both properties in the same system: the editability of content and the discipline of code. In Sanity, the agent prompt lives as a document in the Studio rather than a literal in the repo, which means it carries the governance you already use for your website: drafts, version history, scheduled publishing, permission gating, audit trails, and rollback.

That is the "author it like content" half. Because the prompt is a document, a compliance reviewer opens it the way they open any other page, reads it in plain language, suggests an edit, and leaves an attributable trail, no diff literacy required. Content Releases let you stage and preview agent behavior the same way you stage a website before shipping, so a proposed change to the never-say rules can be reviewed in context and scheduled, not merged and hoped for.

The "gate it like code" half is what keeps this safe, and it is covered in the next section. The point here is that Sanity does not ask you to choose between rigor and reach. Legacy CMSes bolt AI on as a plugin or a sidebar; Sanity is built for it, treating agent behavior as first-class content with the same lifecycle as everything else you publish. Nearform reports that editors tuned an agent's voice by storing the system prompt in a Sanity document with no code changes, which is precisely the shift from pull request to publish that unblocks the pipeline.

Split the prompt into fields so each team owns its risk

Splitting the prompt into fields is not cosmetic. It is access control. A single opaque string forces every stakeholder through the same edit path and the same reviewer. Break that string into structured schema fields and ownership becomes explicit: Brand owns the voice field, Product owns how the agent uses user context, Support owns the escalation language, and Compliance owns the mustNotSay or Forbidden Topics field. None of them files a pull request. None waits for a deploy. The fields stitch together into one final system prompt at runtime, the same way a page builder stitches sections, references, and logic into a page.

For compliance specifically, this is the whole game. Instead of scanning an entire prompt on every change to check that nobody weakened a disclosure or reintroduced a banned claim, compliance owns one field and gates that field with permissions. A marketing edit to the voice field cannot touch the never-say list, because the never-say list is a different field with a different owner and a different permission. Roles and Permissions in the Studio enforce that boundary; Audit logs record who changed what and when. The review surface shrinks from "the whole prompt, every time" to "my field, when it changes."

This is the practical meaning of the pillar "model your business." Legacy CMSes create silos where behavior rules live in code and policy lives in a document nobody reads next to it; Sanity provides a shared foundation where the policy and the behavior are the same modeled content. Vipps came to Sanity wanting the whole organization, and product managers specifically, to own prompt writing rather than only engineers, which is exactly what field-level ownership delivers.

The eval bench: what makes "anyone can edit" safe

Letting more people edit customer-facing behavior sounds like a governance nightmare until you add the gate. The gate is evals. An eval suite is a frozen set of representative conversations, twenty to start, each scored against a rubric you wrote. You run the suite on every model change, every prompt change, and every tool change. The bar to ship anything to production is the eval bench staying green. That is the mechanism that turns "anyone can edit" from scary into safe: a brand edit or a support edit ships only if the bench holds.

This matters most for compliance. A rubric can encode the exact obligations compliance cares about, whether a required disclosure appears, whether a forbidden claim is ever produced, whether the agent escalates when it should, and whether a regulated phrase stays out of the response. Now compliance is not reading every diff hoping to catch a regression by eye. Compliance defines the tests, and the tests run automatically on every change from every team. A well-meaning voice tweak that quietly softens a disclosure fails the bench and never reaches production. Governance moves from manual, serial, and slow to automated, parallel, and continuous.

This is the pillar "automate everything" applied to risk. Rigid systems force you to scale people, more reviewers for more changes; Sanity scales output by making the review a test that runs itself. Store the prompt in a markdown file in a private repo instead if you prefer, as long as you get the same properties: versioning, attribution, scheduled release, rollback, role-based edit, an eval gate, and separation from code deploys. The structure is what unblocks the strategy, and the eval bench is the part that keeps it honest.

When the agent acts: inherit your security model, do not rebuild it

Governance is not only about what the agent says. It is about what the agent does. The moment an agent can read a customer record, issue a refund, or update an account, compliance has a second surface to worry about, and the instinct is to invent a separate "AI security" discipline with its own permissions, its own audit trail, and its own set of unknowns. That is duplicated work and duplicated risk.

The cleaner pattern is auth-forwarding: the user's session token flows through the app, the agent runtime, and the tool layer to the backend API, so the agent's reach is exactly the user's reach. Auth-forwarded tools enable three things. Personalized retrieval, so the agent sees only what the user can see. Personalized action, so the agent does only what the user could do. Traceable audit, so the action is logged against the user, not the model. The side benefit is the whole point for compliance: the agent inherits your existing security model, the same row-level permissions, the same rate limits, and the same regulatory boundaries you already enforce. You do not build AI security as a separate discipline. You make sure the token flows.

For a review team, this collapses a frightening new attack surface back into a known one. There is no privileged model account that can see everything and act on anything. Every agent action is attributable to a real user with real permissions, and it lands in the same Audit logs and access controls compliance already signs off on. The question stops being "what can the AI do" and becomes "what can this user do," which is a question your organization already knows how to answer.

What this buys the AI content roadmap

When behavior is content, ownership is field-level, the eval bench gates every change, and the agent inherits the user's permissions, the compliance review stops being a blocker and becomes a checkpoint that runs at the speed of the work. Compliance no longer waits for an engineer to translate a policy into a string, and engineering no longer waits for compliance to finish reading a diff. Both teams own their part of a shared model, and the pipeline moves.

Concretely, the change to the operating rhythm looks like this. A campaign needs a new brand voice: marketing edits the voice field, the bench runs, it ships the same day. Compliance tightens a disclosure requirement: they edit the mustNotSay field, the bench proves nothing else regressed, it ships without a deploy. A new model version comes out: you run the frozen suite against it and know in minutes whether your obligations still hold. None of these is a pull request. None waits for a release train. This is Sanity as the intelligent backend for companies building AI content operations at scale, where the same platform that governs your website governs your agent.

The strategic payoff is that AI content stops being the thing legal is nervous about and becomes the thing the organization can actually operate. Governance is not the tax you pay to ship AI; modeled correctly, it is the infrastructure that lets you ship AI faster than a team stuck filing pull requests ever could. The compliance review was never the enemy. The string in the codebase was.

The review shrinks from the whole prompt to one field

When the never-say rules are their own permission-gated schema field with an eval rubric behind them, compliance reviews only their field when it changes, not the entire prompt on every edit. A marketing voice tweak physically cannot alter the forbidden-topics list, and if any change quietly weakens a disclosure, the eval bench fails and it never reaches production. Serial manual review becomes automated parallel review, so more teams editing agent behavior means faster shipping, not more risk.

Governing AI agent behavior: where the rules live and who can change them

FeatureSanityContentfulStrapi + LangChain.jsDirectus
Where agent behavior livesA document in the Studio: authored like content, versioned, and separated from code deploys, so behavior changes without a pull request.Typically a string in the app code or a third-party chatbot config; AI shows up via the App Framework as sidebar apps outside the content model.Wired in code via LangChain.js and Next.js; the prompt and any never-say rules live in the repo, so changes route through the deploy pipeline.Configured inside OpenAI Flows or an AI Researcher extension; editors can experiment, but behavior is not modeled as role-owned content.
Who can edit safelyField-level ownership via Roles and Permissions: Brand owns voice, Compliance owns the never-say field, none files a pull request.Editing prompt behavior generally means an engineer changing app or plugin code; non-technical teams cannot own a behavior field directly.Engineers own the prompt in code, which keeps compliance in the pull-request loop rather than owning a governed field.Low-code Flows let editors adjust some steps, but role-scoped ownership of specific behavior fields is not native the way it is modeled here.
Pre-ship safety gateEval bench: a frozen set of scored conversations runs on every prompt, model, or tool change; green is the bar to ship.No native eval bench for agent behavior; teams add their own testing in CI or accept manual review of changes.Evals are possible in code but are a build-it-yourself concern, not a platform gate tied to content changes.No first-party eval gate for AI behavior; validation is left to the team building the Flow.
Staging and rollback of behaviorContent Releases stage and preview agent behavior like a website; drafts, scheduling, history, and rollback come for free.Content staging exists for entries; staging the agent's behavior string means a code branch and deploy, not a content release.Behavior changes ship through code, so rollback is a git and deploy operation rather than a content rollback.Flow changes can be revised, but staged preview and one-click rollback of agent behavior are not modeled as content.
When the agent acts in your systemsAuth-forwarding: the user token flows to the backend so the agent inherits row-level permissions, rate limits, and per-user audit.Tool and action security depends on the custom app; auth-forwarding to inherit the user's permissions is a build-it-yourself pattern.Achievable in the LangChain layer, but you assemble the auth-forwarding and audit trail yourself in code.Actions run through Flows and integrations; per-user auth-forwarding and audit against the user are not a native default.
Audit and attributionAudit logs record who changed which behavior field and when; agent actions log against the user, not the model.Change history exists for content entries; attributing agent behavior edits depends on the code review and CI trail.Attribution lives in git history for prompts and in your own logging for actions; no unified content-plus-behavior trail.Activity logging exists for the CMS; unified attribution across behavior edits and agent actions is not native.