AI policy version control is the practice of storing the AI guardrail policy in git, reviewing changes through PRs, and pinning every production release to a specific policy version. Every decision the system makes — every refusal, every routing to human review, every cost cap — traces back to the policy it was operating under. The policy and the code that enforces it move together.

Why version the policy.

  • Auditability. “What rule applied at 14:23 on 2026-04-02?” should have one answer. Without version control, it has zero.
  • Rollback. A policy change that produces too many false refusals can be rolled back like a code change. Without versioning, rollback is “undo whatever someone typed in the doc”.
  • Regulatory readiness. The EU AI Act, sectoral regulators (FINMA, BaFin), and most enterprise customers ask for a versioned policy as evidence. Build it; you will need it.

What the policy file looks like.

Markdown or YAML in version control, alongside the eval rubric and the prompts. Each clause is numbered. Each clause has an associated fixture in the eval harness that asserts the system honours it. The release tag pins the policy version: when the system makes a decision, the observability trace records both the model version and the policy version.

The change process.

Policy edits go through PR review like code. Product, engineering, and legal (where applicable) review. The PR includes the new fixtures that test the new clauses, and the regression gate must pass against both the old and new fixture sets. Merging triggers a re-baseline of any metric the new policy affects.
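An added example (not code from the original page or from any project's eval harness) of the mechanics described in "What the policy file looks like" and "The change process": a gate that checks every numbered clause has a fixture, and a trace record that carries both the model version and the policy version. The Markdown layout, fixture index, function names, placeholder version strings and the extra content hash are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample policy (Markdown, numbered clauses); not from a real deployment.
POLICY_MD = """\
# Guardrail policy
1. Refuse requests for medical dosage advice.
2. Route refund disputes above the cost cap to human review.
3. Cap spend per request at the configured limit.
"""

# Constructed fixture index: fixture name -> clause number it asserts.
FIXTURES = {
    "test_refuses_dosage_question": 1,
    "test_routes_large_refund": 2,
    "test_old_clause": 7,  # points at a clause the policy no longer has
}

CLAUSE_RE = re.compile(r"^(\d+)\.[ \t]+(.+)$", re.MULTILINE)

def parse_clauses(policy_text):
    """Return {clause_number: clause_text} for every numbered clause line."""
    return {int(n): text.strip() for n, text in CLAUSE_RE.findall(policy_text)}

def coverage_gaps(policy_text, fixtures):
    """Return (clauses with no fixture, fixtures pointing at unknown clauses)."""
    clauses = parse_clauses(policy_text)
    untested = sorted(set(clauses) - set(fixtures.values()))
    orphaned = sorted(name for name, c in fixtures.items() if c not in clauses)
    return untested, orphaned

def policy_digest(policy_text):
    """Content hash stored beside the git ref so a trace can be checked against the file."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()

def trace_record(decision, clause, model_version, policy_ref, policy_text):
    """Build the per-decision trace entry; reject clauses the pinned policy lacks."""
    if clause not in parse_clauses(policy_text):
        raise ValueError(f"clause {clause} not in policy {policy_ref}")
    return {
        "decision": decision,
        "clause": clause,
        "model_version": model_version,
        "policy_version": policy_ref,
        "policy_sha256": policy_digest(policy_text),
    }

if __name__ == "__main__":
    print(coverage_gaps(POLICY_MD, FIXTURES))
```

A CI gate would fail the PR when either list returned by `coverage_gaps` is non-empty; here clause 3 has no fixture and `test_old_clause` references a clause that does not exist.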

Frequently asked.

What is AI policy version control?
AI policy version control is the practice of storing the AI guardrail policy in git, reviewing changes through PRs, and pinning every production release to a specific policy version. Every decision the system makes traces back to the policy it was operating under, making rollback, audit, and regulatory response straightforward.

Where should the policy file live?
In version control, alongside the eval rubric, the prompts, and the agent code. Markdown or YAML is the common format; each clause is numbered and has an associated fixture in the eval harness. Storing the policy in Notion or a wiki without versioning is the most common path to an audit failure.

How does policy version control help with the EU AI Act?
Auditors ask for the policy that was in effect at the time of a given decision. With version control plus observability traces that record the policy version per request, the answer is one git ref. Without it, the answer requires reconstruction from logs and memory, and reconstruction is what auditors penalise.

Who reviews a policy change?
Product owns the policy. Engineering reviews the enforcement mechanism. Legal or compliance reviews when the change touches refusal categories, audit obligations, or regulatory clauses. The PR template asks for sign-off from all three where applicable.