How to Deploy an AI Governance Layer for Your Organization’s Chatbots

If your organization is rolling out AI chatbots (for customer support, internal helpdesk, or employee-facing tools), there’s a question that will come up sooner or later: how do you make sure the AI actually follows your policies?

Most LLMs are trained to be helpful. That’s great until “helpful” means the bot gives a customer medical advice, estimates someone’s home value, or leaks internal process details it was never supposed to share. The AI isn’t being malicious. It’s just doing what it was trained to do: answer the question.

The fix isn’t more prompt engineering. It’s adding a governance layer between the user and the AI that enforces your policies at runtime.

What a Governance Layer Does

Think of it the same way you think about a firewall or a web application proxy. Traffic goes through it. Rules get enforced. Everything gets logged.

A governance layer for AI does the same thing:

  1. The user sends a message
  2. The AI generates a proposed response
  3. The governance layer evaluates the response against your policies
  4. If it passes, the user sees it. If it violates policy, it gets blocked
  5. Every interaction is logged with full audit details

This means your compliance team has a paper trail. Your CISO has proof the AI is staying inside the guardrails. And if something goes wrong, you can trace exactly what happened.
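To make the five steps concrete, here is a minimal governance layer in Python written as an added illustration (it is not SAFi's code): constructed sample policies mark a proposed reply as a violation, blocked replies are swapped for a fixed message, every decision is logged, and a rolling block rate gives the drift trend. The policy patterns, block message, drift window and the canned stand-in model are all assumptions.

```python
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample policies: rule name -> pattern that marks a proposed reply as a violation.
POLICIES = {
    "no_medical_advice": re.compile(r"\b(take \d+ ?mg|you should take)\b", re.I),
    "no_home_valuation": re.compile(r"\byour (home|house) is worth\b", re.I),
    "no_internal_process": re.compile(r"\binternal (approval|runbook)\b", re.I),
}
BLOCK_MESSAGE = "I can't help with that here. A human agent will follow up."


class GovernanceLayer:
    """Sits between the bot and the model: evaluate, block, log, track drift."""

    def __init__(self, window=10):
        self.audit_log = []                 # step 5: one record per interaction
        self.recent = deque(maxlen=window)  # 1 = blocked, 0 = approved

    def evaluate(self, proposed):
        """Step 3: names of every policy the proposed reply violates."""
        return [name for name, rx in POLICIES.items() if rx.search(proposed)]

    def process(self, user_id, conversation_id, message, model):
        """Steps 2-5: get the model's reply, decide, log, return what the user sees."""
        proposed = model(message)
        violations = self.evaluate(proposed)
        approved = not violations
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
            "conversation_id": conversation_id, "message": message,
            "proposed": proposed, "approved": approved, "violations": violations,
        })
        self.recent.append(0 if approved else 1)
        return proposed if approved else BLOCK_MESSAGE

    def drift_rate(self):
        """Share of recent replies blocked; a rising value means behaviour is drifting."""
        return sum(self.recent) / len(self.recent) if self.recent else 0.0


# Constructed stand-in for the LLM: canned replies keyed by the user's message.
FAKE_REPLIES = {
    "Can I approve this expense?": "Yes, expenses under $50 can be self-approved.",
    "What should I take for a headache?": "You should take 400 mg of ibuprofen.",
    "How much is my house worth?": "From local sales, your house is worth about $450k.",
}

def fake_model(message):
    return FAKE_REPLIES.get(message, "Sorry, I can't answer that.")
```

A real deployment would persist `audit_log` to a database and compare `drift_rate()` against a baseline per policy rather than a single rolling window.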

SAFi: An Open-Source Option

SAFi is a free, open-source governance engine that does exactly this. I built it to solve the gap between having a policy document and actually enforcing that policy at runtime.

It evaluates every AI response against your defined rules, blocks violations, audits everything, and even tracks whether the AI’s behavior is drifting over time.

Quick Deployment with Docker

You can have it running in minutes:

docker pull amayanelson/safi:v1.2

docker run -d -p 5000:5000 \
  -e DB_HOST=your_db_host \
  -e DB_USER=your_db_user \
  -e DB_PASSWORD=your_db_password \
  -e DB_NAME=safi \
  -e OPENAI_API_KEY=your_openai_key \
  --name safi amayanelson/safi:v1.2

It requires a MySQL 8.0+ database and at least one LLM API key (OpenAI, Anthropic, Google, Groq, Mistral, or DeepSeek are all supported).

Using It with Your Existing Bots

The part that matters most for helpdesk and support teams: SAFi can run as a headless API. That means you don’t have to use its built-in chat interface. You can plug it into whatever bot you already have (Microsoft Teams, Telegram, WhatsApp, or a custom application).

Your bot sends the user’s message to SAFi’s API, SAFi runs it through the governance pipeline, and returns the governed response:

POST /api/bot/process_prompt
Headers:
  Content-Type: application/json
  X-API-KEY: sk_policy_12345...

Body:
{
  "user_id": "teams_user_123",
  "user_name": "John Doe",
  "message": "Can I approve this expense?",
  "conversation_id": "chat_456"
}

SAFi processes the message, enforces the policy attached to that API key, and returns the response. Users are automatically registered in the system so you can audit their interactions later.

What You Get Out of the Box

  • Policy enforcement. You define the rules. SAFi enforces them on every response.
  • Full audit trail. Every AI decision is logged: what was proposed, whether it was approved or blocked, and why.
  • Drift detection. SAFi tracks whether the AI’s behavior is shifting over time. Most guardrail tools only check each request individually. SAFi checks the trend.
  • Model flexibility. You can swap the underlying AI model (GPT, Claude, Llama, etc.) without losing your governance layer.

Who This Is For

If you’re in IT and your organization is deploying AI in any user-facing capacity, this is worth looking at. Especially if:

  • You need to prove to compliance or legal that your AI is following policy
  • You’ve had incidents where the AI said something it shouldn’t have
  • You’re managing multiple chatbots and want centralized governance
  • You want audit logs that go beyond “the user asked X and got Y”

The project is open source and free. Check out the GitHub repo for the full code, or visit selfalignmentframework.com for the documentation. 

Thanks,

Nelson



How to Bypass Internet Requirement for Windows 11 Setup

The procedure below outlines how to bypass the Out-of-the-Box-Experience (OOBE) setup for Windows 11 without an internet connection, but keep in mind that some features and functionalities may require an internet connection to fully utilize the operating system. The Microsoft Account requirement in Windows 11 is implemented for various reasons, such as improved security, synchronization of settings across devices, and access to Microsoft services. If you don’t have a Microsoft Account and wish to use Windows 11, I recommend creating one. It’s a straightforward process, and it will enable you to access the full features and benefits of the operating system.

If you want to continue with the process, here is what you will see: the “Let’s connect you to a network” screen, with Next grayed out. At this screen, press Shift + F10 on your keyboard.

You will get a black command window:
Type the oobe\bypassnro command and press Enter.

Note: The command is a single phrase without spaces.

If the command worked, your computer will restart.

Once your computer comes back to the setup screen, you will get the option to select “I don’t have internet”.

Click “Continue with limited setup”.

Now you can finish setting up your computer as normal by accepting the License Agreement.

Enter the name of the individual who will be using the computer

Enter a password

Confirm password

Please provide the necessary security information and answer any additional questions as required.

Common issues/solutions:
If nothing happens when you press Shift + F10, it may be because your keyboard has an Fn key, which you will need to press as well.

That’s all, hope this helped someone out there.




How to Fix Sound Issues on a Windows Computer

Sound problems

Playing sound is common and should just work, but sometimes software or driver conflicts cause the sound to stop working. On Windows 10 or 11 you can usually fix the issue with the sound troubleshooter, which walks you through it step by step.

To open the troubleshooter, right-click on the Sound icon in the bottom right corner.

Select Troubleshoot sound problems

It will detect your audio hardware; select the device you are having issues with and see if it fixes it for you.

If the troubleshooter does not work, you can make manual changes to your sound settings to get it working.

Open Control Panel\Hardware and Sound

Then click on Sound>select the Speakers>Properties>Advanced tab

At the bottom you will see Signal Enhancements; un-check “Enable audio enhancements”.

Speaker Properties

That’s all. There are many other options depending on your hardware and selections, so pay attention to them and see which works for you.



How to setup OAuth on osTicket using Microsoft 365

Upgrading from basic authentication to OAuth on osTicket is a must if you are using Microsoft 365, since Microsoft 365 has a hard cut-off for basic authentication by the end of 2022. Here are the steps to configure it; if you are using multiple departments, this works for that too. You must be using osTicket v1.17 or higher, which you can download from https://osticket.com/download. You also have to be an admin or have rights to create an app registration and grant API permissions. This post covers everything from creating the app registration to adding the plugin, configuring it, and fetching emails automatically. The official documentation, which also covers the Google OAuth2 guide, can be found here.

For your osTicket application, you will need the following info, which you can find under Overview of your application; you need it to configure OAuth.

  • Application ID
  • Directory (tenant ID)
  • Endpoints: authorize and token: Overview>Endpoints
    • If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
      https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
  • The Value of the client secret, from one of the steps below

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options; based on the selection, the next screen will have different options. For us, we choose Single tenant and Redirect URL: Web

The redirect URL should be: https://YourSupportTicketURL.tld/api/auth/oauth2

Next, add API permission
YourApp>API permissions>Add a permission

Select Microsoft Graph

Next, select Delegated permissions

Then add the following permissions (you can search or scroll to select them), then click Add permissions:

  • IMAP.AccessAsUser.All
  • Mail.ReadWrite
  • offline_access
  • POP.AccessAsUser.All
  • SMTP.Send
  • User.Read

Once you have added all the permissions, you have to grant admin consent by clicking Grant admin consent for <Name of your Business>.

You should see a green check under Status for all permissions.

Under Authentication, enable Implicit grant and hybrid flows:
Check the box for ID tokens (used for implicit and hybrid flows)

You need to assign the support address a role as an Application Administrator.

To view and manage consented permissions for individual apps, as well as your tenant’s consent settings, go to Enterprise applications.

Add your support email/user; if you have more than one department, you can add them here.

Then click on each support email/user and assign roles.

Add assignments>Search for Application administrator, then click Add

Note: you need to do this for each support email address if you are using a multiple-department setup.

Now, to create client credentials, click on Overview>Add a certificate or secret

Click on Client secrets>New client secret

Enter a name (this can be anything) and select when it expires, then click Add

Before you click out of this screen, make sure to copy the Value of your client secret (the Value column, not the Secret ID), which you will need for your app. Once you leave this screen, you will not be able to get this value back, so you will need to create a new secret if you have not copied it or you need to change it.
Note: You never want to show your Value to anyone; I am showing the Value here for the test, and I have already deleted it.

Install OAuth plugin

If you have not downloaded it yet, go to https://osticket.com/download

Select Plugins>choose v1.17; you should see Oauth2

Install the OAuth plugin by uploading it to your installation’s include/plugins directory

Click Add New Plugin

Click Install

and activate it. Do NOT configure it here; go to the next step.

To configure OAuth on osTicket

Now go to Emails>Select your support email address>Remote Mailbox>Select OAuth2 – Microsoft under Authentication

Fill in the details. Once you click Submit, it is going to redirect you to the MS365 login page at https://login.microsoftonline.com :

You will get a prompt to accept the permissions

If everything goes well you should see

Then you can enable email fetching in the settings

For Outgoing, it should look something like this:

To schedule email fetching in the background, see:

https://docs.osticket.com/en/latest/Getting%20Started/POP3-IMAP%20Settings.html

For Ubuntu: this crontab entry will check email every minute (the original line ran only once an hour, at minute 1)
sudo nano /etc/crontab

* * * * * nobody php /var/www/osticket_Path/api/cron.php

That’s all; hope this helps someone out there who is going through these changes in technology.

Issues and Solutions:

Error: Unable to update an email address, a blank window, or a spinning circle

Solution:

Try these:

  • Make sure you clear the cache in your browser
  • Make sure mod_rewrite is enabled:
    To enable rewrite on Ubuntu:
    sudo a2enmod rewrite

    You might need to edit the apache2.conf file: sudo nano /etc/apache2/apache2.conf
    Change AllowOverride None to AllowOverride All
    under: <Directory /var/www/>
  • You might need to delete the email and re-add it. If you have only one email address, you will not be able to delete it, so you need to make another email address the default.

To change it, click on Settings>Change Default System Email address to something else; then you can change it back once you have re-added your original support address.
Note: Don’t forget to change your default MTA back, otherwise it will be set to PHP mail:

Outgoing Email: Default email only applies to outgoing emails without SMTP settings.
Default MTA:

Error: array ( 'code' => 'MailboxNotEnabledForRESTAPI', 'message' => 'The mailbox is either inactive, soft-deleted, or is hosted on-premise.', )

Solution: check the user consent and API permissions, and make sure they have admin consent.


Error: Expired Access Token

Solution: you need to set up a scheduled task to fetch the email: #Fetch-emails
Link to the official documentation: