Posted on

How to Deploy an AI Governance Layer for Your Organization’s Chatbots

If your organization is rolling out AI chatbots (for customer support, internal helpdesk, or employee-facing tools), there’s a question that will come up sooner or later: how do you make sure the AI actually follows your policies?

Most LLMs are trained to be helpful. That’s great until “helpful” means the bot gives a customer medical advice, estimates someone’s home value, or leaks internal process details it was never supposed to share. The AI isn’t being malicious. It’s just doing what it was trained to do: answer the question.

The fix isn’t more prompt engineering. It’s adding a governance layer between the user and the AI that enforces your policies at runtime.

What a Governance Layer Does

Think of it the same way you think about a firewall or a web application proxy. Traffic goes through it. Rules get enforced. Everything gets logged.

A governance layer for AI does the same thing:

  1. The user sends a message
  2. The AI generates a proposed response
  3. The governance layer evaluates the response against your policies
  4. If it passes, the user sees it. If it violates policy, it gets blocked
  5. Every interaction is logged with full audit details

This means your compliance team has a paper trail. Your CISO has proof the AI is staying inside the guardrails. And if something goes wrong, you can trace exactly what happened.

SAFi: An Open-Source Option

SAFi is a free, open-source governance engine that does exactly this. I built it to solve the gap between having a policy document and actually enforcing that policy at runtime.

It evaluates every AI response against your defined rules, blocks violations, audits everything, and even tracks whether the AI’s behavior is drifting over time.

Quick Deployment with Docker

You can have it running in minutes:

docker pull amayanelson/safi:v1.2

docker run -d -p 5000:5000 \
  -e DB_HOST=your_db_host \
  -e DB_USER=your_db_user \
  -e DB_PASSWORD=your_db_password \
  -e DB_NAME=safi \
  -e OPENAI_API_KEY=your_openai_key \
  --name safi amayanelson/safi:v1.2

It requires a MySQL 8.0+ database and at least one LLM API key (OpenAI, Anthropic, Google, Groq, Mistral, or DeepSeek are all supported).

Using It with Your Existing Bots

The part that matters most for helpdesk and support teams: SAFi can run as a headless API. That means you don’t have to use its built-in chat interface. You can plug it into whatever bot you already have (Microsoft Teams, Telegram, WhatsApp, or a custom application).

Your bot sends the user’s message to SAFi’s API, SAFi runs it through the governance pipeline, and returns the governed response:

POST /api/bot/process_prompt
Headers:
  Content-Type: application/json
  X-API-KEY: sk_policy_12345...

Body:
{
  "user_id": "teams_user_123",
  "user_name": "John Doe",
  "message": "Can I approve this expense?",
  "conversation_id": "chat_456"
}

SAFi processes the message, enforces the policy attached to that API key, and returns the response. Users are automatically registered in the system so you can audit their interactions later.

What You Get Out of the Box

  • Policy enforcement. You define the rules. SAFi enforces them on every response.
  • Full audit trail. Every AI decision is logged: what was proposed, whether it was approved or blocked, and why.
  • Drift detection. SAFi tracks whether the AI’s behavior is shifting over time. Most guardrail tools only check each request individually. SAFi checks the trend.
  • Model flexibility. You can swap the underlying AI model (GPT, Claude, Llama, etc.) without losing your governance layer.

Who This Is For

If you’re in IT and your organization is deploying AI in any user-facing capacity, this is worth looking at. Especially if:

  • You need to prove to compliance or legal that your AI is following policy
  • You’ve had incidents where the AI said something it shouldn’t have
  • You’re managing multiple chatbots and want centralized governance
  • You want audit logs that go beyond “the user asked X and got Y”

The project is open source and free. Check out the GitHub repo for the full code, or visit selfalignmentframework.com for the documentation. 

Thanks,

Nelson


Posted on

How to configure OAuth2.0 using EWS on Microsoft O365

App registration

Upgrading from basic authentication to OAuth is a little harder for many small businesses to configure on the Azure portal. Here are the steps I have done to get our EWS service to get it working. You must have admin rights to do the following.

Create an app registration

You need to log in to your Azure portal: Go to Azure Active Directory>App registrations

Next, click on New registration

Next, fill in the info

This is where you choose your access options, based on the selection, the next screen will have different options, for us, we choose Single tenant and Redirect URI option for Public client/native, if you don’t have a URL you can leave it blank

In case you need to add or change the Authentication platform, you can click on Authentication>Add a platform>Select one that works with your Business needs

Based on your selection, you will need to select the URL option, or your custom URL

Then give API permission

This can be many permissions or just a few, also based on the type of application, you may get different options

Us, we are using EWS service, so we needed office 365 Exchange Online

Then you need to select the type of permission, we are using application permissions

The only thing we can get it working was by giving full_access_as_app

You need to give admin consent to your application, so once you have all permission added, click on Grant admin consent

To create client credentials, click on Overview>Add a certificate or secret

Click on the Clent secrets>New client secret

Enter the name, this could be anything and select the time when it Expires, then click on Add

Before you click out of this screen make sure to copy the value of your secret ID, which you will need for your app. Once you leave this screen, you will not be able to get this value back, so you may need to create a new one in case you have not copied it or you need to change it.

For your application, you will need the following info, which you can find it, here

  • Application ID
  • Directory (tenant ID)
  • Endpoints: authorize and token
    • If you have selected the multi-tenant option, your Endpoints URL will be generic, like these:
      https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
      https://login.microsoftonline.com/organizations/oauth2/v2.0/token
  • Value of secrets from the step above

That’s all, hope this helps someone out there who is going through these changes in technologies


Posted on

The trust relationship between this workstation and the primary domain failed

AD trust failed

it’s not common, but once in a while you will come across an error like this “The trust relationship between this workstation and the primary domain failed“, causes of this are very, it’s very easy to fix it too, here are some list of reasons:

  • Admin deleted Computer object in AD
  • System restored, which is a different machine account password than AD
  • Machine imaged and restored
  • object corruption in AD
  • AD policy disables a computer after x number of days

You will get a message like this:

If you are logged into the computer local user, you can test by running the PowerShell command

command: Test-ComputerSecureChannel -Server NameOfDomainController

In this example, it’s showing true, but if you are having an issue you would get false

To fix it:

You can reset it by running a PowerShell command:

Command: Reset-ComputerMachinePassword -Credential YourDomainName\YourDomainAdmin

or you can rest from Domain Controller

Another way is to disjoin from the domain and re-join it

If you get this on your network status: Unauthenticated

That means your PC to domain controller lost trust

You can try running the repair command to fix it

When you run Test-ComputerSecureChannel and get the result False, which means your computer lost trust in your domain controller

The repair command will fix, it without restarting your computer, it will prompt you for domain admin credential:

Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

You may need to restart the network adaptor to take effect

command: Restart-NetAdapter *

note: * means all networks will restart, if you have more than one you can use -Name and Name of your adaptor

Hope that helped you out with your issue


Posted on

How to Compact Virtual Hard Disk

These days most of us using virtual storage drives for a server, most of the time these virtual storage disks are configured dynamically, so it grows as we use it, but does not shrink when you delete data unless you do compact. If you are using Hyper-V servers, it’s very easy to do, other hypervisors also offer similar compacting, you may just have to look around.

Here is screenshot of before compacting drive:

To compact in Microsoft Hyper-V hypervisor:

Open the Hyper-V Manager
Select the VM
Right-click on VM, click Settings
Select the Hard Drive that you want to compact, then click Edit
It will give you the location of the Disk and warning, please make sure you have a good backup, just in case something goes wrong
Click Next

If you only see Expand option, that means your VM is running, you can’t Compact
Click Next

Summary of Disk, click Finish and it will start compacting, time it takes to compact are depends on speed of drive and how much data you have deleted.

This is what it looks like after compacting, the size will vary depends on how much of your data being deleted.

After Compacting:

That’s it, if you don’t get the drive space back, make sure to do the Drive Optimization first then re-do the compacting

To drive Optimize:

Login into server and right click on the drive select Properties

Click on Tools tab
Click on Optimize

Then select the drive if you have more then one and click on Optimize


Posted on

Share files with encryption via Firefox send

Sharing files is very common these days, but is it safe and secure? Firefox has been testing for a while and now it’s an officially released a couple of days ago at https://blog.mozilla.org, it’s free up to 1GB without setting up an account, with a free account it gives 2.5 GB. It’s very easy to use for anyone who is looking to share big files that can’t be sent via email. Best thing is it doesn’t stay on the server forever, so no need to worry about, your data out there, it automatically generates a link and you choose how long it should stay shared then deletes it automatically. It’s a free encrypted file transfer service that allows users to safely and you can use any browser, you can use Firebox browser.

Here is how it looks like, all you have to do is go to URL: https://send.firefox.com Then drag and drop files or click on the select file to upload

Once the file is uploaded, you will get default option for your files to be Expires after 1 download or 1 day. You can change to up to 100 download or 7 days. Also, you get an option to put a password as well. Then click on Upload to generate the link.

It will generate the link to be share, which you can copy and paste it to your email whom you want to share your files with.

Based on your selection, you will see options, when your files will be expires. You will have option to copy link in case you forget to copy.

That’s it, very easy secure way to share big files, you can read about Firefox Privacy Notice for more info your secure files share via Firefox.