### Problem to solve Organizations managing regulated projects or projects handling sensitive data currently lack a scalable mechanism to control GitLab Duo Agent Platform access based on compliance requirements. While [group-based access controls](https://docs.gitlab.com/administration/gitlab_duo/configure/access_control/) exist, they don't leverage the existing compliance framework infrastructure that organizations already use to classify and govern their projects. **Current limitations:** * Duo Agent Platform access is controlled through manual group assignment or instance/namespace toggles * No automatic relationship between a project's compliance posture and AI tool access * Organizations must maintain separate governance structures for compliance frameworks and AI access * No way to enforce "AI-free zones" for projects under specific regulatory requirements (e.g., HIPAA, PCI-DSS, SOC2, customer contractual obligations) **Example scenarios requiring this capability:** * A financial services company needs to disable Duo Agent Platform for all projects labeled with their "PCI-DSS" compliance framework due to contractual restrictions on AI tool usage * A healthcare organization wants to enable Duo Agent Platform only for internal tooling projects while restricting it from patient data systems marked with their "HIPAA" framework * An enterprise needs to phase Duo Agent Platform adoption by first enabling it only for projects without compliance framework requirements ### Intended users * [Compliance Manager](https://handbook.gitlab.com/handbook/product/personas/#cameron-compliance-manager) managing regulatory requirements across multiple projects * [Security Operations Engineer](https://handbook.gitlab.com/handbook/product/personas/#alex-security-operations-engineer) enforcing security policies at scale * [Organization Owner](https://handbook.gitlab.com/handbook/product/personas/#sidney-systems-administrator) governing AI adoption across their GitLab instance ### Proposal Extend compliance frameworks with the ability to control GitLab Duo Agent Platform availability at the project level. **Configuration Location:** Add a new "AI Tool Access" section when creating or editing compliance frameworks at: * Group level: **Secure \> Compliance center \> Frameworks** * Centralized compliance frameworks: Compliance and security policy group **New Settings:** `AI Tool Access (Optional) ○ Default (inherit from group/instance settings) ○ Enabled (allow Duo Agent Platform regardless of higher-level settings) ○ Disabled (block Duo Agent Platform for projects with this framework)` **Enforcement Logic:** 1. When a compliance framework is applied to a project, the framework's AI tool access setting takes precedence over group/namespace settings 2. A "Disabled" framework blocks Duo Agent Platform even if enabled at the group/instance level 3. An "Enabled" framework allows Duo Agent Platform if the user has proper permissions and it's enabled at instance level 4. "Default" inherits existing group-based and namespace settings 5. Multiple frameworks on a project: Most restrictive setting wins (Disabled \> Default \> Enabled) **Benefits:** * ✅ Leverages existing compliance framework infrastructure * ✅ Provides audit trail through compliance center reporting * ✅ Scales automatically as new projects are added to frameworks * ✅ Aligns AI governance with existing compliance workflows * ✅ Visible in compliance dashboards showing AI access status ### User experience goal As a Compliance Manager, I want to control AI tool access based on regulatory requirements so that I can ensure projects under specific compliance obligations don't use AI assistance when contractually restricted, while still allowing AI adoption for appropriate projects. **Example workflow:** 1. Create compliance framework "PCI-DSS Level 1" with AI Tool Access = "Disabled" 2. Apply framework to 50 payment processing projects 3. All 50 projects automatically block Duo Agent Platform access 4. Compliance dashboard shows: "50 projects with AI access restricted by compliance framework" 5. Developers see clear message: "Duo Agent Platform is disabled for this project due to PCI-DSS Level 1 compliance requirements" ### Permissions and Security * **Framework AI settings management**: Requires Owner role at the group level (consistent with current compliance framework permissions) * **No permission escalation**: Framework settings cannot grant access beyond what instance/group admins have configured * **Audit logging**: Framework-based restrictions logged in audit events ### Documentation Would require updates to: * [Compliance frameworks documentation](https://docs.gitlab.com/user/compliance/compliance_frameworks/) * [Configure access for the Agent Platform](https://docs.gitlab.com/administration/gitlab_duo/configure/access_control/) * [Compliance center documentation](https://docs.gitlab.com/user/compliance/compliance_center/) ### Availability & Testing **Tier**: Ultimate (aligns with compliance framework feature tier) **Feature flag**: `compliance_framework_duo_access_control` (enabled by default) **Testing plan:** * Unit tests for framework access logic * Integration tests for multi-framework inheritance * E2E tests for UI changes in compliance center * Access control verification in Duo Agent Platform features ### Related issues This complements existing access controls: * Group-based access controls: [Configure access for the Agent Platform](https://docs.gitlab.com/administration/gitlab_duo/configure/access_control/) * Role-based permissions (future): Mentioned in Duo Agent Platform GA documentation as planned enhancement