Policy compliance applications to embeddings

[joshcornejo]

Embeddings are part of the new era of LLMs:

• It is impractical to associate the embeddings to each policy and/or rule (and not scalable).
• For use cases in RAG/*AG, assets can be separated as embeddings.
• These embedding processes can happen several times and generate different sets.
• They do exist at "one level removed" within the asset.
• Each embedding inherits all the permissions, obligations and prohibitions from its origin.
• To extend the concept of [ actor, action, asset ] triple, an attribute should be added to the resource property.

 "resource": {
    "id": "some_embedding_uuid"
    "embedding": "true|false",
  }

• If the attribute is missing, the asset is not considered an embedding (false by default)
• When true, the processor (validator, evaluator or compliance checker) is responsible of finding the asset and replacing the enquiry with the uuid present in the policy.

[joshcornejo]

It is tempting to think of the alternative:

Embedding isA Asset 
Asset isA AssetCollection
Create a refinement.

Implies:

• Every Asset will need to change to AssetCollection
• Every Rule in every active Agreement that has this Asset will need changing
• Every agreement will also need to 'revert' (double change) if the embeddings are removed

Creates potential issues for compliance, adds unnecessary burden for traceability, and bloats the agreements.