Mneme HQ enforces security and compliance decisions for AI-generated code by surfacing relevant rules at prompt time and flagging violations before code reaches review. Rules like "never log PII", "all endpoints require auth middleware", and "secrets must not appear in frontend code" are stored as structured decisions and checked against every AI-assisted change — giving security teams a scalable guardrail for LLM-powered development. Rules files document standards. Mneme enforces them.
Reference Architecture · Simulated Scenario

Preventing LLMs from Introducing Security and Compliance Violations

Enforce encryption standards, auth requirements, PII handling rules, and secrets policies — before the LLM generates a single line of non-compliant code.

[Figure: Security enforcement flow. AI-assisted Code Request → Mneme HQ Security Filter (mneme check --tags security,gdpr) → compliance Policy Decisions → ✓ Pass: generation proceeds, compliant / ✗ Fail: PII / auth violation blocked]

The Problem

AI coding assistants don't know your compliance posture.

They don't know that your SOC 2 audit requires auth middleware on every endpoint. They don't know that GDPR prohibits logging user email addresses. They don't know that your secrets management policy was updated after last year's incident.

Security teams are discovering that standard code review is no longer sufficient when AI generates 10× more code at 10× the speed. You need enforcement earlier in the loop.

Without Mneme HQ — assistant suggests:
Prompt: "Add a debug logging endpoint that dumps recent user actions"
I'll create a POST /admin/debug endpoint that queries the user_actions table and returns the last 50 entries including user_id, email, and action_type...
With Mneme HQ — pre-flight check:
mneme check --mode strict
✗ FAIL decision/no-pii-in-logs
Rule: Never log or expose user email, name, or address.
Context: GDPR Article 5 compliance. Violations require DPA notification.

✗ FAIL decision/auth-middleware-required
Rule: All API endpoints must use AuthMiddleware.
Context: SOC 2 CC6.1 — unauthenticated endpoints are a critical finding.

→ Surfaced 2 violations before code generation.
Why Existing Tools Fall Short

SAST and code review catch violations too late.

| Approach | Limitation | With Mneme HQ |
| --- | --- | --- |
| SAST / linters | Find known vulnerability patterns; can't encode business-specific compliance rules | Business-specific rules encoded as decisions with rationale and enforcement |
| Security review | End-of-sprint bottleneck; too late to prevent; expensive | Pre-flight check at prompt time, before a line of code exists |
| Security training | Periodic; not actionable at the point of code generation | Rule surfaced exactly when relevant — during coding |
| Static policy docs | Not queryable; not enforced; go stale | Structured, retrievable, CI-gated |

How Mneme HQ Solves It

Security rules enforced at the earliest possible moment.

1. Encode your security and compliance rules as decisions

Translate your security policies, GDPR obligations, and SOC 2 controls into structured YAML decisions with explicit rationale.

2. Run mneme check before prompting

Every AI-assisted change is checked against relevant security decisions before code is written — not after it's merged.

3. Generate assistant rules files with security context

mneme cursor generate produces a rules file that includes your security constraints, so assistants are compliance-aware in every session.

4. Gate CI with an audit trail

All violations are logged. In strict mode, CI fails on non-compliant code. Security teams get an auditable record of what was checked and when.

Technical Implementation

What security decisions look like.

decisions/security-pii.yml
id: no-pii-in-logs
title: Never log PII in any endpoint or background job
status: accepted
rule: User email, name, phone, and address must never appear in log output
  or API responses not explicitly requesting them.
rationale: GDPR Article 5(1)(f) — data must be processed securely.
  Violation requires DPA notification within 72 hours.
enforcement: strict
tags: [security, gdpr, pii, compliance]
decisions/security-auth.yml
id: auth-middleware-required
title: All API endpoints must use AuthMiddleware
status: accepted
rule: No endpoint may be registered without AuthMiddleware in the middleware chain.
rationale: SOC 2 CC6.1 control requirement.
  Unauthenticated endpoints are a critical audit finding.
enforcement: strict
tags: [security, soc2, auth, compliance]
Terminal — scoped check with security tag filter
$ mneme check "add debug endpoint for user actions" --tags gdpr,soc2

Checking against 6 security/compliance decisions...

✗ FAIL decision/no-pii-in-logs
  Reason: Endpoint returns user_id, email — PII exposure detected.
✗ FAIL decision/auth-middleware-required
  Reason: No auth middleware referenced in proposed endpoint.
✓ PASS decision/no-secrets-in-frontend
✓ PASS decision/encrypt-at-rest-required

Result: FAIL (2 violations, strict mode)
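
An added example, not Mneme HQ's own code: a small Python wrapper that parses a report in the format shown above into a structured audit record and derives a fail-closed CI exit code from it. The regexes assume the line layout of the simulated output on this page, and `parse_check_output` and `gate` are hypothetical names.

```python
import json
import re

# Report text copied from the scoped check shown on this page (simulated scenario).
SAMPLE_OUTPUT = """\
Checking against 6 security/compliance decisions...

✗ FAIL decision/no-pii-in-logs
  Reason: Endpoint returns user_id, email — PII exposure detected.
✗ FAIL decision/auth-middleware-required
  Reason: No auth middleware referenced in proposed endpoint.
✓ PASS decision/no-secrets-in-frontend
✓ PASS decision/encrypt-at-rest-required

Result: FAIL (2 violations, strict mode)
"""

# Assumed line layout, taken from the sample above.
VERDICT = re.compile(r"^[✓✗]\s+(PASS|FAIL)\s+decision/(\S+)\s*$")
REASON = re.compile(r"^\s+Reason:\s*(.+)$")
RESULT = re.compile(r"^Result:\s+(PASS|FAIL)\b")


def parse_check_output(text):
    """Turn the textual report into a structured record for an audit log."""
    findings, overall = [], None
    for line in text.splitlines():
        if m := VERDICT.match(line):
            findings.append({"decision": m.group(2), "verdict": m.group(1), "reason": None})
        elif (m := REASON.match(line)) and findings:
            findings[-1]["reason"] = m.group(1)  # reason belongs to the preceding verdict
        elif m := RESULT.match(line):
            overall = m.group(1)
    return {"overall": overall, "findings": findings}


def gate(record):
    """Return a CI exit code: 0 only if the report is complete and clean."""
    failed = [f for f in record["findings"] if f["verdict"] == "FAIL"]
    # Fail closed: a missing Result line, an empty report, or a summary that
    # contradicts the per-decision lines all block the build.
    if record["overall"] != "PASS" or failed or not record["findings"]:
        return 1
    return 0


if __name__ == "__main__":
    record = parse_check_output(SAMPLE_OUTPUT)
    print(json.dumps(record, ensure_ascii=False, indent=2))
    raise SystemExit(gate(record))
```

Treating a truncated or empty report as a failure keeps a crashed or skipped check from passing the gate silently.
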
Simulated Outcome

What security teams see after enforcement goes live.

100% of captured security rules enforced at prompt time, not post-review
2 min average time to encode a new security rule as an enforceable decision
0 PII or auth violations in AI-generated code after enforcement
⚠ These figures are based on a simulated reference scenario — not live customer data.
FAQ

Common questions.

Can security teams manage decisions without engineering access?
Yes. The decisions YAML files are plain text, stored in version control. Security teams can open PRs to add or update rules like any other change — no code required.
Does Mneme HQ replace a SAST tool?
No — they're complementary. SAST finds known vulnerability patterns in written code. Mneme HQ enforces business-specific compliance rules before code is written. Use both.
How do we handle rules that vary by region or environment?
Use tags and separate decision files per context. You can scope checks with mneme check --tags gdpr for EU-specific rules or --tags soc2 for audit controls.
What happens if a developer overrides a strict violation?
In strict mode, the CI gate fails and the override is explicit — it must be merged with a documented exception. All violations are logged, creating an audit trail for security reviews.