Compliance-Certified Launch Gate

also known as Regulator Pre-Launch Certification, Pre-Deployment Filing Gate, 备案

Require an external regulator to certify the generative service against a published content-safety standard before it may serve the public, forcing the standard's controls into the build as a re-certifiable artifact.

Context

A generative or agent service is to be offered to the public in a jurisdiction whose regulator gates public availability on prior approval, not on after-the-fact enforcement. China is the worked example: an interim regulation and a national standard require every public-facing generative service to file with the authority and meet measurable content-safety thresholds before launch, and to re-file when the model or its safety surface changes. The operator cannot ship first and remediate later; the regulator's sign-off is a precondition for the service existing at all.

Problem

Runtime guardrails sit inside the running system, but a regulator that gates launch must inspect evidence before any user is served, and that evidence is concrete machinery the standard enumerates rather than a promise of good behaviour. The operator must produce, document, and keep current a specific set of controls — a keyword-interception library covering named risk categories, a measured refusal rate on sensitive queries, corpus filtering of the training data, and a classified bank of test questions with a passing spot-check rate — and must be able to re-present them on demand. Treating compliance as a runtime concern fails the gate, because the artifacts that satisfy it have to exist and be measured at build time.

Forces

A pre-launch regulatory gate moves the cost of compliance entirely before release, where there are no users to learn from yet, in exchange for legal permission to operate.
The standard names exact thresholds, so a control that is merely present is not enough; it must be measured against the published bar and the measurement retained.
Re-certification on model or corpus change makes the gate a recurring tax, which pushes the controls into the build pipeline rather than a one-time filing.
The certified artifacts overlap with controls a careful operator would build anyway, but the gate fixes their shape and minimum strength rather than leaving them to judgement.

Example

A company wants to launch a public chatbot in a market where the regulator must approve any generative service before it goes live. Instead of shipping and watching for complaints, the team builds a list of at least ten thousand blocked terms across the official risk categories, filters the training data, and runs the bot against a graded set of sensitive questions until it refuses at least ninety-five percent of them. They submit the results, wait for sign-off, and only then open the bot to the public — and when they later swap in a new model, they repeat the whole filing.

Diagram

flowchart TD A[Build pipeline] --> B[Keyword-interception library >=10000 terms] A --> C[Corpus filtering of training data] A --> D[Classified question bank: refusal + spot-check measured] B --> E[Compliance filing] C --> E D --> E E --> F{Regulator certifies?} F -- no --> A F -- yes --> G[Public availability] H[Model or corpus change] --> A

Solution

Therefore:

Treat the regulator's content-safety standard as a release contract and instrument the build to produce its evidence. Assemble a keyword-interception library that covers every risk category the standard names, and size it to at least the mandated term count. Maintain a corpus-filtering step that screens the training and retrieval data for the prohibited content the standard lists. Hold a classified bank of test questions, run the candidate service against it, and record the refusal rate on sensitive queries and the spot-check pass rate, each measured against the standard's published threshold. Bundle these measurements into a filing, submit it to the regulator, and block public availability until the filing is accepted. Version every artifact so that a model swap, a corpus refresh, or a threshold change triggers a fresh measurement and a re-certification rather than a silent drift past the bar.

What it gives you

Public availability is gated on documented, measured controls rather than on the operator's assurance, so the service launches with evidence the regulator already accepted.
The enumerated thresholds give the team a concrete, testable definition of done for content safety instead of an open-ended judgement call.
Versioned artifacts make every model or corpus change visibly re-certifiable, so safety regressions surface as a failed re-filing rather than as an incident in production.

What it costs you

Compliance cost lands entirely before launch, lengthening time-to-market and front-loading work that delivers no user value if the service is never approved.
The standard's thresholds can lag the actual risk surface, so a service can pass the gate and still mishandle harms the bank of test questions never probed.
Re-certification friction discourages frequent model upgrades, freezing the service on an older, already-certified model longer than is technically wise.
The certified controls are tuned to one jurisdiction's enumerated categories and do not transfer to a regulator that gates on different criteria.

What this pattern forbids. The service must not be made available to the public before the regulator certifies the filing, and any change to the model, corpus, or safety controls requires re-certification before the changed service may serve users; certification cannot be deferred to runtime or remediated after launch.

The smaller patterns that complete this one —

usesInput/Output Guardrails★★— Validate inputs before they reach the model and outputs before they reach the user.

And the patterns that stand alongside it, or against it —

alternative-toEval as Contract★★— Treat the eval suite as the contract the agent must satisfy; releases ship only if evals pass.
complementsDual Evaluation (Offline + Online)★— Run two parallel evaluation tracks — offline benchmark gates before deploy AND online production-traffic monitoring after — so drift is caught even when pre-deploy benchmarks pass.
complementsSovereign Inference Stack★— Run the entire agent stack (model weights, inference, tool layer, vector stores, logs) inside a jurisdictional and operational boundary the operator controls, so no request, prompt, or output crosses into a third-party API.
conflicts-withSilent Pilot-to-Production Promotion★— Anti-pattern: let a well-performing pilot quietly expand in scope until it is a de facto production decision system, while keeping the 'pilot' label so it never trips the go-live governance gate.
complementsFormal-Proof Compliance Gate·— Require every agent-proposed action to ship a machine-checked proof that it satisfies the binding regulatory invariants, and reject deterministically any action whose proof does not check.