BYOK
AI by exception should stay visible, bounded, and governed.
Refinery’s approach is deterministic first. AI is used where ambiguity requires judgment, and BYOK helps customers keep model runtime choices under their own governance posture. Models advise; policy and verification remain sovereign.
What BYOK means for Refinery
BYOK means a customer can bring their own model/runtime key for AI judge use cases instead of treating the model as an opaque default. This matters for teams that need control over vendor choice, model access, logging, procurement, or internal AI governance.
What data may be sent to models
When AI judge is enabled, Refinery may send field values and evidence snippets required for ambiguity resolution — bounded by policy and tenant configuration. Full record dumps are not the default posture.
What is never sent by default
- Marketing form secrets or credentials
- Unscoped production payloads outside the governed path
- PII beyond what policy requires for the specific judgment
Prompt masking and tenant AI policy
Tenants can configure which fields may enter model context, which require human review, and whether external AI is disabled entirely for regulated modes.
AI decision receipts
When AI contributes to a decision, the receipt records model involvement, policy version, and outcome — AI does not override policy or verification.
External AI disabled by default for regulated modes
Enterprise deployments can require human-only review or disable external model calls until BYOK and policy are explicitly configured.
Where AI belongs
AI belongs in ambiguous duplicate identity, conflicting enrichment, source disagreement, contextual classification, and evidence summarization.
Where it does not belong: letting a model silently overwrite production CRM, ERP, or customer data without policy, review, or verification.
Judge visibility
When an AI judge is involved, operators should be able to see the input context, rationale, confidence posture, policy constraints, and final decision path. AI output is advisory. Policy and verification remain sovereign.
Secret handling posture
Do not submit API keys or secrets through marketing forms. Runtime secrets should be configured through protected product surfaces, not email or static website forms. The baseline request only captures commercial discovery data.
Model runtime trust
BYOK deployments should make model vendor, region, logging, and key rotation visible to security and procurement teams. Refinery treats the model as a bounded judge — not a silent authority that can override policy, skip verification, or write to production without receipts.
Tenant AI policy examples
- Disable external model calls entirely for regulated tenants
- Allow AI only for duplicate-review and enrichment-conflict classes
- Require human approval when confidence is below threshold
- Mask specific fields from model context (tax IDs, health data, free-text notes)
Operational visibility
Operators should see when a model contributed to a decision, which policy version applied, what evidence was considered, and whether writeback was blocked pending review. This supports AI governance programmes that need explainability without pretending the model is infallible.
Procurement and governance fit
Teams evaluating AI for operational data often need answers procurement can audit: which model vendor, which region, who holds the key, what logging exists, and whether external AI can be disabled. BYOK posture supports those questions without pretending every deployment mode is identical on day one.