Shadow → Active Rollout
Safely roll out NjiraAI from observe-only to active enforcement.
Overview
NjiraAI supports a shadow mode that logs verdicts without blocking traffic. This lets you validate policies against real traffic before switching the binding to active.
Recommended rollout: Shadow (observe) → Review traces → Active (active) → Monitor
Step 1 — Start in shadow mode
Enable shadow mode from the NjiraAI Console:
- Navigate to Settings → Enforcement
- Set Mode to Shadow
- Ensure Fail Closed is enabled (recommended)
- Click Save
What happens in shadow mode
- All requests are forwarded regardless of verdict
- Verdicts are logged to the audit trail
- Response headers include shadow verdict info:
```
X-Njira-Shadow-Verdict: BLOCK
X-Njira-Shadow-Reason: PII_DETECTED
```
Step 2 — Review traces
Open the NjiraAI Console and navigate to the Traces page to review:
- Which requests would have been blocked
- Reason codes and confidence scores
- Policy pack and rule that triggered
```bash
# Or query traces via API:
curl -s https://api.njira.ai/v1/traces \
  -H "Authorization: Bearer nj_live_YOUR_KEY" | jq '.traces[] | {action, reason_code, tool_name}'
```
Expected output
```json
{
  "action": "BLOCK",
  "reason_code": "PII_DETECTED",
  "tool_name": "chat_interface"
}
```
Look for:
- False positives — safe requests marked BLOCK (tune policies)
- Missed risks — unsafe requests marked ALLOW (add rules)
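The review above can be turned into a repeatable go/no-go check before switching to active. The following is an added example, not NjiraAI code: it uses the `action`, `reason_code` and `tool_name` fields shown in the trace output, while the `id` field, the `null` reason code on ALLOW traces, and the reviewer labels are assumptions made for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like the /v1/traces output above. "id" and the
# reviewer labels below are assumptions, not fields documented on this page.
SAMPLE = json.loads("""{"traces": [
  {"id": "t1", "action": "BLOCK", "reason_code": "PII_DETECTED", "tool_name": "chat_interface"},
  {"id": "t2", "action": "BLOCK", "reason_code": "PII_DETECTED", "tool_name": "chat_interface"},
  {"id": "t3", "action": "ALLOW", "reason_code": null, "tool_name": "chat_interface"},
  {"id": "t4", "action": "ALLOW", "reason_code": null, "tool_name": "search"},
  {"id": "t5", "action": "BLOCK", "reason_code": "PII_DETECTED", "tool_name": "search"}
]}""")["traces"]

# Hypothetical reviewer triage of each sampled trace: was the request safe?
LABELS = {"t1": "unsafe", "t2": "safe", "t3": "safe", "t4": "unsafe", "t5": "unsafe"}


def would_block_counts(traces):
    """Would-be blocks grouped by (reason_code, tool_name)."""
    return Counter((t["reason_code"], t["tool_name"])
                   for t in traces if t["action"] == "BLOCK")


def triage(traces, labels):
    """Split labelled traces into false positives and missed risks."""
    false_pos = [t["id"] for t in traces
                 if t["action"] == "BLOCK" and labels.get(t["id"]) == "safe"]
    missed = [t["id"] for t in traces
              if t["action"] == "ALLOW" and labels.get(t["id"]) == "unsafe"]
    return false_pos, missed


def ready_for_active(traces, labels, max_fp_rate=0.0):
    """Gate the switch: no missed risks, false-positive rate within budget."""
    false_pos, missed = triage(traces, labels)
    safe_total = sum(1 for t in traces if labels.get(t["id"]) == "safe")
    fp_rate = len(false_pos) / safe_total if safe_total else 0.0
    return {"fp_rate": fp_rate, "false_positives": false_pos,
            "missed_risks": missed,
            "ready": not missed and fp_rate <= max_fp_rate}


if __name__ == "__main__":
    print(dict(would_block_counts(SAMPLE)))
    print(ready_for_active(SAMPLE, LABELS))
```

Traces listed under `false_positives` point at policies to tune; traces under `missed_risks` point at rules to add.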
Step 3 — Enable enforcement
Once satisfied with shadow results, switch to active mode:
- In the Console, navigate to Settings → Enforcement
- Set Mode to Active
- Click Save
Changes take effect immediately — no restart required.
Verify enforcement is active
```bash
# This should now return 403 (not 200 with shadow headers):
curl -s -w "\nHTTP %{http_code}\n" \
  https://gateway.njira.ai/v1/chat/completions \
  -H "Authorization: Bearer nj_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"model":"gpt-5.2","messages":[{"role":"user","content":"My SSN is 123-45-6789"}]}'
```
Expected output
```
{"blocked":true,"reason":"SSN pattern (XXX-XX-XXXX) detected","reason_code":"PII_DETECTED",...}
HTTP 403
```
Step 4 — Rollback (if needed)
To revert to shadow mode, switch the Mode back to Shadow in the Console under Settings → Enforcement. No data is lost — all previous traces remain in the audit log.
Configuration reference
| Setting | Values | Default | Description |
|---|---|---|---|
| Mode | Shadow / Active | Active | Log verdicts without enforcing (Shadow) or enforce verdicts inline (Active) |
| Fail Closed | On / Off | On | Deny requests when the Intelligence service is unavailable |
Success criteria
| Check | Expected |
|---|---|
| Shadow mode: PII request returns 200 with X-Njira-Shadow-Verdict: BLOCK | ✅ |
| Active mode: PII request returns 403 | ✅ |
| Traces appear in Console on the Traces page | ✅ |
| Rollback to shadow mode restores 200 for all requests | ✅ |
Next steps
- Policy packs — customize what gets blocked
- Troubleshooting — common issues