Projects
Projects are the top-level organizational unit in Control Zero. A project groups together policies, API keys, and audit logs for a specific set of AI agents.
What Are Projects?
A project represents a logical boundary for governance. Typically, you create one project per environment (e.g., production, staging) or per application (e.g., customer-support-agent, data-pipeline-agent).
Each project has:
- A unique Project ID (e.g., proj_abc123).
- One or more API keys for SDK authentication.
- A set of policies that define the governance rules for agents in this project.
- An audit log of all policy decisions made by SDKs connected to this project.
Creating a Project
You can create projects through the Control Zero dashboard or via the API.
Dashboard
- Navigate to Projects in the sidebar.
- Click Create Project.
- Enter a name and optional description.
- Click Create.
API
```bash
curl -X POST https://api.controlzero.ai/v1/projects \
  -H "Authorization: Bearer YOUR_ORG_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-agents",
    "description": "Production AI agent governance"
  }'
```
Response:
```json
{
  "id": "proj_abc123",
  "name": "production-agents",
  "description": "Production AI agent governance",
  "created_at": "2026-03-01T00:00:00Z"
}
```
API Keys
Each project has API keys that SDKs use to authenticate and download policy bundles.
Key Types
| Type | Prefix | Purpose |
|---|---|---|
| Live | cz_live_ | Production use. Full policy enforcement and audit logging. |
| Test | cz_test_ | Development and testing. Policies are evaluated but actions are never blocked (log-only mode). |
Managing Keys
You can create, rotate, and revoke API keys from the project settings page.
- Create: Generate a new key for the project. You can have multiple active keys simultaneously.
- Rotate: Generate a new key and set an expiration on the old key. This allows for zero-downtime key rotation.
- Revoke: Immediately invalidate a key. Any SDK using the revoked key will lose access on its next policy refresh.
API keys are shown only once at creation time. Store them securely. If you lose a key, you must create a new one.
Using Keys in SDKs
Pass the API key when initializing the SDK:
```python
# Python
from controlzero import Client

client = Client(api_key="cz_live_your_api_key_here")
```

```go
// Go
client, err := controlzero.New(
    controlzero.WithAPIKey("cz_live_your_api_key_here"),
)
```
You can also set the API key via environment variables:
```bash
export CONTROLZERO_API_KEY="cz_live_your_api_key_here"
export CONTROLZERO_PROJECT_ID="proj_abc123"
```
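A startup check for the key handling described above, as an added example (not Control Zero's own code): because a cz_test_ key runs in log-only mode, it refuses to start a production deployment with one, and it returns the key's mode so the service can log it next to a redacted key. The `deployment` label and the `load_key` and `redact` helpers are assumptions; only the two prefixes and the CONTROLZERO_API_KEY variable come from this page.

```python
import os

# Key prefixes from the Key Types table on this page.
LIVE_PREFIX = "cz_live_"
TEST_PREFIX = "cz_test_"


class KeyConfigError(RuntimeError):
    """The configured key is missing or does not fit the deployment."""


def redact(key):
    """Keep only the type prefix so the key can be named in logs."""
    for prefix in (LIVE_PREFIX, TEST_PREFIX):
        if key.startswith(prefix):
            return prefix + "****"
    return "****"


def load_key(env, deployment):
    """Return (key, mode) from `env`, or raise KeyConfigError.

    `deployment` is a hypothetical label supplied by the caller
    (e.g. "production"); it is not a Control Zero setting.
    """
    key = env.get("CONTROLZERO_API_KEY", "").strip()
    if not key:
        raise KeyConfigError("CONTROLZERO_API_KEY is not set")
    if key.startswith(LIVE_PREFIX):
        mode = "enforce"
    elif key.startswith(TEST_PREFIX):
        mode = "log-only"
    else:
        raise KeyConfigError("unrecognised key prefix: " + redact(key))
    if deployment == "production" and mode != "enforce":
        # A test key never blocks actions, so production would run unenforced.
        raise KeyConfigError("test key in production: " + redact(key))
    return key, mode


if __name__ == "__main__":
    try:
        key, mode = load_key(os.environ, "production")
        print("Control Zero key", redact(key), "mode:", mode)
    except KeyConfigError as exc:
        raise SystemExit("refusing to start: " + str(exc))
```

The mode returned here reflects the key type only; the project's Log-Only Mode setting is configured separately in Project Settings.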
Policy Assignment
Policies are assigned at the project level. When you create or modify a policy within a project, it is automatically included in the next policy bundle compiled for that project.
Active Policies
Only published policies are included in policy bundles. Draft policies are not enforced.
A project can have multiple active policies. All active policies are evaluated for every action check. The rules from all policies are combined and evaluated together using the standard evaluation order.
Policy Versioning
Each time you publish a policy, a new version is created. You can:
- View the history of all policy versions.
- Roll back to a previous version if needed.
- Compare versions to see what changed.
Project Settings
| Setting | Description | Default |
|---|---|---|
| Default Effect | The effect applied when no policy rule matches an action. | deny |
| Bundle Refresh Interval | How often SDKs poll for new policy bundles (in seconds). | 60 |
| Audit Log Retention | How long audit log entries are retained. | 90 days |
| Log-Only Mode | When enabled, policies are evaluated and logged but actions are never blocked. | false |
Organizing Projects
Here are common patterns for organizing projects:
By environment: Create separate projects for production, staging, and development. This lets you apply strict policies in production while keeping development more permissive.
By application: Create a project for each distinct agent application. This isolates policies and audit logs per application.
By team: Create projects per team to delegate policy management while maintaining organizational oversight.
You can combine these patterns. For example, customer-support-production and customer-support-staging give you both application and environment isolation.