Last updated on February 12th, 2025 at 11:42am
Kion has expanded its AI policy library – known as the Kion AI Jumpstart – to support new policies and compliance checks that can detect and control use of the open source DeepSeek model when used on AWS. AWS recently added support for DeepSeek-R1, which can be deployed in the AWS Bedrock and AWS SageMaker AI services, across selected commercial cloud regions.
While DeepSeek offers potential reductions in the computing resources required for generative AI use cases, some organizations in highly regulated industries (ex: government contractors supporting the defense and national security industries) may have concerns about the use of this model inside of their cloud environments due to its origin. While today this model has not been made available within AWS GovCloud or isolated regions, many sensitive but not classified workloads are built within AWS commercial regions. With Kion, CloudOps and AI teams can drive consistent, safe use of AI models quickly and efficiently through the use of existing Cloud Rule or Cloud Access Role functionality.
Here’s a summary of what is now available in the Kion AI Jumpstart:
New IAM Policy for denying use of AWS Bedrock’s InvokeModel functionality for DeepSeek
Using IAM policies, organizations can block execution of DeepSeek via AWS Bedrock by denying use of the InvokeModel functionality. The InvokeModel function permits running inference against popular AI foundational models. While the IAM policy included in the AI Jumpstart is configured for DeepSeek, it’s possible to extend this policy for other models that the organization wishes to restrict.
New IAM Policy for broadly denying subscription access to AWS Bedrock Marketplace
Some organizations may want to limit or deny access to AI models available in the AWS Bedrock Marketplace, such as DeepSeek. Typically, this policy can be applied broadly to one or many Organization Units (OUs) in Kion, such as divisions of a business that host workloads containing sensitive customer information. Additionally, due to Kion’s flexible policy exemption workflows, if a user wants to get access to the AWS Bedrock Marketplace, they could explicitly request an exemption through Kion’s built-in functionality or through integrations with other third-party ITSM tools.
New compliance check for identifying any AWS SageMaker models based on data source naming
It’s difficult to identify the contents of underlying data sources used by AWS SageMaker. Kion has introduced a new compliance check that will report a finding for any data sources named ‘deepseek’ to help determine where within the organization a model is being used. This can also be modified for detection of other underlying models.
Today, Kion supports a number of out-of-the-box AI policies and guardrails for both AWS and Azure, enabling companies, universities, and federal agencies to make safe use of AI and related cloud services. Kion’s policies can be used to deny use of AI services at various levels across an organization to ensure consistent application of GenAI content guardrails, as well as detect use of specific models like DeepSeek-R1. Kion’s robust compliance jumpstarts can also be used to enforce compliance with standards like FedRAMP, HIPAA, and other NIST 800-53 based frameworks, saving organizations months of technical work.
These new policies are available to all existing Kion customers to make it easy for CloudOps teams to quickly adjust access across all AWS accounts.
For more on mitigating risks through proactive AI governance, read this blog.
Organizations interested in seeing how Kion makes safe use of the latest AI models in AWS and Azure can request a demo here.
