How Posit Team governs AI for public sector and government

How does Posit Team govern AI in public-sector and government environments? Posit Team is the bundle of our most popular products: Workbench, Connect, and Package Manager. The same controls that already enforce reproducibility and security for human work apply to AI work too. Posit Team governs the IDE, the packages, and the deployments your team already uses, so there is no separate control plane to stand up, accredit, and maintain.

The governance we build into Posit Team is a structural part of the workflow rather than above it, spanning code, packages, sessions, and deployments across Posit Workbench, Posit Package Manager, and Posit Connect.

Public sector teams are adopting this model on-premises, in air-gapped networks, and in cloud-based environments. Today, our public sector and government customers are using Posit solutions in most government environments, including FedRAMPed and classified networks.

NASA is using Posit Team to prepare for future missions to the Moon & Mars with dynamic workforce scenario planning.

Governing AI tools inside the IDE with Posit Workbench

Workbench gives administrators enforced settings over Posit Assistant, our data science AI agent that lives in RStudio and Positron sessions:

• which providers are reachable
• which models are allowlisted
• what defaults apply per provider
• whether the assistant is enabled at all

Because these settings are applied at the platform layer, they hold whether an analyst is typing code, running a notebook, or letting an AI agent do the work. Read about why your data teams love Posit Assistant.

Managed Credentials give administrators centralized control over the credentials the assistant uses, with support for AWS Bedrock IAM, Snowflake Cortex, and Azure delegated credentials. Keys stay out of user code, and assistant traffic flows directly from the client to the chosen provider. Because the products run in your networks, Posit collects no AI traffic and stores no prompts, code, or conversations. Read more about our privacy policies.

Posit Assistant also carries its own guardrails that an agency can enforce. Shell commands can run inside operating-system sandboxing that restricts writes to the workspace, blocks network access, and prevents reading sensitive paths. The assistant blocks reading secret files such as .env and .Renviron by default, and an administrator can set non-overridable file-exclusion patterns that keep sensitive files out of AI reach. Per-tool permissions let a team allow, ask, or deny each action the assistant can take. Posit Assistant’s autonomy matches your agency's risk tolerance. In plan mode, the assistant explores with read-only tools and writes out its approach for review, changing code only after a person approves, so an analyst stays in control of every step.

On the Enhanced and Advanced license tiers, Workbench also writes R and Python console and notebook inputs to a central audit directory, tagging each entry to distinguish human-initiated from agent-initiated execution.

Use case: a federal agency's data science team must show an auditor exactly where an AI agent contributed to an analysis that informed a published figure. Their security office enables console auditing with human-versus-agent attribution, restricts the assistant to an approved on-network model through enforced settings, and routes credentials through Managed Credentials. When it's time to audit, the record answers the question directly, and the data and research teams keep working in the IDE they already know and love.

For configuration details, see the Workbench administration documentation.

Governing the package supply chain with Posit Package Manager

Package Manager has governed R and Python package consumption for years, and that same governance now extends to CS Code extensions and AI agents. Administrators host curated CRAN, PyPI, Bioconductor, and Open VSX mirrors with approved subsets, so analysts and agents alike draw from a vetted set of packages rather than the open internet.

On the Advanced tier, preset and custom blocklist rules let administrators block packages by CVSS severity, specific CVEs, license type, version range, and deleted-package status, with allowlist overrides where needed. Open Source Vulnerabilities (OSV) data appears as metadata on each package, giving administrators what they need to set vulnerability policy. Date-based snapshots pin a repository to a known-good state, which is what reproducibility and audit reviews need.

The Package Manager MCP server, on the Enhanced and Advanced tiers, makes this policy apply to AI assistants. It shows an agent what is approved, which versions are pinned, and which vulnerabilities apply, so the same policy that governs a human researcher governs the agent querying for packages. For networks without internet access, an offline downloader brings packages, binaries, extensions, and vulnerability metadata across the air gap, with offline license activation.

Use case: an agency running an air-gapped network wants its AI assistant to suggest only packages that have cleared review. The administrator mirrors approved repositories, sets blocklist rules by license type and CVSS severity, and exposes the curated repository through the MCP server. Inside the offline environments, the assistant draws from the governed set, and the team's reproducibility requirements keep the teams' analyses running into the future.

Customer Spotlight

Unity Health Toronto works this way today: its CHARTWatch early-warning system runs inside hospital air-gap requirements, with internal R packages distributed through Package Manager and historical version access for reproducible deployments. A study in the Canadian Medical Association Journal found CHARTWatch associated with a 26% reduction in unexpected patient deaths. Read their success story!

For product details, see the Package Manager documentation.

Governing deployments and access with Posit Connect

Posit Connect is the easiest and safest way for your data and research teams to publish reports, apps, models, APIs, and MCP servers that any other team or decision maker requires. Connect governs who can reach published content and the AI services behind it. It provides single sign-on via SAML, OAuth, and OIDC across Okta, Entra ID, Google, OneLogin, and similar providers, along with role-based access, per-content user and group permissions, and access-request workflows.

Connect MCP server hosting, on the Enhanced and Advanced tiers, adds OAuth-based authentication, credential proxying for third-party services, and sandboxed tool execution. An MCP tool can reach an internal database or shared file system that users cannot touch directly from their own machines, with the tool itself running in a controlled environment on the Connect server. Connect's immutable audit logging records logins, deployments, permission changes, role elevation, failed logins, and content sharing, building the evidentiary record that compliance reviews require.

Use case: an agency wants AI clients across several teams to query an internal case-management database without granting anyone direct database access. A developer publishes an MCP server to Connect that exposes a small set of governed queries. Connect handles authentication and runs the tool in its sandbox, and every deployment and permission change gets recorded in the audit log. Analysts get the answers they need, and the data stays behind the controls the agency already trusts.

For details, see the Connect documentation.

Additional protections for regulated environments

• FIPS support: Connect and Package Manager support FIPS via opt-in AES-256-GCM encryption, and Workbench adapts its login encryption when the operating system runs in FIPS mode.
• On-premises and air-gapped deployment: Posit Team runs entirely within your own infrastructure, including networks with no internet access, supporting Authority to Operate processes on your terms.
• Partners: All of Posit Team also runs as a managed service in Snowflake. If you are in AWS SageMaker or Palantir, a lite version of Workbench, just the RStudio IDE, runs as a managed service. If your data is governed by Databricks, Posit Team has built-in integrations to simplify connecting to and running jobs on Databricks clusters.

What's coming next

Posit continues to invest in governance for AI work, and a few capabilities are in preview today. A Microsoft Azure Foundry provider is maturing for teams standardizing on Azure, and the unified Posit Assistant is still on track to replace Positron Assistant and Databot in Q3 2026.

Common questions about AI governance in regulated environments

Is Posit FedRAMP certified? Posit does not hold a FedRAMP product certification because our products are hosted in others' environments. Customers are using Posit solutions in regulated environments, including FedRAMPed and classified networks.

Does Posit store the prompts or code sent to AI assistants? No. Posit Assistant traffic flows directly from the client to the chosen provider, and Posit collects no AI traffic and stores no prompts, code, or conversations. Posit AI operates under a Zero Data Retention agreement with Anthropic, so a prompt or code snippet is used only to generate a response and is then deleted.

Can Posit Team run in an air-gapped network? Yes. Posit Team runs entirely within your own infrastructure, including networks with no internet access. Package Manager includes an offline downloader for packages, binaries, extensions, and vulnerability data, with offline license activation.

How does Posit show an auditor where an AI agent contributed to an analysis? Workbench writes R and Python console and notebook inputs to a central audit directory on the Enhanced and Advanced tiers, tagging each entry to distinguish human-initiated from agent-initiated execution.

Which controls require a specific license tier? Console auditing with human-versus-agent attribution, Package Manager blocklist rules, and the Package Manager and Connect MCP servers are available on the Enhanced and Advanced tiers, with blocklist rules on Advanced. Enforced AI settings and Managed Credentials are configured in Workbench administration.

Getting started

Posit Team brings AI governance into the workflow your data scientists and researchers already use, producing the artifacts reviewers ask for: reproducible environments, immutable audit logs, and human-versus-agent attribution.

Existing customers can enable these capabilities through their Workbench, Package Manager, and Connect administration settings. Public sector and government teams evaluating Posit can contact our team to scope a pilot around current capabilities. For a complete view of what is shipped, see each product's release notes.