The Governance Fabric for Autonomous AI
Governance is not a feature you bolt on after launch. In V2, every agent action flows through append-only events, evidence-based gates, and immutable release decisions.
GOVERNANCE CONTROLS
Defence in Depth for Agent Systems
Four layers of governance — from immutable event streams to in-VPC data residency.
Append-Only Event Streams
WorkflowEvent is insert-only — enforced at the database level via trigger + REVOKE. No handler deletes, no repository methods, no routes. The audit trail is immutable by design, not by policy.
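One way to get the trigger + REVOKE enforcement described above, written here as an added PostgreSQL example and not taken from the product's own schema. The `workflow_event` table, its columns, the function and trigger names, and the `app_runtime` role are all assumptions.

```sql
-- Added example (PostgreSQL 11+). Table, column, function and role names
-- are hypothetical, not the product's actual schema.
CREATE TABLE workflow_event (
    id          bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    workflow_id uuid        NOT NULL,
    kind        text        NOT NULL,
    payload     jsonb       NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Layer 1: triggers reject mutation even for a role that holds the privilege.
CREATE FUNCTION workflow_event_reject_mutation() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'workflow_event is append-only: % rejected', TG_OP
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER workflow_event_no_update_delete
    BEFORE UPDATE OR DELETE ON workflow_event
    FOR EACH ROW EXECUTE FUNCTION workflow_event_reject_mutation();

-- Row-level triggers do not fire on TRUNCATE; it needs a statement-level one.
CREATE TRIGGER workflow_event_no_truncate
    BEFORE TRUNCATE ON workflow_event
    FOR EACH STATEMENT EXECUTE FUNCTION workflow_event_reject_mutation();

-- Layer 2: privileges. The runtime role may only INSERT and SELECT.
-- app_runtime is a hypothetical, already-created login role. It must not own
-- the table or be a superuser: REVOKE does not bind either of those, and an
-- owner can disable the triggers or grant itself the privileges back.
REVOKE ALL ON workflow_event FROM PUBLIC;
REVOKE ALL ON workflow_event FROM app_runtime;
GRANT INSERT, SELECT ON workflow_event TO app_runtime;

-- Verification: connected as app_runtime, confirm that UPDATE, DELETE and
-- TRUNCATE against workflow_event are all refused while INSERT succeeds.
```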
RBAC / ABAC Parity
6 roles (Owner, Admin, Analyst, Auditor, Developer, ServiceAccount), 22 API scopes, attribute-based access control with 7 rule conditions. JIT privilege escalation for time-bounded access. Agent capability grants with table allowlists.
Human Gate Evidence Chains
Every ReviewRequest carries its full evidence bundle — which model decided, what confidence was measured, which validations ran, and the complete lineage path. Reviewers see context, not just a binary approve/reject.
In-VPC Architecture
Data plane runs in your VPC via PrivateLink. Control plane connects over encrypted channels. No data leaves your network. CMEK for encryption at rest, SAML/OIDC for identity federation.
COMPLIANCE COVERAGE
Regulation-Ready by Design
V2 runtime entities map directly to compliance controls — not as a bolt-on, but as the architecture itself.
| Regulation | Status |
|---|---|
| SOC 2 Type II | In audit |
| GDPR | Compliant |
| HIPAA | Ready |
| PCI-DSS | Ready |
| EU AI Act (Article 14) | Mapped |
EU AI Act Article 14 — Human Oversight: V2's ReviewRequest + evidence bundle pattern directly satisfies the requirement for human oversight of high-risk AI systems. Every gate decision is recorded as an immutable ReleaseDecision with full causal context.
HUMAN GATES
Human Oversight as a Platform Entity
ReviewRequest is not a Slack message — it's a governed entity with evidence bundles, SLA enforcement, and immutable release decisions.
```javascript
// Publish artifact with human gate
const artifact = await hd.v2.publishArtifact({
  attemptId: attempt.id,
  kind: "loan_approval",
  contentHash: "sha256:a8f2c901...",
  confidence: 0.72,
});
// Gate triggers automatically when confidence < 0.80
// Assigned to compliance team with 4-hour SLA
// → ReviewRequest created with full evidence bundle
```
Gate Triggers
Confidence below threshold or policy match → ReviewRequest created automatically
Evidence Accumulates
Full lineage chain, model decisions, validation results attached to the review
Decision Recorded
Approve or reject → immutable ReleaseDecision with rationale and timestamp
Schedule a Security Review
Our security team will walk through the V2 governance architecture, compliance mapping, and deployment options for your specific regulatory requirements.