For CISO, Risk & Compliance

AI autonomy with cryptographic trust and full auditability

Nested policy envelopes define precisely what each pair may do. Every action passes a policy check, lands in an approval queue when required, and gets signed into an immutable audit log your internal auditor can export.

Policy envelopes nest from Org to Task

Every action is evaluated against all five layers. Any layer can allow, deny, or require approval.

Figure 1 shows the five nested policy envelopes, from Org Policy down to Task Action:

  • Org Policy: global denies, data residency, export control
  • Department Policy: approval thresholds, budget caps, escalation paths
  • Role Blueprint Policy: allowed action classes, tool whitelist, knowledge pack
  • Pair Mode Policy: current autonomy mode gate (Shadow … Autonomy)
  • Task Action: the specific call (parameters, scope, risk class)

Outcome per action: allow, approve, or deny (any layer can deny).
Figure 1. Nested envelopes. Evaluation is short-circuit: any layer's deny wins; any layer's approval requirement wins.

What Risk & Compliance get out of the box

Four primitives assembled into a governance model auditors recognize.

Policy envelopes

Declarative rules for what is permitted, what requires approval, and what is denied at every layer.

  • Allow / deny / require-approval per action class
  • Tool, data, cost, and rate limits
  • Versioned — every change is a signed update

Approval workflows

Approvals routed by risk class to supervisor, ai_ops, or org_admin — with SLAs and out-of-hours fallbacks.

  • Multi-approver thresholds (e.g. 2 of 3)
  • Dynamic routing by cost, customer tier, or PII presence
  • Break-glass procedure with mandatory post-incident review

Audit trail

Every pair decision, approval, and mode transition is recorded in an append-only, hash-chained ledger.

  • Per-action request, reasoning, and approval record
  • Mode transitions with KPI snapshots
  • Exportable for SOC 2, ISO 42001, and internal audit

KPIs for the board

Governance translated into four monthly numbers any exec committee can read at a glance.

  • Accuracy / quality rubric pass rate
  • Approval TAT (turnaround time)
  • Mode progression (ladder distribution)
  • Incident rate and MTTR

Targets:

  • Rubric accuracy: ≥ 95%
  • Approval TAT: ≤ 4h
  • Incident rate: ≤ 0.5%
  • Incident MTTR: ≤ 24h

Approval workflow, end to end

From requester through policy check to the final signed action — each swim-lane is logged.

Figure 2 shows a swim-lane workflow with five lanes (Requester, Policy engine, Approval queue, Approver, Action & audit) running from t=0 to t=executed:

  • Requester: the pair requests an action
  • Policy engine: policy check (envelope evaluation) with one of three results: allow, denied (logged only), or requires approval
  • Approval queue: the request is queued with a 4h SLA
  • Approver: supervisor or ai_ops approves or rejects
  • Action & audit: once allowed or approved, the action is executed and a signed, hash-chained log record is written
Figure 2. Every path (allow, approve, deny) is logged with a signed record.
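The two mechanisms above, the short-circuit evaluation across the five envelopes (Figure 1) and the hash-chained, signed audit record written on every path (Figure 2), as an added illustration that is not the product's own code. The rule contents, the mode name "supervised", the tool names and the use of HMAC in place of a real signing key are all assumptions made for this example.

```python
import hashlib, hmac, json

# Five envelopes, outermost first, as named on the page; each rule maps one task action
# to "allow", "approve" or "deny". Rule contents are constructed here for illustration.
TOOL_WHITELIST = ("crm.read", "crm.update", "email.send")
LAYERS = [
    ("org", lambda a: "deny" if a["region"] not in ("eu", "us") else "allow"),   # residency / export
    ("department", lambda a: "approve" if a["cost_usd"] > 500 else "allow"),    # approval threshold
    ("role_blueprint", lambda a: "allow" if a["tool"] in TOOL_WHITELIST else "deny"),
    ("pair_mode", lambda a: "allow" if a["mode"] == "autonomy" or a["risk_class"] == "low" else "approve"),
    ("task_action", lambda a: "deny" if a.get("contains_pii") and a["tool"] == "email.send" else "allow"),
]

def evaluate(action):
    """Short-circuit: the first deny wins at once; otherwise the first layer that
    requires approval wins; the action is allowed only if every layer allows it."""
    needs_approval = None
    for name, rule in LAYERS:
        verdict = rule(action)
        if verdict == "deny":
            return "deny", name
        if verdict == "approve" and needs_approval is None:
            needs_approval = name
    return ("approve", needs_approval) if needs_approval else ("allow", None)

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    """Append-only, hash-chained audit log; HMAC stands in for the signing key (assumption)."""
    def __init__(self, key):
        self.key, self.records = key, []
    def record(self, action):   # policy check, then log the verdict on every path
        outcome, layer = evaluate(action)
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {"prev": prev, "action": action, "outcome": outcome, "deciding_layer": layer}
        rec["hash"] = _digest(rec)
        rec["sig"] = hmac.new(self.key, rec["hash"].encode(), "sha256").hexdigest()
        self.records.append(rec)
        return outcome
    def verify(self):   # an auditor recomputes chain links and signatures end to end
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k not in ("hash", "sig")}
            sig = hmac.new(self.key, r["hash"].encode(), "sha256").hexdigest()
            if r["prev"] != prev or r["hash"] != _digest(body) or not hmac.compare_digest(r["sig"], sig):
                return False
            prev = r["hash"]
        return True
```

Note that a layer requiring approval does not stop evaluation, because a later layer may still deny; only a deny short-circuits, and tampering with any stored verdict breaks both the hash chain and the signature check.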

Governance review kit

Control matrix, envelope schema, audit-log sample, and a pre-filled internal-audit workbook.

Request governance review kit