Operations

Governance

The policy layer for what an AI system is allowed to read, call, decide, and ship — encoded as configuration the runtime enforces, not as a document on a shared drive.

Operating principle

Production AI is not a prompt. It is a system of context, tools, permissions, traces, evals, and feedback loops.

Autonomy with boundaries

The right level of autonomy depends on the action's risk and reversibility. Reading internal documentation: usually autonomous. Filing an issue: typically autonomous. Sending an external email, modifying production data, completing a financial transaction: gated. Risk levels are declared per tool in the registry and per workflow in the runtime, not left to model judgment.

What is enforced

Data access (which sources an agent or principal can see), tool permissions (which actions are exposed and at what scope), approval gates (which calls require a human), audit retention (how long traces are kept and who can read them), tenant isolation, secret boundaries, and deployment promotion paths. Each rule is declarative; the runtime is what makes it real.

  • Access controls inherited from the source graph
  • Tool scopes pinned in the MCP registry
  • Approval routing for high-risk actions
  • Tenant isolation and per-tenant retention

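As an added example (not the page's or the product's own code), a minimal runtime gate for the rules described above: the tool registry declares risk and scope, the principal's data access comes from the source graph, high-risk tools need a recorded human approval, and the model's own opinion of the risk is deliberately ignored. `REGISTRY`, `Principal`, `authorize` and the `AUDIT` list are constructed names for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Risk(Enum):
    LOW = "low"    # autonomous
    HIGH = "high"  # gated: requires a recorded human approval

@dataclass(frozen=True)
class ToolSpec:
    name: str
    risk: Risk
    scope: frozenset  # resource tags the tool is pinned to in the registry

# Constructed registry mirroring the page's examples; risk is declared here, never by the model.
REGISTRY = {
    "read_docs":      ToolSpec("read_docs", Risk.LOW, frozenset({"internal-docs"})),
    "file_issue":     ToolSpec("file_issue", Risk.LOW, frozenset({"issue-tracker"})),
    "send_email":     ToolSpec("send_email", Risk.HIGH, frozenset({"external-mail"})),
    "update_prod_db": ToolSpec("update_prod_db", Risk.HIGH, frozenset({"prod-data"})),
}

@dataclass(frozen=True)
class Principal:
    tenant: str
    resources: frozenset  # access inherited from the source graph
    tools: frozenset      # tools exposed to this principal

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

AUDIT: list = []  # hypothetical audit sink; a real one is an append-only store with retention

def authorize(p: Principal, tool: str, resource: str, tenant: str,
              approved_by: Optional[str] = None, model_says_risk: str = "low") -> Decision:
    """Evaluate one tool call against declarative policy. `model_says_risk` is accepted
    only to show that it is ignored: risk is looked up in the registry, not trusted."""
    spec = REGISTRY.get(tool)
    if spec is None:
        d = Decision(False, "tool not in registry")
    elif tenant != p.tenant:
        d = Decision(False, "cross-tenant call")
    elif tool not in p.tools:
        d = Decision(False, "tool not exposed to principal")
    elif resource not in spec.scope:
        d = Decision(False, "resource outside tool scope")
    elif resource not in p.resources:
        d = Decision(False, "principal lacks access to resource")
    elif spec.risk is Risk.HIGH and not approved_by:
        d = Decision(False, "high-risk action requires human approval")
    else:
        d = Decision(True, "autonomous" if spec.risk is Risk.LOW else f"approved by {approved_by}")
    AUDIT.append({"tenant": tenant, "tool": tool, "resource": resource,
                  "allowed": d.allowed, "reason": d.reason})  # every decision is traced, allowed or not
    return d
```

Every denial reason maps to one of the enforced rules listed above, so an audit question like "who can see what" is answered from the trace rather than from the model's output.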
Standards we map to

SOC 2 Common Criteria for security and confidentiality controls, the NIST AI Risk Management Framework for risk identification and mitigation, ISO/IEC 42001 for AI management systems, and sector-specific overlays (HIPAA, PCI DSS, Quebec Law 25 / Canadian PIPEDA / GDPR) when the engagement requires them.

What it works with

Enforces access boundaries declared in the Source Graph, scopes in the MCP Tool Registry, routes in Model Routing, and approval rules in Human Approval. Reads audit events from Observability. Sets retention rules on the conversation tables Conversation Intelligence writes. Without governance the other layers are unaudited; without the other layers governance is a document nobody enforces.

When you need it

Signals: an internal audit asking 'who can see what'; a regulator asking which data left your network and to which model provider; a sector overlay (healthcare, finance, public sector) that requires documented controls; a customer asking for SOC 2 evidence on AI workflows.

Related resources