🗼 Governance Control Plane · Solution

Put one governed gate in front of
every AI action you run.

Every agent, intake flow, and automation writes a proposed action onto one tamper-evident ledger — a deterministic gate classifies it, money and identity are capped at prepare-only, and a human approves the consequential ones. Runs on your infrastructure, with a signed audit trail your CISO can hand an auditor.

The business case

Every agent decides for itself, logs where it likes, and no one can prove a human approved

The problem

Your teams are wiring AI agents and automations into systems that move money, change identities, post publicly, and touch regulated records. Each one decides for itself when to act, logs — if at all — to its own scattered store, and pings whoever it feels like. There is no single place to see what was proposed, no proof a human approved the consequential ones, and no way to show a log wasn't edited after the fact.

So you cannot answer the two questions every auditor, CISO, and regulator now asks: 'Did a human actually approve this?' and 'Can you prove the record wasn't altered?' Rubber-stamped approvals and un-verifiable audit trails are exactly what EU AI Act Article 14 and the NIST AI RMF say is not enough. And the moment you let an agent execute a payment, a credit decision, or an access grant on its own, you have handed a model authority you cannot legally or operationally give away.

Who feels it

  • CISOs and Heads of AI Governance who own the agent-safety mandate and have to answer for every autonomous action
  • Risk, Compliance, and Internal Audit who must produce evidence that humans, not agents, made the consequential calls
  • Finance controllers who refuse to let an agent post a journal or release a payment unwatched — and platform leads who won't re-implement guardrails in every agent

Time to value

Days, not a platform build. The gate, ledger, violation sweep, and dashboard are pre-built flow8 flows. Point your highest-consequence producer at the shared ledger with the kill-switch on and run it shadow-first — you watch it classify real proposed actions and see the quality of every verdict before a single approval task reaches a person.

What you get

Provable oversight — AI prepares, humans execute, and the record proves it

One control plane every AI or automation action runs through — one producer today, every agent you own tomorrow.

🔒

Money and identity cannot auto-execute

An agent literally cannot fire a payment, a credit decision, or an access grant on its own. The gate forces every money or identity action to prepare-only, the platform returns proceed=false, and it routes to a human — structurally, not by policy.

📒

One tamper-evident ledger for every agent

Every proposed action across every agent and team lands on one shared ledger — hash-chained and HMAC-signed, so a post-hoc edit is detectable, not deniable. No more scattered, un-verifiable per-agent logs.

🙋

Exactly one human task per consequential action

The one action that needs a decision surfaces as a single approval task on the surface your reviewers already use — no new console to babysit, and never a duplicate across re-runs or overlapping fires.

📊

Auditor-grade evidence, not rubber-stamping

A weekly dashboard shows %prepared-vs-committed, an itemized money and identity log, violation trends, and live chain-integrity — the exact evidence Article 14 and NIST AI RMF auditors ask for.

🎛️

Policy is swappable data, not buried code

Change a threshold, a hold-list, or a deny-rule without redeploying a single agent. The rules the gate enforces live as data your risk team owns — not logic frozen inside code.

🔎

It catches the escapes

A continuous reconciler sweep re-verifies every signature and flags any action that committed without preparing, slipped the gate ungoverned, or sits abandoned past SLA — and opens a ticket, so governance gaps surface instead of hiding.

How it works

One governed spine, from proposed action to human approval

The model proposes; a human executes; nothing touching money or identity ever auto-fires. It is the same secure spine every flow8 Solution runs — here worn as the control plane every other action passes through.

Every action from every agent runs the identical sequence. The LLM is permanently demoted to an advisor that can only tighten the verdict; the consequential output is a classified proposed row on a shared, tamper-evident actions ledger — not an action.
01 📨 Proposed-action intake: Every agent and automation writes its intended action as a proposed row onto one shared ledger — write-only, they never act. [IMAP · OCR]

02 🧪 Injection pre-scan: A deterministic Code heuristic treats the untrusted payload as data, before any verdict-influencing model sees it. [data, not instructions]

03 🧩 Classify & extract: A schema-locked LLM may suggest a risk read; the action's category, amount, and metadata are computed in Code. [model suggests]

04 ⚖️ Code decides the verdict: A deterministic hard floor — money, identity, deny-rule, hold-list — sets the binding verdict; the model can only tighten it, never loosen. [Code authoritative]

05 📝 Verdict on the ledger: The policy decision is written onto the same proposed row, then hash-chained and HMAC-signed at commit. [draft, not act]

06 🚦 Policy gate: Money and identity are capped at prepare-only by construction; the platform returns proceed=false and refuses to auto-act. [prepare-only]

07 🙋 One human task: Exactly one approval task is opened per consequential action, bound to its ledger row only after a full evidence record is written. [audit-before-effect]

👤 Human reviews & approves: A person approves in one click. The payment, posting, or grant executes under their authorship, recorded on the signed ledger. [human-gated]

Safe output: A classified, signed, approved action. Approved by a human · recorded on a signed ledger · reversible

Approvals & Action Governance is the cross-cutting control plane every AI or automation action runs through before it touches the real world. Your producers — agents, intake flows, pricing engines, ERP connectors — never act on their own; they write a proposed action onto one shared, tamper-evident ledger. A synchronous, deterministic gate classifies each one with hard rules first: anything that moves money or changes identity, anything flagged for injection, anything hitting a deny-rule or hold-list is forced to prepare-only and handed to a human. An optional LLM may only tighten that verdict, never loosen it — most-restrictive-wins.

Because the deterministic floor decides and the model can only advise, because money and identity are capped at prepare-only by construction, and because the verdict is written and signed before any side-effect on a hash-chained ledger, you get provable oversight without re-implementing guardrails in a single agent. Off-the-shelf agents give a model authority first and bolt on approval later — flow8 makes the gate the architecture every action already runs through.
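The gate logic described above, as an added Python sketch; it is not flow8's code. The verdict names, policy fields, sample values and override markers are assumptions made for illustration.

```python
import re
import unicodedata

# Verdict levels ordered by restrictiveness (names are assumptions for this sketch).
PROCEED, PREPARE_ONLY = 0, 1

# Policy lives as data, not code (constructed sample values).
POLICY = {
    "clamped_categories": {"money", "identity"},
    "amount_threshold": 500.0,
    "hold_list": {"vendor-417"},
    "deny_rules": [{"category": "public_post", "channel": "press"}],
}

# Imperative-override markers: a heuristic, not a complete detector.
OVERRIDE = re.compile(
    r"ignore (all |any )?(previous|prior) instructions|disregard the above", re.I)

def injection_flag(text):
    """True if the untrusted payload has control/format chars or override markers."""
    for ch in text:
        # Cc = control, Cf = format (covers zero-width and bidi control characters)
        if unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\n\t\r":
            return True
    return bool(OVERRIDE.search(text))

def floor(action, policy=POLICY):
    """Deterministic hard floor: returns (verdict, reasons)."""
    reasons = []
    if action["category"] in policy["clamped_categories"]:
        reasons.append("money_or_identity")
    if action.get("amount", 0) > policy["amount_threshold"]:
        reasons.append("threshold")
    if action.get("counterparty") in policy["hold_list"]:
        reasons.append("hold_list")
    if any(all(action.get(k) == v for k, v in rule.items())
           for rule in policy["deny_rules"]):
        reasons.append("deny_rule")
    if injection_flag(action.get("payload", "")):
        reasons.append("injection")
    return (PREPARE_ONLY if reasons else PROCEED), reasons

def gate(action, model_suggestion=None, policy=POLICY):
    """Most-restrictive-wins: the model can tighten the floor, never loosen it."""
    verdict, reasons = floor(action, policy)
    if model_suggestion is not None and model_suggestion > verdict:
        verdict, reasons = model_suggestion, reasons + ["model_tightened"]
    return {"proceed": verdict == PROCEED, "verdict": verdict, "reasons": reasons}
```

A model suggestion of `PROCEED` on a money action changes nothing, because the floor has already set `PREPARE_ONLY` and only a stricter value can replace it.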

Why it's safe to run

Secure and efficient by construction — not by policy

Secure by construction

The guardrail is the architecture, so putting AI in front of money and identity stops being a risk-underwriting exercise.
  • Deterministic injection pre-scan. A Code heuristic (control / zero-width / bidi chars + imperative-override markers) runs before any verdict-influencing LLM; the model sees only the redacted payload as data and can only tighten the deterministic floor, never loosen it. No separate security module is claimed.
  • Never auto-act on money or identity. Money, identity, and hard-irreversible actions are judged by deterministic Code only and clamped to prepare-only — the ledger returns proceed=false, so an agent is structurally prevented from auto-executing a payment, credit, or access change.
  • Audit before side-effect. The proposed row and its policy verdict are written before the human task or any external call; the gate refuses to decorate a row that doesn't already own its action — never act without an owning row.
  • Tamper-evident ledger. Each committed row is hash-chained over a frozen canonicalization and HMAC-SHA256-signed under a key held in KV — an attacker who recomputes a self-consistent chain still fails the signature check, and a read-only sweep re-verifies every signature.
  • Sovereign and provider-swappable. The signed ledger lives in your own f8db; the HMAC key, thresholds, and hold-lists live only in KV, never inlined; the AI provider is a swappable setting. Nothing is locked to one vendor or jurisdiction.
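Why the signature matters on top of the hash chain, as an added Python sketch; it is not flow8's code. The row layout, the JSON canonicalization, the genesis value and the function names are assumptions, and the key is passed in as a parameter where the page keeps it in KV.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value for the first row (assumption)

def canonical(row):
    """Frozen canonicalization (assumed here: sorted-key compact JSON, UTF-8)."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode("utf-8")

def _link(prev, row):
    return hashlib.sha256(prev.encode() + canonical(row)).hexdigest()

def commit(ledger, row, key):
    """Append a row: chain its hash to the previous row, then sign the chained hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    digest = _link(prev, row)
    sig = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    ledger.append({"row": row, "prev": prev, "hash": digest, "sig": sig})

def sweep(ledger, key):
    """Read-only re-verification of every row; returns (seq, problem) findings."""
    findings, prev = [], GENESIS
    for seq, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != _link(prev, e["row"]):
            findings.append((seq, "chain"))
        expected = hmac.new(key, e["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["sig"]):
            findings.append((seq, "signature"))
        prev = e["hash"]  # continue from the stored hash so one edit is pinpointed
    return findings

def rechain_without_key(ledger, seq, new_row):
    """Constructed tamper case: edit one row and recompute every later hash
    so the chain is self-consistent, but without the key to re-sign."""
    ledger[seq]["row"] = new_row
    prev = ledger[seq]["prev"]
    for e in ledger[seq:]:
        e["prev"] = prev
        e["hash"] = prev = _link(prev, e["row"])
```

A plain in-place edit shows up as a `chain` finding on that row; a recomputed chain passes the hash check and is caught only by the `signature` findings from the edited row onward.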

Efficient by construction

The same properties that make it safe make it cheap to run across every agent you own.
  • Idempotent by construction. A content-derived action key is the upsert conflict key, so every gate pass, sweep, and dashboard re-run is safe to repeat — a crashed run resumes the exact same window and never double-acts.
  • Draft-not-act removes rework. Nothing consequential happens until a human clicks, so there is no compensating clean-up loop — you never detect-and-reverse a bad automated payment, because it was never fired.
  • Scoped, cursored sweeps. The reconciler drains a bounded, seq-windowed backlog each run (scoped queries, hard-capped limit, advance-cursor-after-persist) instead of re-scanning the whole ledger.
  • Human attention spent only on exceptions. Clean, in-policy, low-value actions pass the floor automatically; the gate escalates only money, identity, low-confidence, hold-list, and threshold breaches — reviewers see the few that matter.
  • Self-healing dashboards. The weekly rollup recomputes and overwrites keyed rows every run, so late data re-aggregates, and the digest is throttled to one per window — reporting never freezes and never spams.

Built from

Assembled from proven, hardened capabilities

Not rebuilt from scratch — composed from the same governed building blocks every flow8 Solution shares, so it ships in days.

The capabilities it composes
  • Shared proposed-action ledger
  • Injection pre-scan
  • Deterministic policy gate
  • Money & identity prepare-only clamp
  • Hash-chain & HMAC signing
  • One-task approval routing
  • Continuous violation sweep
  • Auditor-grade evidence dashboard

Connects to your stack
  • Any producer over REST / webhook
  • ERP & CRM systems of record
  • Enterprise task & workflow queues
  • Jira & ServiceNow ticketing
  • Team chat & alerting channels
  • Reporting & BI dashboards
  • Secrets & policy vault (HMAC keys, thresholds)

Where it fits

The same gate serves every action with a consequence

Any team whose agents and automations touch money, identity, or regulated records — and must prove a human approved before anything fired.

Composes with

Every prepared row from another solution is an action this gate governs

Adopt this one and it classifies, signs, and routes the drafts the others already write to the shared ledger.

Point it at your highest-consequence agent. Kill-switch on. Shadow-first.

Point your riskiest automation — payments, identity changes, ERP postings — at the shared ledger and watch it classify a week of real proposed actions: drafts only, no tasks, full signed audit trail. When you're ready, flip on the approval queue, and every additional agent just writes a prepared row — no per-agent guardrail code to build.
