📋 Governance Control Plane · Solution

Every AI decision becomes
evidence an auditor can trust.

Model, prompt version, sources, confidence, and the pre-act verdict recorded before any side-effect fires — on a tamper-evident, hash-chained, signed ledger you can hand to a regulator. Runs on your infrastructure, with your own keys.

The business case

When the regulator asks 'prove what your AI did', logs are not an answer

The problem

You are deploying AI that influences real decisions — prices, claims, repairs, access, sign-off — and you cannot prove, on demand, what the model saw, which version produced the output, what it was grounded on, how confident it was, and that a human, not the machine, executed anything irreversible. The EU AI Act makes automatic record-keeping a legal obligation for high-risk systems, with the deployer accountable even when the model is someone else's, at least six months of retention, and fines reaching the millions.

Ad-hoc application logs are not an audit trail: they are mutable, ungoverned, and prove nothing about tamper. The moment you let an off-the-shelf agent both decide and record its own actions, the evidence is written by the same thing it is meant to hold accountable. That is exactly the authority you cannot hand a model.

Who feels it

  • The CISO, Head of AI Governance / Responsible AI, and Compliance & Risk officers who have to answer 'show me the evidence'
  • Internal audit and the regulated business owner — lending, claims, clinical, engineering sign-off — accountable for every automated decision
  • The platform and ML team that owns the producing flows and gets the 3am 'why did the AI do that' page
Time to value

Fast — there is no new store to build and no second source of truth to reconcile. The trail extends the one shared actions ledger flow8 already uses; a pilot retrofits one reversible-only flow with the kill-switch on and runs shadow-first, so you see signed evidence rows before anything consequential is wired.

What you get

'Are we Article-12 ready?' stops being a project and becomes a query

The same evidence contract covers every producing flow across your estate — one decision or ten thousand.

📑

Every decision carries its own evidence

Before any side-effect fires, each AI decision writes a row with model, prompt version, retrieved sources and scores, per-output confidence, injection flag, and the pre-act policy verdict — the full context, not a stack trace.

🔗

Tamper-evidence you can defend

A per-actor hash chain plus an HMAC signature, continuously re-verified. An attacker who edits an outcome and recomputes a self-consistent chain still fails the signature check, because the signing key never left your key store.

👤

Structural proof that a human executed

Money and identity actions are recorded prepare-only with proceed=false, and the dashboard reports the exact prepared-vs-committed ratio — so the trail that satisfies the regulator also proves the autonomy boundary held.

📊

A weekly evidence surface that self-heals

One auditor and CISO dashboard — actions by actor, prepared-vs-committed, itemized money/identity log, violation trend, chain-integrity status — recomputed every run instead of going stale between audits.

🔒

Sovereignty by construction

The ledger and corpus live in your own database and vector store, on-prem-capable; the embedding and LLM provider is swappable via config; the signing key never leaves your key store and is never written to a report.

⚖️

Maps straight onto the Act's fields

Timestamp, operator and actor id, model version, input, output, governance policy applied, policy flags — the required fields land as columns, so evidence retrieval is a filter, not a forensic reconstruction.

How it works

One governed spine, from a decision point to a signed evidence record

The model proposes; a human executes; nothing touching money or identity ever auto-fires. It is the same secure spine every flow8 Solution runs — here worn as a signed, queryable audit trail.

Every AI side-effect across your estate runs the identical sequence. The LLM is permanently demoted to an advisor over deterministic facts; the consequential output is a proposed row written and signed on a shared, tamper-evident ledger — before the act, not after.
01
📨
Decision-point intake A producing flow reaches the moment it is about to act and gathers the full decision context on a cursored, scoped read. IMAP · OCR
02
🧪
Injection pre-scan A deterministic Code heuristic flags and sanitizes untrusted outcome text as data, before it is hashed, rendered, or seen by any model. data, not instructions
03
🧩
Extract & ground A schema-locked LLM suggests structure and cites its sources; the grounding, scores, and confidence are captured in Code. model suggests
04
⚖️
Code decides The binding pre-act verdict is computed in deterministic code, never by the model. Code authoritative
05
📝
Signed evidence row The decision is written as a proposed row — model, version, sources, confidence, verdict — hash-chained and HMAC-signed on the shared ledger. draft, not act
06
🚦
Policy gate A deterministic gate classifies each row; money and identity are forced to prepare-only with proceed=false by construction. prepare-only
07
🙋
One human task Exactly one task is opened per consequential decision; the full evidence record is already committed before any side-effect. audit-before-effect
👤
Human reviews & commits A person approves in one click. The act fires under their authorship, and the row is confirmed and signed on the chain. human-gated
Safe output A signed, queryable evidence record approved by a human · recorded on a hash-chained, signed ledger · reversible

Audit-Ready Compliance Trail turns every AI side-effect across your estate into a signed, queryable evidence record. At the moment a producing flow is about to act, it runs the injection pre-scan, lets a schema-locked LLM suggest structure while grounding and confidence are captured in code, and writes a prepared row carrying the full decision context — model, prompt version, the exact source chunks and scores it was grounded on, output confidence, an injection flag, and a deterministic pre-act verdict — into one shared, append-only ledger before the act.

After the act confirms, the same row is hash-chained to its predecessor and HMAC-signed, making the trail tamper-evident without forking the store, while a read-only sweep continuously re-walks the chain to catch tamper, ungoverned actions, and money/identity escapes. Because money and identity are recorded prepare-only and a human executes them, the guardrail is not a policy bolted on after the fact — it is the architecture. Off-the-shelf agents let a model act first and log later; flow8 signs the evidence before the side-effect ever fires.

Why it's safe to run

Secure and efficient by construction — not by policy

Secure by construction

The guardrail is the architecture, so proving your AI's decisions stops being a fire drill.
  • Deterministic injection pre-scan. A Code heuristic flags and sanitizes untrusted outcome and reference text (control / zero-width / bidi chars + imperative-override markers) before it is hashed or rendered. The sweep and dashboard run no action-influencing LLM at all, so poisoned ledger text is inert escaped data that cannot flip chain status or mute a red flag. There is no security module pretended.
  • Never auto-act on money or identity. A money-or-identity decision is forced to prepare-only with proceed=false at the deterministic gate. Money and identity are judged by Code only; an optional LLM may tighten the verdict, never loosen the hard floor.
  • Audit before side-effect. The evidence row — model id, prompt version, sources, confidence, injection flag, verdict — is written before the act and confirmed and signed after, so there is never a window of an unsigned committed action, and a re-run never double-acts.
  • Tamper-evident hash-chained ledger. A per-actor hash chain plus an HMAC-SHA256 signature under a frozen canonicalization, continuously re-verified by a read-only sweep. Reverse appends a compensating chained row — it never mutates a signed original, so history is immutable.
  • Sovereign and provider-swappable. The ledger is your own system of record; the vector index is a rebuildable derived copy; the AI provider is a swappable setting and the signing key stays in your key store. Nothing is locked to one vendor or jurisdiction.

Efficient by construction

The same properties that make it defensible make it cheap to run at estate scale.
  • One ledger, extended in place. Producers write the same shared actions row the Execution Layer already uses — the trail only adds signing and verdict columns, so there is no dual-write and no reconciliation between two sources of truth.
  • Idempotent by construction. A content-derived key is the upsert conflict key, so overlapping cron fires, retries, and backfills upsert the same row instead of duplicating evidence or re-signing an already-signed decision.
  • Resumable, bounded sweep. A stored cursor windows the chain by sequence, queries are always scoped and hard-capped, and the cursor advances only after each verification row persists — a crash re-processes one deterministic window, never the whole ledger.
  • Deterministic where it counts. The pre-act verdict, the money/identity floor, and the chain math are pure Code; neither the sweep nor the dashboard runs an action-influencing LLM, so the model is paid for once at the decision point and zero times to keep the trail honest.
  • Self-healing dashboards. The evidence surface re-renders the full keyed range every run, so late data for a closed week re-aggregates and a duplicate run produces byte-identical output instead of freezing a stale number.
Built from

Assembled from proven, hardened capabilities

Not rebuilt from scratch — composed from the same governed building blocks every flow8 Solution shares, so it ships in days.

The capabilities it composes
Signed evidence-row write Per-actor hash chain HMAC signature & verification Injection pre-scan Deterministic pre-act verdict Money/identity prepare-only floor Read-only chain-integrity sweep Self-healing evidence dashboard
Connects to your stack
ERP & CRM systems of record Signed system-of-record ledger Enterprise task & workflow queues On-prem vector store & knowledge base GRC & enterprise ticketing (Jira / ServiceNow) Reporting & BI dashboards Any REST / OData API
Where it fits

The same evidence contract serves every regulated, high-risk decision

Any business whose AI influences a consequential decision that a regulator can later demand you prove — with the model, the grounding, and who executed it.

Composes with

A signed row from one solution is the evidence another already speaks

Adopt this one and it plugs into the spine the others already write to.

Point it at one flow. Kill-switch on. Shadow-first.

Retrofit one reversible-only flow and watch it write signed, hash-chained evidence rows your team can query — no side-effects, full audit trail. When you're ready, light up the read-only sweep and the Article-12-shaped dashboard over it, then wire the producers you haven't touched yet on the exact same ledger.

Book a demo →
All solutions