Your AI Control Plane
Not a network firewall — a governance layer. Data whitelists, tool controls, approval chains, audit exports, and event replay. Every action controlled, every decision auditable.
Eight Layers of Governance
Our minimum security baseline — applied to every client deployment, no exceptions.
Isolated Client Workspaces
Every client receives a fully independent workspace with separate gateway instances, secrets management, and configuration. Zero cross-tenant data sharing.
Tool Whitelisting & Blacklisting
tools.allow and tools.deny configurations ensure AI can only access explicitly approved tools. High-risk tools are disabled by default.
Execution Approval Chains
Commands and write operations are restricted to allowlists or require explicit human approval. No autonomous execution of destructive actions.
Read-Only First Principle
AI begins with read-only data access. Write, publish, and send permissions are only enabled after explicit approval chains are configured.
Context Isolation
Per-user and per-channel context boundaries prevent information leaking between conversations in multi-user environments.
DM Pairing & Allowlists
Direct messaging uses pairing or allowlist modes only — not open access. Group interactions require an @mention to trigger responses.
Sanitised Audit Streams
All actions are logged to sanitised audit streams. Raw file logs are never used as compliance reports — they receive separate treatment.
Patch & Update Management
Regular patch cycles aligned with security advisories. Version updates are tested in staging before production rollout.
What We Get Right About AI
We don't oversell. Here's exactly what our service does and doesn't provide.
What We Provide
- Your own accounts & tenants — you hold the billing and ownership
- A local governance layer with access controls and audit
- Human approval gates before any external action
- Minimum data exposure architecture
- Regular patch management and security reviews
What We Don't Claim
- We don't claim all AI inference runs on your local hardware — it depends on your chosen tier
- We don't claim prompt injection is completely solved — we mitigate, log, and monitor
- We don't resell subscriptions — you pay providers directly
- We don't guarantee zero risk — we reduce, control, and audit risk
Every Deployment Fully Documented
Documentation-first delivery. Every engagement produces a complete set of records for your compliance files.
Business & Legal
- NDA / Confidentiality
- Master Service Agreement
- Statement of Work
- SLA / Support Terms
- Change Order Templates
Discovery & Risk
- Discovery Questionnaire
- Current-State Workflow Map
- System Access Matrix
- Data Inventory
- Privacy Impact Assessment
- Human Review Policy
- Incident Response Plan
Technical & Handover
- Solution Architecture Diagram
- Configuration Register
- UAT / Acceptance Checklist
- Runbook / Admin Guide
- Training Materials
- Handover Checklist
- Patch / Change Log
Designed for NZ Compliance
Our governance framework is informed by NZ Privacy Act requirements, FMA guidelines for financial services, and AML/CFT obligations. We build compliance into the architecture — not as an afterthought.
- Data minimisation, security safeguards, breach notification
- No automated financial advice, human review required
- Audit trails, access controls, incident reporting
Want to See Our Governance in Action?
Book a workflow review and we'll show you exactly how we secure a real workflow from your office — permissions, approvals, audit, and all.