For General Counsel
The proof a regulator asks for, before they ask.
Article-mapped evidence. Decision provenance produced continuously. Contestation workflow that satisfies the right-to-challenge requirements emerging across jurisdictions. The artefacts a regulator actually wants, in the format their statutory framework requires.
If the system verifies itself, the evidence will not hold.
Not documentation. Evidence that holds.
Observer Mode shows how your system behaves
Enforce Mode blocks actions before execution
If an action violates policy, it does not run
The legal problem
Documented intent does not satisfy enforcement requirements.
Most AI governance produces declared posture: policies, attestations, periodic audits. Regulators are increasingly asking for something different: evidence that the control was active at the moment the decision was made, that the decision is traceable, and that the affected individual can challenge it.
OBEXGATE produces those artefacts as a side effect of operation. Not assembled later. Not reconstructed from logs.
What it produces
Three classes of artefact, every governed decision.
→ Decision provenance
Per-action record of what was evaluated, which frameworks applied, which rule was determinative, why the decision was made. Tamper-evident.
→ Article-mapped evidence packs
Evidence is mapped to the article, principle, or control reference inside the source regulation. Cross-mapped where a single event triggers multiple frameworks.
→ Audit lineage
Continuous, verifiable chain across every governed event. Cryptographically linked. Discoverable in regulatory inquiry.
Frameworks covered
Eighty-eight enforcement engines across eight jurisdictions.
Each engine maps to specific articles inside its source regulation. Cross-mapping handles the case where a single decision is governed by multiple frameworks simultaneously.
| Jurisdiction | Frameworks (selection) |
|---|---|
| European Union | EU AI Act (Article 99 tiers, SME proportionality applied), GDPR, DORA, eIDAS, NIS2 |
| United Kingdom | UK GDPR, Data Protection Act 2018, UK DUAA, FCA, PRA |
| United States | HIPAA, FDA, CCPA, NIST AI RMF, FedRAMP, CMMC, SOC 2, ISO 27001 |
| Brazil | LGPD (Article 52, BRL 50 million cap per violation) |
| Australia | Privacy Act 1988 (s13G greater-of structure, AUD 50M floor for serious interference) |
| New Zealand | Privacy Act 2020 (Section 212 criminal fines, Human Rights Review Tribunal damages) |
| Canada | PIPEDA, AIDA, Ontario Bill 194 |
| Singapore | PDPA, Model AI Governance Framework |
Contestation
Right to challenge an automated decision.
The EU AI Act, GDPR, and several other frameworks require a workable mechanism for affected individuals to challenge automated decisions. OBEXGATE includes a structured contestation workflow that produces the record of the challenge, the human review, and the resolution as part of the audit lineage.
This is a regulatory requirement under several frameworks. It is also the artefact that demonstrates substantive compliance, not declared compliance, in regulatory inquiry.
Decommissioning
Structured system retirement, not deletion.
When a governed system is retired, OBEXGATE executes a sequenced teardown: credentials revoked, access removed, retained data purged where required, audit trail closed and sealed, identity record decommissioned. Every phase is recorded as part of the audit lineage.
This satisfies regulatory requirements for AI system disposal under EU AI Act lifecycle obligations, ISO 42001 lifecycle documentation, GDPR Article 17 right-to-erasure flows, and SOC 2 asset decommissioning controls.
See the evidence your governance would produce.
Six questions. Personalised regulatory map across the frameworks you are exposed to, statutory exposure detail, three-year operational governance cost basis. Or 30 minutes with the team.