Ways to deploy
Same enforcement. Different environments.
Deployment is driven by governance context, not technical preference. The evaluation engine is identical across every mode. The choice is about where the runtime sits, who controls the infrastructure, and what data residency requirements apply.
OBEXGATE runs inside your execution environment, not outside it.
Policy evaluation occurs in the execution path before actions are allowed to run.
If an action violates policy, it does not execute.
Observer Mode allows deployment without risk. Systems are evaluated before enforcement is activated.
When enforcement is enabled, the same evaluation layer determines what is allowed to execute.
Principle
Deployment is a governance decision, not an engineering preference.
The mode you choose depends on data residency, regulatory scope, and the level of infrastructure control your governance posture requires. Every mode runs the same enforcement engine and produces the same evidence artefacts. What changes is where the runtime sits and who controls the surrounding infrastructure.
SaaS multi-tenant
Fastest path to enforcement.
OBEXGATE-hosted, shared infrastructure. The default mode for organisations that want the runtime running in days rather than weeks. You configure governance, OBEXGATE operates the platform.
- Hosted by OBEXGATE on shared cloud infrastructure
- Multi-tenant isolation at the application layer
- Configuration, governed actions, and audit access controlled by you
- Operational maintenance and updates handled by OBEXGATE
SaaS dedicated
Single-tenant managed deployment.
OBEXGATE-hosted, but the runtime sits on infrastructure dedicated to your organisation. The right choice when isolation requirements rule out shared infrastructure but you still want OBEXGATE to operate the platform.
- Hosted by OBEXGATE, single-tenant infrastructure
- Custom rules and dedicated support
- Tenant-level isolation at the infrastructure layer
- Operational maintenance and updates handled by OBEXGATE
SDK / library mode
Embedded inside your application stack.
The OBEXGATE runtime is delivered as a library that you import directly into your application. Enforcement happens in-process. The right choice for organisations that need governance integrated at the code level rather than at a network boundary.
- OBEXGATE library imported into your application
- In-process enforcement at the function call boundary
- Full integration control retained by your engineering team
- Distribution runpacks available for Claude, GPT, Grok, and other model targets
Partner cloud
Deployed inside your cloud account.
The runtime runs inside your own AWS, Azure, or GCP account. OBEXGATE operates the software, you operate the infrastructure. The right choice when cloud spend, network policy, or key management must remain inside your existing cloud agreement.
- Runs in your AWS, Azure, or GCP account
- Infrastructure, network policy, and key management controlled by you
- Software operation and updates managed by OBEXGATE
- Direct access to your existing cloud security controls
Federated
Distributed across business units or regions.
Multiple OBEXGATE runtimes operating in parallel, each governing a local data domain, with a central policy authority coordinating rule updates. The right choice for multinationals with strict data residency requirements per region.
- Local runtime per region or business unit
- Local data residency preserved
- Central policy authority for rule consistency
- Cross-runtime audit reconciliation built in
On-prem
Your data centre. Your LLM. Full air gap available.
The runtime is installed on infrastructure your organisation controls. Supports deployment alongside customer-owned LLMs. The right choice for environments where no external dependency is permitted, including classified, defence, and critical infrastructure contexts.
- Installed on your data centre infrastructure
- Supports your own LLM deployment
- Full air-gap option, no external dependency
- You control the entire stack
Sovereign cloud
Jurisdiction-bound, controlled encryption, in-region processing.
Deployment inside a sovereign cloud environment, with all data processing bound to a specific jurisdiction and encryption keys controlled by the deploying entity. The right choice for government, public sector, and regulated industries with hard sovereignty requirements.
Data does not leave its jurisdictional boundary unless explicitly configured to do so.
Control is maintained within your infrastructure boundary. No external system is required to enforce decisions.
- Jurisdiction-bound processing
- Customer-controlled encryption keys
- In-region operations and data storage
- Government and public sector certification paths
What does not change
The evaluation engine is identical across all modes.
Deployment topology does not change enforcement behavior. Only where it runs.
- Enforcement before execution
- Same evaluation logic across deployments
- Decision trace produced as a side effect
- Cross mapping operates on the same framework set
- Observer Mode available on every mode
Adoption pattern
Observer Mode first. Enforcement when ready.
Every paying tier ships with Observer Mode. Same evaluation engine runs, but verdicts surface as alerts rather than blocks. The team uses the alert stream to validate rules before flipping to enforce. Activation is a flag, not a redeploy.
EVF can be used before deployment to produce the diagnostic artefact your governance, legal, audit, and implementation teams need before enforcement is activated.
Discovery before enforcement
Visibility first.
OBEXGATE Shadow AI Discovery identifies unregistered agents, hidden workflows, and unmanaged dependencies before any enforcement is enabled. This allows the team to prioritise risk handling and bring discovered systems under governance before flipping the runtime to enforce.
See which mode fits your environment.
Six questions. Personalised regulatory map, three-year operational governance cost basis, statutory exposure. Or 30 minutes with the team to walk through deployment scoping.