Features
What the system actually does.
Enforcement across the full AI lifecycle. Every feature below is shipped and running in production. Components do what they say. Status is as listed.
OBEXGATE provides runtime governance infrastructure for AI decision control.
OBEXGATE does not monitor systems. It determines whether actions are allowed to execute.
These guarantees are enforced in code, not policy.
Observer Mode shows how decisions are evaluated. Enforce Mode determines what is allowed to execute.
Not features. System behaviour.
System guarantees
If an action violates policy, it does not run.
Every action is recorded, including refused actions.
No system component can verify its own output.
Every action carries a named owner.
Behavioural drift is detected before it becomes an incident.
Every action is evaluated. Every action is recorded. Every action can be stopped.
EVF Diagnostic
Paid diagnostic intake that captures governance readiness, execution boundary ownership, risk signals, EU AI Act reference posture, and priority actions before runtime enforcement begins.
Independent verification
The Witness Tetrad: separation of duties, applied to compliance.
If the same system writes the rules, observes execution, and judges whether the rules were followed, the verdict is structurally meaningless. Every system passes its own test. That is not compliance. It is theatre.
OBEXGATE prevents this by splitting verification into four roles that no single component can perform alone.
The system enforces separation between action and verification. No actor can verify its own output.
→ Deed
The agent registers. It states who it is and which rules apply to it. Registration is a claim. Claims are not proof.
→ Witness
An independent component observes what the agent actually does. The Witness does not make policy. It does not decide what is right. It reports what it sees.
→ Testimony
Observations are preserved as a structured record. Tamper-evident. Cryptographically chained. Nothing is judged here. Only preserved.
→ Arbiter
Only now does anyone decide. The Arbiter reviews the Deed against the Testimony and renders a verdict. It does not collect data. It does not observe behaviour. It decides.
Why this matters. When one component deploys, monitors, and judges, there is no independent check. Mistakes get missed. Shortcuts get taken. Problems get hidden until they become public. Splitting these roles means every verdict rests on evidence a third party can verify. That is the difference between compliance and trust.
Admission
Validates what enters the governed surface.
Before any system operates under governance, OBEXGATE checks structural requirements, policy alignment, and operational readiness. Non-compliant systems do not enter. The same gate applies whether the system was registered formally or discovered automatically.
Runtime enforcement
Every governed action evaluated before execution.
The verdict is the gate. Non-compliant actions do not commit. There is no fallback path. There is no silent failure. Enforcement is a topological property of the runtime, not a configuration setting.
Enforcement occurs before execution, not after the fact.
Distinct from advisory or monitoring tools that observe outputs after they have already executed.
Decision trace
Audit-grade reasoning record, every governed decision.
Per-action record of what was evaluated, which frameworks applied, which rule was determinative, and why the decision was made. Article-mapped. Tamper-evident. Produced as a side effect of operation rather than reconstructed from logs.
Refused actions are recorded alongside executed actions. The system does not log selectively.
Observer Mode
Same evaluation engine. Verdicts surface as alerts, not blocks.
For environments where switching enforcement on requires weeks of testing (typical in regulated enterprise), Observer Mode produces the same verdicts as full enforcement but does not block the action. The team uses the alert stream to validate rules before flipping to enforce.
Activation is a flag, not a redeploy. No second integration. Available on every paying tier.
Adoption cost. The cost of testing enforcement is the cost of enabling a flag, not the cost of a parallel deployment. This is the difference between an eight-week rollout and an eight-month one.
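The pre-execution gate, the decision trace that also records refusals, and the Observer Mode flag described above can be sketched together. This is an added illustration, not OBEXGATE code; the rule names, record fields, and function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64

# Hypothetical rules for illustration; each returns True when the action complies.
RULES = {
    "named_owner": lambda a: bool(a.get("owner")),
    "amount_limit": lambda a: a["amount"] <= 1000,
}

def digest(prev, body):
    # Each entry's hash covers the previous hash, so an edit breaks the chain.
    data = prev + json.dumps(body, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

class Trace:
    """Append-only, hash-chained decision record."""
    def __init__(self):
        self.entries = []

    def append(self, body):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"body": body, "prev": prev, "hash": digest(prev, body)})

    def verify(self):
        """Return the index of the first broken entry, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != digest(prev, e["body"]):
                return i
            prev = e["hash"]
        return None

def passes(rule, action):
    try:
        return bool(rule(action))
    except Exception:
        return False  # fail closed: a rule that errors counts as a violation

def gate(action, rules, trace, enforce, execute):
    """Evaluate first, record the verdict, then run only if permitted."""
    failed = sorted(n for n, r in rules.items() if not passes(r, action))
    verdict = "refuse" if failed else "allow"
    blocked = enforce and bool(failed)
    trace.append({"action": action.get("name"), "owner": action.get("owner"),
                  "verdict": verdict, "failed_rules": failed,
                  "mode": "enforce" if enforce else "observe", "blocked": blocked})
    if not blocked:
        execute(action)
    return verdict
```

A chain like this only detects edits if the latest hash is held or signed by a party other than the writer; whoever can rewrite every entry can also recompute every hash.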
Reflect · Drift detection
Behavioural shift detected without interrupting enforcement.
System behaviour is continuously evaluated against expected baselines. Drift is detected before it becomes a compliance event.
Drift triggers reclassification under EU AI Act Article 25 substantial-modification doctrine where applicable.
Cross mapping
One event, multiple frameworks, simultaneous evaluation.
A single governed decision is checked against every regulation that applies to it at the same time. Not sequentially. Not by selecting the most restrictive. The decision passes only if it satisfies the union of applicable obligations.
Decommissioning
Structured system retirement, fully auditable.
When a governed system is retired, OBEXGATE executes a sequenced teardown: credentials revoked, access removed, retained data purged where required, audit trail closed and sealed, identity record decommissioned. Every phase is recorded as part of the audit lineage.
| Framework | Decommissioning requirement satisfied |
|---|---|
| EU AI Act | Lifecycle obligations including post-market monitoring closure and high-risk system deregistration |
| ISO/IEC 42001 | AI management system lifecycle documentation and decommissioning controls |
| GDPR | Article 17 right-to-erasure flows, retention policy enforcement, data subject notification |
| SOC 2 | Asset decommissioning controls under common criteria, with evidence trail for auditor review |
| HIPAA | Covered entity disposal requirements where applicable, including PHI retention and destruction logs |
Shadow AI discovery
Continuously identifies what the inventory does not show.
Four surfaces scanned continuously: cloud infrastructure, network traffic, log streams, configuration stores. Discovered agents are automatically registered onto the compliance surface and become subject to evaluation, drift detection, enforcement gates, and audit trail.
Contestation
Right to challenge an automated decision.
Workflow that lets affected individuals challenge an automated decision, triggers human review, and produces a record of the challenge, the review, and the resolution as part of the audit lineage.
Required under EU AI Act, GDPR Article 22, and several other frameworks. Produces the artefact that demonstrates substantive compliance under regulatory inquiry.