How it works
Eight steps. One continuous system.
OBEXGATE does not run after the fact. It evaluates, enforces, records, and adapts in real time. Every governed action passes through the same pipeline, every time.
Not monitoring. Enforcement.
Step 1 · Discovery
Find what is actually running.
Most AI governance starts by assuming it knows what is in scope. That assumption is false in every environment we have looked at. OBEXGATE identifies AI agents and workflows in operation: registered systems, unregistered agents, embedded AI inside workflows.
Four surfaces are scanned continuously: cloud infrastructure, network traffic, log streams, and configuration stores. Unmanaged systems are surfaced and classified before they are governed.
Step 2 · Admission
Validate before operating.
Discovered systems and registered systems both pass through admission before they are allowed to operate under governance.
- Structural requirements: scope, owner, authority, data class
- Policy alignment: applicable frameworks, jurisdictional fit, control coverage
- Operational readiness: observability, contestation surface, decommissioning path
Non-compliant systems do not enter the governed surface. The same gate applies whether the system was discovered or formally registered.
Step 3 · Evaluation
Every action checked against every applicable rule.
Every governed action is submitted for evaluation before execution. Three layers run simultaneously:
- Regulatory frameworks: every regulation that applies to the action, mapped to the article or principle that governs it
- Internal policy: organisational rules, role authority, exception handling
- Control logic: technical conditions, data class constraints, environmental requirements
Evaluation completes in real time. Cross-mapping ensures one decision is checked against multiple frameworks simultaneously, not sequentially.
Step 4 · Enforcement
If it does not meet requirements, it does not execute.
The verdict is the gate. There is no fallback path. There is no silent failure. The action either passes the gate or does not commit. The architecture is non-bypassable: a runtime-owned commit authority, no state mutation outside the verification gate.
Adoption note. Observer Mode runs the same evaluation engine and shows how decisions are evaluated before enforcement is activated. Actions are not blocked in this mode. When enforcement is enabled, actions that violate policy do not execute. Activation is a flag, not a redeploy.
Step 5 · Decision trace
Every decision produces a structured record.
Each action produces a record of what was evaluated, which frameworks applied, which rule was determinative, and why the decision was made. The record is tamper-evident, article-mapped, and continuously produced.
Both executed and refused actions are recorded. The system does not log selectively.
No system component can verify its own output. Evidence is produced independently of the actor that generated the action.
This becomes the audit-grade evidence regulators ask for, assembled as a side effect of operation rather than reconstructed later.
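The gate-and-trace structure described in Steps 3 to 5 (all evaluation layers run in one pass, the verdict is the only path to a state change, and allowed and refused actions are both recorded in a tamper-evident log) can be sketched in a few dozen lines. The sketch below is an added illustration written for this page, not OBEXGATE's code; the layer functions, rule identifiers (`REG-XBORDER` and the others), `Store`, `Gate`, the `enforce` flag that stands in for Observer Mode versus Enforce Mode, and the hash-chained `DecisionTrace` with its `seal()` step (the "closed and sealed" audit trail of Step 8) are all assumptions made for the example. Rules and sample actions are constructed.

```python
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    actor: str        # agent or workflow identity
    operation: str    # e.g. "export"
    data_class: str   # e.g. "personal", "internal"
    destination: str  # e.g. "eu-s3", "us-s3"


@dataclass(frozen=True)
class Finding:
    layer: str     # "regulatory", "policy" or "control"
    rule: str      # constructed rule id standing in for an article / policy / control
    allowed: bool
    reason: str


# Three evaluation layers. Every action runs through all of them in one pass.
def regulatory_layer(a):
    # Constructed rule: personal data may only be sent to EU destinations.
    ok = not (a.data_class == "personal" and not a.destination.startswith("eu-"))
    return [Finding("regulatory", "REG-XBORDER", ok, "personal data must stay in EU destinations")]


def policy_layer(a):
    # Constructed rule: only actors with a reporting role may export.
    ok = a.operation != "export" or a.actor.startswith("reporting-")
    return [Finding("policy", "POL-EXPORT-ROLE", ok, "export requires a reporting role")]


def control_layer(a):
    # Constructed rule: the destination must be a known store.
    ok = a.destination in {"eu-s3", "us-s3"}
    return [Finding("control", "CTL-KNOWN-DEST", ok, "unknown destination")]


class DecisionTrace:
    """Append-only log; each entry's hash covers the previous entry's hash (tamper-evident)."""

    def __init__(self):
        self.entries = []
        self.sealed = False

    def append(self, record):
        if self.sealed:
            raise RuntimeError("trace is sealed")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"prev": prev, **record}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "hash": digest})

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def seal(self):
        # Final entry closes the chain; nothing can be appended afterwards.
        self.append({"event": "seal"})
        self.sealed = True
        return self.entries[-1]["hash"]


class Store:
    """Governed state. Writes require the commit token that only the gate holds."""

    def __init__(self, authority):
        self._authority = authority
        self.rows = []

    def commit(self, token, action):
        if token is not self._authority:
            raise PermissionError("state mutation outside the verification gate")
        self.rows.append(action)


class Gate:
    def __init__(self, layers, trace, enforce):
        self.layers = layers
        self.trace = trace
        self.enforce = enforce        # False models Observer Mode: evaluate and record, never block
        self._authority = object()    # commit token; never handed to callers
        self.store = Store(self._authority)

    def submit(self, action):
        findings = [f for layer in self.layers for f in layer(action)]
        determinative = next((f for f in findings if not f.allowed), None)  # first failing rule
        verdict = "allow" if determinative is None else "refuse"
        executed = verdict == "allow" or not self.enforce
        if executed:
            self.store.commit(self._authority, action)  # the only write path
        record = {"event": "decision", "actor": action.actor, "operation": action.operation,
                  "verdict": verdict, "executed": executed, "enforce": self.enforce,
                  "rules": [f.rule for f in findings],
                  "determinative": determinative.rule if determinative else None,
                  "reason": determinative.reason if determinative else "all layers passed"}
        self.trace.append(record)  # allowed and refused actions are both recorded
        return record
```

The point the sketch makes is structural rather than about the toy rules: callers never receive the commit token, so the store cannot be written without a verdict, and a refused action still leaves a chained record that `verify()` will flag if any earlier entry is edited. In Observer Mode (`enforce=False`) the same evaluation and the same record are produced; only the `executed` field changes.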
Step 6 · Continuous monitoring
Conditions remain valid, or they do not.
The system tracks behaviour, system state, and compliance alignment continuously. Conditions that were valid at admission can become invalid as the system runs. Monitoring catches that shift before the next governed action executes.
Step 7 · Reflect
Drift detection that informs policy without interrupting enforcement.
Post-execution intelligence runs alongside the enforcement loop. It identifies behavioural drift, inconsistencies between intent and execution, and policy gaps. The output feeds policy updates and governance review.
Reflect continuously observes system behaviour against expected baselines. Drift is identified before it becomes an incident. Reflect does not interfere with the runtime gate but feeds back into policy over time.
Step 8 · Decommissioning
Structured retirement, not deletion.
When a governed system is retired, OBEXGATE executes a sequenced teardown: credentials revoked, access removed, retained data purged where required, audit trail closed and sealed, identity record decommissioned. Every phase is recorded as part of the audit lineage.
This satisfies regulatory requirements for AI system disposal under EU AI Act lifecycle obligations, ISO 42001 lifecycle documentation, GDPR Article 17 right-to-erasure flows, and SOC 2 asset decommissioning controls.
Continuity
One continuous system, not eight separate stages.
Discovery feeds enforcement. Enforcement produces evidence. Evidence informs policy. Policy updates the rules that the next discovery match will be evaluated against. Governance is active at every decision point, not at audit time.
See it running on your environment.
Observer Mode shows how your system behaves. Enforce Mode determines what is allowed to run.
If an action violates policy, it does not run.
Answer six questions and receive a personalised regulatory map, a three-year operational governance cost basis, and your statutory exposure, delivered to your inbox.