Governance

Governance built into the architecture. Not bolted on top.

The directive hierarchy, quality gates, and actor identity model are enforced inside the pre-model reasoning layer — before any downstream model responds, before any output is produced. Governance is not an audit of what happened. It is a constraint on what can happen.

Most enterprise AI governance is a separate system — a policy document, a review committee, a spreadsheet of approved models. It sits outside the AI interaction and relies on humans to enforce it after the fact.

grāmatr's governance is structural.

Five tiers. No data flows between them automatically.

grāmatr scopes intelligence and enforces policy through a five-tier hierarchy. Every cross-tier promotion requires explicit authorization, logged with the authorizing operator's identity and timestamp.

System tier

Platform defaults enforced by grāmatr. The baseline that every deployment inherits.

Enterprise tier

Organizational policies and compliance rules set by enterprise administrators. Every promotion to this tier is logged with the authorizing operator's identity and timestamp.

Team tier

Conventions and standards that team administrators have explicitly shared. Everything not shared stays private. Teams cannot inherit organizational intelligence without enterprise-tier authorization.

User tier

Intelligence built from an individual's own interactions, encrypted at rest and isolated by row-level security at the database level.

Project tier

Intelligence scoped to a specific codebase or initiative. When a project moves teams, the intelligence moves with it under the same governance.

The hierarchy is enforced at the database layer via row-level security — not the application layer. A misconfigured service cannot bypass it.
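As an added illustration (not grāmatr's own schema, which the page does not show), here is how database-layer tier isolation can be built with PostgreSQL row-level security: every query the service role runs is filtered by policy regardless of how the application constructs it, and promotion across tiers runs only through a function that logs the authorizing operator and timestamp. PostgreSQL itself, and every table, column, role and setting name below, are assumptions.

```sql
-- Added illustration, not grāmatr's own schema: tier isolation enforced with
-- PostgreSQL row-level security. Table, column, role and setting names are
-- assumptions; the service connects as a non-owner role.
CREATE TABLE intelligence (
    id         bigserial PRIMARY KEY,
    tier       text NOT NULL CHECK (tier IN ('system','enterprise','team','user','project')),
    org_id     text,
    team_id    text,
    owner_id   text,                            -- user tier: who built it
    project_id text,
    shared     boolean NOT NULL DEFAULT false,   -- team tier: explicitly shared
    payload    bytea NOT NULL                    -- encrypted at rest
);
ALTER TABLE intelligence ENABLE ROW LEVEL SECURITY;
-- The request handler sets the authenticated actor's context per transaction
-- (SET LOCAL app.user_id / app.org_id / app.team_ids / app.project_ids).
-- The policy runs on every query the service role issues, so a misconfigured
-- service cannot widen the row set it sees.
CREATE POLICY tier_read ON intelligence FOR SELECT USING (
       tier = 'system'
    OR (tier = 'enterprise' AND org_id = current_setting('app.org_id', true))
    OR (tier = 'team' AND shared
        AND team_id = ANY (string_to_array(current_setting('app.team_ids', true), ',')))
    OR (tier = 'user' AND owner_id = current_setting('app.user_id', true))
    OR (tier = 'project'
        AND project_id = ANY (string_to_array(current_setting('app.project_ids', true), ',')))
);
-- Direct writes are confined to the caller's own user tier.
CREATE POLICY tier_write ON intelligence FOR INSERT WITH CHECK (
    tier = 'user' AND owner_id = current_setting('app.user_id', true)
);
-- Cross-tier promotion has exactly one path: an owner-privileged function
-- (the table owner is not subject to RLS) that records who authorized it.
CREATE TABLE tier_promotions (
    intelligence_id bigint NOT NULL REFERENCES intelligence(id),
    from_tier       text NOT NULL,
    to_tier         text NOT NULL,
    authorized_by   text NOT NULL,               -- authorizing operator identity
    authorized_at   timestamptz NOT NULL DEFAULT now()
);
CREATE FUNCTION promote_to_team(p_id bigint, p_team text, p_operator text)
RETURNS void LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    UPDATE intelligence SET tier = 'team', team_id = p_team, shared = true
     WHERE id = p_id AND tier = 'user';
    INSERT INTO tier_promotions (intelligence_id, from_tier, to_tier, authorized_by)
    VALUES (p_id, 'user', 'team', p_operator);
$$;
REVOKE EXECUTE ON FUNCTION promote_to_team(bigint, text, text) FROM PUBLIC;
CREATE ROLE gramatr_service NOLOGIN;               -- never the table owner
GRANT SELECT, INSERT ON intelligence TO gramatr_service;
GRANT EXECUTE ON FUNCTION promote_to_team(bigint, text, text) TO gramatr_service;
```

Because the policies are attached to the table rather than the application, a service that forgets a WHERE clause or sets the wrong context sees fewer rows, never more.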

Every request generates a governance artifact before any model responds.

That artifact is the contract for the request. It is immutable once issued and cannot be revised after the output is produced. The pre-classification routing architecture is patent-pending.

Effort level

One of 7 effort levels, from instant lookup to comprehensive project, so compute is right-sized on every request.

Intent classification

The kind of work being requested, determined by trained classifiers that run in under 100ms.

Behavioral directives

The specific rules and constraints relevant to this request, drawn from the appropriate tier of the hierarchy.

Quality gate criteria

Typed PASS/FAIL standards set before the work begins, not after. Every criterion produces an evidence artifact — not a judgment call.

Set before the work. Verified against evidence. Recorded permanently.

Quality gates are set before any model responds. They are not a post-hoc review mechanism.

Each gate defines typed criteria — specific, evaluable standards the output must meet. When the work completes, each criterion produces a PASS or FAIL with an evidence artifact: a file path and line number, a command output, a diff snippet. A passing verdict requires evidence, not a judgment call.

The gate log is queryable per-user, per-team, per-project, and per-time-range. Every governed output produces a verifiable record that ties the output to the governance contract that was in force when it was produced.

Who made every request — recorded at the infrastructure layer.

grāmatr records who made every request before any model responds. The authenticated actor is identified and logged at the infrastructure layer — not inferred from application context after the fact. This is the first question a regulator or auditor asks. grāmatr answers it before the question is asked.

actor: <agent>/<tier> for automated agents; the authorizing operator's email for any human-approved action
resource: the system or object affected
action: the specific operation
outcome: pass, fail, or warning
metadata: structured JSON block linking the event to its change ticket and execution ID

Two distinct surfaces. One for SOC 2. One for the EU AI Act.

Infrastructure audit log — SOC 2 evidence stream

Every action in grāmatr infrastructure — by human operators or automated agents — is written to a tamper-resistant, append-only ClickHouse log with INSERT-only credentials. No UPDATE or DELETE permissions on the audit writer role. Records are retained for 2 years in hot storage and 7 years in cold archive. Queryable via ClickHouse SQL (JSON, CSV, or Parquet) or the compliance events REST API.

Platform intelligence telemetry — AI Act transparency layer

Every AI interaction generates a per-request telemetry record: actor identity, intent classification, model selected, directives applied, quality gate criteria set, quality gate verdict with evidence, token consumption, and cost. This is the audit surface that supports EU AI Act Article 13 transparency requirements — documenting not just who acted, but what governance contract was in force and whether the output met it.

grāmatr keeps two retention clocks, deliberately different. The governance audit trail — classification outcome, directives applied, gate verdict, token consumption, and cost — is retained across hot and cold storage tiers measured in years, exceeding the EU AI Act's six-month minimum log-retention floor by design, with a customer-accessible export API. Session content — the context delivered and the interaction payload — is held separately and minimized to 60 days by default, configurable to your application's needs, preserving the GDPR data-minimization posture. The audit log is kept long for accountability; the content window short for minimization.

On-premises and private cloud deployments extend audit-trail retention for MiFID II, DORA, and multi-year EU AI Act requirements.
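An added illustration (not grāmatr's own DDL) of the append-only audit log and the two retention clocks described above: a ClickHouse table carrying the five event fields, tiered TTL for the 2-year hot / 7-year cold retention, a 60-day session-content table, and a writer role that holds INSERT and nothing else. Database, table, user, role, storage-policy and volume names are assumptions.

```sql
-- Added illustration, not grāmatr's own DDL: append-only ClickHouse audit
-- table, INSERT-only writer role, and the two retention clocks.
-- Database, table, policy, user and volume names are assumptions.
CREATE DATABASE IF NOT EXISTS compliance;

CREATE TABLE compliance.audit_events
(
    event_time DateTime('UTC'),
    actor      String,   -- '<agent>/<tier>' or the authorizing operator's email
    resource   String,   -- system or object affected
    action     String,   -- specific operation
    outcome    Enum8('pass' = 1, 'fail' = 2, 'warning' = 3),
    metadata   String    -- JSON: change ticket, execution ID, ...
)
ENGINE = MergeTree
PARTITION BY toYYYYMM(event_time)
ORDER BY (event_time, actor)
-- Clock 1: 2 years on the hot volume, then cold archive, dropped after 7 years.
-- Assumes a storage policy 'audit_tiered' with volumes 'hot' and 'cold'.
TTL event_time + INTERVAL 2 YEAR TO VOLUME 'cold',
    event_time + INTERVAL 7 YEAR DELETE
SETTINGS storage_policy = 'audit_tiered';

-- Clock 2: session content is minimized to 60 days by default.
CREATE TABLE compliance.session_content
(
    event_time   DateTime('UTC'),
    execution_id String,
    context      String,  -- context delivered to the model
    payload      String   -- interaction payload
)
ENGINE = MergeTree
ORDER BY (execution_id, event_time)
TTL event_time + INTERVAL 60 DAY DELETE;

-- The writer can only append: no ALTER (mutations), DROP or TRUNCATE.
CREATE ROLE audit_writer;
GRANT INSERT ON compliance.* TO audit_writer;
CREATE USER audit_svc IDENTIFIED WITH sha256_password BY '<placeholder-secret>';
GRANT audit_writer TO audit_svc;
SET DEFAULT ROLE audit_writer TO audit_svc;

-- Auditors read; the same query can be exported with FORMAT JSON/CSV/Parquet.
CREATE ROLE audit_reader;
GRANT SELECT ON compliance.audit_events TO audit_reader;
-- Any mutation by audit_svc, e.g. ALTER TABLE compliance.audit_events DELETE
-- WHERE ..., is refused with "Not enough privileges": ALTER was never granted.
```

A simple auditor check is to attempt an ALTER ... DELETE as audit_svc and confirm it is denied, and to read the table's TTL from system.tables to verify both retention clocks are what the policy says.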

grāmatr maps directly to the four NIST AI RMF functions.

Govern

Tiered directive hierarchy, org-level policy enforcement, version-controlled governance records

Map

Pre-classification of every request — intent identified, risk scope determined before models engage

Measure

Typed quality gates with PASS/FAIL evidence on every output

Manage

Append-only audit trail, out-of-band processing that keeps humans in the loop

NIST CSF alignment documentation available for enterprise review on request.

Where we stand today. Where we are headed.

SOC 2 Type I

Targeting Oct 15, 2026

Every control mapped, version-controlled, and reviewed through pull requests from the program's first commit. Evidence pack maintained continuously as code, not assembled the night before.

SOC 2 Type II

Targeting Apr 15, 2027

Data collection begins following Type I completion. Current compliance status and evidence pack available for enterprise due diligence under NDA.

NIST AI RMF

Full mapping

All four functions — Govern, Map, Measure, Manage — documented and mapped to grāmatr architecture. Available for enterprise review on request.

EU AI Act Article 13

Architecture supports Art. 13

Per-request telemetry supports the Article 13 transparency obligations that apply to providers of high-risk AI systems — actor identity, intent, directives applied, quality gate verdict, cost. Risk classification and applicability scoping available under NDA; audit export included.

HIPAA

Architecture aligned

PHI-covered workloads run on private cloud or on-premises only — infrastructure you control. BAA execution follows infrastructure ownership: your organization, or your implementation partner where they operate the deployment, executes the BAA. grāmatr does not process PHI on its cloud infrastructure and is never a party to the BAA. Current status available under NDA for healthcare prospects.

MiFID II / DORA

Configurable retention

Configurable multi-year retention on on-premises and private cloud deployments. Talk to us about your specific jurisdiction.

We do not claim certifications we do not hold. Current status and target dates are available under NDA — contact [email protected].

NIST AI RMF function mapping: Available
NIST 800-53 to SOC 2 TSC control mapping: Available
Intelligence contract specification: Available
Quality gate framework documentation: Available
EU AI Act Article 13 compliance brief: Available
SOC 2 Type I audit report: Oct 15, 2026
SOC 2 Type II audit report: Apr 15, 2027

Contact [email protected] to request under NDA.

The governance architecture is built. The evidence is verifiable.

If your procurement, legal, or audit function needs to verify what grāmatr's governance actually covers — we will walk you through it.