AssuranceOps sits between your applications and every model provider — enforcing policy, blocking what isn't approved, and recording an immutable audit trail. Self-hosted. Fails closed by default.
Apache-2.0 · self-hosted · deploy in your own infrastructure
A live policy denial — before any tokens are spent.
Any team can call any model provider, enable any tool, or connect any MCP server — with no central record.
When compliance asks who used AI, for what, and at what cost, there is no answer to give them.
Approved-model lists live in a wiki. Nothing in the request path actually stops a violation.
Clients hold virtual keys. Real provider credentials never leave the gateway.
Providers, models, tools, MCP servers, input size, and budgets are evaluated per request.
Allowed requests pass through unmodified. Denied requests fail before a token is spent.
Every request is written to an immutable trail, priced, and attributed by activity.
Allow/deny rules over providers, models, tools, and MCP servers — per team. Deny always wins; default-deny allow-lists.
Structured logs, append-only JSONL, and optional Postgres. Every request recorded, nothing overwritten.
Per-request USD attribution from a config-driven price model, with daily or monthly caps enforced inline.
Agents connect through the gateway. Tool lists are filtered, and every call is policy-checked, audited, and PII-scanned.
Pattern-based scanning on request input and, optionally, the model's response — SSN, card numbers, email, phone. Only the kind is recorded, never the value.
Versioned, policy-gated templates with typed variables, static lint scores, and runtime quality metrics.
Azure OpenAI, AWS Bedrock, and Google Vertex AI — plus self-hosted vLLM, Ollama, Together, and Groq — governed identically to OpenAI and Anthropic.
Every record is SHA-256 hash-chained to its predecessor. One endpoint proves the chain intact; another exports an archivable evidence attestation.
Entra ID, Okta, Google Workspace, and ADFS JWTs, with directory groups mapped to policy. Every record carries the actual user, not just a key.
An approved-app catalog enforced by an inline forward proxy and decision API, with a shadow-IT discovery feed for what is not yet catalogued.
Webhook notifications to Slack, Teams, or a generic endpoint on budget breaches, denial spikes, and sensitive-data blocks — with per-rule cooldowns.
An optional cap per key or user on top of the policy budget, plus token-bucket rate limits — over-limit requests get 429 before any upstream call.
Every request runs the same ordered gates. Deny always wins, and each allow-list is default-deny — anything not explicitly permitted is rejected.
The gateway, your policy, and the entire audit trail run inside your own infrastructure. Provider credentials and request data never leave it.
The built-in dashboard at /admin — shown with sample data.
Three starter packs pre-wire policy controls to named regulatory requirements. Every allow-list ships empty or as a placeholder — your team names the approved providers, models, and prompt templates before it goes live.
Restrictive-by-default baseline for protected health information — provider and model allow-lists scoped to your BAA, PHI detection that blocks on match, and minimum-necessary limits on prompt templates and input size.
Baseline for personal data of EU/EEA subjects — provider and model allow-lists pinned to adequacy- or SCC-covered endpoints, with detection set to flag rather than block so lawful-basis processing isn't rejected outright.
Baseline for nonpublic personal information and cardholder data — Luhn-validated card detection, vendor-scoped provider allow-lists, and an optional full-transcript mode for books-and-records retention.
Pattern-based detection on request input, reported by kind and count only — the matched value itself is never logged or stored anywhere.
Every request — allowed or denied — writes one audit record: who made it, which policy applied, the disposition and matched rule, PII flags, and latency.
One line in the append-only audit trail — attributed, priced, and policy-tagged. Denied here before a token was spent.
Compliance packs and detection accelerate the work — they are scaffolding, not legal advice or a certification. Full control mapping in docs/COMPLIANCE.md ↗.
Reverse proxy, virtual keys, policy enforcement, and an immutable audit trail. Fails closed.
Cost attribution, spend budgets, the analytics API, the built-in dashboard, and shared counters across gateway replicas are all live.
Versioned templates and policy-gated rendering are live; approval workflows and change history are next.
Static lint scores and runtime metrics are live; LLM-as-judge scoring and refusal detection are next.
Framework packs, input and response PII/PHI detection, transcript capture, and MCP proxy governance are live; inline redaction and data-residency controls are next.
OIDC/IdP integration, per-user budgets, per-principal rate limits, and proactive alerting are live; SCIM sync, live policy editing, and RBAC are next.
The hash-chained audit trail is verifiable and exportable as evidence today; scheduled export to external immutable storage is next.
The approved-app catalog, forward-proxy enforcement, decision API, and shadow-IT discovery are live; payload inspection on the forward-proxy path is next.
Join early access to self-host the gateway, shape the roadmap, and govern your organization's AI traffic from day one.