Early access

The control point for every AI request in your organization.

AssuranceOps sits between your applications and every model provider — enforcing policy, blocking what isn't approved, and recording an immutable audit trail. Self-hosted. Fails closed by default.

Apache-2.0 · self-hosted · deploy in your own infrastructure

POST /v1/chat/completions 403 blocked
{
"error": {
"type": "assuranceops_governance",
"code": "model_not_allowed",
"message": "model not permitted by policy",
"matched_rule": "deny:*-vision*"
}
}

A live policy denial — before any tokens are spent.

Why this exists

Every AI request should have an owner, a policy, and a record.

Shadow AI usage

Any team can call any model provider, enable any tool, or connect any MCP server — with no central record.

No audit trail

When compliance asks who used AI, for what, and at what cost, there is no answer to give them.

Policy without enforcement

Approved-model lists live in a wiki. Nothing in the request path actually stops a violation.

How it works

One gateway, in front of every provider.

Your apps & agents
MCP-based agents
AssuranceOps Gateway
01 Authenticate 02 Enforce policy 03 Route 04 Audit
reads policy from config / YAML writes to the audit trail — JSONL · Postgres
Allowed
forwarded unmodified
Denied
blocked before a token is spent
allowed requests continue to
OpenAI · Anthropic · MCP servers
01

Authenticate

Clients hold virtual keys. Real provider credentials never leave the gateway.

02

Enforce policy

Providers, models, tools, MCP servers, input size, and budgets are evaluated per request.

03

Forward or block

Allowed requests pass through unmodified. Denied requests fail before a token is spent.

04

Audit

Every request is written to an immutable trail, priced, and attributed by activity.

What's in the gateway today

Governance, built into the request path.

Policy engine

Allow/deny rules over providers, models, tools, and MCP servers — per team. Deny always wins; default-deny allow-lists.

Immutable audit trail

Structured logs, append-only JSONL, and optional Postgres. Every request recorded, nothing overwritten.

Usage, cost & budgets

Per-request USD attribution from a config-driven price model, with daily or monthly caps enforced inline.

MCP proxy governance

Agents connect through the gateway. Tool lists are filtered, and every call is policy-checked, audited, and PII-scanned.

PII / PHI detection

Pattern-based scanning on request input and, optionally, the model's response — SSN, card numbers, email, phone. Only the kind is recorded, never the value.

Prompt registry & quality

Versioned, policy-gated templates with typed variables, static lint scores, and runtime quality metrics.

Multi-cloud & self-hosted providers

Azure OpenAI, AWS Bedrock, and Google Vertex AI — plus self-hosted vLLM, Ollama, Together, and Groq — governed identically to OpenAI and Anthropic.

Tamper-evident audit

Every record is SHA-256 hash-chained to its predecessor. One endpoint proves the chain intact; another exports an archivable evidence attestation.

Identity provider integration

Entra ID, Okta, Google Workspace, and ADFS JWTs, with directory groups mapped to policy. Every record carries the actual user, not just a key.

Cloud-app governance (CASB)

An approved-app catalog enforced by an inline forward proxy and decision API, with a shadow-IT discovery feed for what is not yet catalogued.

Proactive alerting

Webhook notifications to Slack, Teams, or a generic endpoint on budget breaches, denial spikes, and sensitive-data blocks — with per-rule cooldowns.

Per-user budgets & rate limits

An optional cap per key or user on top of the policy budget, plus token-bucket rate limits — over-limit requests get 429 before any upstream call.

Inside the gateway

Enforcement you can trace — on infrastructure you control.

How a request is judged

Every request runs the same ordered gates. Deny always wins, and each allow-list is default-deny — anything not explicitly permitted is rejected.

Authenticated request
pass
01 Provider On the approved provider allow-list? deny → 403
pass
02 Model Permitted for this caller and route? deny → 403
pass
03 Tools & MCP Requested tools and MCP servers allowed? deny → 403
pass
04 Limits Within input-size and budget caps? deny → 403
pass
05 Data PII / PHI policy satisfied for this route? deny → 403
all gates pass
Allowed — forwarded unmodified, then written to the audit trail.

Self-hosted by design

The gateway, your policy, and the entire audit trail run inside your own infrastructure. Provider credentials and request data never leave it.

Your infrastructure
AssuranceOps Gateway
Policy
config · YAML
Audit trail
JSONL · Postgres
only approved traffic leaves · credentials never do
Model providers · MCP servers
See it in action

Every governed request, visible in one place.

AssuranceOps — Governance Dashboard
localhost:8080/admin
AssuranceOps governance dashboard
Last 7 days
Requests
12,406
11,980 allowed · 14 upstream errors
Denied by policy
212
1.7% of requests
Total tokens
3.2M
2.1M in · 1.1M out
Spend
$184.32
priced models only
Requests per bucket
Top models by tokens
claude-3-5-sonnet
1.4M
gpt-4o-mini
980K
gpt-4o
612K

The built-in dashboard at /admin — shown with sample data.

Compliance

Fail-closed policy packs for regulated environments.

Three starter packs pre-wire policy controls to named regulatory requirements. Every allow-list ships empty or as a placeholder — your team names the approved providers, models, and prompt templates before it goes live.

HIPAA

Restrictive-by-default baseline for protected health information — provider and model allow-lists scoped to your BAA, PHI detection that blocks on match, and minimum-necessary limits on prompt templates and input size.

§164.312(a) Access control §164.312(b) Audit controls §164.502(b) Minimum necessary

GDPR

Baseline for personal data of EU/EEA subjects — provider and model allow-lists pinned to adequacy- or SCC-covered endpoints, with detection set to flag rather than block so lawful-basis processing isn't rejected outright.

Art. 5(1)(c) Minimisation Art. 30 Records Art. 44+ Transfers

FINRA / GLBA / PCI-DSS

Baseline for nonpublic personal information and cardholder data — Luhn-validated card detection, vendor-scoped provider allow-lists, and an optional full-transcript mode for books-and-records retention.

PCI-DSS Req 3/4 PCI-DSS Req 10 FINRA 4511 / SEC 17a-4

Data protection scanning

Pattern-based detection on request input, reported by kind and count only — the matched value itself is never logged or stored anywhere.

SSN Credit card · Luhn Email Phone IP address NPI DEA
Block Reject before it reaches a provider — 403, before a token is spent.
Flag Allow the request; record the detected kinds on the audit trail as evidence.
Require approved Allow only to providers explicitly approved for every kind detected; reject the rest.

Evidence, on demand

Every request — allowed or denied — writes one audit record: who made it, which policy applied, the disposition and matched rule, PII flags, and latency.

Append-only JSONL
No update or delete path from the gateway — hand it to an auditor as-is.
Queryable Postgres
Same records in SQL form, plus a summary analytics API by org and date range.
Optional full transcripts
Opt-in per policy for books-and-records — request/response bodies, PII-redacted by default, size-capped and retention-windowed.
append-only · audit.jsonl one record per request
{
"ts": "2026-07-06T14:22:08Z",
"request_id": "req_9f3ac21b",
"subject": { "user": "a.rivera", "org": "acme-clinical" },
"provider": "anthropic", "model": "claude-3-5-sonnet",
"activity": "chat_completion",
"disposition": "denied", "matched_rule": "deny:*-vision*",
"pii": ["ssn"],
"tokens": { "in": 0, "out": 0 }, "cost_usd": 0.0, "latency_ms": 3
}

One line in the append-only audit trail — attributed, priced, and policy-tagged. Denied here before a token was spent.

Compliance packs and detection accelerate the work — they are scaffolding, not legal advice or a certification. Full control mapping in docs/COMPLIANCE.md ↗.

Roadmap

Built incrementally, in the open.

01 Live

Governance gateway

Reverse proxy, virtual keys, policy enforcement, and an immutable audit trail. Fails closed.

02 Live

Usage & cost analytics

Cost attribution, spend budgets, the analytics API, the built-in dashboard, and shared counters across gateway replicas are all live.

03 In progress

Prompt registry

Versioned templates and policy-gated rendering are live; approval workflows and change history are next.

04 In progress

Prompt quality

Static lint scores and runtime metrics are live; LLM-as-judge scoring and refusal detection are next.

05 In progress

Compliance scaffolding

Framework packs, input and response PII/PHI detection, transcript capture, and MCP proxy governance are live; inline redaction and data-residency controls are next.

06 In progress

Identity & administration

OIDC/IdP integration, per-user budgets, per-principal rate limits, and proactive alerting are live; SCIM sync, live policy editing, and RBAC are next.

07 In progress

Audit integrity

The hash-chained audit trail is verifiable and exportable as evidence today; scheduled export to external immutable storage is next.

08 In progress

Cloud-app governance

The approved-app catalog, forward-proxy enforcement, decision API, and shadow-IT discovery are live; payload inspection on the forward-proxy path is next.

Help build the governance layer for enterprise AI.

Join early access to self-host the gateway, shape the roadmap, and govern your organization's AI traffic from day one.

or view the source on GitHub ↗