Your AI policy,
running as infrastructure.
Every enterprise has an AI policy — usually a PDF nobody can enforce. Manifesto is the governance runtime between your applications and every LLM provider: the policy is declared once, enforced on every request, and proven to any auditor.
OpenAI-compatible: point any SDK at /v1 with your app key.
No SDK migration. No provider lock-in.
RUNTIME PIPELINE · REQ 0X4F2A···9C
04sanitize_input2.1ms
05retrieve11.4ms
08select_provider6.0ms
10validate_output4.8ms
12audit3.2ms
ALLOWrisk LOW · overhead p95 ≤ 500ms · evidence written
DECLARED
Policy as versioned law
Author once in MPL-lite. Publishing creates an immutable version; compliance packs can be tightened, never loosened. No override flag exists.
# gdpr-pii-baseline when: detectors.pii: { exists: true } provider.region: { notEquals: eu } then: verdict: deny
ENFORCED
Twelve stages, in-line
Identity, retrieval ACLs, sanitization at three points, provider routing, human review — decided during the request, not audited after it.
verdict: allow | deny | escalate | require_approval transform: redact · mask · rewrite directive: skip_memory · block_provider
PROVEN
Evidence, not logs
Append-only audit with content hashes — never raw text by default. Per-execution exports a regulator can hold: JSON, HTML, PDF.
audit_id: 0x4f2a···9c prompt: sha256 a3f81c···77b2 policy: gdpr-pii-baseline v1 retention: regulatory · 7y · append-only
12PIPELINE STAGES
6RUNTIME ENDPOINTS
5CI-BLOCKING GATES
≤500msOVERHEAD P95 SLO
SHA-256CONTENT HASHES