Skip to main content
Governance is the layer that turns “we can see what the agent does” into “we know it’s allowed to do that”. Use it to enforce policies before runs reach users, score risk per app, gather evidence with a review workflow, and run repeatable assessments.

What’s inside

Policies

Define and assign governance rules, evaluate them against runs, score compliance.

Evidence

Collect, review, and approve evidence — automated or manual.

Assessments

Dynamic questionnaires with weighted scoring.

Risk Dashboard

Six-dimensional risk score per app, rolled up to the org.

AI Registry

Catalogue of models, deployments, and ownership.

How governance fits together

The AI Registry is the inventory layer — what exists in your portfolio. Policies and Assessments produce the inputs to risk scoring. Evidence is the artefact layer that proves controls are met. Risk rolls up the four into a single per-app score, and Compliance translates the score into framework-specific status.

When to start where

MaturityStart with
You just got Observatory runningAI Registry — catalogue what you have before governing it.
You have telemetry but no controlsPolicies — the highest-leverage place to add guardrails.
You have policies but no audit trailEvidence — turn enforcement into proof.
You report to a risk committeeRisk Dashboard — give them one number per app.
You need formal sign-offAssessments — structured, repeatable, scoreable.

Compliance

Map controls to EU AI Act, NIST AI RMF, and ISO 42001.

Observability

The telemetry that policies and risk scoring read from.
Last modified on June 3, 2026