RegulatedRuntime
Request brief
ENTERPRISE RUNTIME ENFORCEMENT

Runtime enforcement for AI that can act.
Not just logs.

Probabilistic models inside deterministic platforms create a new failure class: confidently wrong behavior at scale. RegulatedRuntime is the Runtime Control Plane and Policy Enforcement Point (PEP) that keeps execution bounded, evidence-complete, replayable, and incident-ready.

View the Control Plane See Evidence Artifacts Integration Specs
SUMMARY
What it is: A lightweight enforcement sidecar that sits in the execution path for agents, tools, and retrieval.
What it does: Enforces decision-time authorization, provenance gates, and idempotent execution, producing deterministic evidence that can be reconstructed and replayed.
Why it matters: In regulated systems, logs describe outcomes, not causality. Auditors and incident responders need proof of what was allowed, under which policy, with which inputs, and what executed.

Technical Resources

V1.0.4 SPECIFICATIONS
CORE THESIS

The Determinism Gap

Why probabilistic agents fail production audits in deterministic, regulated environments — and why runtime control must sit in the execution path.

Download PDF Request complete set
Includes: failure taxonomy, enforcement thesis, decision-time evidence requirements.
ARCHITECTURE SPEC
Reference Architecture: Runtime PEP Integration Patterns
Sidecar placement, fail-closed vs fail-open, latency budget, async evidence pipeline.
DATA GOVERNANCE
The R-JSON Schema: Evidence for Regulated Inference
Field-level breakdown, provenance binding, hash strategy, audit reconstruction primitives.
DEVELOPER GUIDE
Integration Guide: Adapting to LangChain & Custom Orchestrators
Interception middleware, SDK shapes, minimal adoption path, safe defaults.

The “Confidently Wrong” Trap

Uptime dashboards stay green while behavior drifts. Standard logs capture outputs, not the state that created them. We bind policy, identity, and retrieval state at the decision moment.

Retrieval Is a Security Boundary

RAG can ingest stale, poisoned, or unauthorized content. We enforce provenance, allowlists, and staleness budgets before inference and before actions.

Tool Calls Turn Mistakes Into Incidents

Retries duplicate side effects (double billing, duplicate tickets, repeated emails). We enforce idempotency keys, rate limits, blast-radius caps, and a global kill switch.

PRODUCTION FAILURE TAXONOMY (WHAT WE SEE IN REAL ENTERPRISE RUNTIMES)
Behavior is wrong, system looks “healthy”
No hard gates, no replayable trail, no causality chain. Hours to detect, days to root-cause.
Agent gets more authority than the user
Tool permissions aren’t scoped to delegation / tenant / task context. Privilege inflation.
Each step allowed, chain not reviewed
Individually-approved calls compose into an unreviewed capability.
Retrieval becomes the attack path
Poisoned or stale docs feed “wrong truth” into the system. Clean execution, wrong outcome.

The AI Control Plane

Governance is not a document. It is a runtime capability. RegulatedRuntime sits in the execution path to bind policy, identity, retrieval, and tool intent into a single immutable decision record.

1) Runtime Policy Enforcement Point (PEP)

Every sensitive read and every tool call is a privilege boundary. We evaluate who is calling, what operation, on which scope, under which policy version, with which risk state.

2) Tool Gateway & Safe Execution

We validate inputs, enforce operation-scoped permissions (not “whole tool allowed”), rate-limit actions, and require approvals for high-risk operations.

3) Retrieval Governance

Provenance-tagged chunks, allowlisted sources per task, freshness checks, and redaction before prompt assembly. If evidence is missing, the system downgrades to “explain-only”.

4) Containment: Safe Mode + Kill Switch

When injection signals spike or anomalies rise, globally degrade agents to read-only or approval-required without redeploying application code.

APP LAYER Orchestrator / Agent
↓ PROPOSED ACTION ↓
RegulatedRuntime (PEP)
• Identity and Delegation
• Policy and Obligations
• Provenance and Freshness
• Risk Gates and Approvals
• Idempotency and Caps
↓ VERIFIED TOOL CALL ↓
INFRA LAYER Tool Gateway / DB / APIs
> Mode: ENFORCED
> Policy: EU_DATA_RESIDENCY_V4.1
> Obligation: PII_MASK_AT_INGRESS
> Capability: jira.create_ticket (scoped)
> Idempotency Key: req_99a_safe

Integration Specs

Designed as a substrate that does not replace your models, governance tooling, or identity stack. It adds decision-time control points so regulated execution is auditable, bounded, and incident-ready.

Deployment Model

Sidecar / middleware in front of model calls, retrieval, and tools. Works for agent frameworks and custom orchestrators.

COMPATIBILITY
• Designed to sit beneath existing AI stacks as a runtime control substrate, not a replacement layer
• Integrates with established data, identity, and execution planes already present in large enterprises
• Operates across heterogeneous inference runtimes and orchestration models without architectural coupling
• Leverages existing authorization, audit, and observability investments rather than duplicating them
• Provides a consistent enforcement and evidence layer across tools, workflows, and regulated operations

Authorization Semantics

Policy answers “allowed?”; execution answers “safe to run?”. We implement runtime checks in the order that matters.

1) Agent identity: can this workload run the tool at all?
2) Delegation: can it run on behalf of this user / tenant / environment?
3) Capability scope: which operations exactly (create vs delete)?
4) Data scope: row/column filters, classification, purpose-limits.
5) Risk gates: downgrade to read-only, require approval, or block.

Safe Execution Patterns (Non-Negotiables)

Two-phase execution
Model proposes plan. Policy and approvals gate. Execute with bounded scope.
Idempotency for every write
All state changes must be safe to retry; duplicates are rejected at the gateway.
Default to read-only under risk
Injection, anomaly, or uncertainty spikes. Tools disabled. Explain-only behavior.
Blast-radius caps
Hard ceilings: max tool calls, max writes per session, max affected entities.

The Evidence Artifact

A reconstructible ledger of what happened at execution time: which policy version was active, what was retrieved, what was redacted, what was attempted, what was allowed, and what was blocked.

Scenario: Cross-Border Data Access (GDPR / Residency)
STATUS: VERIFIED

The Challenge

An EU regulator asks for proof that German customer data was processed on EU-based nodes and that PII was masked before entering inference. Standard logs miss the “pre-process” state and policy version binding.

Runtime Guarantees

  • Policy binding, including version and obligations
  • Geofencing verification
  • Pre-inference PII masking proof
  • Provenance + staleness checks for retrieval
"decision_trace": { "timestamp": "2025-06-12T14:30:00Z", "identity": { "workload": "agent_credit_ops", "tenant": "bank_eu_prod" }, "policy_binding": { "active_policy": "EU_DATA_RESIDENCY_V4.1", "enforcement_mode": "BLOCK_ON_VIOLATION", "obligations": ["PII_MASK_AT_INGRESS", "ROUTE_TO_EU_ONLY"] }, "retrieval_provenance": [ { "source_id": "doc_892_germany_guidelines.pdf", "classification": "INTERNAL_CONFIDENTIAL", "staleness_budget_days": 30, "staleness_check_passed": true } ], "compliance_check": { "data_subject_region": "EU_DE", "execution_region": "EU", "pii_masked_at_ingress": true }, "tool_execution": { "tool_name": "core_banking_ledger", "operation": "credit_check_read", "idempotency_key": "req_5592_retry_1" }, "outcome_hash": "sha256:8f92a..." }
Scenario: Fair Lending Dispute (Decision Replay)
STATUS: REPLAYABLE

The Challenge

A customer disputes a decision from months ago. The model, prompts, and retrieval corpus have changed. You must prove what the system saw then, under which policy, and which tool operations were executed.

Runtime Guarantees

  • Policy version binding + obligations applied
  • RAG snapshot (chunk IDs + provenance)
  • Deterministic replay inputs (hashes)
  • Tool call chain with idempotency keys
"decision_trace": { "decision_id": "tx_892_af3", "timestamp_utc": "2025-09-18T09:11:00Z", "model_state": { "inference_runtime": "enterprise_inference_gateway", "model_release": "sha256:model_prod_2025_09" }, "active_policy": { "id": "FAIR_LENDING_POLICY_V2.1", "jurisdiction": "US_NY", "obligations": ["RECORD_REASON_CODES", "LIMIT_PII_FIELDS"] }, "rag_snapshot": [ { "chunk_id": "income_v3_2025_08#c14", "source": "bank_docs", "freshness_ok": true } ], "tool_chain": [ { "tool": "risk_engine", "op": "score_read", "scope": "customer:masked" }, { "tool": "limits_service", "op": "update_write", "idempotency_key": "req_77b_write_0" } ], "decision": { "result": "DENIAL", "reason_codes": ["DTI_RATIO_EXCEEDED"] } }

What You Actually Get

If you are accountable for regulated AI, you need three things that most stacks don’t provide:

Control
Runtime gates, scoped capabilities, approvals, safe mode, kill switch.
Causality
Replayable chain: input → retrieval → policy → tools → outcome.
Containment
Idempotent writes, caps, rate limits, incident playbooks.

Operating Model

Production AI isn’t a diagram. It’s a living runtime. These are the few SLOs and runbooks that make it manageable.

SLOs That Matter

Not “model accuracy.” Real survivability metrics:

Trace completeness: can we reconstruct the full chain every time?
Policy coverage: % of sensitive reads/writes gated by PEP with recorded decision.
Time to contain: how fast can we disable tools / downgrade runtime?
Drift detection time: detect behavior drift before users do.

Runbooks You Must Have

When bad days happen, response must be boring and predictable:

Injection spike: safe mode. Block writes. Require approvals.
Retrieval poisoning: restrict sources. Tighten freshness. Require citations.
Retry storm: enforce idempotency. Circuit-break writes. Rate-limit tools.
Tool instability: fail closed for writes. Degrade to explain-only.

Strategic Rationale

This is a missing runtime layer that mature teams repeatedly rebuild (inconsistently) inside each agent workflow. When enforcement becomes a platform primitive, it compounds across every product surface: retrieval, tools, and regulated execution.

Why this matters now
Agents are moving from “answering” to “acting”. Once tools mutate state, you need runtime control points and deterministic evidence, not best-effort monitoring after the fact.
What becomes possible
A consistent enforcement substrate: clear policy semantics, proven integration patterns, and an evidence artifact schema that supports replay, incident response, and audit-grade accountability across teams.

Once this layer exists, regulated execution becomes a property of the platform, not a burden on individual teams.