v 2.4 · GASOC 2 Type II · ISO 42001 · NIST AI RMF

AI risk governance,
built for the way your
organization actually ships AI.

Obiguard Governance AI inspects every prompt, response, and tool-call across your stack — enforces policy, blocks exfiltration, and gives security & legal a single ledger of evidence.

Read the architecture ↗

1,204 events governed in the last minute

Inspection latency

18_{ms p50}

Detectors live

64_shipped

Frameworks mapped

7_continuous

Median time to deploy

14_days

■Obiguard is a MDEC-recognised company in Malaysia — awarded MSC Malaysia status by the Malaysia Digital Economy Corporation.

Trusted by &
backed by

02 / The Specimen

A live view from
a customer's production project.

Three violations fired in the past minute. One blocked by a Policy Set. Two routed to the Review Queue. All written to the Audit Log — searchable, exportable, and evidence-ready.

streaming · 12,402 ev/hr

Violations

last 60 minutes · 14 violations · 3 blocked · 5 flagged for review

Live

History

Export

Requests

12,402

+4.1%

Threats blocked

38

High: 6

Avg latency

18ms

p50

Active policy sets

47

3 drafts

Time

Event

Policy

Severity

Action

14:02:09

SSN in completion → support-agent · gpt-4.1

PII / US-SSN

HIGH

REDACT

14:01:58

Tool out-of-scope · db.query → payroll

Tool / Scope

HIGH

BLOCK

14:01:54

Prompt injection · act-as-developer-mode

Injection

HIGH

BLOCK

14:01:42

Off-allow-list model · llama-3.1-405b

Model / AL

MED

REVIEW

14:00:48

Customer record leak → rag-search

DLP / Customer

MED

REDACT

13:59:50

Toxicity 0.81 in agent reply

Content / Tox

LOW

LOGGED

03 / Capabilities

Six capabilities. One platform.
Every AI agent your org runs.

Obiguard wraps every AI agent your organisation operates — monitoring usage, enforcing policies, routing violations for human review, and maintaining the audit trail your compliance team needs.

01 — MONITOR

Dashboard & violations

A live project dashboard shows token usage, cost, request volume, errors, threats blocked, and average latency. The Violations view surfaces every policy breach — filtered, searchable, and exportable.

Real-time · threats blocked · p50 latency

02 — REVIEW

Human-in-the-loop review queue

Violations flagged for human judgment land in the Review Queue. Assign, annotate, and resolve — with a full audit trail from the original event to the decision.

Review Queue · assign & resolve

03 — ENFORCE

Policy Sets

Group enforcement rules into Policy Sets and assign them to AI Agents. Each set defines criteria, action (block / flag / allow), and whether violations route to the Review Queue.

Policy Sets · per-agent enforcement

04 — REGISTER

AI Use Cases & Agents

Maintain a living registry of every AI Use Case and Agent in your organisation. Link each agent to its policy set — so governance follows the workload, not the calendar.

Use Cases · agents & prompts

05 — LOG

Audit Log

Every prompt, response, tool-call, and policy decision is written to an immutable Audit Log. Export to your SIEM, your GRC stack, or hand the auditor a timestamped record.

Audit Log · SIEM-ready export

06 — GOVERN

Controls & Criteria

Define organisation-wide Controls and the Criteria that trigger them. Map each control to NIST AI RMF, EU AI Act, ISO 42001, or SOC 2 — and stop rebuilding the mapping every audit cycle.

7 frameworks · continuous mapping

For Security

Make every AI agent a governed workload.

Violations dashboard with real-time threats blocked
Policy Sets block or flag unsafe agent behaviour
Audit Log streams to your SIEM — Splunk, Sumo, custom

→ For CISOs & security platform teams

For Risk & Legal

Continuous evidence, not quarterly screenshots.

Controls mapped to NIST AI RMF, EU AI Act, ISO 42001
Immutable Audit Log — every decision timestamped
Export for SOC 2, HIPAA, and internal AUP audits

→ For Risk, Legal & Compliance

For AI Teams

Register, govern, and iterate on your AI agents.

AI Use Case & Agent registry — one source of truth
Policy Sets assign enforcement rules per agent
Review Queue routes edge cases to human judgment

→ For AI product & platform teams

04 / How it works

Live in 14 days.
Coverage from day one.

No model retraining. No migration. Obiguard slots in front of your existing AI gateway or speaks AWS/Azure/GCP-native APIs.

STEP 01 · CONNECT

30 minutes

Create a project, generate an Access Key, and route your AI agents through Obiguard. Works with OpenAI, Anthropic, Bedrock, Vertex, Azure OpenAI, and any OpenAI-compatible endpoint.

# route via Obiguard
$ export OPENAI_BASE_URL=\
  https://gw.obiguard.com/v1
→ project connected

STEP 02 · REGISTER

Day one

Add your AI Use Cases and register each AI Agent in the platform. Link agents to the business function they serve — so every governance decision has full context.

AI Use Cases registered
3 agents linked
1 project · t77
→ registry complete

STEP 03 · ENFORCE

When you're ready

Build a Policy Set — define your Criteria, set the action (block or flag), and assign the set to your agents. Violations surface immediately in the dashboard.

policy_set: no-pii-in-responses
action: block
agent: support-agent
review_queue: true

STEP 04 · REPORT

Continuously

Violations are logged to the Audit Log and routed to the Review Queue for human sign-off. Export evidence to your SIEM or hand the auditor a timestamped record.

audit log → 1,204 events
violations → review queue
export → splunk · stream
soc2.cc7.2 — covered

05 / What customers measure

The numbers our customers report after their first quarter on Obiguard.

94%

PII exposure reduction

Across customer-support agents and internal copilots at a 12,000-seat enterprise pilot.

3.2×

Faster audit prep

Time-to-evidence for SOC 2 CC7 controls vs. manual screenshot collection.

14d

Median time to deploy

From first call to enforced policy — including security review and procurement.

0

Retraining required

Runs at the gateway layer. We don't touch your weights, your data, or your training pipeline.

06 / FAQ

Common
questions.

Don't see what you're looking for? Our solutions engineers respond within one business day.

Talk to an SE →

Does Obiguard see our customers' data?[01]

Obiguard can run entirely inside your VPC or on-prem. In SaaS mode, content is processed in-memory and never stored — only the policy decision and metadata are persisted to the ledger. We can attest to this with a deployment-time enclave proof.

Does this add latency to model calls?[02]

Median added latency is 18ms for the inspect-and-decide path. Tool-call validation adds ~5ms. We publish per-customer p50/p95/p99 to your dashboard continuously.

How is Obiguard different from a model gateway?[03]

Gateways route traffic. Obiguard governs it. We sit in front of your gateway or SDK and add the policy enforcement, violation tracking, review workflow, and audit trail that routing tools leave out of scope.

Which compliance frameworks do you support?[04]

Controls and Criteria can be mapped to NIST AI RMF, EU AI Act, ISO 42001, SOC 2 (CC6/CC7), HIPAA, and your internal AUP. Custom framework mapping is available on enterprise plans.

How do Policy Sets and Criteria work together?[05]

Criteria define what triggers a policy event — a detector match, a keyword, a model call outside scope. Policy Sets group Criteria and assign them to AI Agents, with an action (block or flag) and an optional route to the Review Queue.

What is the Review Queue?[06]

Violations that need human judgment — edge cases, high-risk content, new agent behaviour — are routed to the Review Queue. Reviewers can annotate, approve, or escalate, and every decision is written to the Audit Log.

07 / Get started

Bring the same rigor you apply
to data and identity — to the AI
in your stack.

A 20-minute call with a solutions engineer is enough to scope your pilot. Most customers are enforcing policy in production within two weeks.

Read the architecture