What is the ACE Governance Platform?

ACE is a runtime policy engine that gates every AI action, enforces human-in-the-loop on restricted operations, and produces audit-grade evidence for every decision. Unlike traditional AI tools that operate without guardrails, ACE uses the MAI classification system (MANDATORY, ADVISORY, INFORMATIONAL) to ensure the right level of human oversight is applied to every action based on its risk level.

What is the MAI classification system?

MAI stands for MANDATORY, ADVISORY, and INFORMATIONAL — a risk-based governance framework for AI agents. MANDATORY actions (like authentication, final submissions, and decisions affecting benefits) require human approval before proceeding. ADVISORY actions (like evidence analysis and quality checks) are flagged for human review with auto-proceed after timeout. INFORMATIONAL actions (like data gathering and navigation) proceed automatically with full audit logging. Classification is declared at design time and enforced at runtime — no agent can bypass governance gates.

How is ACE different from traditional RPA or AI agent frameworks?

Traditional RPA (like UiPath or Automation Anywhere) has no built-in governance and fails on dynamic pages. AI agent frameworks (like LangChain, AutoGPT, or CrewAI) provide zero compliance boundaries — agents run uncontrolled with no audit trails. ACE is different because governance is built into the runtime, not bolted on. Every action is classified by risk, gated by policy, and logged with tamper-evident hashing. ACE produces audit-grade evidence packs, not just logs.

What industries does ACE support?

ACE is built for any regulated industry where AI acceleration is needed but accountability cannot be automated away. Current use cases include government procurement and RFP analysis, legal research and document review, compliance and audit evidence collection, healthcare claims processing and prior authorization, and HR screening with consent-gated workflows. The platform uses configurable playbooks and industry skill packs, so it adapts to specific regulatory requirements.

What compliance frameworks does ACE align with?

ACE's architecture is designed to align with NIST AI Risk Management Framework (AI RMF 1.0), CMMC 2.0 requirements for controlled unclassified information, HIPAA requirements for healthcare data handling, and FedRAMP security controls. The MAI classification system maps directly to NIST AI RMF's GOVERN function, and the immutable audit trail with SHA-256 hashing provides the evidence chain required for compliance audits.

What are AI evidence packs?

Evidence packs are audit-grade output bundles generated for every workflow execution. Each pack includes a complete timeline of actions taken, all extracted artifacts with provenance tracking, decisions made with reasoning and confidence scores, human approvals with timestamps and attestations, and a SHA-256 integrity hash for tamper detection. Evidence packs are designed to withstand audit scrutiny — they prove what was done, why, by whom, and whether it was authorized.

GIA Platorm | Enhance AI Governance Today

Core Innovation

Classification at Design Time. Enforcement at Runtime.

The MAI pattern solves a fundamental problem: how do you give AI agents enough autonomy to be useful while maintaining the human oversight required in regulated environments? The answer is graduated autonomy — matching the level of oversight to the risk level of each action.

Design Time

Every action is pre-classified by risk level before deployment

Runtime Evaluation

Policy rules evaluate every action. Most-restrictive-wins logic ensures nothing slips through

Audit Output

Every decision logged with operator identity, reasoning, and tamper-evident hashing

Architecture

The Governed Intelligence Loop

Every workflow passes through five architectural layers. Each layer has a specific governance function. No shortcuts, no bypasses.

1

Unified Gateway MANDATORY

All data enters through a single ingestion point. PII/PHI is identified and redacted. Behavioral integrity checks detect adversarial inputs and instruction injection attempts before any processing begins.

2

Multi-Agent Processing ADVISORY INFORMATIONAL

Specialized AI agents execute in parallel — evidence extraction, analysis, quality checks. Each agent is classified by risk level. Agents cannot self-promote to a lower risk tier.

3

Human Oversight Gate MANDATORY

MANDATORY-classified agents pause execution and present their work for human review. The operator must explicitly approve before the workflow continues. Rejected actions terminate with logged reasoning.

4

Behavioral Repair ADVISORY

A supervisor agent validates output consistency across the pipeline. Logical inconsistencies (future dates, contradictory findings, schema violations) are flagged and repaired before final output.

5

Telemetry & Evidence INFORMATIONAL

Complete audit trail is compiled. Evidence packs are generated with SHA-256 integrity hashing. Compliance documentation (NIST AI RMF, CMMC 2.0) is auto-generated from the execution record.

Runtime Policies

Seven Default Policy Rules

These policies are evaluated against every action at runtime. Most-restrictive-wins logic ensures that if multiple rules match, the strictest decision applies. Custom rules can be added, but defaults cannot be weakened.

DENY

Authentication Boundary

Credential-related actions are permanently blocked from automation. Authentication is always human-only.

DENY

Human Verification Boundary

Mechanisms designed for human verification (CAPTCHAs, identity checks) are never automated.

REQUIRE APPROVAL

Submission Gate

Form submissions require explicit human approval. No automated submissions, especially on government or regulated portals.

ALLOW + LOG

Controlled Data Handling

Data operations are permitted within governance boundaries. Every artifact is tracked with full provenance in the audit trail.

REQUIRE ATTESTATION

External Communication Gate

Actions that share information outside the system boundary require human attestation of lawful basis.

REQUIRE ATTESTATION

High-Stakes Action Gate

Actions affecting employment, benefits, or eligibility require human attestation of consent and authorization.

DENY

Domain Boundary Enforcement

Configurable restrictions prevent automation on sensitive or restricted domains. Interactions require appropriate approval levels.

Evidence Architecture

What's Inside an Evidence Pack

Every workflow execution produces a tamper-evident evidence bundle. Designed to withstand audit scrutiny and prove the complete chain of custody.

Execution Timeline

Every step with timestamps, duration, and completion status

Artifacts

Extracted documents with provenance, source, and individual hashes

Decisions

Every decision with reasoning, confidence score, and timestamp

Approvals

Human approvals with approver identity, timestamp, and attestation

Audit Log

Complete action log with operator ID, classification, and policy decision

Integrity Hash

SHA-256 hash of entire pack for tamper detection and verification

Compliance Alignment

Built for Regulatory Requirements

ACE's architecture is designed to align with major compliance frameworks. The MAI pattern maps directly to established risk management standards.

GOVERN Function

NIST AI RMF 1.0

MAI classification maps to NIST's graduated autonomy model. Runtime enforcement satisfies GOVERN function requirements for AI risk management.

Access Control

CMMC 2.0

Immutable audit trails, role-based approval gates, and controlled data handling align with CMMC requirements for controlled unclassified information.

PHI Protection

HIPAA

PII/PHI redaction at ingestion, consent-gated workflows, and attestation requirements support HIPAA compliance for healthcare data handling.

Security Controls

FedRAMP

Zero credential storage, domain boundary enforcement, and comprehensive audit logging align with FedRAMP security control families.

See the Architecture in Action

Schedule a technical deep-dive with our team. We'll walk through the MAI runtime, policy engine, and evidence pack generation with your specific use case.

Request Technical Demo

The MAI Runtime Architecture

Classification at Design Time. Enforcement at Runtime.

Design Time

Runtime Evaluation

Audit Output

The Governed Intelligence Loop

Unified Gateway MANDATORY

Multi-Agent Processing ADVISORY INFORMATIONAL

Human Oversight Gate MANDATORY

Behavioral Repair ADVISORY

Telemetry & Evidence INFORMATIONAL

Seven Default Policy Rules

Authentication Boundary

Human Verification Boundary

Submission Gate

Controlled Data Handling

External Communication Gate

High-Stakes Action Gate

Domain Boundary Enforcement

What's Inside an Evidence Pack

Execution Timeline

Artifacts

Decisions

Approvals

Audit Log

Integrity Hash

Built for Regulatory Requirements

NIST AI RMF 1.0

CMMC 2.0

HIPAA

FedRAMP

See the Architecture in Action