Governance-first AI infrastructure

Governance before generation.
Every time.

Deterministic authority resolution, governed retrieval, and tamper-evident audit — the invisible infrastructure your AI stack is missing.

The four invariants

  • No authority → no retrieval
  • No eligible evidence → no context
  • No governed evidence → no generation
  • No audit commit → no allow

What we don't do

Four things every RAG vendor sells.
Four things we refuse to build.

Data residency

Your content stays with you.

TenantSage stores governance metadata only — never chunks, never embeddings, never raw text. Documents live in your storage, on your keys, under your compliance boundary.

Audit truth

Hashes only. No payloads.

The evidence ledger records SHA-256 hashes of every decision, retrieval, and response. Auditors get a verifiable chain without your data ever leaving your control.

Fail-closed

No commit, no allow.

Audit writes are synchronous and blocking on the request's critical path. If the evidence ledger can't commit, the request is denied. No fire-and-forget.

Structural, not optional

Legal hold cannot be flag-flipped.

Tenant boundary and legal hold are enforced by the query structure, not by a boolean the app layer can bypass. Governance is a schema property, not a feature.

The problem

Every AI product ships without three things
that regulated buyers demand.

Auth-you-can-prove

AI features ship with role checks in the app layer that can't be replayed for an audit six months later. Regulated buyers reject that.

Retrieval-you-can-audit

RAG pipelines pull evidence via ad-hoc filters. When something leaks, nobody can point at the moment the boundary was crossed.

Generation-you-can-replay

LLM responses depend on context assembled at request time. Without deterministic provenance, there's no way to prove what the model saw.

How it works

DAR → EEB → Audit.
No shortcuts.

Three deterministic stages. Every one produces a hash. Every hash chains to the next. The whole path is replayable from a Postgres snapshot.

01

Authority (DAR)

Deterministic Authority Resolution

Every request is bound to a user, tenant, and scope before any retrieval touches your data. Authority decisions are hashed, tied to identity, and stored append-only.

authority_decisions

02

Eligible Evidence Boundary (EEB)

Governed retrieval envelope

The EEB defines exactly which scopes and source types the request may see. Retrieval outside the boundary is structurally impossible — not gated by application code, gated by the schema.

evidence_boundaries

03

Tamper-evident ledger

Every decision hash-chained

Every allowed decision writes a hash-chained evidence ledger entry canonicalized per Appendix A. Auditors replay the chain; regulators accept the trail.

evidence_ledger
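
A minimal sketch of the hash-chained, fail-closed ledger described above, as an added example and not TenantSage's own code. The field names, the sorted-key JSON canonical form, the genesis value, and the `governed_allow` helper are assumptions made for illustration; the sample inputs are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

class LedgerUnavailable(Exception):
    """The ledger could not durably commit an entry."""

def digest(obj) -> str:
    # Assumed canonical form (sorted-key compact JSON); the page's own
    # canonicalization rules are not shown, so this stands in for them.
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

class EvidenceLedger:
    def __init__(self, writable=True):
        self.entries = []
        self.writable = writable  # False simulates a failed commit

    def commit(self, decision, authority, response):
        if not self.writable:
            raise LedgerUnavailable("commit failed")
        body = {
            "seq": len(self.entries),
            "decision": decision,
            "authority_hash": digest(authority),  # hashes only, no payloads
            "response_hash": digest(response),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        self.entries.append(dict(body, entry_hash=digest(body)))

def verify_chain(entries) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev_hash"] != prev or digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1

def governed_allow(ledger, authority, response):
    """Release the response only after its audit entry has committed."""
    try:
        ledger.commit("allow", authority, response)
    except LedgerUnavailable:
        return None  # fail closed: no commit, no allow
    return response
```

Editing any stored field changes that entry's recomputed hash, so `verify_chain` reports the first entry that no longer matches; a ledger that cannot commit yields no response at all.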

Side-by-side: normal RAG retrieves relevant chunks and asks the LLM; governed RAG verifies identity, checks position / entitlement / assignment / scope / policy, builds an allowed candidate set, retrieves only permitted chunks, and audits every allow/deny decision.
RAG decides what is relevant. TenantSage decides what is allowed before relevance is searched.

Verified by TLA+ & Alloy

The four invariants are proved as machine-checked assertions. 15 distinct states, depth 11, 14 Alloy assertions UNSAT. Denial cannot progress into retrieval, generation, or execution. Not by convention — by the model.

Canonical principles

Constitutional invariants.
Not guidance.

01

Protocol immutable. Implementations replaceable.

02

History never rewritten.

03

Authority externally inspectable.

04

Evidence human-verifiable.

05

No synthetic audit history.

06

Governance precedes generation.

Ship AI features your CISO signs off on the first time.

Book a 30-minute technical review. We'll look at your stack together and show you where TenantSage fits.