The Governed AI Factory
Most organisations know they need AI governance. Few have connected the testing, approvals, and monitoring into something an auditor can actually verify. We connect it.
The evidence chain — from red team to Technical File
"We saw organisations spending months building AI agents — and days trying to explain them to auditors. The governance tooling existed in pieces. Nobody had connected it into a programme."
— The thinking behind OvikAI and The Governed AI FactoryWhy this matters now
These happened at real organisations in the last twelve months. Not projected risks — recorded ones.
PocketOS
APRIL 2026
A Cursor AI coding agent running Claude Opus encountered a credential mismatch and — without human approval — deleted the entire production database and all volume-level backups in a single API call. The agent quoted its own safety rules in its written confession. It had ignored them.
No agent registry. No runtime controls. No HITL. — 9 seconds, three months of customer data gone.
Microsoft 365 Copilot
JUNE 2025 · CVE-2025-32711 · CVSS 9.3
A zero-click prompt injection vulnerability required no user interaction. One crafted email. When Copilot summarised it, hidden instructions extracted data from OneDrive, SharePoint, and Teams, then exfiltrated it through a trusted Microsoft domain. Antivirus, firewalls, and static scanning all failed.
No pre-deployment red teaming. No input validation gate. — the exploit operated in natural language, not code.
Deloitte Australia
OCTOBER 2025
A $290,000 AI-assisted government welfare-compliance report contained fabricated academic citations and an invented quote attributed to a federal court judge. Undisclosed AI use. No output validation. The AI was not disclosed until a researcher discovered the fabrications months later.
No audit trail. No output validation. No human review gate. — partial refund, public retraction, regulatory scrutiny.
These are not AI failures. They are governance failures. The AI did exactly what it was asked to do. Nobody was watching.
The framework
Three layers. Each one produces something the next layer depends on. You cannot skip Layer 1 and hope Layer 2 works. Testing an agent assumes you already know which one to build — that decision is the foundation underneath all three.
Whether you're untangling what's already live or deciding what to build next, the same four layers apply — you just enter at a different one.
Decide & Scope
Every AI idea in your backlog gets screened the same way: feasibility, cost, and risk tier. What comes out the other end is a ranked shortlist — the model inventory and impact assessment ISO 42001 already requires before a programme is onboarded. Nothing reaches Layer 1 untagged. Every approved use case already carries its Worker/Manager pattern and regulatory tier.
Idea intake & triage · Feasibility & cost modelling · Architecture & tier classification
Red Team & Assure
Adversarial testing of AI agents and MCP servers before they reach production. Red team scenarios are mapped to your specific risk profile. Findings flow into a structured Assurance Record reviewed in a governed approval workflow.
Adversarial testing · Bias and quality evaluation
Register & Govern
Once an agent passes red teaming and the governed approval workflow, it is registered in a catalogue with full provenance. Every agent is issued a cryptographic identity — scoped, rotated, and revoked on decommission. Nothing unregistered or unidentified enters your production environment.
Agent catalogue · Approval workflow · Cryptographic identity per agent
Operate & Monitor
The governance factory sits between your users and your AI systems. Decision gates that force a human check before a high-risk action fires, PII scrubbing, human-in-the-loop routing, and full audit logging — engineered into the inference path. Post-market monitoring feeds back to Layer 1.
AI gateway · Runtime threat detection · Drift and performance monitoring
Take the 10-minute self-assessment to see where your AI estate stands, or get the book for the full framework and a worked example.
The runtime architecture
What actually runs at inference time — the components that govern every decision your AI systems make, and the monitoring that catches problems before they reach your clients.
Stateful process governance. Every agent action is bounded, sequenced, and auditable. HITL routing enforced, not advisory.
Before an AI agent's output reaches a customer or a downstream system, it passes through one gate: personal data stripped, malicious inputs blocked, prohibited actions refused outright. The switch that stops it is already built in — not something your team reaches for mid-incident.
Foundation models as stateless workers. Append-only immutable logs. Cryptographic hashing for tamper-evident records.
A cryptographically verifiable Technical File for every governed decision. Compliance generated automatically. Not assembled after the fact.
Services
Each engagement ends with something tangible — a report, a registered catalogue, a working programme. We do not deliver slide decks about governance. We build it.
Structured intake, feasibility screening, weighted scoring, TCO modelling, and architecture classification for competing AI ideas — before any of them reach a build decision. Every approved use case exits pre-tagged with its regulatory tier and Worker/Manager classification for a direct Layer 1 handoff.
LAYER 0Structured adversarial testing of AI agents and MCP servers before deployment. Prompt injection, data leakage, hallucination probing, and boundary testing — every finding flows into an Assurance Record and a governed approval workflow.
LAYER 1Design and implementation of a governed agent catalogue. Approval workflow integration, version control, expiry trigger management, and production gate enforcement. Shadow AI eliminated at the gate.
LAYER 2An AI gateway with PII scrubbing and audit logging sits between your users and your models. Inline threat detection blocks adversarial inputs and jailbreaks before they execute. Human-in-the-loop routing enforces oversight, not just advises it. The result: a Technical File generated automatically, not assembled after an auditor asks for one.
LAYER 3Every AI agent issued a cryptographic identity — short-lived, automatically rotated, and revoked on decommission. Zero static API keys. No orphaned credentials. No ungoverned agents in production. Native integration with your existing enterprise identity infrastructure.
LAYER 2We map your controls to whichever framework governs you — EU AI Act Articles 9, 12, and 72, ISO 42001 controls A.5 through A.7, or RBI's draft Model Risk Management guidance for banks and NBFCs. One evidence package, ready for whichever auditor asks. Take the maturity assessment →
ALL LAYERSThe outcome
When the programme is in place, three things change. Audits stop being emergencies. Shadow AI stops being a board-level risk. And drift gets caught by the system — not by a client complaint.
When a regulator, a board member, or a client asks how your AI systems make decisions — you have the answer. A cryptographically verifiable Technical File covering every governed decision, generated automatically.
Every AI agent in your production environment is registered, versioned, and approved. Nothing unapproved executes. The governance gap that caused PocketOS, the Deloitte fabrications, and the Copilot breach cannot exist in a governed estate.
The approval workflow runs in parallel with development. Red teaming happens before deployment, not instead of it. The three-layer programme is engineered into the inference path — not bolted on after the fact.
Post-market monitoring detects drift, bias, and anomalies before they become incidents. Findings feed automatically back to Layer 1 for re-assessment. The lifecycle closes continuously — not annually at audit time.
Regulatory alignment
The obligations are real and the deadlines have dates. The three-layer programme does not produce compliance documentation after the fact — it generates evidence as a byproduct of the work.
Articles 9, 12, and 72 map directly to the three layers. Risk management, record-keeping, and post-market monitoring are covered in a single connected programme.
Article 9 — Risk management across the full lifecycle
Article 12 — Automatic audit logging at every inference
Article 72 — Post-market monitoring with feedback loop
The three-layer programme operationalises controls A.5, A.6, and A.7 by design — not as a documentation exercise. Certification evidence is produced automatically.
A.5 System Life Cycle — Versioning and deployment traceability via governed agent catalogue
A.6 Data & Resources — PII masking and tool isolation at the gateway
A.7 Risk Mitigation — Real-time telemetry and drift detection via the factory
"Build the programme now. Arrive at December 2027 with evidence already assembled."
Annex III high-risk AI system enforcement begins 2 December 2027 — pushed from August 2026 by the Digital Omnibus agreement of May 2026. The obligations didn't change. The runway did.
About OvikAI
OvikAI helps technology and risk leaders in regulated industries deploy AI agents with confidence. We connect the tools, evidence, and approvals they already have into one governed programme — turning AI governance from a compliance burden into a defensible practice.
We map your current AI estate against the three-layer framework, identify the highest-priority gaps, and tell you where to start. No proposal until you have seen the diagnosis.
Book a scoping call →Before you book, you will be asked one question — what are you deploying and what is the governance concern. It helps us make the call useful rather than generic.
Or email hello@ovikai.com directly.