AI Governance
Built In, Not Bolted On

The governance-native AI platform for regulated industries. Every LLM call and every multi-agent pipeline is guided by APRA, ASIC, AFSL, AUSTRAC, OAIC, ISO 42001 and OWASP Agentic Top 10, audited in real time, and deployed inside your own VPC — your data stays where it's always been: with you. Helping you bring AI to production with confidence.

Request a pilot →See it live →

From shadow AI → trusted AI · live workflow

1 · Shadow AIunmanaged

⚠ Copilot⚠ Salesforce⚠ Internal LLM⚠ Agents⚠ Dynamics

↓

2 · GatedGate → Main → Validator

🛡 Gate→🤖 Main→✓ Validator

Blocked · cites CPS230 APP.11 ASI02.6

↓

3 · Auditedevery decision · point-in-time

🐘 Postgres🧊 Iceberg📊 Tableau📈 Power BI

↓

✓4 · Trusted↻ auto-refreshed weekly

APRA CPS 230ASIC REP 798OAIC APPsNSW AIAFDTA AI AssuranceISO 42001OWASP AgenticNIST AI RMF

1,311 controls · 54 frameworks · 4 verticals (finance · healthcare · energy · gov) · 49 / 54 frameworks (91%) with full-text source archive in S3 (HTML + PDF, sha256-versioned, 1,758 chunks) · APRA CPS 220 · CPS 234 · CPG 235 · NIST CSF 2.0 (Govern function) PDFs live · bullet-level diff & verbatim refusal citations · TinyFish refresh (HTML / PDF / browserless headless) per framework cadence (7-90d).

The Solution — Four Modules

Discover · Assess · Enforce · Audit — one bundled platform, four buyer outcomes.

Discover

Every AI surface, captured at the gateway.

•Multi-provider chatbot SDK — OpenAI, Claude, Gemini, Fireworks, Ollama
•Every LLM call and multi-agent turn captured before it reaches the model
•Shadow-AI inventory across Copilot, Salesforce, internal LLMs

Assess

Risk-graded against 300+ controls in 60+ frameworks.

•Policy-as-data catalogue · SCD2-versioned · auto-refreshed weekly by TinyFish
•Multi-agent-native Gate → Main → Validator pipeline (AG2-compatible)
•OWASP Agentic ASI07 / ASI08 / ASI10 enforced deterministically per turn

Enforce

Cited refusals, live — regulator names appear inline.

•Blocks before the model when a request falls outside policy
•“Based on APRA CPS 230 and OAIC APP.11…” shown in the chat response
•Demonstrable in a 30-second pilot — not slideware

Audit

Auditor-ready evidence on whichever BI you already use.

•Postgres operational store + S3 Iceberg immutable archive
•dbt models for Tableau / Power BI / Looker / Metabase / in-house BI
•Point-in-time reconstruction via SCD2 — “our APRA posture on 2026-02-15” is a SQL query

What's Special About Us

Eight things competitors can't say today.

🛡

Cited refusals, live

When a request falls outside policy, regulator names appear inline in the response.

•e.g. “Based on APRA CPS 230 and OAIC APP.11…”
•Something you can try in a 30-second demo

📚

Policy-as-data

300+ controls across 60+ frameworks in a versioned catalogue.

•Every decision joins to the control that fired
•“What was our APRA posture on 2026-02-15?” is a SQL query, not a forensics project

🔄

Weekly regulator auto-refresh

TinyFish web-AI keeps the catalogue aligned with the regulator.

•Scrapes APRA / ASIC / OAIC / OWASP every week
•Diffs against catalogue, proposes reviewable changes
•You ship against today's regulatory state, not last year's

📝

Per-turn audit evidence

Write-once audit trail for every gate decision.

•Postgres live store + S3 Iceberg immutable archive
•Point-in-time reconstruction via SCD2
•ISO 27001 and ISO 42001 aligned out of the box

🤝

Multi-agent-native

Governance pipeline IS itself a multi-agent system.

•AG2-compatible Gate → Main → Validator pattern
•Governs solo LLM calls AND multi-agent workflows
•OWASP ASI07 / ASI08 / ASI10 enforced deterministically

🔌

Scheduler & warehouse agnostic

Fits the stack you already have.

•Works with BMC Control-M and your existing scheduler
•Works with your BI tool — Tableau, Power BI, Looker, Metabase, in-house
•Reads and writes Postgres, Snowflake, BigQuery, Redshift

📦

Bundled, not bolted

Governance is included with the platform, not a separate SKU.

•One docker-compose deployment
•One contract, one invoice, one support line
•No extra GRC module to license or integrate

🔐

ISO 42001 in-house

Customer DDs are handled by our in-house compliance team.

•Chief Compliance Officer holds ISO/IEC 42001 qualification
•Gap assessments and audit prep done internally
•Evidence packs tailored for each customer's framework

Deploys In Your Own Infrastructure

We ship a container that runs in your VPC, reads from your warehouse, writes to your S3 — so your data stays where it is today. Designed to align with APRA CPS 234, OAIC APP 8, and AU data residency from day one.

Your credentials, your keys, your data — always yours. We work inside the perimeter you already trust.

🌐

Your VPC

Runs as a container inside your existing VPC, subnets, security groups and WAF — no new network perimeter to approve.

☁️

Your Cloud Account

AWS, GCP, Azure, or on-premise — your account, your billing, your IAM. Credentials stay with you.

🗄️

Your S3 / Object Store

Audit evidence (Iceberg archive) writes into your S3 bucket under your KMS keys. Access stays with your team.

🏢

Your Data Warehouse

dbt targets your Snowflake / BigQuery / Redshift / Postgres directly — data flows within your warehouse, not through us.

⚙️

Your Orchestration

Works natively with BMC Control-M and your existing scheduler — our jobs run as standard shell commands, no bespoke runner required.

🔐

Your IdP & KMS

SSO via Entra, Okta, or Cognito. Encryption with your CMK — keys stay under your control throughout.

🇦🇺

Data Stays Onshore

Deployed into AU regions with no cross-border transfer — aligned with APRA CPS 234 and OAIC APP 8 by architecture.

📦

Air-Gapped Ready

Offline install packages available for classified environments. No outbound telemetry, no phone-home.

Frameworks Covered

60+ regulatory & industry frameworks · 300+ controls · auto-refreshed weekly

🇦🇺 AU Regulators

APRA CPS 230
APRA CPS 220 — Risk Management
APRA CPS 234 — Information Security
APRA CPG 235 — Managing Data Risk
ASIC REP 798 + s912A
ASIC AFSL — s911A / s961B Best Interests Duty
AUSTRAC AML/CTF Act + AI/ML guidance
OAIC Privacy APPs
AU 6 Principles
NSW AIAF
TGA SaMD

🌏 International

NIST AI RMF 1.0
NIST AI GenAI Profile (NIST AI 600-1)
NIST CSF 2.0
ISO/IEC 42001:2023
ISO/IEC 27001:2022
UK 5 Principles (DSIT)
FCA DP5/22
EU AI Act

🇺🇸 US Sector

FINRA Notice 24-09
Colorado SB24-205
NY DFS AI Guidance

🛡 Industry

OWASP Agentic Top 10
OWASP LLM Top 10
NIST SP 800-53

🌏

APAC-native AI governance

Credo, OneTrust and Holistic AI are built US-first (NYC LL144, Colorado SB21-169) and EU-first (EU AI Act). We're built for this side of the Pacific — regulators your CCO actually answers to.

✓ Live in the catalogue

🇦🇺 APRA CPS 230🇦🇺 ASIC REP 798🇦🇺 OAIC APPs🇦🇺 NSW AIAF🇦🇺 NSW MEP🇦🇺 NSW AIRC🇦🇺 DTA AI Assurance🇦🇺 APS Code AI🇦🇺 Robodebt Reforms🇦🇺 PGPA Act🇦🇺 Digital ID Act🇦🇺 AU AI Safety Std🇦🇺 AU 8 Ethics🇦🇺 AU AISI🇦🇺 TGA SaMD

↻ On the auto-refresh roadmap

🇸🇬 MAS FEAT🇭🇰 SFC AI🇯🇵 FSA🇳🇿 Privacy Act🇮🇳 DPDP🇰🇷 PIPA

TinyFish auto-refresh treats new regulators as new scrape targets, not new code — APAC coverage extends as customers land.

Who It's For

Regulated verticals where AI governance is procurement-gating.

🏦

Financial Services

Banks · insurers · super funds · asset managers · advisers

•APRA CPS 230 — operational risk
•ASIC REP 798 — governance gap
•AFSL obligations — s912A efficient, honest, fair
•Prudential AI risk — accountable person

🏥

Healthcare

Clinics · hospitals · digital health · pharma

•TGA SaMD — software as a medical device
•OAIC APPs — health records privacy
•AU 6 AI Principles — clinical decision support
•State health dept AI guidelines

🏛

Government

Federal · state · local · agencies

•NSW AIAF — AI Assurance Framework
•QLD AI Governance · VIC AI Principles
•AU 6 Principles — contestability
•Public accountability obligations

Ready to see it live?

90-second demo. Live chatbot citing APRA, ASIC, OAIC in your own test session. No slideware.

Request a pilot Contact us

AI GovernanceBuilt In, Not Bolted On