Platform: Governance

The controls inventory your compliance officer can sign off on.

Pre-dispatch runtime policy, SoD approvals, application-layer tenant isolation, regex-based PII redaction at ledger write time, regulated-industry policy template with conservative defaults on every axis. Each control documented against the code that enforces it.

Pre-dispatch policyApplication-layer tenant isolation7-year regulated retention

When you have AI agents that may touch sensitive data or take material action, you want a controls inventory where every claim ties to code you can review — so the answer to “show me your SoD enforcement” isn’t a slide deck.

Three layers: pre-dispatch, approval, audit.

Pre-dispatch

Every tool call decided allow / deny / require_approval BEFORE it runs. Pure decision module — no I/O, no Firestore writes — so policy outcomes are reproducible and audit-replayable.

Approval

Human-in-the-loop gate via AgentApproval rows. Three-state machine (pending → approved | rejected | expired) with 48-hour default expiry. SoD enforced: the user who edited an agent in the last 24h cannot approve its next action.

Audit

Every action — including denials and require-approval routes — lands in the hash-chained per-org ledger. Regex-typed PII redaction runs at write time on params and outcome_detail, scanning both keys and values.

Each control documented against the code that enforces it.

Pre-dispatch runtime policy

tools_allowed + data_scope predicates (no_pii, read_only, org_id == self) + external-comms allow-list + per-run cost cap + PII filter + retention horizon. Most-restrictive intersection with the agent’s legacy tools field wins.

SoD approvals

The user who edited an agent definition in the last 24h is auto-rejected on approval with decision_reason=segregation_of_duties_violation. SoD lookup uses the approval’s own org_id; callers cannot override. Enforced fail-CLOSED (SOD_REQUIRE_AUDIT_AVAILABLE=true): if the SoD audit context is unavailable the approval is blocked rather than allowed.

Approval state machine

AgentApproval rows: pending → approved | rejected | expired. 48-hour default expiry. Proposed action stored as free-form JSON for the human to inspect.

Application-layer tenant isolation

Audit-critical Firestore collections (AgentActionLog, AuditLogTip, Policy) stored as per-org sub-collections under user_docs/<org_id>/. org_id-required loaders plus router-layer membership-derived org_id. The platform does not enforce isolation via Firestore Rules.

Regex-based PII redaction

params and outcome_detail routed through redact_value before serialisation. Both dict keys and values scanned. Regulated-industry orgs get a strict pass that adds email + phone to the SSN / CC / ACH baseline.

Regulated-industry policy template

Canonical REGULATED_INDUSTRY_POLICY constant. Conservative on every axis: $100 per-run cap, external_comms=require_approval, pii_filter=True, data_scope=[no_pii, read_only], retention_years=7. tools_allowed empty by default — customer opts each tool in.

How the primitives compose in production.

DCAA-aligned operations

Hash-chained ledger + SoD approvals + 7-year retention via the regulated profile. Designed for DCAA alignment; not DCAA-certified.

Read-only support agent

data_scope=[read_only] blocks every tool in DANGEROUS_ACTIONS. The forbidden-tools guard catches accidental write-class registrations at three deploy points.

Sensitive-action approval flow

Agent proposes a material action; runtime policy returns require_approval; an AgentApproval row is created; a separate human (per SoD) reviews and decides.

Compliance-profile flip

OWNER flips standard → regulated_industry via the org-config endpoint. Reverse direction returns HTTP 422 — reverse is a high-trust action that requires human compliance review.

Forbidden-tools deploy guard

Three layers: explicit prefix list, write-verb heuristic, explicit literal list. Enforced at pre-flight validation, last-line Firestore write, and post-write read-back.

Today’s controls inventory, by the numbers.

24h

SoD lookback window for definition edits

7y

Regulated-industry retention floor (override UP only)

3-point

Forbidden-tools deploy guard

Where GoodHelp’s governance surface sits.

CapabilityGoodHelpGeneric agent SDKsVanta / Drata
Pre-dispatch runtime policyDIYDifferent scope
SoD approvalsDIYDifferent scope
Approval state machineDIYDifferent scope
Application-layer tenant isolationVariesDifferent scope
PII redaction at ledger writeRegexDIYDifferent scope
Regulated-industry policy templateDIYDifferent scope

Comparison reflects publicly documented capabilities as of 2026-05-25. Vanta and Drata are excellent at evidence collection for SOC 2 / ISO 27001 — a different layer of the stack.

What compliance officers ask first.

What does 'SoD enforced' mean today?

The user who edited an agent definition in the last 24h cannot approve that agent’s next action. Enforcement is fail-CLOSED: SOD_REQUIRE_AUDIT_AVAILABLE=true is set in production, so if the SoD audit context is unavailable the approval is blocked (not allowed) and the block is logged.

How is tenant isolation enforced?

Application-layer: per-org Firestore sub-collections under user_docs/<org_id>/, org_id-required loaders, router-layer membership-derived org_id. There is no firestore.rules file in the repo — isolation is defense-in-depth at the application layer.

What's the PII redaction story?

Regex-typed redactor. Runs at ledger write time on params and outcome_detail. Scans both dict keys and values. Regulated-industry orgs get a strict pass adding email + phone to the baseline SSN / CC / ACH coverage. The strict-mode lookup fail-CLOSES for previously-confirmed regulated orgs. Explicitly regex-based per ADR-006; deferred NER for write-path scope reasons.

What's enforced on cost?

Per-run cost cap (cost_cap_per_run_usd) IS enforced today. Per-period cap (cost_cap_per_period) is captured in the policy schema but inert until the AgentActionLog aggregate-query wiring ships. An inert-counter Prometheus metric monitors the gap.

Is MFA enforced?

Not currently in the GoodHelp surface — Firebase Auth blocking functions are pass-through. On the roadmap.

What's the regulated-industry policy template?

A canonical AgentPolicy instance attachable to any agent, conservative on every axis: $100 per-run cap, external_comms=require_approval, pii_filter=True, data_scope=[no_pii, read_only], retention_years=7, tools_allowed=[] (customer opts in). The 30-day rolling cap is captured but inert until F1; per-run cap is live.

Compliance profile flip?

One-way self-serve for OWNER: standard → regulated_industry flips retention to 7 years, seeds approval policies for FINANCIAL + external_comms, enables runtime PII filtering, locks the dangerous-action policy strict. Reverse direction returns HTTP 422 — contact compliance@goodhelp.ai.

Sub-processors?

Canonical list: OpenAI, Anthropic, Google AI, Ideogram, Kling (LLM/image), GCP infra, Temporal Cloud (mTLS), Stripe, SendGrid. Full list publishes with the Trust Center.

Governance is one of three pillars.

See the multi-agent runtime and the observability + action-ledger surface, or return to the platform overview.

Bring your control checklist; we’ll walk through ours.

Thirty minutes — bring your compliance officer or security lead and the controls list they actually grade against. We’ll go line by line.