Platform: Governance
The controls inventory your compliance officer can sign off on.
Pre-dispatch runtime policy, SoD approvals, application-layer tenant isolation, regex-based PII redaction at ledger write time, regulated-industry policy template with conservative defaults on every axis. Each control documented against the code that enforces it.
When you have AI agents that may touch sensitive data or take material action, you want a controls inventory where every claim ties to code you can review — so the answer to “show me your SoD enforcement” isn’t a slide deck.
Three layers: pre-dispatch, approval, audit.
Pre-dispatch
Every tool call decided allow / deny / require_approval BEFORE it runs. Pure decision module — no I/O, no Firestore writes — so policy outcomes are reproducible and audit-replayable.
Approval
Human-in-the-loop gate via AgentApproval rows. Three-state machine (pending → approved | rejected | expired) with 48-hour default expiry. SoD enforced: the user who edited an agent in the last 24h cannot approve its next action.
Audit
Every action — including denials and require-approval routes — lands in the hash-chained per-org ledger. Regex-typed PII redaction runs at write time on params and outcome_detail, scanning both keys and values.
Each control documented against the code that enforces it.
Pre-dispatch runtime policy
tools_allowed + data_scope predicates (no_pii, read_only, org_id == self) + external-comms allow-list + per-run cost cap + PII filter + retention horizon. Most-restrictive intersection with the agent’s legacy tools field wins.
SoD approvals
The user who edited an agent definition in the last 24h is auto-rejected on approval with decision_reason=segregation_of_duties_violation. SoD lookup uses the approval’s own org_id; callers cannot override. Enforced fail-CLOSED (SOD_REQUIRE_AUDIT_AVAILABLE=true): if the SoD audit context is unavailable the approval is blocked rather than allowed.
Approval state machine
AgentApproval rows: pending → approved | rejected | expired. 48-hour default expiry. Proposed action stored as free-form JSON for the human to inspect.
Application-layer tenant isolation
Audit-critical Firestore collections (AgentActionLog, AuditLogTip, Policy) stored as per-org sub-collections under user_docs/<org_id>/. org_id-required loaders plus router-layer membership-derived org_id. The platform does not enforce isolation via Firestore Rules.
Regex-based PII redaction
params and outcome_detail routed through redact_value before serialisation. Both dict keys and values scanned. Regulated-industry orgs get a strict pass that adds email + phone to the SSN / CC / ACH baseline.
Regulated-industry policy template
Canonical REGULATED_INDUSTRY_POLICY constant. Conservative on every axis: $100 per-run cap, external_comms=require_approval, pii_filter=True, data_scope=[no_pii, read_only], retention_years=7. tools_allowed empty by default — customer opts each tool in.
How the primitives compose in production.
DCAA-aligned operations
Hash-chained ledger + SoD approvals + 7-year retention via the regulated profile. Designed for DCAA alignment; not DCAA-certified.
Read-only support agent
data_scope=[read_only] blocks every tool in DANGEROUS_ACTIONS. The forbidden-tools guard catches accidental write-class registrations at three deploy points.
Sensitive-action approval flow
Agent proposes a material action; runtime policy returns require_approval; an AgentApproval row is created; a separate human (per SoD) reviews and decides.
Compliance-profile flip
OWNER flips standard → regulated_industry via the org-config endpoint. Reverse direction returns HTTP 422 — reverse is a high-trust action that requires human compliance review.
Forbidden-tools deploy guard
Three layers: explicit prefix list, write-verb heuristic, explicit literal list. Enforced at pre-flight validation, last-line Firestore write, and post-write read-back.
Today’s controls inventory, by the numbers.
SoD lookback window for definition edits
Regulated-industry retention floor (override UP only)
Forbidden-tools deploy guard
Where GoodHelp’s governance surface sits.
| Capability | GoodHelp | Generic agent SDKs | Vanta / Drata |
|---|---|---|---|
| Pre-dispatch runtime policy | ✅ | DIY | Different scope |
| SoD approvals | ✅ | DIY | Different scope |
| Approval state machine | ✅ | DIY | Different scope |
| Application-layer tenant isolation | ✅ | Varies | Different scope |
| PII redaction at ledger write | Regex | DIY | Different scope |
| Regulated-industry policy template | ✅ | DIY | Different scope |
Comparison reflects publicly documented capabilities as of 2026-05-25. Vanta and Drata are excellent at evidence collection for SOC 2 / ISO 27001 — a different layer of the stack.
What compliance officers ask first.
What does 'SoD enforced' mean today?
The user who edited an agent definition in the last 24h cannot approve that agent’s next action. Enforcement is fail-CLOSED: SOD_REQUIRE_AUDIT_AVAILABLE=true is set in production, so if the SoD audit context is unavailable the approval is blocked (not allowed) and the block is logged.
How is tenant isolation enforced?
Application-layer: per-org Firestore sub-collections under user_docs/<org_id>/, org_id-required loaders, router-layer membership-derived org_id. There is no firestore.rules file in the repo — isolation is defense-in-depth at the application layer.
What's the PII redaction story?
Regex-typed redactor. Runs at ledger write time on params and outcome_detail. Scans both dict keys and values. Regulated-industry orgs get a strict pass adding email + phone to the baseline SSN / CC / ACH coverage. The strict-mode lookup fail-CLOSES for previously-confirmed regulated orgs. Explicitly regex-based per ADR-006; deferred NER for write-path scope reasons.
What's enforced on cost?
Per-run cost cap (cost_cap_per_run_usd) IS enforced today. Per-period cap (cost_cap_per_period) is captured in the policy schema but inert until the AgentActionLog aggregate-query wiring ships. An inert-counter Prometheus metric monitors the gap.
Is MFA enforced?
Not currently in the GoodHelp surface — Firebase Auth blocking functions are pass-through. On the roadmap.
What's the regulated-industry policy template?
A canonical AgentPolicy instance attachable to any agent, conservative on every axis: $100 per-run cap, external_comms=require_approval, pii_filter=True, data_scope=[no_pii, read_only], retention_years=7, tools_allowed=[] (customer opts in). The 30-day rolling cap is captured but inert until F1; per-run cap is live.
Compliance profile flip?
One-way self-serve for OWNER: standard → regulated_industry flips retention to 7 years, seeds approval policies for FINANCIAL + external_comms, enables runtime PII filtering, locks the dangerous-action policy strict. Reverse direction returns HTTP 422 — contact compliance@goodhelp.ai.
Sub-processors?
Canonical list: OpenAI, Anthropic, Google AI, Ideogram, Kling (LLM/image), GCP infra, Temporal Cloud (mTLS), Stripe, SendGrid. Full list publishes with the Trust Center.
Governance is one of three pillars.
See the multi-agent runtime and the observability + action-ledger surface, or return to the platform overview.
Bring your control checklist; we’ll walk through ours.
Thirty minutes — bring your compliance officer or security lead and the controls list they actually grade against. We’ll go line by line.