Governance
Governance is the architecture, not the disclaimer.
Zero
outputs issued without a human approval on record
In code
every user-facing figure, never model-guessed
In-region
regulated and personal data, by policy
Every agent we build runs the same line.
Work comes in. The agent does the routine part end to end. It stops at a human gate before anything irreversible, then runs on, every action logged, to a measured result. The five parts never change: the work, the agent, a human approval, the record, the outcome.
- 01
Work comes in
A task enters the line
- 02
AI agent
Pulls the data, drafts the work, checks the rules
- 03
Human gate
A person signs off
- 04
Outcome
Written to your record, every action logged
- 01
Work comes in
A task enters the line
- 02
AI agent
Pulls the data, drafts the work, checks the rules
- 03
Human gate
A person signs off
- 04
Outcome
Written to your record, every action logged
The standards that do not move.
These are not promises in a slide. They are engineered into how every CLRT system is built, so the governance holds whether or not anyone is watching.
- 01
A human approval gate on every agent
Routine work runs end to end. The judgement that matters routes back to a named person before anything irreversible happens. The approver sees a draft with its exceptions already flagged, so the review is a judgement on what is unusual, not a proofread of boilerplate.
- 02
A trail behind every action
Every input an agent read, every rule it applied, the draft it produced, the person who approved it, and the moment they did, are logged. Any issued action can be reconstructed and defended after the fact. Nothing is unexplained, nothing unattributable.
- 03
Every figure computed in code, never by a model
The numbers a user sees are calculated deterministically from real inputs. A language model writes the sentence around the figure. It never originates the figure. The enterprise's deepest fear, the confident hallucinated number, is engineered out.
- 04
Model output checked before it reaches anyone
What a model produces is constrained and verified before it is shown or acted on, so the system degrades to a sensible default rather than a surprise.
Most data may travel. Regulated records may not.
We classify your data by tier and route each tier by policy, designed to align with UAE PDPL and GDPR. For government entities and regulated businesses, we design for data residency and sovereign hosting from the start.
- Public and internal
- Best available model, wherever it runs.
- Confidential
- Stays in-region.
- Regulated and personal
- In-region or on-premise only, by policy. We choose the engine to fit the obligation, never the other way round.
Built to survive a security review, not just a demo.
Before an agent touches production, four controls are in place, and your security and legal teams get them in writing.
- 01 / Scoped permissions
- The agent gets least-privilege access and cannot do the thing you fear because it was never granted the ability.
- 02 / Immutable audit log
- Every action is recorded to a log that cannot be quietly edited after the fact.
- 03 / Deterministic figures
- User-facing numbers are computed in code from the record, then placed by rule.
- 04 / Human approval gate
- Nothing irreversible happens without a named person on the record.
Some work should never run unattended. We tell you which.
Negotiation, genuinely novel judgement, and the relationship itself stay human. An agent that tried to negotiate would be a liability dressed as a feature. And when an agent is not the right answer at all, we say so. Telling you where not to build is part of the work.
Start here
Could your AI survive your own security review?
Ascent is our free diagnostic. It finds the one workflow worth building, prices it in dirhams, and shows the governed line it would run before you commit a single day. The controls are in the design from the first step.