Governance for AI agents.

Because AI agents don't have an undo button.

Every agentic AI action gets approved, flagged, or stopped cold — in milliseconds, with a permanent record.

Quick Start
# Install the SDK. Declare your first intent in 3 lines.
# Python
$ pip install gaas-sdk
# TypeScript
$ npm install @gaas/sdk
// Java: add to your build.gradle dependencies block
implementation 'is.gaas:gaas-sdk:0.1.0'
# Run the local governance sidecar
$ docker run -p 8200:8200 gaas/sidecar:latest

Works with Python, TypeScript, and Java. Framework plugins for LangChain, AutoGen, and CrewAI.

Five stages between intent and action.

01 Intent Declaration (< 5ms)
The agent declares what it intends to do. If it can't declare it, it can't do it.
02 Context Enrichment (< 50ms)
GaaS discovers what the agent doesn't know. Missing context is itself a finding.
03 Policy Evaluation (< 10ms)
Four-tier policy hierarchy. Universal — regulatory — organizational — agent-specific.
04 Deliberation Engine (< 200ms – 5s)
High-risk actions are debated by a multi-agent panel. Deliberation is the product, not overhead.
05 Decision + Audit (< 25ms)
An immutable, hash-chained audit record with DLT anchoring and governance proof tokens. Every decision is explainable, verifiable, and non-repudiable.

What we believe about governance.

The agent is not the governor.
The agent proposing an action and the system evaluating it are architecturally separate. An agent cannot govern itself — and shouldn't have to. That's cognitive offloading.
Fail-safe, not fail-open.
If governance fails, the action is blocked. Not approved. Not silently passed through. Blocked.
Speed scales with risk.
Sub-100ms for routine actions. Up to 10 seconds of full multi-agent deliberation for high-stakes decisions. The governance tax is proportional to the governance need.
Every decision is auditable.
Hash-chained, immutable audit records with DLT anchoring and co-signed governance proof tokens. Policy epoch versioning. Complete reasoning chains. When a regulator asks "show me your governance program," this is the answer.
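
An added example, not GaaS code: a minimal hash-chained decision log in Python showing what the Stage 05 hash chain detects on its own and what only an externally anchored head hash catches. The record fields, the GENESIS value and all function names are assumptions; the page does not publish the real record format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def record_hash(prev_hash, body):
    """SHA-256 over the previous record's hash plus canonical JSON of this body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()

def append_record(chain, body):
    """Link a new decision record to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "body": body,
                  "hash": record_hash(prev_hash, body)})
    return chain[-1]["hash"]

def verify_chain(chain, anchored_head=None):
    """Return (ok, index of first bad record or None).

    anchored_head is a head hash kept outside the log (the role the page gives
    to DLT anchoring). Without it, someone who can rewrite the whole log can
    recompute every hash and the chain still verifies.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        expected = record_hash(prev_hash, entry["body"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return False, i
        prev_hash = entry["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(chain)  # truncated or rebuilt from scratch
    return True, None

def build_sample_chain():
    """Constructed records, loosely modelled on the page's simulated feed."""
    chain = []
    for agent, verdict, epoch in [("irrigation-ctl", "BLOCK", 7),
                                  ("cx-agent-7", "BLOCK", 7),
                                  ("data-export-3", "BLOCK", 8)]:
        append_record(chain, {"agent": agent, "verdict": verdict,
                              "policy_epoch": epoch})
    return chain
```

Editing one record in place fails verification at that record; rebuilding or truncating the whole log passes the chain check and fails only against the anchored head.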

Your agents are acting. Who's governing?

Autonomous AI agents are sending emails, executing transactions, accessing records, posting content, and controlling physical systems. Right now, the governance model for most of these agents is: hope the prompt was good enough.

GaaS provides the institutional checks that every hospital, bank, and trading floor requires of human employees — but for AI agents. Cognitive offloading that's structured, fast, transparent, and auditable.

48,293 DECISIONS
87.3% APPROVAL RATE
74ms AVG LATENCY
12 BLOCKED TODAY
SYSTEM OVERVIEW: ● ONLINE
VERDICT DISTRIBUTION
74.2% APPROVE, 12.8% MODIFY, 8.6% ESCALATE, 4.4% BLOCK
PIPELINE HEALTH
Intent Declaration: 2ms
Context Enrichment: 18ms
Policy Evaluation: 6ms
Deliberation: 142ms
Decision + Audit: 9ms
RECENT BLOCKS
irrigation-ctl (2m ago): Stale sensor data — contradiction detected
cx-agent-7 (4m ago): PCI-DSS violation — speakerphone active
data-export-3 (11m ago): GDPR scope exceeded — 340K records

Simulated feed. Actual decisions include full audit records with hash-chain verification.

Three lines of code. Full governance.

from gaas import GaaSClient

client = GaaSClient(api_key="gaas_live_org_...")

# Every agent action goes through governance
decision = client.declare_intent(
    action="send_email",
    target="customer@example.com",
    risk_level="low",
    context={"authenticated": True, "template": "welcome_series"}
)

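# send_email and original_params are the application's own function and parameters.
# Act only on an approved decision, preferring any parameters governance rewrote.
if decision.approved:
    send_email(decision.modified_parameters or original_params)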
SDKs   Python, TypeScript, Java
FRAMEWORK PLUGINS   LangChain, AutoGen, CrewAI
PROTOCOL   REST/HTTPS, JSON payloads
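
A caller-side illustration of "fail-safe, not fail-open" around the snippet above, added here and not part of the GaaS SDK: the action runs only on an explicit approval, and a timeout, an exception or a malformed decision all block. `Decision`, `governed_call` and `demo` are hypothetical names; the stand-in carries only the `approved` and `modified_parameters` fields the page shows, and the 10 second default mirrors the deliberation ceiling the page states.

```python
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Any, Optional

@dataclass
class Decision:
    """Stand-in for the SDK's decision object (only the two fields the page shows)."""
    approved: Any
    modified_parameters: Optional[dict] = None

def governed_call(declare, action, params, timeout_s=10.0):
    """Run action(params) only on explicit approval; return (executed, detail)."""
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        decision = pool.submit(declare).result(timeout=timeout_s)
    except FutureTimeout:
        return False, "blocked: governance timed out"
    except Exception as exc:  # sidecar down, HTTP 5xx, malformed response
        return False, f"blocked: governance error ({type(exc).__name__})"
    finally:
        pool.shutdown(wait=False)  # never wait on a hung governance call
    # Identity check: a truthy value such as the string "false" must not pass.
    if getattr(decision, "approved", None) is not True:
        return False, "blocked: no explicit approval"
    modified = getattr(decision, "modified_parameters", None)
    if modified is not None and not isinstance(modified, dict):
        return False, "blocked: malformed modified_parameters"
    return True, action(modified or params)

def demo():
    """Constructed scenarios; each callable fakes one governance outcome."""
    sent = []
    send = lambda p: sent.append(p) or p["template"]
    params = {"to": "customer@example.com", "template": "welcome_series"}
    rewritten = dict(params, template="plain_text")
    def outage():
        raise ConnectionError("sidecar unreachable")
    def slow():
        time.sleep(0.3)
        return Decision(True)
    results = {
        "approved": governed_call(lambda: Decision(True), send, params),
        "modified": governed_call(lambda: Decision(True, rewritten), send, params),
        "denied": governed_call(lambda: Decision(False), send, params),
        "stringly": governed_call(lambda: Decision("false"), send, params),
        "outage": governed_call(outage, send, params),
        "timeout": governed_call(slow, send, params, timeout_s=0.05),
    }
    return results, sent
```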

Rules applied to reality, not just claims

Context Connectors are pluggable data sources that enrich AI agent intent declarations with real-world context during Stage 2 of the governance pipeline.

They transform governance from "rules applied to agent claims" to "rules applied to reality."

Native Production Connectors
Twilio Connector
Call/SMS metadata enrichment for PCI/PHI compliance
Data Enriched
Call status, recording state, speakerphone detection, caller info
API
Twilio Voice/Messaging REST API
Use Case
Prevents agents from reading credit card numbers on speakerphone
Salesforce Connector
CRM data enrichment for relationship-aware governance
Data Enriched
Account standing, customer tier, complaint history, open cases
API
Salesforce REST API (OAuth2)
Use Case
Adjusts agent tone based on customer relationship status
Stripe Connector
Payment account enrichment for financial transaction governance
Data Enriched
Fraud scores, dispute history, account balance, delinquency status
API
Stripe REST API
Use Case
Blocks transactions for delinquent accounts or high fraud scores
GitHub Connector
Developer platform enrichment for code access and deployment governance
Data Enriched
Repository metadata, branch protection, 2FA status, org membership
API
GitHub REST API v3
Use Case
Blocks deployments to protected branches without proper permissions
Okta Connector
Identity verification enrichment for MFA-based governance
Data Enriched
MFA status, group memberships, session state, authentication factors
API
Okta REST API v1
Use Case
Requires MFA verification before accessing regulated data
Datadog Connector
Observability enrichment for SLO and incident-aware governance
Data Enriched
Monitor status, SLO compliance, error budgets, incident severity
API
Datadog API v1/v2
Use Case
Blocks risky deployments when SLO error budget is depleted
Slack Connector
Workspace enrichment for organizational and team-based governance
Data Enriched
User roles, 2FA status, team membership, channel access, workspace policies
API
Slack Web API
Use Case
Requires 2FA verification before executing workspace operations
Workday Connector
HR enrichment for employee profile and compliance-based governance
Data Enriched
Worker status, manager chain, certifications, training completion
API
Workday REST API v36.0
Use Case
Blocks access when required compliance certifications are missing
Zendesk Connector
Support ticket enrichment for SLA and priority-aware governance
Data Enriched
Ticket priority, SLA breach status, requester details, organization info
API
Zendesk REST API v2
Use Case
Escalates high-priority tickets with SLA breach risk to human review
Microsoft Teams Connector
Workplace collaboration enrichment for team governance
Data Enriched
Team membership, channel permissions, meeting status, presence state
API
Microsoft Graph API
Use Case
Restricts channel posting when team policies require approval workflows
Google Workspace Connector
Document management enrichment for data governance
Data Enriched
File ownership, sharing permissions, Drive access, document sensitivity
API
Google Drive API, Admin SDK
Use Case
Prevents sharing of confidential documents outside organization domain
Jira Connector
Project management enrichment for workflow governance
Data Enriched
Issue status, sprint state, workflow stage, approval chains
API
Jira REST API v3
Use Case
Blocks deployments when linked Jira tickets are still in review status
Asana Connector
Work management enrichment for task governance
Data Enriched
Task dependencies, project milestones, assignee workload, due dates
API
Asana REST API v1
Use Case
Escalates when agents attempt actions on incomplete prerequisite tasks
Vanta Connector
Compliance automation enrichment for regulatory governance
Data Enriched
SOC 2 status, ISO 27001 compliance, HIPAA controls, GDPR readiness
API
Vanta REST API
Use Case
Blocks access to regulated systems when compliance controls are failing
PagerDuty Connector
Incident management enrichment for operational governance
Data Enriched
Incident severity, on-call schedules, escalation policies, service status
API
PagerDuty REST API v2
Use Case
Prevents non-urgent changes during active P1/P2 incident windows
Alexa Smart Home Connector
Smart home device enrichment for facility-aware governance
Data Enriched
Device inventory, reachability state, automation routines, device types
API
Alexa Smart Home API v3
Use Case
Prevents smart lock unlock commands when device is unreachable
SmartThings Connector
Smart home IoT hub enrichment for device-aware governance
Data Enriched
Device capabilities, states, locations, automation routines
API
SmartThings API v1
Use Case
Prevents device control commands across smart home hubs without proper authorization scoping
Google Nest Connector
Smart home enrichment for occupancy and environmental governance
Data Enriched
Thermostat readings, camera status, doorbell data, occupancy detection
API
Google SDM API v1
Use Case
Restricts thermostat changes when occupancy sensors detect empty rooms
Honeywell Home Connector
HVAC and thermostat enrichment for energy-aware governance
Data Enriched
Thermostat mode, setpoints, indoor/outdoor temperature, device status
API
Honeywell Home API (Resideo)
Use Case
Blocks HVAC setpoint changes that exceed energy compliance thresholds
Philips Hue Connector
Smart lighting enrichment for facility-aware governance
Data Enriched
Light states, brightness, rooms, scenes, active light count
API
Philips Hue CLIP v2 API
Use Case
Restricts smart lighting automation overrides during facility occupancy hours
Canvas LMS Connector
Learning platform enrichment for FERPA-compliant education governance
Data Enriched
User roles, course enrollment, assignment metadata, student counts
API
Canvas LMS REST API
Use Case
Blocks grade data access for non-instructor roles under FERPA policy
Clever Connector
K-12 identity enrichment for student data governance
Data Enriched
District identity, roster counts, SIS sync status, authorized scopes
API
Clever Data API v3.1
Use Case
Restricts student PII access based on COPPA/FERPA district policies
ShipStation Connector
Logistics enrichment for order fulfillment governance
Data Enriched
Orders awaiting shipment, shipment counts, warehouse data, carrier configs
API
ShipStation REST API
Use Case
Blocks new order intake when fulfillment backlog exceeds threshold
AEMP 2.0 Connector
Heavy equipment telematics enrichment for safety-aware governance
Data Enriched
Equipment status, operating hours, fuel consumption, fault codes
API
AEMP 2.0 REST API (ISO 15143-3)
Use Case
Blocks heavy equipment dispatch when active fault codes exceed safety thresholds
Leaf Agriculture Connector
Precision agriculture enrichment for environmental-aware governance
Data Enriched
Field boundaries, equipment telemetry, operation records, crop data
API
Leaf Agriculture REST API
Use Case
Restricts irrigation automation when soil moisture data conflicts with precipitation forecasts
Tesla Fleet Connector
Energy and fleet enrichment for charging and infrastructure governance
Data Enriched
Energy site data, charging sessions, charger inventory, energy history
API
Tesla Fleet API
Use Case
Restricts high-power charging sessions during peak energy rate windows
SolarEdge Connector
Solar and battery monitoring enrichment for energy-aware governance
Data Enriched
Solar production, battery charge level, energy consumption, inverter status
API
SolarEdge Monitoring API
Use Case
Prevents battery discharge commands when reserves fall below household backup thresholds

Govern what your agents do. Govern what agents do to you.

Outbound Governance
Your agents, governed.
Control what your AI agents do in the world. Every action evaluated before execution.
Inbound Governance
Your property, protected.
Control what visiting AI agents do on your digital property. Identify, gate, monitor, and audit.

Organizations that govern their outbound agents earn trust tokens recognized across the GaaS network.

Governance earns trust. Trust unlocks access.

1 Registered
SDK integrated, basic policies configured. → GaaS token issued
2 Verified
30-day compliant operation demonstrated. → Elevated trust tokens
3 Certified
Independent audit, full deliberation enabled. → H2Om GaaS Certified
GaaS Governance Shield

12 frameworks. 60+ policies. Built in.

Every governance decision is evaluated against the regulatory frameworks that apply to your industry, jurisdiction, and action type.

EU AI Act
5 policies
Articles 9–15 enforcement. Risk classification, transparency obligations, human oversight requirements.
GDPR
4 policies
Erasure, portability, automated decision explanation, sub-processor management.
HIPAA
Enforced
PHI detection and blocking. Minimum necessary standard enforcement. BAA-ready audit trail.
PCI DSS
Enforced
Cardholder data detection and blocking. Agent payment compliance.
SOC 2
Audit-ready
Hash-chain integrity satisfies availability and integrity trust service criteria.
NIST 800-53
Mapped
AC, AU, IA, SC control families with agent-specific interpretations.
FedRAMP
Mapped
FedRAMP Moderate baseline alignment. Control inheritance documentation.
CMMC
Mapped
Level 2 practice mapping for defense contractor agent governance. CUI handling.
NIST CSF
Mapped
Identify, Protect, Detect, Respond, Recover mapped to governance pipeline stages.
NIST AI RMF
Mapped
AI Risk Management Framework — Map, Measure, Manage, Govern functions.
FERPA
Enforced
Education record protection. Role-based access enforcement for student PII.
COPPA
Enforced
Child data protection. Age-gated content and data access controls.

Patent Pending — Provisional patent filed March 2026 covering the GaaS governance pipeline architecture.


Frequently Asked Questions

Every time an agent declares an intent and GaaS evaluates it through the full five-stage pipeline — intent declaration, context enrichment, policy evaluation, deliberation if needed, and verdict plus audit — returning a verdict in under 100ms, that is one governance decision. The free launch pool covers all of that at no cost.

Every block includes a complete reasoning chain: which policy triggered, which condition failed, and what the agent would need to change to make the action compliant. Nothing is blocked silently. Your team can review every blocked action in the dashboard.

Shadow Mode requires a short SDK integration (Python, TypeScript, or Java) that routes your agent's actions through the GaaS pipeline. It typically takes an afternoon for a developer using LangChain, AutoGen, or CrewAI. Shadow Mode does not enforce decisions, so there is zero operational risk while you evaluate. Switching to live enforcement is a single flag change.

Guardrails live inside your agent's context window and cost 23,000–65,000 tokens per governance cycle. They have no access to real-world context and produce no auditable record. GaaS is an external governance layer: 200–500 tokens per cycle, enriches decisions with context your agent doesn't have, and produces an immutable audit trail for every decision.

GaaS evaluates every governance decision against 12 regulatory frameworks and 60+ policies — including EU AI Act, GDPR, HIPAA, PCI DSS, SOC 2, NIST 800-53, FedRAMP, CMMC, NIST CSF, NIST AI RMF, FERPA, and COPPA. Coverage is automatic based on the action type, jurisdiction, and industry. Compliance status is queryable via API and exportable for auditor review.

Every intent declaration is scanned against 17 prompt injection signatures at Stage 1 — before any context enrichment or policy evaluation occurs. Flagged payloads are rejected immediately. At Stage 3, enriched context is re-scanned for injection patterns that only emerge after enrichment. Behavioral anomaly detection identifies agents deviating from established patterns. All security controls are Tier 1 — non-disableable. SIEM integration (CEF format) is available for enterprise security operations.

White Paper
The Context Dividend
How externalizing governance reclaims 30–60% of an agent's context window — and why that changes everything.
Intellectual Property
Patent Pending
Provisional patent filed March 2026 covering the multi-stage governance pipeline architecture for autonomous AI agents.
Coming soon