Plans & entitlements
A workspace’s plan determines which features it can use. Entitlements are how those features are gated and enforced across the product. Gating is a security boundary: a capability a plan does not include is enforced server-side, not merely hidden.
The plan tiers
| Plan | Frameworks | Notable inclusions |
|---|---|---|
| Standard | Core set (GTSAF, EU AI Act, NIST AI RMF) | Systems, intake, assessment, risks, policies, model cards, AI analysis, CSV export. |
| Advanced | Core plus MAESTRO, ACRS, NAGF | The full product except the agentic stack: control testing, workpapers, findings and evidence registers, reports, AI chat, policy generation, audit trail. |
| Enterprise | All, including ATF | Everything in Advanced plus the agentic stack: Agentic CISO, Gateway, Claw, and Discovery. |
| Trial | All, including ATF | The full product, time-limited, to showcase Enterprise capabilities. |
| Platform | All | Gamut operator tier. |
| No Access | None | Login only. |
The autonomous agent stack, Agentic CISO, Gateway, Claw, and Discovery, carries the highest operational and security risk, so it is reserved for Enterprise (and Trial). ATF is grouped with that stack: an agentic framework is only useful where there are governed agents to assess. ISO/IEC 42001 and 42005 assessment modules are never plan entitlements; they are enabled only after a valid licence confirmation is recorded.
Two caps, whichever is lower
Effective access is the intersection of two limits:
- The plan tier the workspace is on.
- The role product ceiling of the user. A Standard-role user is capped at Standard capabilities even on an Enterprise plan, and an Advanced-role user cannot reach the agentic stack.
A feature is available only when both the plan and the role allow it. This is why a capability can be present for one colleague and absent for another in the same workspace.
Usage quotas
Beyond features, plans set numeric quotas, enforced server-side, that scale with tier:
- AI analysis: daily and monthly call limits.
- Policy generation: separate daily and monthly limits, zero unless the `policy_generation` entitlement is on.
- Assessments: a maximum number per workspace.
- Model level: which Claude models the plan may use, with a default model per tier.
Quotas keep AI usage predictable and are part of how Gamut keeps model usage governed.
How gating is enforced
Every gated capability binds an entitlement feature to one or more RBAC permissions, so a user needs both the role permission and the plan entitlement. The check runs server-side on every request, so the interface and the API agree and gating cannot be bypassed from the client.
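The following is an added illustration of the rules described in the sections above (the two caps, usage quotas, and how gating is enforced); it is example code written for this page, not Gamut's own implementation or API. It models the plan tier and role ceiling as an ordered enum so "whichever is lower" is a `min`, checks the plan entitlement and the bound RBAC permission together, returns a zero quota when the entitlement is off, expires a Trial by date, and gates the ISO modules on a licence confirmation rather than a plan. The tier ordering, feature keys, permission names, trial length and quota numbers are constructed placeholders, not Gamut's real entitlement table.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum
from typing import Optional

# Ordered so that the lower of two tiers can be taken with min().
class Tier(IntEnum):
    NO_ACCESS = 0
    STANDARD = 1
    ADVANCED = 2
    ENTERPRISE = 3

# Plan name -> tier. Trial and Platform map to the top tier; Trial is time-limited.
PLAN_TIERS = {
    "No Access": Tier.NO_ACCESS,
    "Standard": Tier.STANDARD,
    "Advanced": Tier.ADVANCED,
    "Enterprise": Tier.ENTERPRISE,
    "Trial": Tier.ENTERPRISE,
    "Platform": Tier.ENTERPRISE,
}

# Constructed feature keys per tier (placeholders); each tier is a superset of the one below.
_STANDARD = {"assessments", "ai_analysis", "csv_export"}
_ADVANCED = _STANDARD | {"control_testing", "policy_generation", "audit_trail"}
_ENTERPRISE = _ADVANCED | {"agentic_ciso", "gateway", "claw", "discovery"}
PLAN_FEATURES = {
    Tier.NO_ACCESS: frozenset(),
    Tier.STANDARD: frozenset(_STANDARD),
    Tier.ADVANCED: frozenset(_ADVANCED),
    Tier.ENTERPRISE: frozenset(_ENTERPRISE),
}

# Constructed RBAC binding: the permission(s) a feature additionally requires.
FEATURE_PERMISSIONS = {
    "ai_analysis": {"analysis:run"},
    "policy_generation": {"policies:write"},
    "agentic_ciso": {"agents:operate"},
}

# Constructed (daily, monthly) quotas per tier; a missing entry means no allowance.
QUOTAS = {
    Tier.STANDARD: {"ai_analysis": (20, 300)},
    Tier.ADVANCED: {"ai_analysis": (100, 2000), "policy_generation": (10, 100)},
    Tier.ENTERPRISE: {"ai_analysis": (500, 10000), "policy_generation": (50, 500)},
}

# ISO/IEC 42001 and 42005 modules are licence-gated, never plan-gated.
LICENCE_GATED = {"iso42001", "iso42005"}


@dataclass
class Workspace:
    plan: str
    trial_expires: Optional[datetime] = None
    iso_licence_confirmed: bool = False


@dataclass
class User:
    role_ceiling: Tier                      # the role's product ceiling
    permissions: set = field(default_factory=set)


def plan_tier(ws: Workspace, now: datetime) -> Tier:
    """Tier granted by the plan; an expired (or undated) Trial grants nothing."""
    if ws.plan == "Trial" and (ws.trial_expires is None or now >= ws.trial_expires):
        return Tier.NO_ACCESS
    return PLAN_TIERS.get(ws.plan, Tier.NO_ACCESS)


def effective_tier(ws: Workspace, user: User, now: datetime) -> Tier:
    """Two caps, whichever is lower: the plan tier AND the role ceiling."""
    return min(plan_tier(ws, now), user.role_ceiling)


def can_use(feature: str, ws: Workspace, user: User, now: datetime) -> bool:
    """Server-side gate: plan entitlement AND every bound RBAC permission."""
    if feature in LICENCE_GATED:
        return ws.iso_licence_confirmed       # a recorded licence, not a plan
    if feature not in PLAN_FEATURES[effective_tier(ws, user, now)]:
        return False                          # entitlement half
    return FEATURE_PERMISSIONS.get(feature, set()) <= user.permissions  # RBAC half


def quota(feature: str, ws: Workspace, user: User, now: datetime) -> tuple:
    """(daily, monthly) allowance for a metered feature; zero unless entitled."""
    if not can_use(feature, ws, user, now):
        return (0, 0)
    return QUOTAS.get(effective_tier(ws, user, now), {}).get(feature, (0, 0))
```

The same `can_use` function is what both the interface and the API would call, which is the property the section above describes: one server-side check, so a client that hides nothing still gains nothing.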
Administering your plan
Administrators can see the workspace’s current entitlements in Administration. To change plan or discuss enterprise capabilities, contact the Gamut team.
- Users & roles: the role half of the access gate.
- Frameworks overview: what each framework offers.
- Agentic stack overview: the Enterprise agentic capabilities.