Architecture overview

This page describes Gamut at a conceptual level: how the platform is organised and how its parts fit together. It is intentionally product-level. For integration details see the API reference.

Gamut has two complementary halves:

  1. The governance platform, the system of record for AI systems, risk, assessments, evidence and reporting. This implements the governance lifecycle.
  2. The agentic stack, Agentic CISO, Gamut Gateway and Gamut Claw, which extend governance to AI that takes action, applying and enforcing policy at runtime.

The governance platform is where policy and evidence live. The agentic stack is where that policy is applied to running agents and where runtime evidence is generated and fed back.

Gamut defines the governance policy.
Gateway applies and enforces that policy at runtime.
Claw requests work and executes only through Gateway-controlled paths.
Gamut records what happened.

The governance platform implements an eight-stage lifecycle. Each stage is backed by one or more product modules.

[Figure: the eight-stage lifecycle drawn as a loop: 1 Discover, 2 Assess, 3 Classify, 4 Govern, 5 Evidence, 6 Audit, 7 Report, 8 Improve, with "continuous improvement" feeding back to the start.]
The eight-stage AI governance lifecycle. Each stage produces records the next builds on, and findings feed back into continuous improvement.
Module                          Lifecycle stage     What it does
------------------------------  ------------------  -----------------------------------------------------------
Registry & Discovery            Discover            Standing inventory of AI systems; surfacing AI in use.
Intake & risk tiering           Assess, Classify    Capture context and determine risk.
Assessments & control testing   Govern              Score systems against frameworks and test controls.
Evidence & findings             Evidence, Audit     Capture proof and track deficiencies to closure.
Reporting & exports             Report              Board-level and workpaper-grade outputs.
Policy generation               Govern              Draft AI governance policy with AI assistance.
Model cards                     Govern              Document model-level technical and ethical characteristics.

The defining property of Gamut is traceability. The objects connect in a chain:

AI system -> use case -> intake -> risk tier
-> assessment -> control -> control test
-> evidence -> finding -> remediation
-> report

Because the chain is explicit, any conclusion can be traced back to the records that support it, which is what makes Gamut governance defensible under review.

Gamut is delivered as a secure, multi-tenant web application. Key properties:

  • Workspace isolation. Each organisation’s data is isolated in its own workspace.
  • Server-side AI. All AI analysis is proxied server-side, so model provider keys are never exposed to the browser.
  • Role-based access. Access is governed by roles and entitlements.
  • Accountable by default. State-changing actions are written to the audit log.

For how Gamut protects governance data, see Security & data handling.

When AI takes action rather than only producing text, design-time assessment is not enough. The agentic stack adds runtime governance, with a clean separation between policy, enforcement and execution.

[Figure: the agentic stack. Gamut AI Governance (system of record) and Agentic CISO sit at the top; Gamut Gateway (policy decision and enforcement, ATF runtime) sits between them and the tools, models and data, which are reached through governed connectors ("keys live here, not with agents"); Gamut Claw or a bring-your-own runtime is the secure execution layer ("think anywhere, act through Gateway"). Arrows: policy flows from Gamut to Gateway and runtime evidence flows back; the runtime requests action, Gateway makes the governed call and returns the result.]
The agentic stack. Gamut AI sets policy and records evidence; Gateway decides and enforces every action; Claw or a bring-your-own runtime executes only through Gateway. Agents never hold credentials or call tools directly.
  • Agentic CISO, the agent register, ATF assessment, tool and data governance, approvals and runtime evidence.
  • Gamut Gateway, the policy decision and enforcement engine that governs agent actions at runtime.
  • Gamut Claw, the secure execution layer that runs agent work only through Gateway-controlled paths.
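
The separation of policy, enforcement and execution described above can be sketched in code. The following is an added illustration, not code from Gamut or any of its components: a hypothetical Gateway class that holds the connector credentials, decides each request against a per-agent policy, executes only through a governed connector and appends an evidence record for every decision, and an Agent that can act only by asking the Gateway. The policy, tool names, ticket store and key values are constructed placeholders.

```python
# Constructed sample data: a governed ticket store whose connectors demand a credential.
_TICKETS = {"T-1": "Phishing report from finance"}
_CONNECTOR_KEYS = {"ticket.read": "KEY-PLACEHOLDER", "ticket.close": "KEY-PLACEHOLDER"}

def _connector(tool, fn):
    """Wrap a tool so it only runs when presented with the credential the Gateway holds."""
    def run(credential, payload):
        if credential != _CONNECTOR_KEYS[tool]:
            raise PermissionError(f"bad credential for {tool}")
        return fn(payload)
    return run

CONNECTORS = {
    "ticket.read": _connector("ticket.read", lambda p: _TICKETS.get(p["id"])),
    "ticket.close": _connector("ticket.close", lambda p: _TICKETS.pop(p["id"], None) is not None),
}

class Gateway:
    """Policy decision and enforcement point. Credentials and the evidence log live here."""
    def __init__(self, policy, connectors, secrets):
        self._policy = policy          # agent id -> set of tools the policy permits
        self._connectors = connectors  # tool -> governed connector
        self._secrets = secrets        # tool -> credential; never handed to an agent
        self.evidence = []             # runtime evidence fed back to the system of record

    def request(self, agent_id, tool, payload):
        if tool not in self._connectors:
            return self._record(agent_id, tool, "deny", "no governed connector", None)
        if tool not in self._policy.get(agent_id, set()):
            return self._record(agent_id, tool, "deny", "not permitted by policy", None)
        result = self._connectors[tool](self._secrets[tool], payload)
        return self._record(agent_id, tool, "allow", "permitted by policy", result)

    def _record(self, agent_id, tool, decision, reason, result):
        self.evidence.append({"agent": agent_id, "tool": tool, "decision": decision, "reason": reason})
        return {"decision": decision, "result": result}

class Agent:
    """Execution side: holds only its identity and a handle to the Gateway, never a credential."""
    def __init__(self, agent_id, gateway):
        self.agent_id, self._gateway = agent_id, gateway
    def act(self, tool, payload):
        return self._gateway.request(self.agent_id, tool, payload)

def demo():
    """Triage bot may read tickets but not close them or send mail; every attempt is logged."""
    gw = Gateway({"triage-bot": {"ticket.read"}}, CONNECTORS, _CONNECTOR_KEYS)
    bot = Agent("triage-bot", gw)
    return [bot.act("ticket.read", {"id": "T-1"}), bot.act("ticket.close", {"id": "T-1"}),
            bot.act("email.send", {"to": "cfo"})], gw
```

The denied close never reaches the connector, so the ticket survives, and the evidence log carries one record per request whether it was allowed or not.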

See the agentic stack overview for how these fit together and align to the Agentic Trust Framework.