
FAQ

Gamut is an AI governance lifecycle platform. It helps organisations discover the AI they use, classify its risk, assess it against multiple frameworks, and produce audit-ready evidence. See What is Gamut AI.

Organisations running AI governance, across risk, compliance, security and procurement, and the auditors who review them. It is built for organisations that need to demonstrate structured governance, including banks, financial institutions and regulated enterprises. See Who Gamut is for.

GTSAF, the EU AI Act, NIST AI RMF, ISO/IEC 42001 and 42005, NAGF, ACRS, the Agentic Trust Framework (ATF) and MAESTRO. A single AI system can be assessed against one or several. See Frameworks overview.

Intake captures structured risk signals, and a deterministic governance weighting profile (six weighted dimensions with configurable thresholds and floor rules) turns them into a risk tier. The same inputs always produce the same tier, and the reasoning is traceable. See Intake & risk tiering.

Does Gamut give legal advice or certify compliance?

No. Gamut’s framework references help you organise governance work and are not endorsements by framework owners. The product does not replace licensed standards, legal advice, certification audits or regulator guidance. See Frameworks overview.

What is the difference between GTSAF and the regulatory frameworks?


GTSAF is Gamut’s native assurance baseline (358 controls across 17 domains) and provides the depth. The regulatory frameworks (EU AI Act, NIST AI RMF, ISO) map Gamut’s workflow to external regimes, and evidence crosswalks between them. See GTSAF.

Through the agentic stack: Agentic CISO governs agents, Gateway enforces policy on every action, and Claw executes work only through Gateway. Agents never hold credentials or call tools directly. See the agentic stack overview.

Yes. The BYO agent runtime lets you run external frameworks (LangGraph, CrewAI, Hermes, OpenClaw and custom code) while Gamut remains the trust and enforcement plane: think anywhere, act through Gateway.

What happens if an agent is not registered?


It is blocked. Gateway refuses any action from an agent that is not in the Agentic CISO register, at critical severity. An agent’s autonomy is also capped by its ATF level (Intern through Principal), so it can only act within that boundary.

By ACRS, which scores an agent’s capability across dependency, action, access and harm to set how tightly to govern it, and by an ATF assessment for trust and autonomy readiness.

Is my data isolated from other organisations?


Yes. Each organisation operates in an isolated tenant with its own database schema, not just query filtering. See Security & data handling.

Sensitive secrets and credentials are encrypted at the application layer with AES-256-GCM, and the server refuses to start in production without its encryption key. Passwords are scrypt-hashed. See Security & data handling.

State-changing actions are written to the audit log before they return, and a defined set of high-sensitivity actions (role grants, exports, policy and agent decisions, billing, and more) must produce an audit record. Agent actions also generate hash-chained runtime evidence.
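As an added illustration of what hash-chained evidence gives a reviewer (example code written for this FAQ, not Gamut’s own implementation): each record’s hash covers the previous record’s hash, so editing any earlier record, even with its own hash recomputed, breaks verification of every record after it. The agent names, actions and decisions are constructed sample data.

```python
import hashlib
import json

# Hash of "no previous record"; the first record chains to this value.
GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    # Canonical JSON so an identical record always hashes identically.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_evidence(chain: list, agent: str, action: str, decision: str) -> dict:
    """Append one agent-action record whose hash covers the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "agent": agent, "action": action,
            "decision": decision, "prev_hash": prev_hash}
    record = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    chain.append(record)
    return record


def verify_chain(chain: list):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    prev_hash = GENESIS
    for i, record in enumerate(chain):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["prev_hash"] != prev_hash or record["seq"] != i:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != record["hash"]:
            return False, i
        prev_hash = record["hash"]
    return True, None


def demo() -> tuple:
    """Build a small constructed chain, then tamper with it and re-verify."""
    chain = []
    append_evidence(chain, "claw-01", "tool:read_file", "allow")
    append_evidence(chain, "claw-01", "tool:send_email", "deny")
    append_evidence(chain, "unregistered-agent", "tool:shell", "deny")
    intact = verify_chain(chain)
    # Flip record 1's decision and recompute only that record's own hash:
    # record 2 still references the old hash, so verification fails at index 2.
    tampered = json.loads(json.dumps(chain))
    tampered[1]["decision"] = "allow"
    body = {k: v for k, v in tampered[1].items() if k != "hash"}
    tampered[1]["hash"] = hashlib.sha256(canonical(body)).hexdigest()
    return intact, verify_chain(tampered)
```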

All AI analysis is proxied server-side, so model provider keys are never exposed to the browser. The AI Consultant and other AI features are gated by role and entitlement and metered by daily and monthly quotas. See Security & data handling.

Standard, Advanced, Enterprise (plus Trial and Platform). Standard covers core frameworks and basic AI; Advanced adds control testing, workpapers, findings/evidence registers and policy generation; Enterprise adds the agentic stack (Agentic CISO, Gateway, Claw) and Discovery. A capability needs both the plan entitlement and the user’s role permission. See Plans & entitlements.

Yes, via OpenID Connect. See Single sign-on.

Yes, an HTTP API authenticated with bearer tokens. See the API overview.

Follow the Quickstart: sign in, register an AI system, run intake, and complete your first assessment.

See Support.