Security & data handling
Gamut holds sensitive governance data, so security is a core design property rather than an add-on. This page describes Gamut’s security posture at a product level.
Workspace isolation
Section titled “Workspace isolation”Each organisation uses Gamut in an isolated workspace. One organisation’s AI systems, assessments, evidence and users are kept strictly separate from every other. Access is always scoped to the workspace a user belongs to.
Server-side AI
Section titled “Server-side AI”All AI analysis is proxied server-side. Model provider keys are never exposed to the browser, and prompts and responses are handled by Gamut rather than sent directly from a user’s device to a model provider. This keeps model usage governed and credentials protected.
For agentic AI, the same principle is enforced more strictly still: agents never hold credentials and never call tools directly, every action passes through Gamut Gateway, where keys live and policy is enforced. See the agentic stack overview.
Access control
Section titled “Access control”Access is governed by role-based access control and entitlements. Permissions are enforced server-side on every action, so gating is a genuine security boundary, not just a hidden button. Suspending a user or workspace revokes access immediately.
Authentication
Section titled “Authentication”People sign in with a password or via single sign-on using OpenID Connect, so organisations can apply their own MFA and conditional-access policies. Programmatic access uses named, revocable bearer tokens. Sensitive operations are rate-limited.
Data protection
Section titled “Data protection”Sensitive data and secrets are encrypted, and connector credentials for the agentic stack are held on the Gateway side rather than in workflows or with agents. Destinations for agent actions are allowlisted so agents cannot reach arbitrary endpoints.
Accountability by default
Section titled “Accountability by default”State-changing actions are written to the audit log, and every agent action generates runtime evidence. Together these give a complete, reviewable account of both human and agent activity.
Reporting a concern
Section titled “Reporting a concern”If you believe you have found a security issue, please contact the Gamut team so it can be handled responsibly.
- Agentic stack overview: zero-trust governance of agents.
- Workspaces & tenancy: isolation between organisations.