Trust Infrastructure for Regulated AI Agents

The AI agent vendors most teams evaluate today were built for consumer-grade SaaS. They work well there. They do not pass procurement at a defense prime, a hospital system, a bank, or a government agency. FlowDot was built with the trust layer as the floor, not the ceiling, so that the platform clears the security and compliance gates that block other vendors. This page is the regulated-industry reference.

TL;DR

  • Cross-surface panic E-stop, sticky, password-confirmed clear. One button, every outbound action stops, no auto-clear. The compliance officer's "show me the kill switch" question has an answer.
  • Per-tool permission gate with five scopes. The principle of least privilege at the AI tool level, persisted across web, native, mobile, VR, CLI, MCP.
  • Append-only audit, no DELETE path. Every press, every clear, every action is forensically recorded. Audit retention is not a feature; it is an invariant of the code.
  • Four-layer LLM attribution on every call. Provider, routing provider, source provider, model. Every audit row knows what touched the data.
  • Deployment options: FlowDot SaaS, self-host, AWS GovCloud, on-prem, and air-gapped. You choose where data lives.
  • Honest about what is not audited. When a call legitimately bypasses the Hub (local Ollama, OAuth-Codex), the Trust Center says so on a banner rather than fabricating coverage.

Why Regulated Buyers Are Blocked Today

Procurement at a regulated buyer asks the same three questions of any AI agent vendor, and none of the major hosted vendors answer all three.

Compliance question: Can you prove what the agent did and on what authority?
What is actually being asked: "Show me an audit log that an external auditor can read. Not a debugging trace. Not a vendor dashboard. A forensic, append-only record that answers: who approved this tool call, who actually executed it, who got the data."

Compliance question: Can the operator stop it?
What is actually being asked: "Show me the kill switch. Not the cancel button on one screen. The control that halts every outbound action across every device until a human with the right password clears it."

Compliance question: Where does the data live?
What is actually being asked: "Tell me the cloud region. If the answer is 'the model provider's cloud,' then tell me what data the provider sees, in what form, retained for how long. If you cannot deploy in the cloud we are authorised to use, the conversation ends."

The first question kills hosted-only agent platforms that do not have a per-user audit feed with cryptographic posture and append-only semantics. The second question kills agent platforms whose only kill switch is "stop the workflow on this surface." The third question kills any vendor that cannot deploy in AWS GovCloud, on-premise, or air-gapped. FlowDot was designed so that all three answers exist before the conversation starts.

Defense

DoD, Defense Primes, SBIR Awardees, DIB Vendors

What defense customers need from an AI agent platform

  • Sovereign-cloud deployment. AWS GovCloud or on-prem. Commercial cloud regions are not authorised for most defense data.
  • Auditability sufficient for IG / IG-equivalent review. The audit trail must answer "what did the system do and who authorised it" without reconstruction.
  • Hard kill switch. An autonomous system in the loop must be stoppable by a human with a clearly defined revocation path.
  • No model-provider data leakage assumptions. The default assumption is that anything the model sees may be retained by the model provider. The platform's job is to make that auditable and bounded.
  • RBAC + identity integration. CAC, PIV, or equivalent SSO. The platform must respect the existing identity boundary.

What FlowDot provides

  • AWS GovCloud + Bedrock routing (model paths via bedrock/anthropic/...) with FedRAMP-class deployment substrate. The PI has direct production experience with this stack via the Obsidian VERTEX defense engagement.
  • Cross-surface panic E-stop with append-only audit per press and per clear. Forensic posture by design.
  • Per-tool permission gate at the action level. The agent can propose; only a human can authorise.
  • Honest banners for any path that legitimately bypasses the Hub. No fabricated coverage.

Healthcare

HIPAA, HITECH, HHS OCR, PHI / ePHI

What healthcare customers need

  • BAA-ready posture. The vendor must be willing to sign a Business Associate Agreement and operate inside the corresponding controls.
  • Minimum necessary access. Per the HIPAA Privacy Rule, agents must only access the minimum data needed for the task. Per-tool permission gates make this enforceable.
  • Audit logs for ePHI access. HHS OCR audit protocol explicitly asks for evidence of access logs and retention.
  • Data residency control. Most healthcare systems require US-only data residency; many require dedicated tenancy.
  • De-identification and re-identification controls. Where applicable, evidence that the data was de-identified before reaching the model.

What FlowDot provides

  • Self-host and on-prem deployment so the entire substrate runs inside the covered entity's compliance boundary.
  • Per-tool permission gates and per-surface memory attribution to enforce minimum-necessary at the agent layer.
  • Append-only audit across every action and every memory write.
  • Trust Center per user (not per admin) so the access log obligation runs at the right granularity.

HIPAA posture is a deployment choice, not a product flag. FlowDot ships the controls. The covered entity decides where to deploy, which provider keys are in scope, and how BAAs flow. We document the control surface; the customer's compliance team makes the call.

Financial Services

SOC 2, PCI-DSS, SEC / FINRA, Model Risk

What financial services customers need

  • Model risk management (SR 11-7 lineage). Every decision the model influences must be explainable, auditable, and reviewable.
  • Action-level approval for anything touching the book of business. Trade entry, account modification, customer communication: all require explicit authorisation paths.
  • Audit retention satisfying SEC 17a-4 or FINRA 4511 where applicable. Write-once, retrievable, time-stamped.
  • Vendor-managed key separation. The model provider's credentials must not be co-mingled with the customer's account credentials.

What FlowDot provides

  • Per-tool permission gates that map cleanly to action-level approval. The agent proposes a trade; the human approves the trade. No tool runs without a recorded authorisation.
  • Four-layer LLM call attribution gives a per-call record of which model touched which decision, which is the kernel of any model-risk audit.
  • Append-only audit with no DELETE path. Retention is bounded by storage policy, not by a code path that can erase records.
  • BYOK with per-user encrypted credential storage, and aggregation credentials kept separate at the provider row level.

Government and Public Sector

FedRAMP, FISMA, NIST 800-53, CJIS, StateRAMP

What government customers need

  • Authorised cloud only. FedRAMP Moderate or High; for some agencies, AWS GovCloud is the only authorised region.
  • Audit trail that meets agency Inspector General expectations. The same forensic posture defense requires applies here.
  • Account isolation. No cross-tenant data leakage. Per-user blast radius on every administrative action, including panic.
  • Document everything. Procurement asks for written architecture, written controls, written boundaries. The vendor must be ready to provide them.

What FlowDot provides

  • AWS GovCloud deployment substrate, with Bedrock routing for model access entirely inside the GovCloud boundary.
  • Per-user blast radius for panic: no code path can stop another user's account.
  • Public, written trust documentation (this set of pages, plus the CLI ZERO_TRUST_AUDIT.md file the platform ships).
  • Append-only audit with documented retention semantics.

Deployment Options

Where the data lives is the third procurement question. FlowDot supports several deployment models so the answer is yours, not the vendor's.

Mode | Where the Hub runs | Where the data lives | Typical buyer
FlowDot SaaS | FlowDot's commercial cloud | FlowDot's commercial cloud (US) | Commercial teams, low-sensitivity workloads, evaluation pilots.
Self-host | Your VPC | Your VPC | Healthcare systems, mid-market financial, anyone with a dedicated infrastructure team and a tenancy requirement.
AWS GovCloud | Your GovCloud account | Your GovCloud account | Defense primes, federal agencies, contractors handling Controlled Unclassified Information.
On-premise | Your data centre | Your data centre | Intelligence, regulated finance with sovereign-data mandates, healthcare with strict residency.
Air-gapped | Your isolated environment | Your isolated environment | Classified workloads, sovereign-cloud customers, customers running local models only.

The deployment mode does not change the trust layer. Cross-surface panic, per-tool permissions, four-layer attribution, append-only audit, and the Trust Center work the same in every mode. The difference is where the substrate runs and which model providers are in scope for that environment.

Compliance Posture

FlowDot is not a compliance product. It is a platform whose architecture makes the compliance team's job easier. The distinction matters: certifications are scoped to specific deployment configurations, and the customer's compliance officer signs off on the configuration, not on a marketing claim.

What FlowDot guarantees at the platform level

  • Append-only audit semantics with no DELETE path in the code.
  • Cross-surface panic with sticky state, password-confirmed clear, and per-press notification across every COMMS channel configured plus account email.
  • Per-tool permission gating with five scopes, server-enforced and persisted across surfaces, rather than a client-only "hide the button" pattern.
  • Four-layer LLM call attribution and per-call USD cost ledger.
  • Zero-trust agent runtime: untrusted-content envelopes, sanitised tool metadata, signed inbound control frames, replay protection, path-validated file inclusion, HTTPS-off-loopback enforcement.
  • Per-user blast radius on every administrative action including panic.
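The append-only audit semantics listed here (and under Financial Services above), shown as an added example rather than FlowDot's own code: the database itself refuses UPDATE and DELETE on the audit table, and every row carries the four attribution layers. Table and column names are assumptions.

```python
# Added example, not FlowDot's code: an audit table whose UPDATE and DELETE
# paths are refused by the database itself, with the four attribution layers
# (provider, routing provider, source provider, model) on every row.
# Table and column names are assumptions.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    ts TEXT NOT NULL, user_id TEXT NOT NULL, event TEXT NOT NULL,
    provider TEXT, routing_provider TEXT, source_provider TEXT, model TEXT
);
-- Append-only: the only statement the table accepts is INSERT.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def record(conn, user_id, event, provider=None, routing_provider=None,
           source_provider=None, model=None):
    # Append one row and return its id; there is deliberately no delete().
    cur = conn.execute(
        "INSERT INTO audit_log (ts, user_id, event, provider, routing_provider,"
        " source_provider, model) VALUES (?, ?, ?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), user_id, event,
         provider, routing_provider, source_provider, model))
    conn.commit()
    return cur.lastrowid

def refused(conn, sql, params=()):
    # Try a mutation that must not succeed; True means the database rejected it.
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError:
        conn.rollback()
        return True

def rows(conn):
    # Read back (id, user_id, event, provider, routing_provider, source_provider, model).
    return conn.execute("SELECT id, user_id, event, provider, routing_provider,"
                        " source_provider, model FROM audit_log ORDER BY id").fetchall()
```

In a production deployment the same property would be enforced with database grants (INSERT and SELECT only for the application role) in addition to triggers, so that the application code simply has no delete path to call.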

What requires customer configuration

  • Deployment mode (SaaS, self-host, GovCloud, on-prem, air-gap).
  • Identity integration (SSO, RBAC, MFA policy).
  • Audit retention duration and backup policy.
  • Approved model providers (BYOK only, FlowDot aggregation, Bedrock, OAuth-Codex, local-only).
  • Network egress policy (which outbound destinations toolkits and webhooks may reach).
  • Memory write matrix (which surfaces and modes are allowed to write to user memory).

What we do not claim

  • No standing FedRAMP authorisation as of the publish date of this page. We document the deployment substrate that supports it; the authorisation itself attaches to a specific configuration in a specific cloud account.
  • No SOC 2 Type 2 attestation as of the publish date. Roadmapped; not done.
  • No HIPAA-compliance "certification" marketing. We sign BAAs where applicable. Compliance is a customer-side determination.

The Procurement Conversation

Most agent platforms fail procurement on the same three questions. FlowDot answers each one with a product feature, not a roadmap promise. The compliance officer's questionnaire usually maps cleanly to the trust matrix.

Compliance question (typical phrasing): "Show us the audit trail for an autonomous AI action."
FlowDot answer: Trust Center at /observability. Per-call, per-tool, per-recipe-step, per-workflow-node, per-voice-session, with four-layer attribution. CSV export. Append-only at the database level.

Compliance question (typical phrasing): "What happens if the system behaves unexpectedly?"
FlowDot answer: Cross-surface panic. Sticky until password-confirmed clear. Notification on press and clear across every configured channel.

Compliance question (typical phrasing): "Can we deploy this in our authorised cloud?"
FlowDot answer: FlowDot SaaS, self-host, AWS GovCloud, on-prem, air-gapped. Bedrock for FedRAMP-class model access.

Compliance question (typical phrasing): "Who has access to our data?"
FlowDot answer: Per-user blast radius. No admin view of other users' Trust Center. BYOK keeps provider credentials in the user's own provider account.

Compliance question (typical phrasing): "How do you handle prompt injection from external content?"
FlowDot answer: Untrusted-content envelopes on web fetches and tool descriptions. Provenance-aware approval prompts in the CLI runtime. Documented in the public Zero-Trust Audit.

Compliance question (typical phrasing): "Can the agent be tricked into pressing its own emergency stop?"
FlowDot answer: No. The panic controller stamps x-flowdot-mode on every request and rejects presses from recipe-runtime and goal-runner contexts. Only direct user-initiated callers can press.

Compliance question (typical phrasing): "What if a model call bypasses your platform?"
FlowDot answer: The Trust Center says so on a banner. Local Ollama and OAuth-Codex are the two documented bypass paths. We refuse to fabricate audit rows for them.
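The panic-controller behaviour described in the rows above (caller-context check on x-flowdot-mode, sticky state, password-confirmed clear, per-user blast radius), as an added example that is not FlowDot's code. The "direct" mode value, the PBKDF2 password scheme and the class name are assumptions.

```python
# Added example, not FlowDot's code: a panic E-stop controller modelled on the
# behaviour described on this page. Caller context is read from the
# x-flowdot-mode header; presses from recipe-runtime and goal-runner contexts
# are refused, the stopped state is per user and sticky, and only a
# password-confirmed clear resets it. "direct" and PBKDF2 are assumptions.
import hashlib, hmac, os
from datetime import datetime, timezone

DIRECT_MODE = "direct"                           # assumed stamp for user-initiated callers
AUTOMATED = {"recipe-runtime", "goal-runner"}    # contexts the page says are rejected

class PanicController:
    def __init__(self, clear_password: str):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(clear_password, self._salt)
        self._stopped = set()   # user ids currently halted: per-user blast radius
        self.audit = []         # append-only here: no method removes entries

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _log(self, event: str, **fields):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **fields})

    def press(self, headers: dict, user_id: str) -> bool:
        # Allow-list: only a direct, user-initiated caller may press. Automated
        # runtimes and unstamped requests are both refused and recorded.
        mode = headers.get("x-flowdot-mode", "")
        if mode != DIRECT_MODE:
            reason = "automated" if mode in AUTOMATED else "unstamped"
            self._log("panic_press_rejected", user=user_id, mode=mode, reason=reason)
            return False
        self._stopped.add(user_id)      # sticky: nothing auto-clears this
        self._log("panic_press", user=user_id, mode=mode)
        return True

    def clear(self, password: str, user_id: str) -> bool:
        # Constant-time comparison of PBKDF2 digests; a wrong password is audited.
        candidate = self._hash(password, self._salt)
        if not hmac.compare_digest(candidate, self._pw_hash):
            self._log("panic_clear_rejected", user=user_id)
            return False
        self._stopped.discard(user_id)
        self._log("panic_clear", user=user_id)
        return True

    def allow_outbound(self, user_id: str) -> bool:
        # Every outbound action for this user consults the gate before running.
        return user_id not in self._stopped
```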

Related Documentation