Trust Gate is a policy-gated AI decision boundary engine that provides cryptographic proof (TrustAtoms) for every AI decision. It gives CISOs and security directors verifiable evidence that AI systems follow organizational policies.

A TrustAtom is a dual-token cryptographic receipt. Access TrustAtoms are pre-execution credentials (scoped, short-lived, replay-protected). Receipt TrustAtoms are post-execution proofs (immutable, evidence-linked, compliance-mappable). Both are Ed25519-signed in under 5 milliseconds.

Does Trust Gate require external APIs?

No. Trust Gate operates in 3-tier degradation mode: Full (OPA + Neo4j + APIs), Partial (sandbox policies + file receipts), and Demo (simulation mode). The demo works without any external API keys.

What compliance frameworks does Trust Gate support?

Trust Gate maps to NIST AI RMF, SOC 2 Type II, CMMC Level 2, and EU AI Act requirements. Every decision trace includes compliance_tags linking to specific framework controls.

LIVE

HUMANS 0ALLOW 0DENY

AGENTS 0ALLOW 0DENY

TOTAL 0

0ALLOWED 0DENIED

// AGENTIC WORKFORCE CONSOLE — 37 AGENTS. ZERO BLACK BOXES.

Watch 37 agents operate
under policy control — live.

Pick a scenario. Hit RUN. Watch the request flow through the policy gate, get handled by the assigned agents, signed as a TrustAtom, and land in the evidence graph — all in under 120ms.

Workforce Status — 37 Agents ● 37 ONLINE

T1 Command (3)

Orion Oracle Symphony

T2 Operations (8)

IRIS NIKO EMIL SCOUT VIX Trust PE COMMANDER APEX

T3 Specialists (16)

DevShield ThreatHunter ComplianceMapper GraphOps PolicyAuthor CyberScenario DataSanitizer SCRIBE TRIAGE GraphAnalytics TCGG ATLAS InfraBuilder ScenarioWeaver AETHER OPUS

T5 Support (10)

SecurityScanner TestRunner DemoCheck BrainDump SessionClose Scheduler TEMPO Quartermaster Alfred Forge

① PICK A SCENARIO

Hit RUN and watch the decision flow through every gate below

LIVE PIPELINE

✕ DENIED — risky action blocked before execution

📡

REQUEST

Inbound

🔒

OPA

Policy Gate

✕ DENIED

action:—

category:—

decision:—

reasons:—

policy:—

✓ ALLOWED — safe action gated, signed, and proven

✓

📡

REQUEST

Inbound

✓

🔒

OPA

Policy Gate

✓

⚛️

ATOM

TrustAtom

✓

🕸️

NEO4J

Evidence Graph

action:—

category:—

decision:—

atom_id:—

graph:—

Five Operational Planes

TRUST

Policy eval, signing, access control

EXECUTION

37 agents, all policy-gated

SYNTHESIS

Neo4j graph, institutional memory

LEARNING

LoreAtoms, pattern detection

FEDERATION

Cross-org trust sharing

// ③ HERE'S THE RECEIPT — SIGNED, HASHED, IMMUTABLE

✓ CRYPTOGRAPHICALLY SIGNED · TAMPER-EVIDENT · IMMUTABLE

🔐 Receipt ID

—

⏱️ Minted At (UTC)

—

👤 Principal

—

🤖 Agent

—

⚡ Action

—

📦 Resource

—

🔗 Evidence Hash (SHA-256)

—

✍️ Ed25519 Signature (Base64)

—

📋 Policy Version

—

🏢 Tenant

—

🛡️ Framework Alignment — Proof, Not Promises

NIST Cybersecurity Framework (CSF 2.0)

Every decision flows through all five NIST functions automatically. No manual checklist required — the Trust Gate pipeline is the control.

Identify (ID): ✓ The resource you requested (neo4j:trustgraph) was automatically catalogued and classified before evaluation began. CWN maintains a live asset inventory so every decision knows exactly what it's protecting.
Protect (PR): ✓ Your identity was verified against the principal registry before the policy engine even saw the request. Only authenticated principals reach the gate — anonymous requests are dropped at the edge.
Detect (DE): ✓ The request was screened for anomalies: unusual action/resource combinations, out-of-scope agent requests, and elevated-risk categories are flagged before evaluation. This decision passed all anomaly checks.
Respond (RS): ✓ The policy engine returned a decision in under 50ms — well within SLA. No human bottleneck, no ticket queue. Policy-driven automation means every request gets a consistent, auditable response.
Recover (RC): ✓ This TrustAtom is now an immutable audit record. It's cryptographically signed (Ed25519), hashed (SHA-256), and stored in the trust graph. If anyone tampers with it, the signature breaks — you'll know.

NICE Cybersecurity Workforce Framework

The NICE Framework maps every cybersecurity task to the right human competency. CWN uses this mapping to connect decisions to the people who should own them.

Operate & Maintain (OM): ✓ This decision was processed entirely by the automated pipeline — no operator intervention needed. CWN reduces manual decision overhead by ~95%, freeing OM-role staff to focus on system health and capacity planning instead of rubber-stamping approvals.
Oversee & Govern (OG): ✓ The signed TrustAtom receipt provides the cryptographic proof that governance teams need for audit cycles. Instead of collecting screenshots and spreadsheets, OG-role staff can point auditors directly to the immutable trust graph.
Securer / Protect & Defend (SP): ✓ The zero-trust decision model means every request is verified and signed regardless of origin. SP-role architects can validate that the policy rules match organizational risk appetite — the system enforces, humans govern.
Analyze (AN): ✓ Decision patterns are logged with full context (action, resource, agent, latency, policy trace). AN-role analysts can query the trust graph to surface anomalies, trend shifts, and policy gaps without reconstructing events from scattered logs.

MITRE ATT&CK Threat Mitigation

Every TrustAtom decision actively mitigates known attack techniques. Here's what this specific decision defended against.

T1078 — Valid Accounts: ✓ Mitigated. The principal was authenticated before reaching the policy gate. Even if credentials were compromised, the decision audit trail captures exactly who did what and when — creating a forensic chain that makes lateral movement detectable.
T1134 — Access Token Manipulation: ✓ Mitigated. Token passthrough is explicitly denied by policy. The Ed25519 signature on this TrustAtom proves the decision was made by the policy engine — not injected by a modified token. Any attempt to forge a receipt will fail signature verification.
T1020 — Automated Exfiltration: ✓ Mitigated. EXPORT_INTEGRATION actions are classified as restricted and require production environment context. This resource classification prevents automated tools from silently exporting data through the trust graph.
T1562 — Impair Defenses: ✓ Mitigated. The audit trail is append-only. Decision records, TrustAtoms, and policy evaluations cannot be modified or deleted after creation. An attacker who gains access cannot cover their tracks by editing the trust graph.

SOC 2 Type II Control Evidence

Each TrustAtom is a piece of SOC 2 audit evidence. When your auditor asks "how do you enforce access control?", you show them this.

CC6.1 — Logical & Physical Access Controls: ✓ Control active. Every request passes through a policy gate before accessing any resource. This decision proves the control was enforced — the TrustAtom signature is the evidence. No request bypasses evaluation.
CC6.3 — Role-Based Access: ✓ Control active. The principal's role was evaluated against the OPA policy rules. Roles are not self-assigned — they're validated at decision time. The policy trace shows exactly which role rules were matched.
A1.2 — Recovery & Availability: ✓ SLA maintained. Decision latency of ~47ms is well below the 500ms SLA threshold. Even when the primary policy engine (OPA) is offline, the sandbox fallback ensures zero downtime — decisions continue with a hardened rule set.
C1.1 — Confidentiality Commitments: ✓ Encryption enforced. All API communication uses TLS 1.3. TrustAtom evidence hashes prevent data tampering in transit. Resource classification ensures sensitive data categories (EXPORT, SECRETS) get elevated scrutiny.
PI1.1 — Processing Integrity: ✓ Integrity proven. The SHA-256 evidence hash and Ed25519 signature together prove this decision was made correctly and hasn't been altered. Any modification — even a single bit — will cause verification to fail.

Who Should Own This Decision?

CWN matched these team members and agents based on verified competencies, NICE framework roles, MITRE ATT&CK specializations, and TrustAtom history. Each profile is a living record — skills are verified through decision history, not self-reported.

HUMAN TEAM

Sarah Chen Senior Security Architect Securer SP-1

847

"This decision touches policy design boundaries. Sarah can validate whether the deny rule aligns with your organization's actual risk appetite — not just the default."

✓ 791 Allow ✕ 56 Deny 93.4% Trust Rate

Threat Modeling

92%Verified

Policy Design

88%Verified

Risk Analysis

85%Adopted

NICE: OG-101NICE: SP-103MITRE: T1078MITRE: T1134

Marcus Rodriguez Platform Operations Lead Operator OM-2

1,203

"Marcus monitors decision patterns daily. He'll spot if this deny is a one-off or part of a recurring pattern that signals a misconfigured policy rule."

✓ 1,141 Allow ✕ 62 Deny 94.8% Trust Rate

Zero Trust Ops

90%Verified

Automation

82%Verified

Incident Resp.

76%Adopted

NICE: OM-202NICE: CC-103MITRE: T1020

Dr. Amelia Okonkwo Chief Compliance Officer Overseer OG-3

534

"Every TrustAtom is evidence for your next SOC 2 audit. Amelia can confirm this decision trail meets the standard of proof your auditors require."

✓ 521 Allow ✕ 13 Deny 97.6% Trust Rate

SOC 2 / ISO

95%Verified

Audit Mgmt

91%Verified

Regulatory

88%Verified

NICE: OG-102NICE: OG-103SOC2: CC6.1SOC2: A1.2

AI AGENTS

GateKeeper Policy Evaluation Engine AGENT · OPA-CORE

14,291

"Every decision flows through GateKeeper first. It evaluates OPA Rego rules in under 15ms, ensures deny-by-default, and routes decisions to the signing layer."

✓ 12,847 Allow ✕ 1,444 Deny 89.9% Allow Rate

Policy Eval

99%Verified

Latency

15msP99

Uptime

99.9%SLA

OPA RegoNIST: PR.ACSOC2: CC6.1

TrustAtom Signer Cryptographic Receipt Engine AGENT · ED25519

12,847

"Signer mints every TrustAtom — Ed25519 signature in ~3ms, SHA-256 hash, immutable receipt. It's the agent that makes 'No Receipt. No Trust.' real."

✓ 12,847 Minted ✕ 0 Failed 100% Success

Signing

3msP50

Hash Verify

100%Verified

Throughput

340/sPeak

Ed25519SHA-256SOC2: PI1.1

Evidence Writer Neo4j Graph Persistence AGENT · NEO4J

12,847

"Evidence Writer persists every signed TrustAtom to the Neo4j graph. Append-only. Landauer principle. No decision is ever deleted — it's the permanent record."

✓ 12,847 Stored ✕ 0 Lost 100% Integrity

Graph Write

8msP50

Immutability

100%Verified

Graph Size

38KNodes

Neo4jCypherSOC2: CC8.1

Synthesis Layer — Live Intelligence

2.03M

Graph Nodes

2.73M

Relationships

592

LoreAtoms

281

Threat Signals

8 CRITICAL 143 HIGH 9 MEDIUM 37 AGENTS ACTIVE

Data creates gravity. Gravity creates moats. Every node makes every future decision smarter.

Agent Activity Log

📎

Got evidence? Attach it to the decision graph.

Drag files here or click to browse

PDF, CSV, or JSON — up to 10 MB

GO DEEPER

What do you want to know?

Live Investigation

Intent Parser

Neo4j Query

OPA Policy

Explainer

Claude SDK

TRUST GATE // INVESTIGATION STREAM STANDBY

Ask a question to see agents parse, query, and explain — live

Audit Trail

1. Understand the question pending

Classify what you're asking into an intent type

2. Check the policy pending

Evaluate against active OPA rules

3. Query the graph pending

Pull decision lineage from the evidence graph

4. Explain the answer pending

Generate a compliance-aligned explanation

Related Decisions

— Ask a question to surface related decisions

Framework Coverage

NIST CSF SOC 2 NICE

VERIFY AT SCALE

▶ RUN REGRESSION TESTS

Run every scenario against the policy engine — see which pass and which break

// Select a scenario above, then hit RUN ALL to execute the regression suite…

▶ RUN TELEMETRY MAPPER

Map real events to ZML skills — surface any unmapped gaps before they become blind spots

// Select a scenario above, then hit MAP to see event→skill→framework mapping…

🧠 LoreAtom™ — Coming Next

Every Signed Decision Gets Its Own Memory

TrustAtom signs the decision. LoreAtom captures the why — harvesting Slack threads, SIEM alerts, analyst notes, and agent transcripts into cryptographically-linked institutional memory. Ask "what happened last time?" and get the full context.

Learn More on Landing Page → 📡 Give Feedback — Shape What We Build

📡 Feedback

Watch 37 agents operate
under policy control — live.

✓ What Just Happened

📊 Why This Matters

⚡ How Fast Was That?

🛡️ Framework Alignment — Proof, Not Promises

Who Should Own This Decision?

⏰ Replay Any Decision — Audit Backwards in Time

Replay Result

Link New Evidence

What do you want to know?

Live Investigation

Audit Trail

Related Decisions

Framework Coverage

Every Signed Decision Gets Its Own Memory

Build AI Agents with Trust Baked In

Watch 37 agents operateunder policy control — live.

✓ What Just Happened

📊 Why This Matters

⚡ How Fast Was That?

🛡️ Framework Alignment — Proof, Not Promises

Who Should Own This Decision?

⏰ Replay Any Decision — Audit Backwards in Time

Replay Result

Link New Evidence

What do you want to know?

Live Investigation

Audit Trail

Related Decisions

Framework Coverage

Every Signed Decision Gets Its Own Memory

Watch 37 agents operate
under policy control — live.