Platform

How EvidentAI works under the hood.

EvidentAI is designed to sit alongside existing GRC platforms (OneTrust, Archer, ServiceNow, MetricStream) and feed them continuous, normalized evidence through a Canonical Control Schema.

The governance loop

Every inference flows through five stages.

Capture, policy evaluation, enforcement decision, evidence emission, and GRC integration. All five run in-path, with sub-second latency on the enforcement decision.

Stage 3 outcomes

Every inference your agents make passes through this loop. The enforcement decision is the only stage in the critical path of the request — everything else runs without blocking. The result is continuous governance with sub-second latency.

The same loop governs cost and fairness, not just compliance. Token budgets meter spend per workflow, and bias cohort monitoring evaluates outcomes across protected segments, all emitting evidence through the same pipeline.

Before the first run

The loop above governs execution. A shorter loop governs setup. Workflows and agents are declared, their configuration is evaluated against the same canonical controls, approval is recorded, and drift is watched from then on. The checks are workflow-aware, not per-agent in a vacuum: an agent's permitted tools and models follow from the tasks it runs and the risk tier of the workflow they belong to. A build gate applies the same evaluation in CI, so noncompliant configuration never deploys.

A configuration check is an observation like any other. It binds a control to a declared agent instead of an executed task, and it lands in the same evidence record. Posture findings and runtime evidence share one backbone.

Schema

Canonical evidence schema

Agent traces from any framework — LangChain, AutoGen, custom stacks — normalize into a single evidence schema. This is what makes cross-system governance possible: one schema, every framework, every model.

The schema is published openly. We don't believe in lock-in on the foundational data layer.

schemas / decision-event.v1.json

{
  "decision_id": "…",
  "agent":       "credit-assist",
  "framework":   "langchain@0.3",
  "inputs":      { "prompt_sha256": "…" },
  "retrieval":   ["doc:kyc-policy-v4#p12"],
  "policy_eval": {
    "obligations": ["output-pii-scan"],
    "verdict":     "route",
    "confidence":  0.71
  },
  "enforcement": "route:human_reviewer",
  "latency_ms":  612,
  "signature":   "ed25519:…"
}

Control mapping

Canonical control schema

Customer control libraries from OneTrust, Archer, ServiceNow, and MetricStream map to a single internal control schema. Policy obligations bind once and apply everywhere.

When your control library changes, your AI governance changes with it — automatically.

External GRC

OneTrust
Archer
ServiceNow GRC
MetricStream

Canonical

Internal schema

Canonical Control

control_id · obligation · severity · binding

Foundation

Headless tracing backbone

Built on Langfuse (MIT-licensed) as our tracing backbone, so the evidence pipeline is open at the foundation. No vendor lock-in on the most critical layer of the stack.

You can self-host the tracing layer in your own environment, on your own cloud, against your own retention policy.

Layer 1 · TraceLangfuse · MIT
Layer 2 · NormalizeCanonical Evidence Schema
Layer 3 · GovernPolicy Engine & Enforcement
Layer 4 · BindCanonical Control Schema
Layer 5 · IntegrateGRC outflow · OneTrust · Archer · ServiceNow

How we connect

EvidentAI connects to the systems you already run. GRC platforms, including OneTrust, Archer, ServiceNow GRC, and MetricStream. Cloud control planes across Azure, AWS, and GCP. Identity through Microsoft Entra. Air-gapped environments import controls and policies through structured files.

Connections read agent definitions, tool permissions, model versions, and deployment settings, and feed AI posture continuously, so governance reflects your estate as it is, not as it was last quarter.

The models behind evaluation

Policy evaluation is not one large model guessing. Purpose-built small language models handle policy interpretation and control mapping. Deterministic checks handle what should never be probabilistic. Predictive models watch for drift and unusual behavior.

Large language models are used only where language itself is the problem.

Next step

Want the full architecture walk-through?

We share platform details, schema specifications, and deployment options during the demo. Request one below.

Controls in an AI context