Runtime Flow
How IOA governs AI in real time — from intent to evidence.
IOA operates in-loop: policies are evaluated before actions execute, decisions are captured as signed evidence, and an immutable audit chain preserves accountability.
1. Policy Definition
Define governance rules with IOA's Seven System Laws and organizational policies.
Seven System Laws
Transparency, consent, fairness, security, auditability, accountability, and sustainability guide policy design.
Policy Library
Composable constraints for data access, provider selection, retention, and jurisdictional rules.
2. Runtime Enforcement
Every request passes through policy gates prior to model execution (pre-facto).
Pre-Facto Controls
Validate purpose limitation, data scope, and provider constraints before invocation. Unsafe flows are blocked.
Redaction & Masking
Field-level masking for PII/PHI and sensitive attributes at ingress/egress.
3. Evidence Generation
Cryptographically signed bundles document inputs, policy results, and outputs.
Attestable Records
Bundles include request context, policy evaluation trace, response, and signatures for tamper evidence.
Storage & Retention
Evidence is stored in an immutable audit chain with lifecycle policies per framework.
4. Audit Trail
Auditors can verify any decision with end-to-end provenance.
Verifier Workflow
Auditors verify signatures and reconcile policy outcomes with framework requirements.
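The verifier workflow above, sketched as an added example (not IOA's own code or bundle format): each bundle is signed and carries the hash of the previous one, so an auditor can detect both edited and deleted records. The field names, the genesis value, the sample decisions, and the use of HMAC-SHA256 in place of the unspecified signature scheme are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a demo key stands in for the signature scheme,
# which the page does not specify. Asymmetric signatures would let auditors
# verify without holding the signing key.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # hypothetical "previous hash" for the first bundle

def _canonical(obj):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def make_bundle(prev_hash, context, policy_trace, response, key=DEMO_KEY):
    """Build one signed evidence bundle linked to the previous bundle's hash."""
    body = {"prev": prev_hash, "context": context,
            "policy_trace": policy_trace, "response": response}
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}

def bundle_hash(bundle):
    # The link covers the signature too, so a swapped signature breaks the chain.
    return hashlib.sha256(_canonical(bundle)).hexdigest()

def verify_chain(chain, key=DEMO_KEY):
    """Return (ok, index_of_first_bad_bundle, reason)."""
    prev = GENESIS
    for i, b in enumerate(chain):
        body = {k: v for k, v in b.items() if k != "sig"}
        want = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, b.get("sig", "")):
            return (False, i, "bad signature")   # bundle content was altered
        if b["prev"] != prev:
            return (False, i, "broken link")     # a bundle was removed or reordered
        prev = bundle_hash(b)
    return (True, None, "ok")

def build_sample_chain():
    # Constructed sample decisions: one allowed, one blocked pre-facto.
    samples = [
        ({"purpose": "support"}, [{"rule": "purpose_limitation", "result": "allow"}], "answer"),
        ({"purpose": "marketing"}, [{"rule": "data_scope", "result": "deny"}], None),
    ]
    chain, prev = [], GENESIS
    for ctx, trace, resp in samples:
        chain.append(make_bundle(prev, ctx, trace, resp))
        prev = bundle_hash(chain[-1])
    return chain
```
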
Pre-Facto & Post-Facto Governance
Governance before and after execution — prevention and review.
Pre-Facto (Prevent)
Policy gates, purpose checks, provider selection, redaction — stop non-compliant actions before they occur.
Post-Facto (Prove)
Signed evidence, audit chain queries, and corrective actions — prove behavior and improve controls.