
Governance-first AI for financial services

Financial institutions using AI face a compliance gap. FORG closes it: model governance, PII risk scoring, SOC 2 evidence generation, and regulator-ready audit logs — without touching your existing stack.

$4.2M: average cost of an AI compliance incident in financial services (Ponemon Institute AI Risk Report, 2024)
100%: model governance coverage across every AI coding tool with FORG (Claude Code, Cursor, Copilot, Windsurf, and more)
1 day: audit evidence turnaround for regulator requests with FORG (vs. 2–4 weeks industry average for manual log extraction)
Real Scenario

Your compliance team needs to prove AI usage is governed. Today.

Regulators, including FINRA, the OCC, and the FCA, are actively developing AI governance frameworks, and model risk management expectations (SR 11-7) are increasingly being applied to AI coding tools. Your developers are already using those tools. The question is whether you can prove they are controlled.

FORG deploys at the adapter layer, between developer tools and LLM APIs. Every model call is evaluated against your policy ruleset before the request is sent. Unapproved models are blocked. Sessions scoring high on PII risk trigger alerts. Every decision is written to a tamper-evident, hash-chained log.

When a regulator asks for your AI governance evidence, you run one command. The export includes model usage by user, rule evaluations, cost attribution, and cryptographic proof that the log hasn't been altered.

Architecture principle: FORG never stores prompt or response content. PII risk scoring is derived from session metadata and behavioral signals, not from reading your prompts, so the score is a risk signal rather than a confirmed content match.

forg-policy.yaml

# forg policy — fintech-prod
policy: fintech-compliance-v2
rules:
  - id: no-unapproved-models
    condition: model NOT IN allowlist
    action: block
    notify: [security@corp.com]
  - id: pii-risk-flag
    condition: session_risk_score > 0.7
    action: warn
    notify: [compliance@corp.com]
  - id: daily-budget
    condition: daily_cost > $500
    action: block

Policies are versioned YAML stored in your git repo. Peer-reviewed like code. Deployed via CI/CD. Any rule change is auditable in git history.
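To make the rule semantics concrete, here is an added example of evaluating a model-call event against rules of the three shapes shown in the policy above. This is illustration code written for this page, not FORG's policy engine: it assumes the rules arrive as Python dicts (the shape yaml.safe_load produces for that YAML), that a condition is one of '<field> NOT IN allowlist', '<field> IN allowlist' or '<field> > <number>' (a leading '$' is ignored), and that any other syntax, or a missing field, fails closed. The allowlist, model names and events are constructed.

```python
"""Added illustration of evaluating forg-policy.yaml style rules at call time.

Example code for this page, not FORG's engine. Assumes rules are dicts as
yaml.safe_load would give for the YAML above, and that a condition is one of
'<field> NOT IN allowlist', '<field> IN allowlist' or '<field> > <number>'
(a leading '$' is ignored). Anything else fails closed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Rules mirroring forg-policy.yaml above (constructed as Python dicts).
RULES = [
    {"id": "no-unapproved-models", "condition": "model NOT IN allowlist",
     "action": "block", "notify": ["security@corp.com"]},
    {"id": "pii-risk-flag", "condition": "session_risk_score > 0.7",
     "action": "warn", "notify": ["compliance@corp.com"]},
    {"id": "daily-budget", "condition": "daily_cost > $500", "action": "block"},
]

_MEMBERSHIP = re.compile(r"^(\w+)\s+(NOT\s+IN|IN)\s+allowlist$")
_THRESHOLD = re.compile(r"^(\w+)\s*>\s*\$?(\d+(?:\.\d+)?)$")

Predicate = Callable[[Dict, Set[str]], bool]


def compile_condition(expr: str) -> Optional[Predicate]:
    """Turn a condition string into a predicate over (event, allowlist).

    Returns None for syntax it does not understand so the caller can fail
    closed instead of silently skipping the rule.
    """
    expr = expr.strip()
    m = _MEMBERSHIP.match(expr)
    if m:
        fld, negate = m.group(1), m.group(2).startswith("NOT")
        # A missing field counts as "not in allowlist".
        return lambda ev, allow: (ev.get(fld) in allow) != negate
    m = _THRESHOLD.match(expr)
    if m:
        fld, limit = m.group(1), float(m.group(2))
        # A missing numeric field is treated as exceeding the limit (fail closed).
        return lambda ev, allow: ev.get(fld) is None or float(ev[fld]) > limit
    return None


@dataclass
class Decision:
    allowed: bool = True
    block_rule: Optional[str] = None                      # first rule that blocked
    warnings: List[str] = field(default_factory=list)
    notifications: List[Tuple[str, str]] = field(default_factory=list)  # (rule id, recipient)


def evaluate(event: Dict, rules: List[Dict], allowlist: Set[str]) -> Decision:
    """Evaluate one model-call event against every rule, in order.

    All rules run even after a block so warnings and notifications from later
    rules still reach their recipients; the call proceeds only if no block
    rule fired and every condition parsed.
    """
    decision = Decision()
    for rule in rules:
        pred = compile_condition(rule["condition"])
        if pred is None:
            # Unparseable condition: block rather than let the call through.
            decision.allowed = False
            decision.block_rule = decision.block_rule or rule["id"]
            continue
        if not pred(event, allowlist):
            continue
        decision.notifications.extend((rule["id"], r) for r in rule.get("notify", []))
        if rule["action"] == "block":
            decision.allowed = False
            decision.block_rule = decision.block_rule or rule["id"]
        elif rule["action"] == "warn":
            decision.warnings.append(rule["id"])
    return decision


# Constructed sample data: an allowlist and four call events.
ALLOWLIST = {"approved-model-a", "approved-model-b"}
EVENTS = {
    "clean": {"user": "alice", "model": "approved-model-a",
              "session_risk_score": 0.2, "daily_cost": 12.5},
    "shadow_model": {"user": "bob", "model": "unvetted-model",
                     "session_risk_score": 0.1, "daily_cost": 3.0},
    "risky_session": {"user": "carol", "model": "approved-model-b",
                      "session_risk_score": 0.91, "daily_cost": 40.0},
    "over_budget": {"user": "dave", "model": "approved-model-a",
                    "session_risk_score": 0.3, "daily_cost": 512.0},
}

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(name, evaluate(ev, RULES, ALLOWLIST))
```

The two design choices worth carrying into any real evaluator are the fail-closed handling (a rule whose condition cannot be parsed, or an event missing the field a rule needs, blocks the call instead of being skipped) and evaluating every rule rather than stopping at the first block, so the compliance notification on a risky session is still sent when the same call is blocked for another reason.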

The governance gap FORG closes

The difference between a clean regulator interaction and an enforcement action.

Without FORG
  • Engineers use unapproved models in prod — no enforcement layer exists
  • PII surfaces in AI prompts with no detection or alerting
  • Regulator asks for AI usage evidence; weeks of manual extraction follow
  • Daily AI spend untracked — budget overruns surface in monthly billing
  • Changing an enforcement rule means an engineering ticket, an application code change, code review, and a redeploy of the calling service
With FORG
  • Model allowlist enforced at runtime — only approved models reach the API
  • PII risk scoring flags high-risk sessions in real time before data leaves (a risk signal derived from session metadata, not content inspection)
  • Regulator audit evidence generated in one day, cryptographically signed
  • Daily cost budgets enforced per-team, per-environment, per-model
  • Policy-as-code: a reviewed YAML change in git propagates to all environments in seconds, with no application redeploy

Built for financial services compliance

Every FORG feature maps to a real regulatory requirement in financial services AI governance.

Regulator-ready Audit Logs

Every AI event is logged with user identity, model, cost, and rule outcome. Entries are HMAC hash-chained, so any edit, deletion, or reordering of an entry breaks the chain from that point on (tamper-evident, not immutable). Structured export compatible with regulator tooling, delivered same day.
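The "cryptographic proof that the log hasn't been altered" in the Real Scenario section and the HMAC hash-chaining described here are the same mechanism. The following added example shows how such a chain is written and verified; it is illustration code for this page, not FORG's implementation, and it assumes JSON records, SHA-256 HMACs, and a genesis link of 64 zero characters. The events, key, and tool names are constructed.

```python
"""Added illustration of an HMAC hash-chained audit log and its verifier.

Example code written for this page, not FORG's implementation. It assumes
JSON records, SHA-256 HMACs and a genesis link of 64 zero characters; the
event fields mirror the page's list (user identity, model, cost, rule
outcome) and all sample data is constructed.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


def _canonical(obj: Dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not differ
    # between writer and verifier or every MAC check would fail.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain: List[Dict], key: bytes, event: Dict) -> Dict:
    """Append an event; its MAC covers the sequence number, the previous MAC and the event."""
    body = {"seq": len(chain), "prev": chain[-1]["mac"] if chain else GENESIS, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes, anchor: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad record).

    A modified, deleted, inserted or reordered record breaks the link at its
    position. Silent truncation of the tail is only caught when `anchor` (the
    last MAC recorded out of band, e.g. in a signed export) is supplied.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(chain)
    return True, None


def build_demo_chain(key: bytes) -> List[Dict]:
    """Three constructed events of the kind the page lists."""
    chain: List[Dict] = []
    for ev in (
        {"user": "alice@corp.com", "tool": "cursor", "model": "approved-model-a",
         "cost_usd": 0.042, "rule": "no-unapproved-models", "outcome": "allow"},
        {"user": "bob@corp.com", "tool": "claude-code", "model": "unvetted-model",
         "cost_usd": 0.0, "rule": "no-unapproved-models", "outcome": "block"},
        {"user": "carol@corp.com", "tool": "copilot", "model": "approved-model-b",
         "cost_usd": 0.31, "rule": "pii-risk-flag", "outcome": "warn"},
    ):
        append_entry(chain, key, ev)
    return chain


def tamper_results(key: bytes) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Run the verifier over an intact chain and three tampered copies."""
    chain = build_demo_chain(key)
    edited = copy.deepcopy(chain)
    edited[1]["event"]["outcome"] = "allow"       # rewrite a block as an allow
    deleted = chain[:1] + chain[2:]               # drop the blocked call
    truncated = chain[:2]                         # drop the newest record
    return {
        "intact": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_no_anchor": verify_chain(truncated, key),
        "truncated_with_anchor": verify_chain(truncated, key, anchor=chain[-1]["mac"]),
    }


if __name__ == "__main__":
    for name, result in tamper_results(b"demo-key-held-by-the-verifier").items():
        print(f"{name:22s} {result}")
```

Two caveats follow directly from the construction. First, an HMAC chain can only be checked by a party holding the key, and whoever holds it can recompute a consistent chain after editing, so the key must not live on the host that writes the log (an HSM or KMS-backed verifier, or a digital signature over the chain head, is what lets a regulator verify independently). Second, as the truncated case shows, cutting off the newest records leaves a perfectly valid chain; truncation is only detected against an anchor such as the head MAC published in a signed export or an expected record count.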

Model Allowlist Enforcement

Allowlist approved LLMs per environment. All others are blocked at the adapter layer before a single token is sent, and each block is logged and routed to the rule's notify list. Enforcement happens in the adapter before the request leaves; no separate proxy is required.

PII Risk Scoring

Real-time session risk scoring, computed from session metadata and behavioral signals rather than prompt content, surfaces high-probability PII exposure events before data leaves your perimeter. Configurable thresholds trigger block, warn, or notify actions.

SOC 2 Type II Evidence

Generate structured SOC 2 evidence packages on demand. Includes AI usage controls testing evidence, change logs, and cryptographic audit proofs. Auditor-compatible PDF and JSON output.

BAA for HIPAA

Business Associate Agreements available on Enterprise plans. FORG is metadata-only — prompt content never transits FORG infrastructure, minimizing PHI exposure surface.

Minimal Data Residency Exposure

FORG operates on event metadata at the adapter layer. No prompt content, no response content, no model inputs are stored anywhere in FORG infrastructure. Note that the event metadata itself (user identity, timestamps, model and cost attribution) is still personal data under GDPR and CCPA, so the region and retention of the metadata store remain in scope for your data-protection review.


Deploy FORG in minutes. Your AI governance posture improves the same day. No code changes, no proxy, and no added network hop in the request path.
