25 questions and answers about IronFrame — what it is, how it works, what's open-source versus commercial, and what compliance it covers. Tier labels on every capability: (Open-source core), (Commercial tier), or (Roadmap).
IronFrame is a governance layer that sits between any LLM and your application. The (Open-source core) gives you the Hook Engine, audit schema, mandatory budget caps, and the Model Abstraction Layer. The (Commercial tier) adds runtime tool-risk enforcement, MRM decision logging, the Supervisory Audit Export, and the Offensive Capability Fence — aligned to SR 11-7 and EU AI Act Article 12.
Prompts ask the model to behave. IronFrame makes it behave. The Hook Engine (Open-source core) runs deterministic enforcement gates outside the LLM context window — the model never sees the rules it can't break. No amount of reasoning or instruction drift changes what the hooks do. The open-source core ships the reference Hook Engine class and a tested Python-native engine; wiring it into your application's tool-call lifecycle is your integration work (the commercial tier ships pre-wired for Claude Code via the .claude/hooks/ harness).
Yes, architecturally. The Model Abstraction Layer (Open-source core) provides a unified capability-based interface so upstream components are model-agnostic. Adapters currently shipped in the public pip package: Anthropic and Perplexity. Additional providers (OpenAI / GPT-4o, Google / Gemini, Llama / Mistral / open-weight local models) follow the same MALAdapter contract — users and contributors can implement them against the public interface today. Published adapters for the major commercial providers are on the post-v0.2 roadmap.
No. IronFrame is a governance stratum, not a proxy. The Hook Engine (Open-source core) fires on pre-execution, post-execution, pre-skill, post-skill, completion-gate, escalation, session-start, and session-end events (spec §5). The Claude Code harness variant (Commercial tier) maps these onto Claude Code's PreToolUse / PostToolUse / UserPromptSubmit / SessionStart / PreCompact events. The model calls tools normally — IronFrame intercepts, classifies, logs, and enforces at each event boundary.
***
DEVELOPERS
Install via pip install ironframe — the public package is v0.1.0 Beta on PyPI today. For OpenAI-compatible providers, pip install "ironframe[openai]" pre-installs the SDK dependency (the OpenAI MAL adapter itself is a reserved on-ramp for contributors — write ~200 lines against the MAL interface and open a PR). The (Open-source core) — Hook Engine, Model Abstraction Layer, Budget Manager, Self-Audit Engine base — initializes with an IronFrameConfig loaded from environment variables and an IronFrameClient that routes model calls by capability. See the public repo README for the canonical three-line quickstart. The commercial additions (Tool Risk Tiers, MRM auto-start, Capability Fence, Supervisory Audit Export) arrive as a second install step under a commercial license.
From the open-source core (Open-source core): capability-based model routing, mandatory per-request / per-session / per-day spend caps, confidence scoring and cross-model verification tiers on any output your app routes through it, write-before-release audit-event schema, and a persistent state-machine abstraction. From the commercial tier: runtime tool-risk classification on every call (LOW / MED / HIGH with HIGH-tier approval gates), auto-started MRM session documentation, offensive-capability fencing by default, and a tamper-resistant export CLI aligned to SR 11-7 and EU AI Act Article 12. Claude Code and LangChain don't provide any of these — and they become critical the moment you move from prototype to production.
The open-source core is Apache 2.0 and covers the Hook Engine, Model Abstraction Layer (MAL), Budget Manager, Self-Audit Engine base, Logic Skills, State Machine, Eval & Regression Harness, KB Grounding, Security Engine, Tool Governance base classes, Agent Trust + KillSwitch reference implementation, I/O Schema Validation, Spec Conformance & Drift Engine, Error Recovery, Context Manager, and Immutable Audit Log base. The compliance adapters for HIPAA, FINRA, SOC 2, SEC, and GDPR live under src/ironframe/compliance/adapters/ as PolyForm Noncommercial — free for research, education, nonprofits, and personal projects; commercial license required for production deployment. The (Commercial tier) post-v0.1 components (Session Methodology Registry, Dependency Scanner, Tool Risk Tier System, MRM Decision Log, Supervisory Audit Export, Capability Fence, Topology Visibility, Append-Only Audit Collector) ship under a separate commercial license and are not included in the public pip package.
Yes. The base compliance classes compliance/base_v1_0.py and compliance/audit_requirements_v1_0.py are (Open-source core) Apache 2.0. The audit schema natively captures HIPAA / FINRA / SOC 2 fields from day one, so your adapter inherits the evidence base without reinventing it. The pre-built regulatory adapters are PolyForm Noncommercial as above; you can implement your own against the same interfaces for any protocol.
(Open-source core) Python 3.10+ is the current runtime. The hook architecture is framework-agnostic — because hooks are plain Python callables, IronFrame integrates with any Python application that makes LLM calls. Reference integrations with LangChain, AutoGen, and other agent frameworks are on the post-v0.2 roadmap; today the integration pattern is documented and contributors can wire their own.
(Open-source core) Mandatory spend caps at three levels: per-request, per-session, and per-day. They're not optional guardrails — if a session would exceed its budget, the call is blocked and a budget.exhausted event is logged before any tokens are sent to the model. Works across any MAL adapter so per-provider cost aggregates into a single session budget.
***
COMPLIANCE AND REGULATED INDUSTRIES
(Commercial tier / doc mapping) IronFrame's components map to EU AI Act Articles 9 (risk management), 12 (logging and traceability), 14 (human oversight), and 15 (cybersecurity). It also addresses SR 11-7 and BCBS 350 for model risk management, FINRA Rule 3110 for supervision, and HIPAA for PHI audit trails. The mapping itself lives in the free Bank Reference Architecture document (C25); the runtime enforcement primitives ship in the commercial tier (C22 MRM, C23 Supervisory Audit Export, C24 Capability Fence, compliance adapters).
No software tool can guarantee regulatory compliance — that's a legal determination requiring qualified review. IronFrame is designed to address specific regulatory requirements and produces the artifacts (audit logs, MRM session documentation, supervisory exports) that compliance teams and regulators ask for. Your legal team makes the compliance determination; IronFrame gives them something to work with.
(Commercial tier) The Supervisory Audit Export (C23) is a structured JSON file containing every AI session event, normalized to a consistent schema, with per-event SHA-256 integrity hashes and a manifest block. The --supervisory flag strips internal metadata and formats the output for external review — the format a regulator, auditor, or model risk team would receive. As of 2026-04-18 the export reads exclusively from the hardened collector-written trail; missing or misresolved paths raise rather than falling back silently.
(Commercial tier) Each MRM session (C22) captures: model name and version, purpose, risk tier, data sources accessed, owner, start/end timestamps, and a list of decisions — each with a description, whether it was AI-influenced, evidence references, and whether a human approved it (per-decision named-human-approver attribution is (Roadmap) — C28). The export format maps to SR 11-7 and EU AI Act Article 12 field requirements. Sessions auto-start on every Claude Code SessionStart, so no manual setup is required to begin capture.
August 2, 2026 is the full application date for the EU AI Act's high-risk AI provisions. Organizations deploying LLMs in high-risk contexts — financial services, healthcare, critical infrastructure, employment decisions — must have risk management systems, tamper- resistant logs retained for at least six months (Article 12), and human oversight mechanisms in place by that date. IronFrame's (Commercial tier) C23 Supervisory Audit Export implements Article 12's retention and integrity requirements; C22 MRM session documentation provides the Article 12 record-keeping surface; C21 Tool Risk Tier approval gates provide the Article 14 human-oversight surface.
***
FINANCIAL SERVICES
AI-assisted alert triage, TCA commentary generation, and CAT exception handling all create AI-influenced compliance decisions. IronFrame's (Commercial tier) MRM Decision Log (C22) logs the model identity, input hashes, tool tier invoked, confidence signals captured by the audit schema, and the decision description. The FINRA compliance adapter for runtime enforcement (PHI-equivalent PII handling, trade-decision capture, supervisory-review gates) ships as a source-available reference implementation today under PolyForm Noncommercial; runtime auto-loading of the adapter into a live process is (Roadmap) — FINRA first, per the fintech beachhead segment. Per-decision named-human-approver attribution is C28, also roadmap.
Yes. IronFrame is infrastructure you deploy — it doesn't require a connection to IronFrame's servers. The (Open-source core) runs entirely within your environment, and the (Commercial tier) is delivered as private repository access + license — also no phone-home. A hosted SaaS tier for organizations that prefer managed infrastructure is (Roadmap) — C29, not yet shippable.
***
HEALTHCARE
IronFrame's audit schema captures the PHI fields a HIPAA adapter needs on every event (Open-source core). The HIPAA compliance adapter itself ships as a tested source-available reference implementation under PolyForm Noncommercial — it documents PHI detection hooks, retention rules, and access-audit patterns. Runtime loading of the adapter into a live process (session-start adapter instantiation, PreToolUse PHI gates, retention enforcement) is (Roadmap) alongside the FINRA rollout. Today a healthcare organization gets the audit schema, the base compliance classes, and the reference adapter to extend or study; full runtime PHI-gate enforcement requires either custom wiring against the open-source interfaces or the forthcoming adapter-runtime release.
***
ANY COMPANY / GENERAL ENTERPRISE
Yes. (Open-source core) spend caps and Self-Audit Engine confidence scoring are valuable in any production LLM deployment. (Commercial tier) tool-risk classification and MRM session logging extend that into defensible decision capture. If your AI can write files, call APIs, or execute commands, you want to know what it did, when, and why — and you want spend caps that refuse to let a stuck loop drain your API budget. IronFrame gives every organization the audit infrastructure that regulated industries are legally required to have.
(Commercial tier) The Capability Fence (C24) blocks offensive-code categories — vulnerability-exercise tooling, credential-harvesting, and network-reconnaissance patterns — by default in all sessions running the commercial enforcement harness. These categories are only available in an explicitly activated SECURITY_TESTING mode, and only for targets on an approved allowlist. The fence exists because LLMs powerful enough to do useful work are also powerful enough to do serious damage if a session goes off-rails. The fence is not in the public pip package — consumers running only the open-source core can implement equivalent pattern gates using the reference Hook Engine and Security Engine classes.
(Commercial tier) When a tool is classified as HIGH-risk and flagged requires_approval by the Tool Risk Tier Registry (C21), IronFrame emits a TOOL_APPROVAL_REQUIRED audit event and blocks execution until a human approves. This is the mechanism that satisfies EU AI Act Article 14's human oversight requirement and gives an operations team a checkpoint before a consequential AI action completes. Per-decision named-human-approver attribution — which specific human approved — is (Roadmap) (C28).
***
COMPETITIVE / WHY IRONFRAME
Observability tools watch what the model does and tell you afterward. IronFrame enforces what the model can do and stops it in real time. (Open-source core) ships the deterministic enforcement primitives — Hook Engine, Budget Manager, Security Engine, base compliance classes — that stop a run-away agent before tokens leave the model. (Commercial tier) ships the production-wired harness with default deny-by-default behaviour across tool tiers, capability fences, and MRM-aware decision capture. The difference matters when the AI is about to execute a HIGH-risk tool, exceed a spend limit, or trigger a fenced-capability pattern — you want enforcement, not a dashboard notification after the fact.
Model-level safety is the model provider's responsibility. Deployment governance is yours. IronFrame handles the layer between "the model is safe" and "my deployment is defensible" — session continuity (Open-source core), tool boundary enforcement (Commercial tier), audit trails (Open-source core) + hardened collector (Commercial tier), budget controls (Open-source core), and compliance documentation (Commercial tier). These are not things Anthropic or OpenAI build for you.
***
ROADMAP / FUTURE
C22 MRM Decision Log, C23 Supervisory Audit Export, and C24 Capability Fence are shipped today on the (Commercial tier) — they are not roadmap items. What remains (Roadmap): C28 User Attribution + Human Approval Gate (per-decision named-human-approver attribution, required to complete the SR 11-7 narrative); C29 Dashboard + Multi-User Tokens (self-serve hosted SaaS tier); additional compliance adapters beyond the current five (FedRAMP and international frameworks like DORA); wider language-adapter coverage (OpenAI / Gemini / open-weight providers); and automatic CI-level invocation of the Spec Conformance Engine, Eval Harness, and Self-Audit cron integration across every production session — each of those is a reference implementation today and will ship as a wired pipeline next.
Yes — and we actively want this input. The chatbot on this page (Commercial tier / public KB) is a Perplexity-powered assistant grounded against IronFrame's public knowledge base. It can answer accurately about: the components C19–C27, compliance mappings (EU AI Act, SR 11-7, BCBS 350, FINRA 3110, HIPAA, SOC 2, GDPR, FedRAMP), the open-core vs commercial licensing split, installation, acronyms, and the tier-label convention used here. It will defer on: roadmap specifics beyond what BUILD_STATUS tracks, internal architecture negotiations, pricing negotiation, and any custom-deployment scoping — use the chatbot to describe your use case, and if IronFrame doesn't currently solve it, that goes directly to the roadmap. Enterprise customers with specific compliance requirements can discuss custom adapter development through the commercial licensing conversation.