v0.1.2 Beta · Apache 2.0 · Python 3.10+

LLM governance that blocks, not just logs.

Most AI governance products write violations to a dashboard. IronFrame stops the action at the tool boundary, before it executes — with a tamper-resistant audit trail your regulator can read.

Get started → Enterprise & Compliance
pip pip install ironframe
141/141
Tests passing
18
Components
5
Compliance adapters
0ms
Hook latency target
The problem

Prompts don’t produce audit trails.

Most “AI reliability” products try to fix hallucination with more AI. IronFrame takes a different approach: deterministic enforcement outside the LLM context window. A model cannot rationalize around hooks it never sees.

Capability Prompt Engineering RAG / Chain-of-Thought IronFrame
Enforces tool boundaries at hook level
Tamper-resistant audit trail
Persists state across sessionsPartial
Compliance-ready out of the box
Model-agnostic (any LLM)
MRM / supervisory audit export
Architecture

Above the model. Below your application.

IronFrame is a governance stratum. The enforcement logic executes outside the LLM context window. The model never sees the rules it can’t break.

Claude/ GPT-4o/ Gemini/ Llama Tool Risk (C21) Capability Fence (C24) MRM Log (C22) Audit Export (C23) ✓ Governed Output
Competitive landscape

Where IronFrame fits.

The word “governance” is overloaded in 2026. Most products in the category trace, log, and evaluate. A smaller set blocks at the LLM input/output boundary. Almost no one runs outside-LLM enforcement at the tool boundary. That last column is what IronFrame is.

Pure observability
Arize Phoenix · LangSmith · Guardrails AI
Trace, log, and evaluate model behavior; alert on violations.
What's missing
No runtime block. These platforms do not stop tool calls from executing based on policy violations (for example, Arize Phoenix describes its instrumentation as non-blocking if the service is unavailable, per their documentation as of April 2026).
Gateway-layer enforcement
Portkey · Cloudflare AI Gateway · Strongly.AI
Enforce policy at the prompt/response boundary.
What's missing
Doesn't see tool calls downstream of the LLM. Gateways do not inspect or block individual tool invocations the agent performs after the LLM call.
Program governance
Credo AI · Monitaur · Fiddler
Inventories, assessments, policies, governance artifacts.
What's missing
Documents and dashboards, not runtime intercepts. These platforms do not sit inline with agents to block specific actions at execution time.
Enforcement-first
IronFrame
Hooks fire before tool execution at the tool boundary, outside the LLM context window, with append-only HMAC-signed audit transport and documented mappings to SR 11-7 and EU AI Act Article 12.
What this means
When a policy violation is detected, the action does not execute. The model never sees the rule it cannot break. The audit trail your regulator reads is the same one that did the blocking.
Capability comparison

Side by side.

Capability IronFrame Arize Credo Portkey ModelOp
Blocks at tool boundaryPartial
Hooks fire outside LLM context window
Tamper-resistant audit log (append-only, HMAC, per-event SHA-256)
SR 11-7 / EU AI Act Art. 12 documented mapping
Per-event SHA-256 supervisory export
Model-agnostic (Claude / GPT-4o / Gemini / open-weight)

Competitor capabilities are based on public documentation and marketing materials as of April 2026 (e.g., Arize Phoenix docs, Credo AI product pages, Portkey AI Gateway docs, and ModelOp governance controls).

None of the major named competitors (Arize, Guardrails, Fiddler, Credo, Monitaur, ModelOp) present an architecture where outside-LLM hooks sit at the tool boundary and enforce policy before agent actions execute, with hardened, append-only audit transport built in. Observability platforms focus on tracing and evaluation, gateway products intercept prompts and responses, and program-governance suites produce policies and evidence but do not sit inline with tool calls. ModelOp does advertise “inline protections” as part of its model-governance controls, but as a model-lifecycle platform with enforcement added into that context, rather than an enforcement-first agent middleware layer.

18 components · 4 pillars

Everything LLM infrastructure needs.

Enforcement
  • Hook Engine — deterministic pre/post hooks outside LLM context Open-core library
  • Tool Risk Tier System (C21) — LOW / MED / HIGH classification Commercial runtime
  • Capability Fence (C24) — exploit, recon, credential patterns blocked Commercial runtime
  • State Machine · Agent Trust · I/O Schema Open-core library
Observability
  • Immutable Audit Log — write-before-release, SHA-256 integrity Open-core library
  • MRM Metadata (C22) — SR 11-7 & EU AI Act Art. 12 aligned Commercial runtime
  • Supervisory Audit Export (C23) — tamper-resistant, CLI exportable Commercial runtime
  • Conformance & Drift Engine · Context Budget Open-core library
Model Access
  • Model Abstraction Layer — fast / smart / cheap / verification routing Open-core library
  • Budget Manager — per-request, per-session, per-day spend caps Open-core library
  • Error Recovery Open-core library
Verification
  • Self-Audit Engine — confidence scoring on every output Open-core library
  • Logic Skills · Eval & Regression Open-core library
  • KB Grounding Open-core library
Ask IronFrame AI

Have a question? Ask the AI.

Ask about architecture, compliance mapping, or whether IronFrame solves your deployment challenge. Unbuilt capabilities go directly to the roadmap.

🤖
IronFrame Assistant
Powered by Perplexity AI
🤖
Hi — ask me anything about IronFrame: architecture, compliance mapping, LLM support, or whether IronFrame can solve your specific challenge. If something isn’t built yet, I’ll flag it as a roadmap item.
Open Source · Apache 2.0

Start with the open core. Scale to enterprise.

Hook Engine, Tool Risk Tiers, and Session Registry are free forever. Compliance adapters and hosted tier for regulated deployments.

View on GitHub → pip install ironframe
For Developers

Production-grade LLM governance in minutes.

Open-source core, Apache 2.0. Install, wire up your API key, and every LLM call is audited, budget-capped, and enforcement-gated from line one.

Install from PyPI View source →
Quickstart

Up in 3 lines.

Python
# Install
pip install ironframe

from ironframe import IronFrameConfig
from ironframe.mal.client_v1_0 import IronFrameClient

config = IronFrameConfig.from_env()
client = IronFrameClient(config)

response = client.complete(
    prompt="Summarize key contract risks.",
    capability="smart",  # fast|smart|cheap|verify
)

print(response.content)
print(f"Confidence: {response.confidence}")
print(f"Cost: ${response.cost:.4f}")
# Every call: audited, budget-capped, confidence-scored.
Extras
pip install "ironframe[openai]"   # GPT-4o / Perplexity
pip install "ironframe[z3]"      # Symbolic verification
pip install "ironframe[all]"     # Everything
What you get free (Apache 2.0)
Session Methodology Registry (C19)
Methodology injection on every session startup — no more context drift.
Dependency Registry + Scanner (C20)
Tracks project dependencies, scans for drift automatically.
Tool Risk Tier System (C21)
LOW / MED / HIGH enforcement — PreToolUse hooks, audit events on every HIGH execution.
Immutable Audit Log
Write-before-release. SHA-256 per event. If logging fails, the operation does not complete.
Budget Manager
Per-request, per-session, per-day spend caps. Mandatory — not optional.
Model Abstraction Layer
Capability routing across Claude, GPT-4o, Gemini, Llama — swap models without code changes.
Licensing

Open core. Commercial power.

Apache 2.0 — Free forever
  • C19 Session Methodology Registry
  • C20 Dependency Registry + Scanner
  • C21 Tool Risk Tier System (core)
  • Hook Engine · Self-Audit Engine
  • Model Abstraction Layer · Budget Manager
  • Base compliance classes (build your own adapters)
Commercial license
  • C22 MRM Metadata + Decision Log
  • C23 Supervisory Audit Export (SHA-256, CLI)
  • C24 Offensive Capability Fence
  • HIPAA, FINRA, SOC2, SEC, GDPR adapters
  • C25 Bank Reference Architecture
  • Multi-user management · Hosted tier (coming)

Start building in 3 minutes.

Full docs, architecture decision records, and SPEC.md are in the repo.

Read the docs → Open an issue
EU AI Act full application: August 2, 2026

LLM governance for regulated industries.

IronFrame’s commercial tier is built for financial services, healthcare, and government — organizations that cannot deploy AI without a verifiable audit trail, risk management log, and explainable output chain.

Request a demo Ask our AI →
Industries

Built for regulated environments.

IronFrame is purpose-built for organizations where an unaudited AI decision has legal, financial, or patient-safety consequences.

Financial Services
Trading, Risk & Compliance
Model risk management documentation, supervisory audit exports, and capability fencing for trading desk AI. Built to BCBS 350, SR 11-7, and FINRA requirements.
FINRASR 11-7BCBS 350
Banking, Credit Unions & Fintech
Model Risk, Supervision & Audit
Model risk management documentation, supervisory audit exports, and capability fencing for community banks, credit unions, regional banks, and fintech compliance teams. Built to BCBS 350, SR 11-7, FINRA Rule 3110, and NCUA examination requirements.
FINRASR 11-7BCBS 350NCUA
Healthcare
Clinical & Administrative AI
HIPAA-native audit schema, PHI access logging, and session methodology enforcement for clinical decision support and administrative automation.
HIPAASOC2
Government & Defense
Policy & Operations AI
FedRAMP-aligned architecture, immutable audit trails for AI-assisted decisions, and tool risk enforcement for sensitive government workflows.
FedRAMPNIST AI RMF
Enterprise Technology
AI Platform Teams
Multi-model governance, compliance reporting, and deployment guardrails for AI platform teams building on Claude, GPT-4o, Gemini, or open-weight models.
SOC2GDPREU AI Act
Regulatory mapping

Which component satisfies which requirement.

The components below are part of IronFrame’s runtime/commercial surface. The open-core library at github.com/briancarter456546/ironframe provides the SDK foundation — model abstraction, hook engine, audit log primitives, conformance — while runtime/commercial deployments add MRM logging (C22), supervisory export (C23), capability fencing (C24), and per-tier tool risk enforcement (C21).

RegulationRequirementIronFrame ComponentNotes
EU AI Act Art. 9Risk management systemC21 Tool Risk C24 Capability FenceTool tier classification + offensive capability blocking
EU AI Act Art. 12Logging & traceabilityC22 MRM Log C23 Audit Export6-month retention, SHA-256 integrity, supervisory export
EU AI Act Art. 14Human oversightC21 HIGH gate C22 MRM LogTOOL_APPROVAL_REQUIRED blocks until human approves
EU AI Act Art. 15Cybersecurity & robustnessC24 Capability FenceExploit/recon/credential patterns blocked by allowlist
SR 11-7 / BCBS 350Model risk managementC22 MRM Metadata C23 Audit ExportMRMSession + MRMDecision; JSON/YAML supervisory export
FINRA Rule 3110Supervision & recordsC23 Supervisory Export--supervisory flag strips internal metadata for regulators
HIPAAPHI audit trailCompliance Adapter Audit LogHIPAA fields captured natively in audit schema
FedRAMP ModerateContinuous monitoringC23 Audit Export C24 FenceLLM-agnostic — works on approved models, not Anthropic-locked
Custom engagements

Full runtime governance surface.

pip install ironframe ships the open-core library — C1–C18 + SAE, the SDK foundation. A custom IronFrame engagement deploys the full runtime governance surface below: 32 built components plus the hook layer that fires outside the LLM context window plus the audit transport hardened on dedicated infrastructure. Components are listed honestly: Live in our own production ops today, Wiring for components that are tested but whose runtime invocation is still being completed, Roadmap for components included for transparency.

✓ Live in our ops today
Wired into PC + Minerva right now. Claim-safe in audit trail.
  • C19 Session Methodology InjectionUserPromptSubmit hook, 13 governance rules per session
  • C20 Dependency Registry + Scanner
  • C21 Tool Risk Tier Registry35 tools classified, LOW / MED / HIGH, PreToolUse enforcement
  • C22 MRM Metadata + Decision LogAuto-starts on every session; SR 11-7 / EU AI Act Art. 12 aligned
  • C23 Supervisory Audit ExportThree-branch resolver, no silent fallback, FileNotFoundError on missing source
  • C24 Offensive Capability FenceOffensive-code, recon, credential patterns blocked in NORMAL_DEV
  • C25 Bank Reference ArchitectureEU AI Act / SR 11-7 / BCBS 350 doc mapping
  • C26 Topology VisibilityManifest + verifier + cron
  • C26.1b Governance Layers 4–6Admin gate + freeze flag (the armed emergency-stop)
  • C26.2 Asset Registry
  • C27 Append-Only Audit CollectorHMAC-signed O_APPEND, hardened systemd unit, deployed since 2026-04-18
  • C30 Preflight Speed-Check HookAST + runtime-history Red/Yellow/Green scoring on Python invocations
  • C31 Worker-Count Guard Hookpsutil PreToolUse cap on concurrent worker processes
  • C32 DACI Domain-Aware Context InjectionDomain-keyed context loaded once per session at moment of entry
  • SAE Self-Audit Engine Phase 1 CLI5 subcommands: judge / confidence / verify / tier / evaluate-session
  • Designer Contract v1 + Lane disciplinePre-design 7-question checklist + lane-discipline-guard hook (informs delivery quality)
⏳ Built & tested, wiring in progress
Honest state — we’ll tell you which apply to your deployment.
  • C11 Security / Injection DefenseLibrary-only today; runtime hook wiring in queue
  • C13 Eval & Regression Harness141 tests run on-demand; CI cron pending
  • C17 Agent Trust + KillSwitchKillSwitch class exists; not armed today — the armed emergency-stop is C26.1b freeze flag
  • C18 Spec Conformance + DriftCLI exists; cron pending
  • HIPAA / FINRA / SOC2 / SEC / GDPR adapter loadersTested; runtime loading is the post-FINRA-first wiring work
  • SAE Phase 2 samplerPostToolUse hook + in-MAL sampler — task #875
◯ Roadmap (for transparency)
Specced — not yet built. Listed so prospects can see the trajectory.
  • C28 User Attribution + Human Approval GateNamed-human attribution layer for SR 11-7. The gate primitive itself works today via C21 HIGH tier.
  • C29 Dashboard + Multi-User TokensSelf-serve commercial tier
  • C36 MCP Governance ServerExternal-distribution wedge: deployable MCP server that wraps any MCP deployment with IronFrame governance
  • C37 Hook Telemetry Feedback LoopSelf-improvement loop: aggregates audit events, flags hooks with high false-positive rates
  • C38 Design Doc EnforcementSpec only, warn-only mode today; gates new high-impact changes on a 7-section design doc
Day one deployment checklist

The boxes your legal team will ask about.

Tool boundary enforcement
Every tool call classified LOW/MED/HIGH. HIGH tools require explicit approval or log TOOL_HIGH_RISK_EXECUTED.
Tamper-resistant audit log
Write-before-release. SHA-256 hash per event. verify_integrity() CLI command.
MRM session documentation
SR 11-7 and EU AI Act Art. 12 aligned. JSON/YAML export for supervisory review.
Human oversight gates
TOOL_APPROVAL_REQUIRED events block execution and wait for human approval.
Offensive capability fencing
Exploit, scan, credential, and recon patterns blocked by default. Allowlist only.
Model-agnostic governance
Works with your approved model — Claude, GPT-4o, Gemini, or open-weight. Not Anthropic-locked.
EU AI Act · August 2026

The clock is running. IronFrame is ready.

Commercial licenses, enterprise onboarding, and white-label deployments available.

Contact for licensing Bank reference architecture →