Governed run replay
Live - no signup

Run AI workflows under your controls.
Watch one get stopped.

A governed vendor-risk run, replayed end to end: source-grounded evidence, deterministic checks, then a human approval gate that rejects the vendor and writes a tamper-evident proof packet.

Read-only replay of an illustrative run - no inputs, no production credentials.

  • Source-grounded evidence with citations
  • A human approval gate that can stop the run
  • A tamper-evident proof packet
  • Self-hosted, EU-hosted - under your controls

A real governed run, replayed in full below - ending in a human rejection and an auditable proof packet.

Vendor Evidence Review replay
run_8f2c1b - vendor-risk/v3 - 00:00.0 elapsed
Governed run - Illustrative sample - EU region
  • Evidence case opened
  • Evidence packet intake
  • AI work projection
  • Deterministic evidence checks
  • Policy triggers
  • Reviewer decision
  • Proof packet preview
  • Review stopped with evidence

Watch a vendor evidence review, end to end

A reviewer receives a supplier evidence packet, sees missing control artifacts, rejects the approval gate, and keeps the proof packet for follow-up.

status - seq 1
Evidence case opened
running

A procurement reviewer opens a synthetic supplier evidence packet for a regulated AI-system vendor.

  • Vendor: Helio Metrics AI
  • Use case: Regulated decision support
  • Packet: Questionnaire, DPIA excerpt, model card, subprocessors

node - seq 2
Evidence packet intake
passed

The replay extracts source-cited evidence fields before any model output is trusted.

node - seq 3
AI work projection
info

The AI work is projected against procurement controls for human oversight, audit logging, data retention, and model governance.

node - seq 4
Deterministic evidence checks
info

Deterministic checks block clearance because two required artifacts are missing.

node - seq 5
Policy triggers
passed

The findings were combined into a composite vendor risk score. The score is elevated, so the run is routed to a human reviewer rather than auto-cleared.

72/100 - Blocked until evidence is complete
Scale: 0 - low, 60 - review threshold, 100 - high

Risk is elevated by missing security and residency evidence, not by AI confidence.

approval - seq 6
Reviewer decision
rejected
Human gate rejected
Clearance stops until the vendor supplies the missing penetration-test summary and signed residency attestation.
REJECTED

The reviewer rejects the case and records exactly which evidence must be supplied before procurement can continue.

  • Missing penetration-test summary
  • Missing subprocessors residency attestation

Reviewer: Procurement compliance
Decision: Rejected at approval gate

output - seq 7
Proof packet preview
completed
vendor-evidence-proof.json - proof:vendor-evidence-review
Decision
Rejected
The proof packet records AI extraction, deterministic checks, human decision, residual risks, and next actions.
Reasons
AI work summary
Deterministic evidence checks
Human rejection rationale
Residual-risk notes
Evidence (source-grounded citations)
Written once to a tamper-evident, append-only audit ledger - decision, reviewer, reasons, and evidence.
done - seq 8
Review stopped with evidence
completed
Stopped with evidence

The workflow ends without vendor clearance and leaves a customer-readable proof packet for follow-up.

  • Outcome: Vendor not cleared
  • Proof packet: Ready for procurement follow-up
  • Next action: Request missing artifacts

What just happened

Three governance moments, in one run.

The replay is not a chatbot demo. It is the control plane doing its job: grounding, gating, and proof - the parts a regulator asks about.

Seq 2

Evidence with citations

Every finding is grounded in a source document and section. Reviewers and auditors can trace any claim back to where it came from - not to a model's recollection.

Seq 6

A human gate that can stop the run

Elevated risk routes to a person, not an auto-approve. Here the reviewer rejected - and rejection is final at the gate. The run stops before anything is cleared or written.

Seq 7

A tamper-evident proof packet

The decision, the reviewer, the reasons, and the cited evidence are written once to an append-only audit trail. Months later, you can prove exactly why this vendor was not cleared.

Built for regulated teams - designed to run under your controls
Self-hosted
EU AI Act controls
GDPR controls
Audit trail
Data sovereignty

PrivateFlow is not certified under any compliance framework. Controls are designed to support compliance preparation. Where the EU AI Act applies, high-risk obligations carry penalties up to the EUR 15M / 3% of worldwide annual turnover tier; this run is an illustrative, synthetic example.

See it on your own data

Run this on your own vendors.

We'll stand up a governed pilot on your own data - sandbox first, no production credentials required. You decide what the gates do.