Evidence with citations
Every finding is grounded in a source document and section. Reviewers and auditors can trace any claim back to where it came from - not to a model's recollection.
A governed vendor-risk run, replayed end to end: source-grounded evidence, deterministic checks, then a human approval gate that rejects the vendor and writes a tamper-evident proof packet.
Read-only replay of an illustrative run - no inputs, no production credentials.
A real governed run, replayed in full below - ending in a human rejection and an auditable proof packet.
A reviewer receives a supplier evidence packet, sees missing control artifacts, rejects the approval gate, and keeps the proof packet for follow-up.
A procurement reviewer opens a synthetic supplier evidence packet for a regulated AI-system vendor.
The replay extracts source-cited evidence fields before any model output is trusted.
The AI work is projected against procurement controls for human oversight, audit logging, data retention, and model governance.
Deterministic checks block clearance because two required artifacts are missing.
The findings are combined into a composite vendor risk score. The score is elevated, so the run is routed to a human reviewer rather than auto-cleared.
Risk is elevated by missing security and residency evidence, not by AI confidence.
The reviewer rejects the case and records exactly which evidence must be supplied before procurement can continue.
The workflow ends without vendor clearance and leaves a customer-readable proof packet for follow-up.
The replay is not a chatbot demo. It is the control plane doing its job: grounding, gating, and proof - the parts a regulator asks about.
Elevated risk routes to a person, not an auto-approve. Here the reviewer rejected - and rejection is final at the gate. The run stops before anything is cleared or written.
The decision, the reviewer, the reasons, and the cited evidence are written once to an append-only audit trail. Months later, you can prove exactly why this vendor was not cleared.
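The control plane the replay describes (cited evidence fields, deterministic artifact checks, a score that routes to a human gate, and an append-only hash-chained proof trail), as an added Python sketch that is not PrivateFlow's code; the artifact names, score weighting and review threshold are assumptions, and the evidence packet is constructed.

```python
import hashlib
import json

# Constructed sample evidence fields, each citing the document and section it came from.
EVIDENCE = [
    {"control": "human_oversight", "source": "vendor_pack.pdf", "section": "4.2"},
    {"control": "audit_logging", "source": "vendor_pack.pdf", "section": "5.1"},
    {"control": "data_retention", "source": "dpa.pdf", "section": "3"},
    {"control": "model_governance", "source": "vendor_pack.pdf", "section": "6"},
]
REQUIRED_ARTIFACTS = {"security_attestation", "data_residency_statement"}  # assumed names
PROVIDED_ARTIFACTS = {"insurance_certificate"}  # constructed: both required artifacts missing
REVIEW_THRESHOLD = 40  # assumed: a score at or above this is routed to a human reviewer

def run_checks(evidence, provided, required):
    """Deterministic checks: every field must cite a source; required artifacts must exist."""
    uncited = [e["control"] for e in evidence if not (e.get("source") and e.get("section"))]
    missing = sorted(required - provided)
    score = 25 * len(missing) + 50 * len(uncited)  # assumed weighting, not the product's formula
    return {"uncited": uncited, "missing_artifacts": missing, "score": score,
            "route": "human_review" if score >= REVIEW_THRESHOLD else "auto_clear"}

def _link_hash(prev, record):
    return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

def append_record(trail, record):
    """Append-only trail: each entry commits to the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    trail.append({"prev": prev, "record": record, "hash": _link_hash(prev, record)})
    return trail[-1]

def verify_trail(trail):
    """Recompute the chain; an edited or dropped entry breaks the link that follows it."""
    prev = "0" * 64
    for entry in trail:
        if entry["prev"] != prev or _link_hash(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True

def replay(reviewer, reviewer_decision):
    trail = []
    checks = run_checks(EVIDENCE, PROVIDED_ARTIFACTS, REQUIRED_ARTIFACTS)
    append_record(trail, {"step": "checks", **checks})
    # An elevated run takes the human's decision; it is never auto-cleared at the gate.
    decision = reviewer_decision if checks["route"] == "human_review" else "cleared"
    append_record(trail, {"step": "gate", "reviewer": reviewer, "decision": decision,
                          "must_supply": checks["missing_artifacts"],
                          "cited": [[e["source"], e["section"]] for e in EVIDENCE]})
    return {"cleared": decision == "cleared", "trail": trail}
```

`replay("reviewer@example.invalid", "rejected")` reproduces the run above: two missing artifacts push the score past the threshold, the reviewer's rejection is recorded with the artifacts still owed, and `verify_trail` fails on any later edit to either entry.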
PrivateFlow is not certified under any compliance framework. Controls are designed to support compliance preparation. Where the EU AI Act applies, high-risk obligations carry penalties up to the EUR 15M / 3% of worldwide annual turnover tier; this run is an illustrative, synthetic example.
We'll stand up a governed pilot on your own data - sandbox first, no production credentials required. You decide what the gates do.