The AI Runtime Control Plane
Governance approves AI for production. Quantlix proves what happened after it went live.
Quantlix sits in front of every model call and turns it into tamper-evident, time-stamped proof that the approved controls fired — policy decisions, redaction, provider attribution, approvals, evals, and stop controls — exportable as an audit bundle anyone can verify without trusting us. EU-hosted; self-hosting available.
- OpenAI-compatible gateway
- EU-hosted
- Runtime policy enforcement
- Audit-grade traces
Runtime path
policy · redaction · budget · enforced
Request verdict
Allowed with redaction
- Detected: email, phone
- Action: redacted before call
- Provider: openai · gpt-4o
- Policy: gdpr-pack
- Latency: 412 ms
Fits the stack you already run
Drop-in gateway for model providers, workflow RAG and agents, and trace export to your existing observability tooling.
- Azure OpenAI
- OpenAI
- Anthropic
- Bedrock
- Self-hosted
- RAG
- Agents
- Observability export
The problem
AI is in production. You can't continuously, auditably prove the approved controls are operating.
Your teams are shipping copilots, triage tools, screening workflows, and internal assistants. But every model call raises a question: what data was sent, which policy was enforced, what was blocked — and what evidence exists if an auditor, buyer, or board asks?
Can't prove approved controls fired
Pre-deployment governance approves AI for production — but buyers and auditors ask whether those controls actually operated on each live model call.
Policy docs and screenshots aren't evidence
A policy PDF, a slide deck, or a Slack screenshot doesn't show what was enforced, redacted, or blocked at runtime.
No record at the model-call level
Without per-request evidence — policy version, verdict, provider, timestamp — you can't reconstruct what happened when it matters.
Regulatory timeline: EU AI Act high-risk obligations land Q3 2026 — in scope even from the US
How it works
One layer between your application and every model provider
One shared source of truth for AI in production. Engineers get a gateway and traces. Governance gets obligation-mapped evidence. Leaders get risk, cost, and reliability rollups. Same data, three surfaces.
1. Route & enforce
Point your SDK at the Quantlix gateway (POST /run and OpenAI-compatible /v1/*). Runtime policies run on every call.
2. Redact or block, then forward
Sensitive input is redacted or unsafe requests blocked — before the provider sees them.
3. Capture & export
Every call becomes an append-only trace; export defensible evidence when needed.
OpenAI-compatible gateway
POST /run and /v1/* routes with deployment binding — chat, messages, and embeddings.
Runtime policy enforcement
Guardrails and contextual packs evaluate every request before inference.
PII redaction & blocking
Detect, redact, or block sensitive input with per-request evidence.
Audit-grade traces
Trace spans capture policy decisions, provider metadata, and model versions.
Evidence bundle exports
Audit bundles and register exports for buyer and governance review.
Budget & reliability visibility
Usage limits, spend signals, and fleet health in the dashboard overview.
Try it
Run a policy check in the sandbox
Paste a sample prompt, choose a policy pack, and see what Quantlix allows, redacts, blocks, and records as evidence — no signup.
Run a sample to see the policy verdict and a synthetic evidence record — trace_id, rule fired, and export readiness. Illustrative only; production records are hash-chained and independently verifiable.
Live policy check via the public Boundary sandbox — synthetic prompts only, no signup required.
Runtime evidence
From policy documents to runtime proof
Quantlix turns model activity into defensible records — policy decisions, redaction events, provider metadata, timestamps, and trace IDs — exportable as audit bundles. It produces the evidence; your advisor renders the judgment. Quantlix does not declare anyone "compliant."
Hash-chained trace store
Every enforcement and run-seal event appends to a per-tenant SHA-256 ledger — each entry carries the digest of the prior entry, so undetected alteration breaks the chain.
Rekor anchoring → verify without trusting Quantlix
Completed segments publish Merkle roots to the public Sigstore Rekor log. Reviewers confirm anchors with a browser or the bundled verification script — no Quantlix login required.
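The hash-chain and anchored-root idea described above, as an added example (not Quantlix's code or record format): the field names, the genesis value, and the RFC 6962-style Merkle construction are assumptions. It shows that an in-place edit breaks the chain, while a ledger rebuilt end to end passes the chain check and is caught only by comparing against the externally published root.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous digest" for the first entry

def entry_digest(prev, event):
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + "\n" + body).encode()).hexdigest()

def build(events):
    ledger, prev = [], GENESIS
    for event in events:
        digest = entry_digest(prev, event)
        ledger.append({"prev": prev, "event": event, "digest": digest})
        prev = digest
    return ledger

def first_broken_link(ledger):
    """Index of the first entry that fails verification, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["digest"] != entry_digest(prev, e["event"]):
            return i
        prev = e["digest"]
    return None

def merkle_root(leaves):
    # RFC 6962-style tree: 0x00 prefix for leaves, 0x01 for interior nodes.
    if len(leaves) == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < len(leaves):
        k *= 2
    left, right = merkle_root(leaves[:k]), merkle_root(leaves[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()

def segment_root(ledger):
    return merkle_root([bytes.fromhex(e["digest"]) for e in ledger]).hex()

# Constructed sample events (not real Quantlix records).
EVENTS = [
    {"trace_id": "example-0001", "policy": "gdpr-pack", "verdict": "allowed"},
    {"trace_id": "example-0002", "policy": "gdpr-pack", "verdict": "redacted"},
    {"trace_id": "example-0003", "policy": "gdpr-pack", "verdict": "blocked"},
]
ledger = build(copy.deepcopy(EVENTS))
anchored = segment_root(ledger)  # the value that would be published externally
```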
Seven evidence artifacts
Hash-chained trace store
Full request lifecycle: policy verdicts, redacted input, provider, latency, cost.
Enforcement records
Pinned policy version, rules evaluated, verdict, and reason per request.
Redaction / PII events
Detection category and action taken — metadata only, no retained PII.
Provider & failover attribution
Per-call provider/model plus failover events when routing shifts.
Approval-gate & stop records
Human approvals, deployment stops, and access-audit events with actor identity.
Eval & adversarial detection
Eval-gated promotion results and boundary detections on live traffic.
Exportable audit bundle
Manifest-led PDF / CSV / JSON with HOW_TO_VERIFY and standalone verifier.
Evidence captured
policy GDPR Pack
verdict Allowed with redaction
detected email, phone number
action redacted before provider call
environment production
provider openai · gpt-4o
trace_id qlx_8f2a41c9…
export audit-ready
Example record — illustrative only.
For your whole team
Built for engineering, security, risk, audit, and AI leadership
One runtime evidence layer — five buying-committee lenses, not five products.
Platform & AI Engineers
Integrate fast. Keep control. Debug every call.
- OpenAI-compatible gateway
- Provider configuration
- API keys & SDK snippets
- Policy packs
- Raw traces & request inspection
- Latency & error visibility
CISO & Security
Defensible runtime control across all AI usage; tamper-evident evidence for security review.
- Policy enforcement on /run and /v1/* gateway paths
- Hash-chained trace store with Rekor anchoring
- Provider failover events on the enforcement spine
- Audited deployment stop and resume controls
- RBAC and scoped external reviewer access
- Signed enforcement exports when configured
Risk, Compliance & Internal Audit
Operating-effectiveness evidence per control, per policy version — exportable and independently verifiable.
- Enforcement events with pinned policy version
- Composed audit bundles (PDF, CSV, JSON)
- Standalone bundle verification (no Quantlix login)
- Obligations map: runtime-evidenced vs attestation
- Investigation API by request_id or run_id
- Article 26 register and RoPA assistance exports
Governance, DPO & Trust
Prove controls are enforced. Export the evidence.
- PII redaction evidence
- Policy coverage status
- Obligation mapping
- Audit bundle exports
- Art. 30 / RoPA assistance exports
- Scoped external reviewer access
CTOs & AI Leaders
See whether your AI estate is controlled, reliable, and within budget.
- AI estate overview
- Budget tracking
- Provider & enforcement rates
- Incident rollups
- Leadership report export (JSON)
The shift
From policy documents to runtime proof
Policy documents
- Controls live in policy documents and slide decks
- Evidence is screenshots, emails, and attestations
- No per-request record of what was enforced
- Auditors must trust narratives, not artifacts
- Policy versions drift from what production runs
- Buyers can't verify controls without a vendor call
Runtime proof
- Every model call produces a runtime evidence record
- Policy decisions are logged with pinned policy version
- Redaction and blocks are captured before the provider
- Hash-chained traces anchor to Rekor for independent verification
- Audit bundles export as PDF, CSV, and JSON
- Reviewers verify bundles without a Quantlix login
Who it's for
Designed for regulated AI use cases already in production
HR-tech
Candidate screening, interview copilots, employee support.
Fintech
Fraud triage, support copilots, loan-processing assistance.
Insurance
Claims triage, underwriting support, knowledge assistants.
Healthtech
Care-admin copilots, patient routing, clinical ops.
Legal-tech
Contract review, matter intake, legal research.
Govtech
Citizen-service assistants, case triage, process automation.
Security & deployment
Built for EU data, enterprise buyers, and security reviews
EU-hosted
For teams with EU users or EU data-residency needs. EU-only today.
Provider-independent
Works with OpenAI, Anthropic, Groq, Together, Bedrock, Voyage.
Role-based access
Separate engineering, governance, leadership, and reviewer access.
Exportable evidence
Audit bundles for buyers, auditors, and leadership review.
Security posture — stated honestly
- SOC 2 Type 1: In progress
- ISO 27001: On roadmap
- ISO 42001: Planned
- Third-party penetration test: Scheduled
- Evidence integrity: Append-only · Rekor
- Data residency: EU-only
SOC 2 Type 1 in progress — report available under NDA when the examination completes. Not certified today.
Control every AI request. Prove every decision.
Make your production AI independently provable.
Start with one production workflow. Route it through Quantlix. See what was allowed, redacted, blocked, and captured as evidence.