The AI Runtime Control Plane

Governance approves AI for production. Quantlix proves what happened after it went live.

Quantlix sits in front of every model call and turns it into tamper-evident, time-stamped proof that the approved controls fired — policy decisions, redaction, provider attribution, approvals, evals, and stop controls — exportable as an audit bundle anyone can verify without trusting us. EU-hosted; self-hosting available.

  • OpenAI-compatible gateway
  • EU-hosted
  • Runtime policy enforcement
  • Audit-grade traces
One request through Quantlix · Live

Runtime path

Your app · agent · copilot
Quantlix Runtime Control Layer

policy · redaction · budget · enforced

Policy check
PII redaction
Budget control
Enforced
Evidence record · hash-chained
OpenAI · Anthropic · Groq · Together · Bedrock

Request verdict

Allowed with redaction

Detected: email, phone
Action: redacted before call
Provider: openai · gpt-4o
Policy: gdpr-pack
Latency: 412 ms
Tamper-evident evidence record · hash-chained · export ready

Fits the stack you already run

Drop-in gateway for model providers, workflow RAG and agents, and trace export to your existing observability tooling.

Providers
  • Azure OpenAI
  • OpenAI
  • Anthropic
  • Bedrock
  • Self-hosted
Also
  • RAG
  • Agents
  • Observability export

The problem

AI is in production. You can't continuously, auditably prove the approved controls are operating.

Your teams are shipping copilots, triage tools, screening workflows, and internal assistants. But every model call raises a question: what data was sent, which policy was enforced, what was blocked — and what evidence exists if an auditor, buyer, or board asks?

  • Can't prove approved controls fired

    Pre-deployment governance approves AI for production — but buyers and auditors ask whether those controls actually operated on each live model call.

  • Policy docs and screenshots aren't evidence

    A policy PDF, a slide deck, or a Slack screenshot doesn't show what was enforced, redacted, or blocked at runtime.

  • No record at the model-call level

    Without per-request evidence — policy version, verdict, provider, timestamp — you can't reconstruct what happened when it matters.

Regulatory timeline: EU AI Act high-risk obligations land Q3 2026 — in scope even from the US

How it works

One layer between your application and every model provider

One shared source of truth for AI in production. Engineers get a gateway and traces. Governance gets obligation-mapped evidence. Leaders get risk, cost, and reliability rollups. Same data, three surfaces.

  1. Route & enforce

    Point your SDK at the Quantlix gateway (POST /run and OpenAI-compatible /v1/*). Runtime policies run on every call.

  2. Redact or block, then forward

    Sensitive input is redacted or unsafe requests blocked — before the provider sees them.

  3. Capture & export

    Every call becomes an append-only trace; export defensible evidence when needed.

  • OpenAI-compatible gateway

    POST /run and /v1/* routes with deployment binding — chat, messages, and embeddings.

  • Runtime policy enforcement

    Guardrails and contextual packs evaluate every request before inference.

  • PII redaction & blocking

    Detect, redact, or block sensitive input with per-request evidence.

  • Audit-grade traces

    Trace spans capture policy decisions, provider metadata, and model versions.

  • Evidence bundle exports

    Audit bundles and register exports for buyer and governance review.

  • Budget & reliability visibility

    Usage limits, spend signals, and fleet health in the dashboard overview.

Try it

Run a policy check in the sandbox

Paste a sample prompt, choose a policy pack, and see what Quantlix allows, redacts, blocks, and records as evidence — no signup.

Run a sample to see the policy verdict and a synthetic evidence record — trace_id, rule fired, and export readiness. Illustrative only; production records are hash-chained and independently verifiable.

Live policy check via the public Boundary sandbox — synthetic prompts only, no signup required.

Runtime evidence

From policy documents to runtime proof

Quantlix turns model activity into defensible records — policy decisions, redaction events, provider metadata, timestamps, and trace IDs — exportable as audit bundles. It produces the evidence; your advisor renders the judgment. Quantlix does not declare anyone "compliant."

Hash-chained trace store

Every enforcement and run-seal event appends to a per-tenant SHA-256 ledger — each entry carries the digest of the prior entry, so altering an entry breaks the chain and is detectable.

Rekor anchoring → verify without trusting Quantlix

Completed segments publish Merkle roots to the public Sigstore Rekor log. Reviewers confirm anchors with a browser or the bundled verification script — no Quantlix login required.
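
Added example (not Quantlix code and not its record format): the chain check described under "Hash-chained trace store", and the reason for the external anchor described under "Rekor anchoring". The entry layout, canonical-JSON encoding, genesis value and RFC 6962-style tree are assumptions, and ANCHORED_ROOT stands in for a root published to an external log.

```python
import copy, hashlib, json

GENESIS = "0" * 64  # assumed prev value for the first entry

def entry_digest(prev, payload):
    # Canonical JSON so an independent verifier reproduces the same bytes.
    body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def build(payloads):
    ledger, prev = [], GENESIS
    for p in payloads:
        ledger.append({"prev": prev, "payload": p, "hash": entry_digest(prev, p)})
        prev = ledger[-1]["hash"]
    return ledger

def verify_chain(ledger):
    """Index of the first entry that fails, or None if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_digest(prev, e["payload"]):
            return i
        prev = e["hash"]
    return None

def merkle_root(leaves):
    """RFC 6962-style tree hash: 0x00 prefixes leaves, 0x01 interior nodes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < len(leaves):  # largest power of two below len(leaves)
        k *= 2
    return hashlib.sha256(b"\x01" + merkle_root(leaves[:k]) + merkle_root(leaves[k:])).digest()

def segment_root(ledger):
    return merkle_root([bytes.fromhex(e["hash"]) for e in ledger]).hex()

# Constructed sample events (not real Quantlix records).
EVENTS = [{"verdict": v, "policy": "gdpr-pack"}
          for v in ("allowed_with_redaction", "blocked", "allowed")]
LEDGER = build(EVENTS)
ANCHORED_ROOT = segment_root(LEDGER)  # stands in for the externally published root
# Case 1: one entry edited in place; the chain check fails at that entry.
edited = copy.deepcopy(LEDGER)
edited[1]["payload"]["verdict"] = "allowed"
# Case 2: ledger rebuilt from altered events; chain is self-consistent, root differs.
rewritten = build([EVENTS[0], dict(EVENTS[1], verdict="allowed"), EVENTS[2]])
```

An in-place edit is caught by the chain itself; a full rebuild passes the chain check and is caught only by comparing the recomputed root with the anchored one.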

Seven evidence artifacts

  • Hash-chained trace store

    Full request lifecycle: policy verdicts, redacted input, provider, latency, cost.

  • Enforcement records

    Pinned policy version, rules evaluated, verdict, and reason per request.

  • Redaction / PII events

    Detection category and action taken — metadata only, no retained PII.

  • Provider & failover attribution

    Per-call provider/model plus failover events when routing shifts.

  • Approval-gate & stop records

    Human approvals, deployment stops, and access-audit events with actor identity.

  • Eval & adversarial detection

    Eval-gated promotion results and boundary detections on live traffic.

  • Exportable audit bundle

    Manifest-led PDF / CSV / JSON with HOW_TO_VERIFY and standalone verifier.

Evidence captured

policy GDPR Pack

verdict Allowed with redaction

detected email, phone number

action redacted before provider call

environment production

provider openai · gpt-4o

trace_id qlx_8f2a41c9…

export audit-ready

Example record — illustrative only.

For your whole team

Built for engineering, security, risk, audit, and AI leadership

One runtime evidence layer — five buying-committee lenses, not five products.

  • Platform & AI Engineers

    Integrate fast. Keep control. Debug every call.

    • OpenAI-compatible gateway
    • Provider configuration
    • API keys & SDK snippets
    • Policy packs
    • Raw traces & request inspection
    • Latency & error visibility
  • CISO & Security

    Defensible runtime control across all AI usage; tamper-evident evidence for security review.

    • Policy enforcement on /run and /v1/* gateway paths
    • Hash-chained trace store with Rekor anchoring
    • Provider failover events on the enforcement spine
    • Audited deployment stop and resume controls
    • RBAC and scoped external reviewer access
    • Signed enforcement exports when configured
  • Risk, Compliance & Internal Audit

    Operating-effectiveness evidence per control, per policy version — exportable and independently verifiable.

    • Enforcement events with pinned policy version
    • Composed audit bundles (PDF, CSV, JSON)
    • Standalone bundle verification (no Quantlix login)
    • Obligations map: runtime-evidenced vs attestation
    • Investigation API by request_id or run_id
    • Article 26 register and RoPA assistance exports
  • Governance, DPO & Trust

    Prove controls are enforced. Export the evidence.

    • PII redaction evidence
    • Policy coverage status
    • Obligation mapping
    • Audit bundle exports
    • Art. 30 / RoPA assistance exports
    • Scoped external reviewer access
  • CTOs & AI Leaders

    See whether your AI estate is controlled, reliable, and within budget.

    • AI estate overview
    • Budget tracking
    • Provider & enforcement rates
    • Incident rollups
    • Leadership report export (JSON)

The shift

From policy documents to runtime proof

Policy documents

  • Controls live in policy documents and slide decks
  • Evidence is screenshots, emails, and attestations
  • No per-request record of what was enforced
  • Auditors must trust narratives, not artifacts
  • Policy versions drift from what production runs
  • Buyers can't verify controls without a vendor call

Runtime proof

  • Every model call produces a runtime evidence record
  • Policy decisions are logged with pinned policy version
  • Redaction and blocks are captured before the provider
  • Hash-chained traces anchor to Rekor for independent verification
  • Audit bundles export as PDF, CSV, and JSON
  • Reviewers verify bundles without a Quantlix login

Who it's for

Designed for regulated AI use cases already in production

  • HR-tech

    Candidate screening, interview copilots, employee support.

  • Fintech

    Fraud triage, support copilots, loan-processing assistance.

  • Insurance

    Claims triage, underwriting support, knowledge assistants.

  • Healthtech

    Care-admin copilots, patient routing, clinical ops.

  • Legal-tech

    Contract review, matter intake, legal research.

  • Govtech

    Citizen-service assistants, case triage, process automation.

Security & deployment

Built for EU data, enterprise buyers, and security reviews

  • EU-hosted

    For teams with EU users or EU data-residency needs. EU-only today.

  • Provider-independent

    Works with OpenAI, Anthropic, Groq, Together, Bedrock, Voyage.

  • Role-based access

    Separate engineering, governance, leadership, and reviewer access.

  • Exportable evidence

    Audit bundles for buyers, auditors, and leadership review.

Security posture — stated honestly

  • SOC 2 Type 1: In progress
  • ISO 27001: On roadmap
  • ISO 42001: Planned
  • Third-party penetration test: Scheduled
  • Evidence integrity: Append-only · Rekor
  • Data residency: EU-only

SOC 2 Type 1 in progress — report available under NDA when the examination completes. Not certified today.

Control every AI request. Prove every decision.

Make your production AI independently provable.

Start with one production workflow. Route it through Quantlix. See what was allowed, redacted, blocked, and captured as evidence.
