Defend every AI decision before the regulator asks.

Proofpane is the evidence layer for AI in regulated teams. Three contracts:
(1) every call passes a policy gate and lands in a tamper-evident audit log.
(2) every production default — which prompt ships, which model, which memory strategy — comes from a significant experiment with an inter-rater reliability floor, not a hunch.
(3) the whole record exports as a signed Evidence Pack your auditor verifies offline.

For CISOs, CAEs, and Risk Officers. Not a policy-doc GRC checklist; not a log aggregator; not a prompt-injection scanner — see how we’re different.

One decision, end to end: production default → frozen verdict → source experiment → reliability gate → signed Evidence Pack
See it live Create account Talk to us

 One-click demo. No signup. No card. Populated org with real frozen verdicts.

Daemon available for macOS Apple Silicon macOS Intel Linux x86_64 Windows x86_64 · one-liner installer auto-detects →

Govern any AI tool your team uses. Yours included.

Proofpane is a thin governance layer beneath the tools your team already uses — IDE assistants via MCP, non-MCP automators (Zapier / Make / n8n / UiPath / Power Automate / Copilot Studio / Agentforce) via the egress gateway. All live today. Custom MCP servers and in-house code wire through the same daemon. Members keep their workflows; you keep the hash-chained audit, the cost cap, the policy gate, the Evidence Pack. No wrappers. No vendor lock-in. No "you must use our IDE."

MCP-native · agent-protocol-agnostic
Live · MCP-native (one-command auto-install)
  • Claude Desktop
  • Claude Code
  • Cursor
  • VS Code Copilot
  • Codex app
  • Continue
  • Custom MCP servers

proofpane install-mcp — auto-detect + auto-configure every client above. JSON, TOML, YAML — the right shape goes to the right file.

Live · via egress gateway
  • n8n
  • Zapier
  • Make
  • UiPath
  • Power Automate
  • Copilot Studio
  • Agentforce

Four wiring mechanisms — base_url · HTTP action · OpenAPI import · Named Credential — /mcp-setup renders the exact recipe per platform. Policy gate + DLP + audit + cost on every call.

Two planes. One audit chain.

Everyone else governs one of these. Proofpane is the only audit + policy + evidence layer that covers both — in the same signed chain. Because if half your AI is ungoverned, the auditor rejects the whole thing.

Run · Operate

How your business operates with AI

Daily business workflows — vendor onboarding, lead triage, doc review, alert remediation. Import them from a plain SOP, or pull them straight out of UiPath, n8n, Power Automate or Zapier. Every step maps to a governed skill with policy, cost and human-approval gates.

  • SOP → workflow
  • UiPath
  • n8n
  • Skills
  • HITL gate
See the compliance surface
Build · Develop

How your business builds with AI

Your developers' AI coding agents — Claude Code, Cursor, Codex — connect through the MCP broker. Every tool call and model egress is intercepted, policy-gated, DLP-redacted and hash-chained. Repo Coder runs autonomous code changes behind a human-approval gate with full auto-PR provenance.

  • Claude Code
  • Cursor / Codex
  • MCP broker
  • Repo Coder
  • auto-PR
See the engineering surface

Both planes append to the same SHA-256 hash chain → one Ed25519-signed Evidence Pack your auditor verifies offline.

Run plane, live — a governed workflow end to end: policy gate · cost · HITL · one audit chain
How the wiring works

Four wiring mechanisms depending on the platform — base_url override for n8n, HTTP action for Zapier / Make, OpenAPI import for Power Automate / Copilot Studio / UiPath, Named Credential for Agentforce. /mcp-setup renders the exact recipe per platform. Policy gate + DLP + audit + cost fire on every call.

Install once, reuse forever. IT admin installs the connector (OpenAPI) / credential (n8n) / Named Credential (Salesforce) ONCE at tenant level — every downstream workflow inherits the auth + policy + audit chain. No per-Zap configuration. Block one credential → every workflow using it stops on the next call.

Or pull your existing flows in. Proofpane reconstructs them step-by-step as governed workflows — 6 providers wired today (n8n / UiPath / Power Automate / Zapier / Make / Agentforce), full audit chain on every list, fetch, save and run. See it in /install →

Reachable through the tools above: 10,000+ apps and 40,000+ actions (via Zapier, Make, n8n, Power Automate, UiPath). Wire Proofpane once; every action through the daemon or the gateway lands on one audit chain.

The six regulator questions Proofpane answers

“Why is this your production default?” significance + IRR floor

Every production default — which prompt variant ships, which memory strategy lives, which provider is the baseline — passes (a) a statistical significance gate over a content-hashed fixture, then (b) an inter-rater reliability floor (Krippendorff α with bootstrap CI — the same measure clinical-trial reviewers use to prove humans agree above chance). The verdict, the confidence interval, the fixture hash, the DLP rule-set fingerprint that scrubbed it, the approving operator — all frozen on the audit row and shipped in the Evidence Pack. Your auditor reconstructs why this is the current default from the bundle alone. No meeting required. No engineer dragged in. Six years from now, same answer, same hash.

“Show me everything that happened, signed.” tamper-evident audit

Every AI decision your team makes — every prompt, every multi-agent run, every Cursor session — lands in a cryptographically chained log scoped per tenant, so cross-tenant tampering is structurally detectable. Export as a signed Evidence Pack — a standalone offline verifier ships in the bundle so your auditor reads it without backend access, without a Proofpane account, six years from now.

Audit timeline showing hash-chained events — every AI decision logged with cryptographic linkage between rows.

“Map this to my framework controls.” NIST · ISO 42001 · EU AI Act · GDPR · SOC 2

Control library aligned with NIST AI RMF, ISO/IEC 42001, and EU AI Act evidence expectations — pre-mapped per skill, with per-org overrides. A closed-set guard cross-checks every cited control ID against a curated truth set so fabricated references can't pass. Proofpane supports operational evidence; it does not replace legal, regulatory, or certification assessment.

Compliance dashboard: NIST AI RMF · ISO 42001 · EU AI Act · GDPR · SOC 2 framework coverage with per-control mapping to skills + per-org overrides.

“How do you stop costs running away — and catch quality drops?” cost-aware by design · 5 detection layers

Token budget control is the spine of the architecture, not a dashboard pasted on top — every call records token + latency + cost into the chain, and five layers catch cost-explosions before they become invoices: (1) a pre-call gate refuses LLM calls over per-org cap (refusal audited); (2) threshold alerts (50% / 80% / 100%) push to Slack + email before you hit cap; (3) per-call anomaly flag on any call > N× recent baseline; (4) month-end forecast projects current burn against cap so a 2-week overspend is visible 2 weeks early; (5) provider price-drift detection — a plausibility band catches silent per-token bumps from Anthropic / OpenAI. Quality runs the same way on a parallel track: closed-set hallucination guard against 259+ control IDs from NIST AI RMF / ISO 42001 / EU AI Act / GDPR / SOC 2, judge-grounded scoring, cross-vendor disagreement (3 providers vote), drift alerts on pass-rate drops. The /cost and /quality dashboards are the views; the design is the contract.

Live: agent caught in a tool loop · auto-paused mid-stream · operator redirects it + resumes · all on the audit chain

Want the full walkthrough? Watch the 1-min Slack + 3-min Salesforce demos →

Quality dashboard: pass rate, hallucination rate, fabricated-ref count, by-skill / by-model / by-provider breakdowns + low-score triage queue.
/quality · pass rate · halluc rate · triage
Cost dashboard: monthly USD spend vs cap, 30-day sparkline, top spenders by skill, anomaly table.
/cost · spend vs cap · top spenders

“How do you improve safely?” human approves every change

Two reflection loops, same approval contract. The first watches the audit log for drift, hallucination, and low-score signals, and proposes prompt edits against the org's own failure cases. The second tracks curated AI-research feeds and auto-sandboxes proposed updates against production behaviour. In both cases only the changes a human approves ever go live.

Internal reflection queue: proposed prompt edits awaiting human approval — every change goes through review before going live.
Internal reflection · audit-log driven
External reflection: research-feed scout that promotes high-relevance items into approval-gated sandbox sessions.
External reflection · research-driven

“Show me the process, not just the outputs.” visual workflows · multi-agent · scheduled

Compose governance tasks, multi-agent primitives (consensus and adversarial review), and scheduled triggers on a visual canvas. An AI builder edits the graph for you. Every node execution writes a row into the same audit chain — the canvas is the planning view, the chain is the proof.

Multi-agent workflow canvas — Classify AI System → Impact Assessment 3-way consensus → Map Obligations, with live execution status and skill palette.
How we’re different

What we are, what we are not, and the layer you’re missing.

Policy-doc GRC tools

Vanta, Drata, Secureframe

Certify that you have a control. Auto-collect SOC 2 / ISO evidence about your infrastructure. Excellent for the certification audit. Gap: Don’t see inside the AI call. Can’t prove the model picked a defensible answer.

Log aggregators

CloudTrail, Datadog, Splunk, ELK

Record what happened across infrastructure. Powerful for incident reconstruction. Gap: Plain logs; not hash-chained, not signed, not scored. An auditor still has to take your word that the row wasn’t edited.

Proofpane

Evidence layer for AI in regulated teams

Hash-chained audit + significance-gated production defaults + inter-rater reliability floor + signed offline-verifiable Evidence Pack. When the regulator asks why this is your default — six months from now or six years — the answer is one URL. Same hash. Same row.

Complementary, not competitive: most Proofpane customers keep their GRC tool for SOC 2 + their log aggregator for SRE. Proofpane is the missing third layer — the one your auditor opens when they ask about a specific AI decision.

MCP + local daemon

One small binary. Two roles. Every MCP signal audited.

A 14 MB single-file daemon runs on the user’s machine. The same binary plays one of two roles depending on how the operator starts it — both stream through the same hash-chained audit log, policy gate, and Evidence Pack.

Cloud-paired role
airgov_daemon run

Opens a long-lived WebSocket back to the cloud. The cloud sends governed tool requests (bash / fs.read / fs.write / grep / …), the daemon executes them locally, streams results back. The user’s machine is the execution boundary — the cloud never touches their files directly.

MCP server role
airgov_daemon mcp

Plugs into Claude Desktop, Codex, Cursor, Continue, or any MCP-compatible client over stdio. Every tools/call the client makes runs through the same policy gate, lands on the same hash-chained audit row, and counts toward the same Evidence Pack. Wire Proofpane in once, govern any of them.

5 signals audited (the full MCP spec ceiling within strict server role)

mcp.tool_call

Every tool the client invoked — name, args preview, outcome, DLP redactions.

mcp.client.connected

Which Codex / Claude / Cursor version connected, with declared capabilities.

mcp.tools.discovered

What tool surface the client thinks it has, captured on every tools/list.

mcp.roots.observed

Server-initiated roots/list — which filesystem roots the client exposed.

mcp.notification

Passive capture of cancelled / progress / roots_changed events.

+ 2 inline defenses (the daemon doesn’t just watch — it gates)

mcp.hitl.*  (prevention)

Sensitive tools block in-flight until an admin approves on /mcp-setup. Decision lands as requestedapproved / rejected / expired on the same hash-chained audit log.

dlp.scrub  (local-first redaction)

PII / secret patterns are redacted on the user’s machine before the audit row leaves it. Only a hit-count summary ships to the cloud — never the raw token, email, or key.

MCP killswitch

One toggle, every IDE, audited

The daemon is a transparent multiplexer: Claude Desktop, Cursor, VS Code Copilot, Codex, and Continue all see ONE aggregated tools/list from us. Behind us we run N downstream MCP server subprocesses — Slack MCP, GitHub MCP, Filesystem MCP, your custom MCP server. Per-server toggle in the Proofpane UI; latency from click to subprocess SIGTERM is <2 s wall-clock.

You don’t start from a blank slate. The daemon scans the MCP servers your team has already wired into Cursor, Claude Desktop, VS Code, Codex and Continue and imports them into the governed registry — each flagged “review me” until an admin approves. That risky third-party MCP server someone added last quarter stops being a blind spot and becomes one auditable, one-click-revocable row — every tool call it serves now runs through the same policy gate, HITL, DLP scrub, and hash-chained audit as everything else.

Click

Admin toggles a row in /mcp-setup.

Push

Cloud → daemon WebSocket: mcp_servers_updated.

SIGTERM

Daemon kills the subprocess with the configured grace window.

Vanish

Client re-fetches tools/list — the tool is gone. No client restart, no config edit.

Every toggle lands a hash-chained audit row with the operator, timestamp, and before/after. An auditor asking “did anyone call Slack-MCP after Louie disabled it on 2026-06-15?” gets a one-line SQL answer.

What we deliberately don’t do
  • LLM proxy / man-in-the-middle
  • OS-level hooks (Accessibility, kernel)
  • Browser extension
  • Screen scraping
  • Keystroke logging

Strict MCP-server role only. The Layer-3 surface above is what gets “AI security” vendors flagged by security review. We stay on the protocol boundary so deploying Proofpane is a single signed binary the operator can read end to end — not a kernel extension, a browser extension, or a network MITM your CISO has to certify.

Bring your own automations

Pull them in. Govern them. Evolve them.

Already running workflows in n8n, UiPath, Zapier, Make or Power Automate? Point Proofpane at them — we pull each one in and reconstruct it as a governed workflow: every step mapped to an audited skill, with human-review and risk gates inserted wherever it touches sensitive data or makes a consequential call. Then they don’t go stale — the same evidence loop that proves your compliance feeds a self-improvement cycle, so your governed workflows keep getting better on their own.

Full-fidelity pull

Your automation’s logic comes across intact — not a hand-rebuild from scratch.

Governance, inserted

Hash-chained audit, policy gate, DLP scrub and HITL on every reconstructed step.

Infinite evolution

Approved prompt refinements + drift-triggered fixes keep them improving, not staling.

Works wherever your team uses AI
Get early access Sign in
Built in Aotearoa New Zealand · [email protected]
© 2026 Proofpane