You need AI governance, but you don't know where your AI estate starts or ends.

Provena Platform

One platform for every AI access decision.

Discover tools, govern supplier access, manage agents, and monitor approvals — one evidence layer for procurement, privacy, security, and AI teams without exporting raw data.

6 connected modules · Signed evidence layer · Role-differentiated review · Raw data stays local

Provena — evidence flow

1. Provena Scan: AI estate discovered → 23 systems
2. Evidence Passports: Evidence collected → 23 passports
3. Compass Review: DPO + CISO review → 18 cleared
4. Agent Passports: 3 agents governed → boundaries set
5. Tide Monitor: Watching 23 passports · Next expiry: 14d

23 systems governed · 5 require renewal in 30 days

AI governance starts with inventory, not tooling.

Most organisations deploy governance software before knowing what AI systems they are governing. Provena starts with a Provena Scan — a two-week inventory sprint — so every subsequent decision is based on what actually exists, not assumptions.

Platform modules

Six modules. One connected evidence layer.

Each module produces signed evidence that feeds the others. Use one or all six — every output is interoperable.

Provena Scan

Two-week AI access inventory

Start here. Discover which AI tools, vendors, agents, and model APIs already have access to your data. Produce a risk-tiered AI Access Map and first access decisions before buying any governance tooling.

Fixed scope · Fixed price · 10 working days


Evidence Passports

Reusable evidence profiles for every AI system

A structured profile covering data categories, model provider, privacy posture, GDPR legal basis, DPA status, fairness evidence, access decision, and conditions. Complete once. Reference on every renewal.

12 evidence sections · Signal Receipts attached · DPO-ready export


Agent Passports

Boundaries and expiry for every AI agent

Define allowed tools, allowed data, credential scope, human approval gates, egress policy, trace logging, and hard expiry for every AI agent — before it can act on company systems.

Tool allowlist at issuance · Human approval gates · Instant revocation


Compass Review

Role-differentiated review queue

DPO, CISO, and Procurement each see only the decisions assigned to their role. Approve, restrict with conditions, or block — from a single interface. Every decision is timestamped and logged.

Role-based routing · Audit trail · Bulk export


Tide Monitor

Renewal tracking and live alert sweep

Hourly sweep across all passports and agents. Alerts before evidence expires, before renewals lapse, and when diagnostics fail. Integrates with Slack, webhook, or email.

Hourly sweep · Slack · Webhook · Email alerts


Edge Capsule

Run diagnostics where your data lives

Execute privacy, fairness, RAG, and security diagnostics on-premise or in your private cloud. Only the signed Signal Receipt leaves your perimeter — never the raw data, prompts, or model weights.

Self-hosted Docker · Receipt-only egress · Ed25519 signed


Platform workflow

From unknown estate to governed access.

01. Scan

Provena Scan discovers every AI tool in your estate — including shadow AI — and produces a risk-tiered AI Access Map.

02. Document

Evidence Passports structure the evidence for each system: data categories, model provider, DPA status, legal basis, and access conditions.

03. Review

Compass routes decisions to DPO, CISO, or Procurement. Approve, restrict with conditions, or block. Every decision is logged.

04. Govern agents

Agent Passports set tool boundaries, human approval gates, and expiry for every AI agent before it reaches production.

05. Monitor

Tide Monitor sweeps hourly. Alerts before evidence lapses or agents exceed their authorised scope. Nothing expires silently.

The difference

AI governance — with and without Provena.

Without Provena

  • Unknown number of AI tools in the estate
  • Vendor compliance claims, not structured evidence
  • No DPO or CISO review trail for AI access decisions
  • Agents in production with no owner, scope, or expiry
  • Approvals tracked in spreadsheets — lapse silently
  • Each audit requires rebuilding evidence from scratch

With Provena

  • Provena Scan maps the full AI estate in 10 working days
  • Evidence Passports structure evidence — data, model, DPA, legal basis
  • Compass Review logs every decision: actor, timestamp, conditions
  • Agent Passports define boundaries before production — instant revocation
  • Tide Monitor alerts before any passport or approval lapses
  • Reusable passports: evidence built once, referenced on every renewal

Built on evidence

Evidence travels. Raw data stays local.

No raw data exported

Every diagnostic produces a signed Signal Receipt — not a raw data export. Raw export flags are disabled by default across every check.

Organisation isolation

Every organisation's evidence, decisions, and passports are fully isolated. Nothing crosses org boundaries without explicit consent.

Cryptographically signed receipts

Every Signal Receipt is signed with an Ed25519 key. Recipients can verify authenticity without re-running diagnostics.

Role-based access control

Every route enforces server-side role checks. DPOs, CISOs, Procurement, and AI Leads each see only what their role requires.

Common questions

Provena — addressed.

We already have a vendor risk questionnaire process.

Questionnaires collect claims. Provena collects structured evidence — data categories, model providers, Signal Receipts from diagnostics, DPA status, and access decisions — in a reusable, exportable format that feeds every future renewal.

We only need to govern two or three AI tools right now.

A list of two or three known tools almost never reflects the true estate. Provena Scan typically uncovers 3–5× the expected number of AI touchpoints (agents, RAG systems, embedded model APIs) that were not on anyone's list.

We want to govern AI but lack DPO or CISO bandwidth.

Compass routes decisions to the right role automatically. DPOs see only privacy decisions; CISOs see only security decisions. No one reviews what is not theirs.

We are worried about sending our AI data to another cloud service.

The Edge Capsule runs all diagnostics in your own perimeter. Only signed Signal Receipts — no raw data — leave your environment. The signing key stays with you.

Get started

Know your AI estate before your next audit.

Start with a Provena Scan — a two-week inventory sprint that maps every AI tool operating in your environment and identifies which evidence is missing.

AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, or regulatory approval.