Enterprise evaluators hub
Self-serve proof for runtime governance and trust evidence—PoV demo, Trust Loop, AuditPacket, SIEM compose, and dashboard previews. Observe-first; model boundaries before enforce.
Observe-only by default — no autonomous execution in phase 1. SIEM export uses observeOnly: true; bounded authority defaults to enforcementActive: false.
Define → validate → preview → evidence → SIEM → verify
The evaluator spine for security sponsors: declare boundaries, emit portable proof, forward to your SOC, then verify with replay and audit packets—observe-first throughout phase 1.
- 1Define
Governance contract & policy intent (preview)
- 2Validate
Schema + doctrine checks
- 3Preview risk
Synthetic GhostLog posture — not live enforce
- 4Evidence
GhostLog, portable bundles, org export
- 5SIEM
NDJSON/CEF forward with observeOnly
- 6Verify
Timeline replay & evaluator packet
Run the proof path
Run Enterprise PoV
pnpm demo:enterprise-pov from repo root (~20–30 min).
pnpm demo:enterprise-povEnterprise Trust Loop
Deep evaluator walkthrough (~45–90 min) with dashboard checkpoints.
scripts/enterprise-trust-loop-v1.shGenerate AuditPacket
Portable evaluator handoff for security, GRC, and audit reviewers.
pnpm audit-packet:generateSIEM docker eval
Compose stack + sample NDJSON—verify HMAC and observeOnly posture.
deploy/docker-composeTimeline replay
Dashboard preview at /policies/timeline-replay—sign in for workspace scope.
Requires sign-in for workspace tenant scope.
Governance previews
Contracts, authority lineage, and containment—preview badges only.
Preview vs enforced
Use in security questionnaires and procurement—honest about what runs at runtime today.
| Surface | User-visible behavior | Enforced at runtime? |
|---|---|---|
| TrustGovernanceContractV1 | Badges, synthetic GhostLog preview JSON | No — not wired to guard.ts |
| Authority / lineage preview | Trust badges, synthetic events | No |
| Containment / sandbox preview | Risk score, boundary badges | No — metadata only, not VM isolation |
| SIEM export | Forward rows to webhook/SIEM | No new blocks — observe-only forwarding |
| Guard ingest (integrated paths) | Block/allow on configured ingest | Yes — where integrated |
| Trust Lock runtime_strict | Tool call signature on governed swarm path | Yes — scoped path |
| Bounded authority bindings | Audit + activation records | Mostly audit — default enforcementActive: false |
What Recon.AI is
- •AI runtime governance and trust evidence for regulated copilots and agentic workflows.
- •Connects Reflex, guard ingest, and GhostLog to declared governance boundaries and exportable survivability evidence.
- •Leads observe-first: prove what happened in your existing SOC before graduating enforcement on scoped paths.
What Recon.AI is not
- •Not a replacement SIEM (Splunk, Sentinel, Datadog)—forwards trust-shaped telemetry into them.
- •Not HIPAA/SOX/certification—evidence infrastructure and declarative samples only.
- •Not compute sandbox isolation—containment v1 is metadata and preview badges.
- •Not crypto-signed non-repudiation in v0—attestations are hash-only by design.
Recon leads with observation, declared boundaries, and exportable evidence. Enforcement on integrated paths and Trust Lock requires explicit configuration—bounded authority activation defaults off (enforcementActive: false). Illustrative JSON keeps carriesExecutionAuthority: false.
Ready for a scoped pilot?
14-day enterprise pilot or 30-day design partner—both lead with observe-only SIEM eval and portable evidence.