GAIA is designed to make AI work auditable before it becomes autonomous. No proof, no production claim. No tenant, no memory. No approval, no sensitive action.
Why it matters: 67% of leaders believe they already leaked data through an unauthorized AI tool, and ~40% of enterprise AI interactions involve sensitive data (WRITER, Cyberhaven, 2026).
Enterprise controls
Every control is labeled with its real status — the same honesty GAIA applies to its own outputs.
| Control | Detail | Status |
|---|---|---|
| Tenant isolation | No cross-tenant recall path; memory banks partitioned per tenant by construction. | enforced in code |
| Approval gates | External / sensitive / economic actions require human validation; model deployment is human-only. | enforced in code |
| Proof taxonomy | verified / reported-pending-proof / blocked / error on every output, including refusals. | enforced in code |
| Secret redaction | Retrieval policy redacts secret-looking content before prompts; output critic gates what leaves. | enforced in code |
| Source-level permissions | Search and recall are limited to each user’s existing access perimeter. | beta |
| Encryption | AES-256 at rest · TLS 1.3 in transit. | standard |
| No training on customer data | Guaranteed contractually; enforced structurally by tenant isolation. | contractual |
| EU data residency | EU hosting by default, configurable per engagement; private/hybrid on Sovereign tier. | contractual |
| GDPR / DPA | DPA signed per engagement; export & verifiable deletion on request. | contractual |
| Audit logs | Proof-ID-linked trail, 90-day retention target, extensible per engagement. | beta |
| RBAC | Owner / Admin / Manager / Member / Viewer / External guest. | roadmap |
| SSO / SAML & SCIM | Okta, Azure AD; SCIM provisioning. | roadmap |
| SOC2-ready controls | Control framework alignment for enterprise audits. | roadmap |
Principles
Memory and tool access require a resolved tenant scope. There is no cross-tenant memory recall path in the pipeline — recall is banked per tenant by construction.
A retrieval policy redacts secret-looking content before it reaches a prompt; an output critic gates what leaves; secret-class memory writes never leave the process.
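The two principles above (tenant-scoped recall and redaction before the prompt, with an output critic on the way out) as one added Python sketch. This is illustrative code written for this page, not GAIA's own implementation; the names `TenantScope`, `MemoryBanks`, `TenantBank`, `redact`, `build_prompt` and `critic_allows`, the secret patterns, and the sample memory records are all assumptions. The design point it shows is the "by construction" one: `recall` takes no tenant argument at all, so the only way to reach a bank is through a resolved scope.

```python
import re
from dataclasses import dataclass

# Hypothetical types and names for this example (not GAIA's API).


@dataclass(frozen=True)
class TenantScope:
    """A resolved scope: produced by authentication, never from request input."""
    tenant_id: str
    user_id: str


class TenantBank:
    """A memory bank already bound to one tenant; recall cannot name another."""

    def __init__(self, records: list[str]) -> None:
        self._records = records

    def write(self, text: str) -> None:
        self._records.append(text)

    def recall(self, query: str) -> list[str]:
        # Toy substring search standing in for vector recall.
        return [r for r in self._records if query.lower() in r.lower()]


class MemoryBanks:
    """Partitioned per tenant; a bank is only reachable through a resolved scope."""

    def __init__(self) -> None:
        self._banks: dict[str, list[str]] = {}

    def bank_for(self, scope: TenantScope) -> TenantBank:
        if not isinstance(scope, TenantScope):
            raise PermissionError("memory access requires a resolved tenant scope")
        return TenantBank(self._banks.setdefault(scope.tenant_id, []))


# Patterns for "secret-looking" content; constructed for the example.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                 # AWS access key id shape
    re.compile(r"sk-[A-Za-z0-9]{20,}"),               # generic "sk-" API token shape
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)(password|api[_-]?key|secret)\s*[:=]\s*\S+"),
]


def redact(text: str) -> str:
    """Retrieval policy: replace secret-looking spans before they reach a prompt."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def build_prompt(banks: MemoryBanks, scope: TenantScope, query: str) -> str:
    """Recall within the caller's tenant, redact, then assemble the prompt."""
    chunks = [redact(c) for c in banks.bank_for(scope).recall(query)]
    return "Context:\n" + "\n".join(chunks) + f"\nQuestion: {query}"


def critic_allows(output: str) -> bool:
    """Output critic: refuse to release text that still looks like it carries a secret."""
    return not any(p.search(output) for p in SECRET_PATTERNS)


if __name__ == "__main__":
    banks = MemoryBanks()
    acme = TenantScope("acme", "alice")
    # Constructed sample record containing a fake credential.
    banks.bank_for(acme).write("deploy notes: api_key=ABC123 rotate monthly")
    print(build_prompt(banks, acme, "deploy"))
```

The redaction here is pattern-based and deliberately simple; a production policy would combine entropy checks, known-format detectors and source labels, but the pipeline shape (scope gate, redact on retrieval, critic on output) is what the page describes.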
Keys are displayed a single time at creation. Server-side storage keeps hashes only — there is nothing to leak from the key store.
External sends, economic actions and anything irreversible stop at an approval gate. Autonomy is granted per workflow by a human, never assumed by a model.
The self-improvement loop can register model candidates; deploying one is a human decision. There is no auto-deploy path.
Every output — including refusals and errors — carries a proof ID linking back to its trace. The audit trail is a by-product of the pipeline, not an afterthought.
Proof status taxonomy
Only the verified status supports a production claim, and only a real attached artifact earns that status. Mock, fallback and dry-run results are structurally prevented from being marked verified. Full definitions on the Orchestra page.
Risk → control
| Risk | GAIA control |
|---|---|
| Secret leakage | Output critic + retrieval policy — secret-looking content is redacted before prompts and gated before outputs. |
| Cross-tenant recall | Tenant scope gate — memory is unreachable without a resolved tenant; banks are partitioned per tenant. |
| Fake claim | ProofBundle + status taxonomy — claims without artifacts stay reported-pending-proof. |
| Unsafe action | Approval gate — sensitive, external and economic actions require an explicit human decision. |
| Cost runaway | Budget & routing metrics — tier-aware routing plus per-request cost visibility (roadmap). |
| Model drift | Shadow eval + human deploy gate — candidates are evaluated in shadow; deployment is human-only. |
Data boundaries are designed together in week one — before any of your data touches the pipeline.