The Governed AI Standard

The Governed AI Gateway

Bridging the gap between developer velocity and enterprise reality.

PLCY is the inevitable AI governance layer: an open-source gateway that classifies, redacts, routes, rate‑limits, and logs every AI request so companies and developers can scale AI with confidence instead of risk.

The Inevitable AI Governance Layer

[Architecture diagram: Applications & Agents (Lovable, Bolt, v0, Cursor, custom apps) → PLCY Gateway (Classify: identify sensitive data & intent; Redact: remove PII and secrets; Route: send to optimal models; Rate-Limit: control costs & usage; Log & Audit: complete compliance trail) → AI Models (OpenAI, Anthropic, Gemini, self-hosted)]

Informed by experience securing regulated industries and aligned with the EU AI Act and emerging AI regulations.

AI Is Moving Faster Than Governance

Usage Is Outpacing Oversight

75% of staff are already using GenAI at work, but only ~33% of organizations have formal AI policies.

Shadow AI via tools like Lovable, Bolt, v0, and Cursor is dissolving the perimeter.

Most AI pilots die in the lab because teams can't prove safety, compliance, or cost control to the business.

Every gain in productivity is currently paid for with more legal, security, and compliance risk.

PLCY: The AI Governance Layer

PLCY sits between your apps/agents and the AI models they call.

It classifies, redacts, routes, rate‑limits, and logs every request in a sidecar that runs alongside the application, so the added network hop stays on the local host, giving enterprises one place to define, enforce, and prove AI policy.

Reduce liability

Enforce data, residency, and usage policies before anything leaves your VPC.

Unblock production

Give Security, Legal, and Compliance the controls and audit evidence they need to say "yes" to AI deployments.

Standardize AI

One governed gateway for all tools and models, instead of bespoke guardrails everywhere.

The Core Stack

Classify

Detect PII, secrets, and toxic content

Redact

Mask or transform sensitive data before egress

Route

Geo-fence and select models based on policy and cost

Rate-Limit

Enforce cost and technical ceilings

Log

Emit an OpenTelemetry record for every request; written to append-only storage, those records become the audit trail

Deployed as a Kubernetes sidecar, PLCY adds only a local-host network hop (the detection work itself still costs CPU time on the pod) and can run completely inside your VPC.

Two Planes for Total Control

Architecture Snapshot

OSS Data Plane

(PLCY Core)

  • Open source (Apache 2.0) gateway + OPA running in your VPC
  • Runs as a Kubernetes sidecar for near‑zero network latency and no external API dependency.
  • Fail‑closed by design – if PLCY is unavailable, requests are denied rather than passed to the model ungoverned.
  • Deterministic detection (regex, entropy, heuristics) – the same input always yields the same verdict, so rules can be unit‑tested and audited and no model sits in the decision path.
  • Fully auditable code path – security teams can inspect the gateway and OPA logic end‑to‑end.
  • Multi‑model ready – one governed gateway for OpenAI, Anthropic, local models, and anything that comes next.
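Fail‑closed in code, as an added example rather than PLCY's implementation: the policy callable stands in for a query to the OPA sidecar, and `PolicyUnavailable`, `sample_policy` and the approved‑model table are assumptions. The fail‑open variant is shown beside it to make the difference concrete, including the less obvious case where the engine answers but in the wrong shape.

```python
"""Fail-closed versus fail-open policy enforcement at the gateway.

Added illustration, not PLCY code. The decision callable stands in for an
OPA query; the exception type and the sample policy are assumptions.
"""
from typing import Callable

Decision = Callable[[dict], bool]  # input document -> allow?


class PolicyUnavailable(Exception):
    """Raised when the policy engine cannot be reached (timeout, 5xx, crash)."""


def fail_open_enforce(decide: Decision, request: dict) -> str:
    """Anti-pattern: an engine outage or odd answer becomes a bypass."""
    try:
        return "allow" if decide(request) else "deny"   # truthiness, not identity
    except PolicyUnavailable:
        return "allow"                                  # ungoverned traffic egresses


def fail_closed_enforce(decide: Decision, request: dict) -> str:
    """Outage, timeout or a malformed verdict all resolve to deny."""
    try:
        verdict = decide(request)
    except PolicyUnavailable:
        return "deny"
    return "allow" if verdict is True else "deny"       # only an explicit True allows


def sample_policy(request: dict) -> bool:
    """Stand-in for a Rego rule: only approved models for the tenant's residency."""
    approved = {"eu": {"self-hosted-eu"}, "us": {"openai", "anthropic"}}
    return request["model"] in approved.get(request["residency"], set())


def unavailable_policy(request: dict) -> bool:
    """Simulates the sidecar being down or timing out."""
    raise PolicyUnavailable("opa sidecar timeout")


def malformed_policy(request: dict):
    """Simulates a wrong-shape answer, e.g. the caller queried the wrong package path."""
    return {"result": "allow"}


if __name__ == "__main__":
    req = {"tenant": "acme", "residency": "eu", "model": "openai"}
    for name, policy in [("healthy", sample_policy), ("down", unavailable_policy),
                         ("malformed", malformed_policy)]:
        print(name, "open:", fail_open_enforce(policy, req),
              "closed:", fail_closed_enforce(policy, req))
```

The `verdict is True` comparison is the part people skip: a non-empty dict returned from the wrong query path is truthy, so a fail‑open gateway would wave it through while the fail‑closed one treats anything that is not an explicit allow as a deny.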

SaaS Control Plane

(PLCY Cloud)

  • "Day 2" operations handled for you – zero‑downtime upgrades, DR, and compliance‑ready configs out of the box
  • Central "single pane of glass" for all gateways, models, regions, and tenants.
  • One‑click Policy Packs (PII redaction, secrets scrub, cost guard, HIPAA, etc.) instead of hand‑rolled code.
  • Role‑based access for security, platform, and compliance teams with full approval trails.
  • Long‑term, append‑only retention of OpenTelemetry logs for audits and investigations.
  • Health, version, and config drift monitoring across your PLCY Core fleet.
  • Opinionated defaults that map to frameworks like SOC 2, HIPAA, PCI and the EU AI Act.

Enterprise security teams will not send PII and trade secrets through a black box. Open source makes PLCY auditable and adoptable.

Who PLCY Is For

Security & Compliance

(CISOs, DPOs, Risk Teams at Enterprises & Startups)

"We need guardrails, not more shadow AI."

Outcomes:

  • Fewer leaks
  • AI‑specific controls
  • Audit‑ready logs
  • Meet regulatory and attestation requirements (GDPR, HIPAA, SOC 2)

Platform & Engineering

(CTOs, Heads of Platform, SREs at Scale-ups & Tech Companies)

"We need one standard way to connect apps and agents to models."

Outcomes:

  • Standardized gateway
  • Sidecar pattern
  • Policy packs instead of hand‑rolled Rego
  • Reduce engineering overhead

Partners

(AI tools like Lovable, Bolt, v0, Cursor & Developer Tool Companies)

"We want to sell into security‑sensitive enterprises without becoming a security vendor ourselves."

Outcomes:

  • PLCY as the embedded governance layer
  • Turn tools from "fast but risky" into "enterprise‑ready"
  • Win enterprise deals faster

Developer Teams

(Frontend, Backend, Full-Stack Developers at Companies Building AI Features)

"I just want to call an LLM API without worrying about compliance red tape."

Outcomes:

  • Ship AI features faster
  • Built-in governance without extra code
  • Focus on product, not policy implementation
  • Simple drop-in integration

AI-First Startups

(Founders & Teams Building AI-Native Products)

"We need to move fast AND be enterprise-ready from day one."

Outcomes:

  • Build trust with early customers
  • Avoid technical debt from DIY governance
  • Investor-friendly compliance posture
  • Scale without rewriting security layer

Regulated Industries

(Healthcare, Financial Services, Legal & Government Organizations)

"We can't use AI unless it meets HIPAA/SOC 2/FedRAMP requirements."

Outcomes:

  • Industry-specific compliance out of the box
  • Audit trails for every AI interaction
  • Data residency and redaction controls
  • Risk mitigation for sensitive data

Why PLCY, Why Now

AI usage is exploding inside organizations while oversight lags badly behind. Security and compliance risk has become the veto, killing pilots before production. At the same time, the EU AI Act and similar regulations are mandating exactly the kinds of controls PLCY provides – turning governance from a "nice to have" into a regulatory requirement.

Regulation as catalyst

"Brussels effect" forces global standards, not local ones

Fragmented competition

Security suites are safe but slow; gateways are fast but risky; PLCY owns the governed quadrant in between

Open‑source + cloud flywheel

OSS core drives trust and adoption, PLCY Cloud and Policy Packs drive revenue

Autonomous agents everywhere

From coding assistants to customer service bots, AI agents are making decisions without human-in-the-loop—governance can't be an afterthought anymore

Shadow AI sprawl

Employees are using ChatGPT, Claude, and dozens of AI tools outside IT's control—creating massive compliance blind spots that boards can no longer ignore

AI spend moving from R&D to production

Companies are shifting from AI experiments to production deployments at scale—requiring enterprise-grade governance that homebrew solutions can't provide

Why Connect Every AI Initiative to PLCY?

Nine executive imperatives for enterprise AI governance

Regulatory compliance, by design

Enforce GDPR/CCPA, sector rules (HIPAA, SOX, GLBA, COPPA, FERPA, etc.) centrally; prove it with audit logs.

Certification alignment

Map controls to ISO 42001 (AI), ISO 27001/27701 (ISMS/PIMS), SOC 2; streamline audits with pre-built evidence.

Security & IP protection

Prevent secrets/PII exfiltration; watermark/label outputs; control external API and data egress.

Quality & brand safety

Guard against hallucinations/unapproved claims; require citations; enforce tone & style.

Fairness & accountability

Apply bias checks and HITL on high-risk decisions; keep complete provenance.

Cost & performance control

Budgets, model routing (small/fast vs. large/accurate), caching; usage insights for ROI.

Velocity without chaos

Standard policies once; many teams reuse. Faster approvals, fewer bespoke reviews.

Vendor flexibility

Swap or mix models (open-source, cloud, on-prem) behind one consistent policy layer—no lock-in.

Incident readiness

Central kill-switches, versioned rollbacks, unified telemetry for root cause analysis.

Status: Private Beta

Working with design partners in digital health, fintech, legaltech, and high‑velocity engineering teams.

Open Source core launching on GitHub soon

Get Early Access to the Governed AI Gateway

Tell us who you are and how you're using AI today. We'll reach out with next steps for pilots, partnerships, or investor conversations.

We'll never share your information. Used only to coordinate early access and conversations.