Vargate · governance for AI

Independent, cryptographically verifiable governance for AI.

Two products under one roof. Tyr governs autonomous agents inline. Ogma audits human AI usage independently of the vendor.

SOC 2 · ISO 42001 · EU AI Act Art. 12 · BSL / Apache 2.0
01 / Products

Two products. One thesis: the customer should own the record.

Tyr keeps autonomous agents inside their lane. Ogma builds an independent ledger of human AI usage — outside the vendor's perimeter, outside your AI vendor's control.

Enforcement · Tyr · "teer"

Tyr by Vargate

The proxy that governs autonomous agent tool calls. Sits inline. Prevents bad actions before they happen.

  • 01 · Inline policy enforcement. Block, allow, or require approval for every tool call by name, scope, and arguments.
  • 02 · Egress & secret hygiene. Strip credentials, mask PII, contain blast radius before it ever reaches the model.
  • 03 · Kill-switch in 200 ms. Pause an agent fleet from a single console when something looks off.

Audit · Ogma · "OG-muh" · New

Ogma by Vargate

The independent audit layer for human AI usage. Detects anomalies, alerts the right people, makes the trail audit-ready.

  • 01 · Pulls from vendor management APIs. No agents, no proxies, no sidecars. Connect with an admin key in 60 seconds.
  • 02 · Hash-chained, blockchain-anchored. Every event is signed, chained, and anchored outside the vendor's perimeter.
  • 03 · Anomaly & compliance alerting. Off-hours bursts, baseline drift, key rotations — flagged before they reach a board deck.

02 / Tyr · architecture

Six layers of autonomous agent governance.

Tyr is purpose-built for regulated environments where audit completeness, policy determinism, and cryptographic accountability are non-negotiable.

Layer 01

Policy-as-Code Governance

Every agent operates within formally defined boundaries written in Rego/OPA. Policies are version-controlled, deterministic, and cryptographically linked to every decision.

Layer 02

Hash-Chained Audit Log

Every action produces a tamper-evident record linked to its predecessor by SHA-256 hash. Modify one record and the chain breaks from that point forward.

Layer 03

Blockchain-Anchored Non-Repudiation

Periodic Merkle roots committed to a public ledger. Neither Vargate nor the enterprise can backdate, delete, or silently replace the audit history.
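
Layers 02 and 03 in miniature, as an added Python example that is not Vargate's code: a SHA-256 hash chain with a verifier, plus a Merkle root over the record hashes standing in for the value that would be anchored. The record layout, genesis value, JSON canonicalization and odd-node pairing rule are assumptions made for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed placeholder predecessor for the first record

def record_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the predecessor hash plus a canonical JSON encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def build_chain(events: list) -> list:
    """Return records {event, prev, hash}, each linked to its predecessor."""
    chain, prev = [], GENESIS
    for event in events:
        digest = record_hash(prev, event)
        chain.append({"event": dict(event), "prev": prev, "hash": digest})
        prev = digest
    return chain

def first_broken(chain: list):
    """Index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    return None

def merkle_root(leaf_hashes: list) -> str:
    """Merkle root over record hashes; an odd node is paired with itself (assumed)."""
    if not leaf_hashes:
        raise ValueError("no records to anchor")
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def audit(chain: list, anchored_root: str):
    """Return (first broken index or None, chain still matches the anchored root)."""
    return first_broken(chain), merkle_root([r["hash"] for r in chain]) == anchored_root

# Constructed sample events, not real Tyr output.
EVENTS = [{"seq": i, "tool": t, "decision": d} for i, (t, d) in enumerate(
    [("crm.read", "allow"), ("email.send", "allow"), ("db.drop", "deny"), ("crm.read", "allow")])]
```

An in-place edit makes `first_broken` return that record's index. A custodian who recomputes every hash after the edit passes the chain check but no longer matches the previously anchored root, which is the gap the external anchor closes.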

Layer 04

GDPR Crypto-Shredding

PII is encrypted with per-subject HSM keys before it enters the audit chain. Erasure means destroying the key — ciphertext becomes computationally unrecoverable while audit structure remains intact.

Layer 05

Decision Replayability

Any disputed action can be reproduced from the original input and the exact policy bundle that governed it. Deterministic evaluation means the answer is always the same.

Layer 06

Two-Pass Evaluation

Routine actions resolve in under 15 ms. Only elevated-risk actions trigger enriched evaluation with behavioral history, anomaly scores, and jurisdiction context.

03 / Tyr · live

Watch the gateway in action.

Toggle an allowed and a blocked tool call. The same path — evaluation, decision, audit, anchor — every single time. Deterministic by design.

tyr.gateway / live policy demo
AI Agent (tool call) → Tyr Gateway (two-pass eval) → OPA Policy (Rego bundle) → Decision (allow / deny) → Audit Log (SHA-256 chain) → Blockchain (Merkle root)
Median 12 ms · P99 41 ms · deterministic
04 / Why independence

Why independence matters.

An audit trail held by the vendor it audits is not an audit trail. It's a vendor report.

Relying on AI vendors to audit their own usage is like a bank auditing itself. The record needs to live where it cannot be amended. By anyone. Ever.

Vendor-supplied · Vendor console & logs
  • Custodian: The AI vendor
  • Mutability: Vendor-controlled retention & format
  • Integrity proof: None — trust the source
  • Anchoring: Internal only
  • Auditor stance: "Vendor said so."

Independent · Ogma · Vargate ledger
  • Custodian: Vargate, independent of every AI vendor. Self-hostable for enterprise.
  • Mutability: Append-only, hash-chained
  • Integrity proof: SHA-256 chain · per-event
  • Anchoring: Public chain · daily root
  • Auditor stance: "Verifiable, independently."

05 / How Ogma works

From admin key to audit-ready in under a minute.

No agents to install. No traffic to redirect. Ogma reads what your AI vendors already expose — and turns it into a record you can stand behind.

Step 01

Connect

Paste your Anthropic admin key (more vendors coming Q4). Sixty seconds, zero infrastructure changes.

Step 02

Ingest

Ogma pulls events from each vendor's management API in near real time. Backfill is automatic.

Step 03

Audit

Each event is hash-chained; daily roots are anchored to a public chain. Tamper-evident, end to end.

Step 04

Alert

Anomaly rules and compliance baselines fire to Slack, email, or webhook before the audit committee asks.

Hash-chained audit trail · Blockchain-anchored · BSL / Apache 2.0 licensed · AGCS controls implemented

06 / Inside Ogma

The page a CISO opens at 02:30.

Tabular, tamper-evident, exportable. The auditor reads the same screen you do — that's the point.

ogma.vargate.ai / events · org_KMz4 · acme-pharma · last 24h

  • Events / 24h: 38,419 (+ 2.1% vs 7d avg)
  • Anomalies open: 3 (2 awaiting review)
  • Last anchor: 2 m ago (blk 18,402,991)
  • Chain integrity: Verified (38,419 / 38,419)

14:32:09 · messages.create · m.chen@acme · anthropic/claude-sonnet-4-6 · 12.4k tok · d4a9f7c2e1b9…21c4 · Anchored
14:31:47 · api_keys.rotate · service-acct-pipeline · automated · 9c12be4af7a3…fa07 · Anchored
02:22:14 · messages.create · flagged · r.okonkwo@acme · 47.3k tok · off-hours · RULE-117 · fe823104c911…04e9 · Anomaly
01:58:22 · organization.member.add · s.patel@acme → j.doyle@acme · aa14de7102c4…b9c1 · Pending

07 / AGCS

Defining the standard for agent governance.

The Agent Governance Certification Standard (AGCS) is a three-tier certifiable framework. Vargate is the founding technical secretariat and reference implementation.

Tier 1 · Baseline

Supervised Agent Baseline

Policy definition, audit completeness, human escalation. The minimum any regulated team should expect from an autonomous agent in production.

Policy as code · Audit completeness · Human escalation

Tier 2 · Cryptographic

Cryptographic Accountability

Hash chains, policy replay, GDPR reconciliation. The audit trail can stand on its own; decisions can be reproduced; subject erasure is enforceable.

Hash chains · Policy replay · GDPR reconciliation

Tier 3 · Forensic

Forensic-Grade Non-Repudiation

Blockchain anchoring, HSM operations, hardware attestation. Suitable for jurisdictions and disputes where neither party can be assumed neutral.

Blockchain anchoring · HSM operations · Hardware attestation

08 / Architecture

Purpose-built infrastructure.

Every component is a discrete, auditable service connected through well-defined interfaces. No monolith. No magic.

  • AI Agent: autonomous caller · → tool call
  • MCP Gateway: two-pass evaluation · tyr.gateway:8000
  • OPA Engine: Rego policy eval · allow / deny
  • Decision: signed result · → chain.append
  • Redis: behavioural history
  • SQLite: hash-chained log
  • SoftHSM2: per-subject keys
  • Blockchain: merkle root anchor
  • Bundle Server: etag polling
  • Dashboard: react UI :3000

09 / Pricing
Ogma · simple, predictable

Per-record pricing. No seat costs.

Audit trails should scale with usage, not with your org chart. Volume tiers from pilot to enterprise; SOC 2 reports and audit handoffs included from day one.

  • 0–500k records · pilot
  • 500k–5m records · team
  • 5m+ records · enterprise