The AI governance pipeline
Seven gates. Zero bypass paths.
Every request an AI agent makes passes through the same non-bypassable pipeline, in order. No model is called until each gate has cleared, and the final stage logs the request with full context - so 100% of AI activity is accounted for.
Team Guard
Confirms the requester belongs to a team that is permitted to invoke the agent at all.
Kill Switch
Checks global, division, and team-level shutoffs from a hot cache so a stop takes effect in milliseconds.
Rate Limit
Enforces per-user and per-team request ceilings - 60 requests per minute by default, configurable per tenant.
Budget Check
Verifies the daily token budget. A soft warning fires at 80%; a hard stop blocks the call at 100%.
Scope Validate
Confirms the request stays inside the agent’s declared data boundaries before any model sees the data.
LLM Call
Invokes the underlying Claude or GPT model only after every gate above has passed.
Audit Log
Records the request with actor, timestamp, and full context. Logging is non-blocking, so it can never be skipped to save time.
Six AI controls
The levers that keep agents in bounds.
Kill switches
Three levels of instant shutdown - global, division, and team - backed by a hot cache so a stop propagates in milliseconds across every agent.
Scope registry
Declarative, reviewable data boundaries between agents. Each agent can only ever reach the records its scope explicitly permits.
Rate limiting
Per-user and per-team request ceilings enforced in Redis, defaulting to 60 RPM and tunable to match your throughput and risk tolerance.
Token budgets
Daily token limits per team with an 80% soft warning and a 100% hard stop - predictable AI spend with no runaway calls.
API key management
Provider keys are stored encrypted with rotation and host allowlists, so credentials are never exposed in code, logs, or config.
Security monitoring
Every request is validated and logged with full context, giving security teams a continuous, traceable record of agent activity.
Identity & access
Who gets in, and what they can do.
Single sign-on
SAML 2.0 and OIDC integration so Cortrova logs in through your existing identity provider - no separate password store to manage.
Multi-factor authentication
TOTP-based MFA with step-up authentication required for admin and executive roles before sensitive actions.
Role-based access control
12 built-in roles with per-department permissions, plus custom roles to mirror exactly how your floor is organized.
Login protection
Brute-force defense limits attempts to 5 per 60 seconds and locks accounts after repeated failures.
Encryption & data protection
Encrypted in transit, at rest, and in backup.
TLS 1.2+ in transit
Modern TLS is enforced site-wide; every connection between your floor, the platform, and its services is encrypted end to end.
AES-256 at rest
Disk encryption with AES-256, with per-tenant key isolation so one customer’s keys can never decrypt another’s data.
Hardened credentials
Passwords are hashed with bcrypt at 12 rounds - slow by design to resist offline cracking.
Daily encrypted snapshots
Encrypted backups run daily with point-in-time recovery, so a bad day never becomes a lost week.
Audit & privacy
A trail your auditors can query.
Cortrova logs every change and every AI decision to one immutable record, then gives your team the privacy workflows regulated buyers expect.
- ✓ Every mutation is logged with actor, timestamp, and before-and-after state - 100% coverage, not a sampled subset.
- ✓ AI requests and user actions share one immutable audit trail your auditors can query directly.
- ✓ Configurable session timeout, idle timeout, and concurrent-session limits keep stale sessions from lingering.
- ✓ GDPR data export, right-to-erasure, and anonymization workflows are built in, alongside CCPA do-not-sell handling.
Deployment
Run it where your data has to live.
The same governance pipeline, RBAC, encryption, and audit guarantees apply no matter how you deploy - so your data-boundary constraints never force a security trade-off.
Cloud
A managed, single-tenant-isolated deployment with the full governance pipeline and daily encrypted backups handled for you.
On-premises
Run Cortrova inside your own network and data boundary while keeping every control, role, and audit guarantee intact.
Air-gapped
Fully disconnected installs for ITAR and classified environments - no outbound calls, no exceptions, same security posture.
Standards & compliance
Built in, not bolted on.
FAQ
Questions, answered.
How does Cortrova govern its AI agents?
Every AI request passes through a non-bypassable 7-stage pipeline: team guard, kill switch, rate limit, budget check, scope validation, the model call, and an audit log. There are zero bypass paths, so no agent can reach data or run a model without clearing every gate, and 100% of requests are logged.
Can we stop the AI instantly if something looks wrong?
Yes. Kill switches operate at three levels - global, division, and team - backed by a hot cache so a shutoff takes effect in milliseconds. You can pause a single team’s agents or halt all AI across the platform at once, without a deploy.
How do users authenticate, and how is access controlled?
Cortrova supports SSO via SAML 2.0 and OIDC, TOTP-based MFA with step-up authentication for admin and executive roles, and role-based access control with 12 built-in roles plus custom roles and per-department permissions. Login attempts are rate-limited and accounts lock after repeated failures.
How is our data encrypted and isolated?
TLS 1.2+ is enforced for all data in transit and AES-256 disk encryption protects data at rest, with per-tenant key isolation so one tenant’s keys can never decrypt another’s data. Passwords are hashed with bcrypt at 12 rounds, and encrypted snapshots run daily with point-in-time recovery.
What does your audit coverage actually capture?
Every mutation is logged with the actor, a timestamp, and the before-and-after state - 100% coverage rather than a sampled subset. AI requests and user actions share one immutable trail, so an auditor can trace any change or any agent decision end to end.
Can Cortrova run in an air-gapped or ITAR environment?
Yes. Cortrova deploys in the cloud, on-premises, or fully air-gapped to match your data-boundary constraints, and is ITAR-aware and CMMC 2.0 Level 2 ready. An air-gapped install makes no outbound calls while keeping the full governance pipeline, RBAC, encryption, and audit guarantees intact.
Review the architecture
Walk the security model with your team.
Book a security demo and review the governance pipeline, controls, and audit trail with your IT leadership or auditors - cloud, on-prem, or air-gapped.