Platform Architecture

The three-layer governance operating system. Two-plane doctrine, component map, and the Assurance Feedback Loop.

ObsidianWall is a governance operating system built around three layers that together implement Programmable Assurance.


The Three Layers

A governance engine answers one question: did policy pass?

A governance operating system answers five:

What happened?        Layer 1 — Governance Execution
Why?                  Layer 1 + Layer 2
Who owns it?          Layer 3 — Governance Accountability
What does it cost?    Layer 2 — Governance Intelligence
What should change?   Layer 2 feeds back into Layer 1

Layer 1 — Governance Execution

What should happen? What happened?

Verdict and Sentinel live here. These components enforce and observe. Outputs are deterministic and attributable. No AI in the decision path.

Layer 2 — Governance Intelligence

What does it mean? What does it cost?

Compass, Governance Intelligence, and Governance Economics live here. These components analyze, translate, and advise. Outputs inform decisions but never make them.

Layer 3 — Governance Accountability

Who owns the outcome?

The Risk Ledger, attestation systems, and exception management live here. Every acceptance, override, and refusal is named, dated, and immutable.


The Two-Plane Doctrine

Every component belongs to one of two planes. The boundary between them is the most important architectural decision in the platform.

PROBABILISTIC INTELLIGENCE PLANE
─────────────────────────────────
  Advises. Analyzes. Recommends.
  Translates. Learns. Estimates.

  AI operates freely here.
  Outputs inform decisions.
  Outputs never make decisions.

  Compass, Analyzers, Recommender,
  Governance Economics, Explainability,
  Forge (intent and translation layer)


  HUMAN APPROVAL GATE
  The plane boundary


DETERMINISTIC GOVERNANCE PLANE
─────────────────────────────────
  Enforces. Records. Attributes.
  Blocks. Authorizes. Proves.

  AI may NOT govern here.
  Every decision is deterministic.
  Every decision is attributable.
  Every decision is reproducible.

  Verdict, Sentinel, Risk Ledger,
  Audit Artifact,
  Forge (compiled policy output)

Why this boundary exists:

When a deployment is blocked and a CISO must explain to a board why, the answer must be:

“This policy, written by this person, on this date, blocked this deployment because this condition failed.”

Not: “The AI decided this was too risky.”

The first answer is defensible in a regulatory audit, a boardroom, and a courtroom. The second is not.


The Components

Forge — Both Planes

The governance authoring engine. The only component that deliberately crosses the plane boundary.

  • Intelligence Plane: AI assists in drafting policy conditions from leadership intent
  • Human Approval Gate: Human reviews, approves, and commits
  • Governance Plane: Compiled policy lives here — deterministic, versioned, signed

The human is the bridge between planes. This is not a workflow detail. It is the architectural guarantee that every policy in ObsidianWall can be attributed to a human author who consciously approved it.

Verdict — Deterministic Plane

Pre-deployment governance decision engine. Reads a Terraform plan or CloudFormation template, evaluates it against a policy, and produces one of five typed governance decisions before deployment executes.

ALLOW
ALLOW_WITH_NOTIFICATION
ALLOW_WITH_APPROVAL_REQUIRED
DENY_WITH_OVERRIDE
DENY

Sentinel — Deterministic Plane

Post-deployment reality observation. Verifies that what actually deployed stayed aligned with what the governance decision authorized. Detects drift. Surfaces divergence.

Compass — Intelligence Plane

Governance intelligence and economics. Analyzes outcomes across decisions. Identifies override patterns, coverage gaps, and policy drift. Translates findings into financial exposure. Closes the Assurance Feedback Loop.

Risk Ledger — Deterministic Plane

Cryptographically signed, tamper-evident record of every governance decision, override, and risk acceptance. When leadership accepts a governance risk, that acceptance is named, dated, signed, and immutable.


The Governance Loop

Leadership articulates intent

FORGE — Intelligence Plane
AI assists drafting

Human approves at the boundary

FORGE — Governance Plane
Policy compiled, versioned, signed

VERDICT
Every infrastructure change evaluated
Governance decision produced

SENTINEL
Reality observed post-deployment
Drift detected and recorded

RISK LEDGER
Every decision, override, and
risk acceptance attributed and sealed

COMPASS + INTELLIGENCE
Outcomes analyzed
Gaps identified
Misalignment surfaced

ECONOMICS
Financial translation for every audience

Feedback into FORGE
Intent refined. Loop closes.

Multi-Audience Delivery

One governance event. Every stakeholder. Their native language.

Audience What they see
Developer Exit code 1. DENY — budget_check failed.
Budget Owner Deployment exceeds budget by $50. Override requires authorization.
CISO Decision ID: abc3a13b. Audit artifact generated. Override path: budget_owner.
Board Infrastructure change blocked. Governance control active. No exposure created.
Auditor Complete artifact. Policy, version, owner, decision, trace, timestamp.

Current State

Component Status
Verdict v0.5.0 Shipped — evaluate, coverage, simulate, sentinel, validate, test, audit
Sentinel (plan-level) Shipped in v0.5.0
Sentinel (cloud APIs) v0.6.0 — Azure RM + AWS CloudTrail
Risk Ledger Architecture in v0.6.0
Compass Alpha Q4 2026
Forge Alpha 2027

Full vocabulary reference: Programmable Assurance Vocabulary