Console Login
Docs / Security

Fail-closed enforcement with provable audit trails.

Gvner is built to be inspected, challenged, and verified. Security is embedded in the execution model.

Docs Home Evidence Model Public Security

Security topic map

Control map

Controls mapped to evidence outputs.

Least-privilege

Scoped execution and deny-by-default.

Immutable audit trail

Tamper-evident decision records.

Fail-closed

Decision timeouts resolve to DENY.

Identity & access

RBAC, scoped keys, dual control.

Execution guardrails

Budgets, approvals, regulatory checks.

Evidence & audit

Exportable evidence artifacts.

Data protection

Retention and minimization safeguards.

Agent governance security

Agent-level controls and evidence.

Identity governance security

Identity control assurance.

Core guarantees

No bypass paths

External runtimes do not execute directly. All actions pass through Gvner.

Fail closed

Missing decisions, timeouts, or ambiguity result in DENY.

Immutable evidence

Every decision includes an evidence hash and audit identifier.

Deterministic decisions

Policy evaluation is reproducible across time and environments.

Control map

Each security claim maps to an explicit control and evidence output.

Least-privilege execution

Explicit scopes, actor boundaries, deny-by-default.

Immutable audit trail

Tamper-evident records and evidence hashes.

Fail-closed enforcement

Decision timeouts and ambiguity resolve to DENY.

Identity and access

Role-based access, scoped keys, dual control.

Execution guardrails

Budgets, approvals, and regulatory checks.

Evidence and audit

Exportable evidence for auditors and regulators.

Data protection

Minimization, retention, and deletion safeguards.

Control map overview

Full control map and cross-links.

Threat model coverage

Unauthorized tool execution is blocked by default
Policy changes require approvals and evidence trail
Audit records are tamper-evident and exportable

Security controls

Identity + access

Role-based access with auditor-only views and scoped API keys.

Network boundaries

Run Gvner behind your boundary or via managed secure endpoints.

Data encryption

Encryption in transit and at rest across evidence storage.

Export integrity

Signed export packs with receipts and verification metadata.