Enforce AI policy.
See what is happening.
Prove it to your auditor.

The Canadian-built control plane between your people and every AI provider: your policies enforced in-line, every decision recorded.

The Mandate Policy Workbench for Bay Street Counsel LLP's 'Litigation & disclosure review' policy. A note near the top reads 'Hybrid detection (regex + ML)'. Below a quick-add row of detector pills, the rules table lists each rule with its detector, a configuration cell, an allow / warn / redact / block / escalate action toggle, and a Principle column. Privileged material is set to block; litigation-strategy language to escalate for a lawyer's review; case parties and client SINs to redact; matter and billing terms to warn; citations to public reported decisions to allow. Two rules carry a governance-principle tag (Data Stewardship and Traceability) in the Principle column. The page header shows the active version, when it was last edited, and Save and Deactivate buttons.
The Policy Workbench: a visual rule builder with typed detectors, one-click actions, and an optional governance-principle tag per rule. No YAML required.
Hosted in Canada today, deployable where you need it · Vendor jurisdiction your counsel can verify

Questions your current tools cannot answer.

  1. Can you name the last time sensitive data entered ChatGPT, and what your organization did about it?

  2. Can you show an auditor a structured record of what your AI policy actually enforced this quarter?

  3. Which legal jurisdiction is your AI vendor actually under? A region label doesn’t answer that, and counsel will ask.

18%

of Canadian organizations have systems in place to govern AI across everyday operations.

IBM Institute for Business Value  ·  May 2026

25%

of full-time office workers who use AI at work rely on enterprise-grade tools. The rest use personal apps or a mix.

IBM  ·  September 2025

57%

of enterprise employees have entered high-risk information into publicly available AI assistants.

TELUS Digital  ·  2025

One audit event. Hash-chained. Verifiable.

Every mediated AI request produces one structured audit event and one usage event, joined by correlation id. Each row is SHA-256 linked to the one before it, and signed checkpoints anchor the trail. Your auditor can verify the export without any Mandate tooling.

Audit event Chain verified
User
j.smith@legalfirm.ca
Tool
ChatGPT (chat.openai.com)
Triggered
SIN pattern · rule SENSITIVE-DATA-001
Action
Redact: 3 fields removed
Timestamp
May 5 2026, 09:04:37 EDT
Correlation
a2f7·9d3e·b1c4·8a00
Hash
sha256:3f9a·…·b712
  • Per-row hash chain

    Each event is SHA-256 linked to the one before it. Alter, delete, or insert any record and the chain breaks.

  • Signed checkpoints

    Periodic Ed25519-signed checkpoints with Merkle roots anchor the trail. Public keys travel with the export.

  • Independent verification

    The export alone is enough to verify. No Mandate tooling required. Verify a sample pack yourself →

One policy engine. Every request evaluated and recorded.

The policy engine sits inline between your users and every AI provider. The decision (allow, warn, redact, block, or escalate) happens at the connection layer, before anything reaches the provider.

Full product detail →

What Mandate puts in place

  • Mediation layer

    API gateway and network forward proxy connectors route every AI request through Mandate before it reaches any AI provider. No client software distributed to employees.

  • Policy enforcement

    Your configured rules apply at the point of use (allow, warn, redact, block, or escalate) based on sensitive data patterns, tool usage, and content classification.

  • Agent governance

    Each AI agent runs under its own named identity. Mandate reads the tool calls it makes, applies the same rules your people get, and writes every agent action to the same tamper-evident record.

  • Tamper-evident audit trail

    Structured audit records for every request: user, tool, policy rule, action, timestamp. Hash-chained and exportable. The record your auditor can actually verify.

  • Canadian-hosted infrastructure

    Runs in Canada today on Canadian-owned infrastructure, under a legal jurisdiction your counsel can evaluate before you sign. The architecture isn’t tied to one country.

30 days. Written criteria.

One administrator sets it up in an afternoon, nothing deployed to employees. Criteria agreed in writing before day one; if the pilot doesn't meet them, we tell you why.

Ready to see what Mandate produces
in your environment?

30 minutes to understand your environment and whether a pilot is the right next step.

contact@mandateco.ca  ·  1-905-630-1908