Unknown runtime state
Model registries and policy documents rarely prove what is actually running inside customer environments.
DESIGN PARTNER ACCESSSelf-hosted and NeoVail Cloud deployment paths under review
Runtime AI Governance
Runtime Trust for Enterprise AI
NeoVail helps enterprises govern models, agents, MCP servers, and AI infrastructure through regional control planes, customer-local Sentinel enforcement, and audit-supporting evidence.
Illustrative product preview
Nacme-platformprod
Search tools, agents, decisions...⌘K
Runtime / Decisions / Last 1h
Runtime decisions
live · 12 envs · 38 agents
FilterNew policy
Allowed
14,208
+2.1%
Warned
312
+0.4%
Denied
46
-12%
Awaiting approval
7
3 escalated
Decision streamhealthy
Allowlow2s
claude-code/build-bot->fs.read on repo://services/billing/**
policy=prod.runtime.v3 · evidence captured
Approvalmedium4s
codex/refactor-agent->mcp.github.commit on repo://acme-payments/main
policy=prod.runtime.v3 · evidence captured
Warnmedium6s
cursor/cli-1.3->shell.exec on sandbox://node-22
policy=prod.runtime.v3 · evidence captured
Denyhigh9s
gemini-cli/ops-77->mcp.cloud.iam.review on cloud://prod/iam-review
policy=prod.runtime.v3 · evidence captured
Simulatemedium14s
codex/refactor-agent->fs.write on repo://infra/terraform
policy=prod.runtime.v3 · evidence captured
N
Runtime enforcement
policy decisions before execution
N
MCP governance
discover · classify · bind
N
Human approvals
expiry · escalation
N
AI Asset Graph
agents · tools · models
N
Audit evidence
EU AI Act-ready
N
Enterprise identity
OIDC · SCIM · managed identity
The new attack surface
AI agents are no longer just generating text. They are taking actions.
Enterprises are deploying models, agents, and MCP-connected tools faster than governance, audit, and runtime enforcement can keep up. Tool calls, credentials, files, workflows, and regulated systems need decisions before execution.
Agent access sprawl
MCP servers can expose powerful tools, but agent-side permission prompts are not a reliable enterprise control boundary.
Audit evidence delays
Regulated teams need evidence that reflects current runtime state, not spreadsheets assembled after an incident or audit request.
Runtime decision
Every action gets a decision: allow, warn, deny, require approval, or simulate.
NeoVail evaluates tool, identity, risk, policy, and runtime context in the same hop. The decision is bound to the policy version that made it and to the evidence record it produces.
Allow
Action executes immediately with identity and evidence attached.
Warn
Action proceeds with a flagged record for review.
Deny
Action is blocked before a tool, credential, or model is touched.
Require approval
Routed to approvers with expiry and escalation.
Simulate
Dry-run outcome and side effects captured first.
Nacme-platformprod
Search tools, agents, decisions...⌘K
Runtime / Decisions / Last 1h
Runtime decisions
live · 12 envs · 38 agents
FilterNew policy
Allowed
14,208
+2.1%
Warned
312
+0.4%
Denied
46
-12%
Awaiting approval
7
3 escalated
Decision streamhealthy
Allowlow2s
claude-code/build-bot->fs.read on repo://services/billing/**
policy=prod.runtime.v3 · evidence captured
Approvalmedium4s
codex/refactor-agent->mcp.github.commit on repo://acme-payments/main
policy=prod.runtime.v3 · evidence captured
Warnmedium6s
cursor/cli-1.3->shell.exec on sandbox://node-22
policy=prod.runtime.v3 · evidence captured
Denyhigh9s
gemini-cli/ops-77->mcp.cloud.iam.review on cloud://prod/iam-review
policy=prod.runtime.v3 · evidence captured
Simulatemedium14s
codex/refactor-agent->fs.write on repo://infra/terraform
policy=prod.runtime.v3 · evidence captured
Runtime decision flow
From proposal to evidence in a single round trip.
Every action an agent proposes follows the same path. The decision is the audit record, so there is no second reporting pipeline to reconcile.
0101
Agent proposes action
models · agents · cli
0202
NeoVail normalizes identity
OIDC · SCIM · groups
0303
Tool and credential risk
MCP registry · scopes
0404
Policy returns decision
allow · warn · deny
0505
Approval if required
expiry · escalation
0606
Outcome recorded
success · error · drift
0707
Evidence attached
asset graph · export
AI Asset Graph
A connected inventory for enterprise AI systems.
NeoVail maps the assets, identities, policies, and evidence that determine AI risk. The graph makes governance inspectable across model, agent, MCP, and runtime layers.
Models
Agents
MCP servers
Users
Groups
Runtime environments
Sentinel nodes
Policies
Evidence
Audit events
Models
Verified against trusted registry records and expected digests.
Agents
Mapped to users, groups, tools, environments, and policy decisions.
MCP servers
Controlled through gateway allow and deny enforcement.
Sentinel Runtime Enforcement
Customer-local controls for trusted model execution.
Sentinel nodes run in the customer environment to verify runtime state, detect drift, and enforce policy without moving sensitive runtime evidence onto the public website.
Runtime model verification
Validate deployed models against trusted registry records and approved deployment context.
Digest drift detection
Detect when a runtime artifact no longer matches the expected digest, version, or provenance record.
Policy enforcement
Apply enterprise policy at runtime with clear outcomes, evidence, and escalation paths.
Simulation mode
Roll out controls safely by observing would-block outcomes before moving into enforcement.
MCP Governance
MCP access enforced at the gateway, not by agent promises.
NeoVail treats MCP servers as governed enterprise assets with identity-aware access, gateway-based allow and deny decisions, and a full audit trail.
Server registry
Track approved MCP servers, ownership, risk, and allowed environments.
User and group access
Map access to enterprise users and groups instead of relying on local agent configuration.
Gateway decisions
Enforce allow and deny policy before tools are invoked.
Audit trail
Record who attempted what, through which agent, against which server, and why it was allowed or blocked.
Beyond point tools
A control plane for the full AI runtime.
NeoVail is not just an MCP proxy, coding-agent hook, local sandbox, policy DSL, or compliance dashboard. It connects those control surfaces into a single system of record.
N
runtime control planeNeoVail
Runtime control plane
AI Asset Graph
Audit evidence exports
Enterprise identity alignment
Cross-agent MCP policy decisions
MCP proxy
point toolInline tool gating
No asset graph
Agent hook
point toolLocal prompt audit
No runtime decision
Local sandbox
point toolFilesystem isolation
No evidence pack
Policy DSL
point toolRule authoring
No registry
Dashboard
point toolPost-hoc reporting
No enforcement
Integrations
Built for the identity, runtime, and tooling enterprises already run.
NeoVail meets your environment where it lives: frontier model APIs, local model servers, agent CLIs, MCP gateways, identity providers, and compliance pipelines.
Identity
OIDC · SCIM · groups
WOWorkOS
OKOkta OIDC
AZAzure AD
SCSCIM 2.0
AI runtimes
frontier + local
OPOpenAI
ANAnthropic
BEBedrock
LOLocal models
Agent tools
CLI + IDE agents
CLClaude Code
COCodex
CUCursor
COCopilot CLI
MCP
servers · gateways
MCMCP servers
GAGateways
TOTool registries
ADAdapters
Notifications
inbox + chatops
SLSlack
EMEmail
WEWebhooks
PAPagerDuty
Compliance
evidence + exports
EUEU AI Act
DODORA
AUAudit exports
SISIEM
Compliance and Residency
Evidence built for regulated AI operations.
NeoVail is designed to support EU AI Act readiness work, DORA-aligned evidence workflows, regional control planes, customer-local runtime telemetry, and audit evidence exports. These statements describe product intent and should not be read as a legal certification or regulatory conformity assessment.
Designed to support EU AI Act workflowsDesigned to support DORA evidence workflowsRegional data residency
Security posture
Designed for the teams who approve AI in production.
NeoVail’s public website remains separate from control-plane operations. The product architecture is built around regional tenancy, local enforcement, least privilege, and runtime evidence.
N
Regional tenancy
Control planes designed around regional deployment and residency requirements.
N
Customer-local Sentinel
Runtime checks and enforcement run near customer models, agents, and MCP servers.
N
Default-deny posture
Unknown tools and unbound MCP servers can be blocked before execution.
N
Least privilege
Access decisions can include users, groups, tools, scopes, environments, and policy versions.
N
Audit evidence
Every decision links identity, policy, runtime context, and outcome into an exportable record.
N
Website separation
The public site stores no customer evidence, secrets, telemetry, or enforcement state.
Architecture
Separated surfaces for website, control, intake, and enforcement.
The public website is separate from the SaaS control plane, regional telemetry intake, and customer-local enforcement layer.
Runtime architecture
Surfaces, boundaries, and the path between them
publicgovernedintakelocal
Public01
neovail.com and www.neovail.com
Public website
Static marketing pages, legal notices, trust pages, and demo entry points.
1
Governed02
app.neovail.com
Regional control plane
Policy administration, AI asset graph, evidence review, and customer workflow management.
2
Intake03
ingest.eu.neovail.com
Regional ingestion
Sentinel telemetry intake with customer-selected residency, handling, and retention rules.
3
Local04
Sentinel + models + agents + MCP servers
Customer environment
Local enforcement boundary where verification, policy checks, and blocking happen before actions proceed.
4
Website isolated from control planeRegional intake boundaryCustomer-local enforcement
Demo
A focused seven-minute walkthrough.
The NeoVail demo shows how governance teams move from inventory to runtime evidence without relying on fragile manual checks.
01
AI Asset Graph
02
Trusted model registry
03
Sentinel heartbeat
04
Simulated model drift
05
Blocked MCP request
06
Audit evidence export
Book a NeoVail demo
See how NeoVail governs models, agents, MCP servers, and runtime evidence across enterprise AI environments.