AI governance breaks down into four questions. Who is asking. Where the data is allowed to go. What must be rewritten before it leaves. Who signs the receipt when money moves. RelayOne answers all four inline, for every request, with signed evidence.

How the four fit together

Sovereignty tracking produces the receipt chain. Employee AI access decides whether a given session may make a call. Network reroute moves calls to safe internal targets when policy requires. Identity and commerce close the loop: every agent transaction is attributable and disputable.

In the managed path, RelayOne sits behind RelayGate; RelayGate does the inline PII strip and credential injection, RelayOne owns policy, identity, and receipts. In the standalone path, RelayOne is a pure governance plane that brokers decisions for any middleware you already run.

Both postures produce the same Ed25519 receipt chain. An auditor does not need to know which path the traffic took; the evidence bundle reads the same.

Every request passes through all four surfaces. The receipt chain aggregates the outcome at egress.

Deeper reading

Control-plane architecture: the four layers in detail
Policy language: CEL-compatible rules with worked examples
Evidence: signed bundle shape, chain of custody
Fleet: multi-tenant governance at scale