Guardian is the protection and identity layer. It ties every request to a real person, decides which data and which tools the AI is allowed to reach, and keeps a clear record you can replay.
Identity · Policy · Audit — checked on every request
Guardian sits between Studio and your data. Every request answers three plain questions: who is asking, is this allowed, and can we show what happened. Each one maps to real work the platform does before and after the AI runs.
Guardian reads identity from your existing single sign-on, so the person behind a request is the same one your IT team already manages. There is no second login, and no separate user list to keep in step.
Before the AI touches anything, Guardian checks who's asking and what they're allowed to see. When a request is declined, that decision is recorded too, with the reason, so a refusal is as visible as an approval.
Guardian keeps a record of what was asked, who asked it, what was decided, and what came back. The record is replayable, so when someone needs to show their work, the trail is already there.
The record is queryable in-platform and streams to your own SIEM, so Guardian's audit trail lands in the same log pipeline as the rest of your estate. Your security team reviews it where they already work.
A single question typed into Studio becomes a request, and that request moves through a fixed set of gates before an answer comes back. This is the order they run in. It is a sequence of checks, not a promise that any one input is safe.
Guardian resolves who is asking through your single sign-on. A request with no resolvable identity does not proceed.
The request is checked against the person's role and the rules of the workspace they are working in. A request outside that scope is declined, with the reason kept on the record.
The user's row and column permissions are carried through to where the AI asks. If a person cannot see certain records directly, the AI does not read them on their behalf.
With scope settled, the request draws on the Atlas semantic layer: the metrics, glossary, and entity model your team defined, so the answer reads from your business rather than the model's guess.
The AI assembles a response from the data it was allowed to read, with citations back to the sources it used, so the answer can be checked rather than taken on faith.
The request, the decision, the sources, and the answer are written to the record. Allowed or declined, the trail is there to replay later.
Two ideas hold this together. First, the access a person already has follows them into every request. Second, what happened is kept where you can find it again. One controls reach; the other lets you show your work.
An agent doesn't get open access to your stack. Each tool, connector, and action it can reach is decided by Guardian, scoped to the person behind the request.
The AI can only call the tools and data connectors the asker is already permitted to use. Scope follows role and workspace, not the model's appetite.
Reading is one thing. Anything that writes or takes an action can require explicit sign-off before it runs.
Tool calls run in a contained space, not with open reach into your systems. A call does what it is scoped to do and nothing more.
Outbound fetches are allow and deny listed, and anything pulled back is treated as untrusted input before it reaches your data.
Tool scoping, action approvals, sandboxed execution, and per-request enforcement all run through Guardian. We will walk your team through exactly how each control is configured for the deployment you're considering.
Retrieved documents and web pages can carry instructions aimed at the model. No one can promise immunity from that. What Guardian can do is stack a few honest defences, so a single trick is less likely to carry through. This is defence in depth, not a guarantee.
A question typed into Studio takes the same path each time. The user sees one thread; the platform sees a request, a policy decision, and a grounded answer.
Studio is the surface the user works on. Guardian is the gate that each request, answer, and audit entry passes through. Atlas is the grounding layer the AI reads from instead of guessing. None of the three works alone. See the platform architecture → for the full diagram.