How Mandate works

Mandate sits between your users and AI providers. Every request is evaluated against your policies before it reaches any AI service. The outcome is recorded automatically. Your team gets a clear, auditable picture of what's happening with AI across the organization.

Every request. Evaluated. Logged.

Mandate sits inline between your users and AI providers. Every request is evaluated against your policy rules before it reaches any AI service. The audit record is written automatically: no manual logging, no gaps.

The synchronous path stays inside the latency budget of the AI call. Classification and deep audit enrichment run asynchronously, delivering evidence without adding delay to the user.

Mandate Policy Engine: decision outcomes

✓ Allow

Request forwarded to AI provider. Audit record written on the async path. No user-visible change.

⚠ Warn

Request forwarded. Employee notified of policy trigger. Event flagged in admin dashboard.

✂ Redact

Sensitive fields removed before forwarding. Employee sees redaction notice. Sanitized request reaches provider.

✕ Block

Request stopped. Employee receives a policy-compliant explanation. Request never reaches the provider.

Four components. One governance layer.

Each component has a single job. Together they give your security and compliance team the coverage, evidence, and control they need.

  • Connectors

    API gateway for application and developer traffic; network forward proxy for browser-based AI tools organization-wide. No client-side code distributed to employees. Traffic you route through Mandate is traffic Mandate can govern.

  • Policy engine

    Enforces your rules with outcomes you can document (allow, warn, redact, or block) based on configurable patterns including sensitive data, tool usage, and content classification. Rules are authored in YAML, version-controlled, and immutable after deployment.

  • Audit & usage records

    Structured events for every decision: who, what tool, what policy triggered, what action was taken, and when. Joined by correlation ID. Hash-chained for tamper evidence. Aligned to your retention and data minimization choices; prompt body retention is opt-in per tenant.

  • Admin experience

    Configuration, visibility into mediated traffic, and the operational controls your team needs to manage the program day to day, without requiring a dedicated analyst to make sense of raw logs.
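To make the policy engine and audit record components concrete, here is a small added illustration in Python. It is not Mandate's code: the rule fields (id, action, pattern, replacement), the severity ordering, and the audit record layout are this example's own assumptions. The rules are written as Python dicts standing in for the YAML a rule author would write, so the example runs without a YAML parser. Each request gets one of the four outcomes, and every decision is appended to a hash-chained log whose verify() reports the first record that no longer matches its chain.

```python
import hashlib
import json
import re
import uuid
from datetime import datetime, timezone

# Rules as an author might write them in YAML, loaded here as dicts so the
# example runs without a YAML parser. Field names are this example's own.
RULES = [
    {"id": "block-secrets", "action": "block",
     "pattern": r"(?i)\b(api[_-]?key|aws_secret_access_key)\s*[:=]\s*\S+"},
    {"id": "redact-card", "action": "redact",
     "pattern": r"\b\d(?:[ -]?\d){12,15}\b", "replacement": "[REDACTED-PAN]"},
    {"id": "warn-internal", "action": "warn",
     "pattern": r"(?i)\bconfidential\b"},
]
SEVERITY = {"allow": 0, "warn": 1, "redact": 2, "block": 3}


def evaluate(prompt, rules=RULES):
    """Apply every rule; the most severe action wins.

    Returns (outcome, text_to_forward, triggered_rule_ids). For a block the
    forwarded text is None: nothing is sent upstream.
    """
    outcome, text, triggered = "allow", prompt, []
    for rule in rules:
        if not re.search(rule["pattern"], text):
            continue
        triggered.append(rule["id"])
        if rule["action"] == "redact":
            text = re.sub(rule["pattern"], rule["replacement"], text)
        if SEVERITY[rule["action"]] > SEVERITY[outcome]:
            outcome = rule["action"]
    if outcome == "block":
        text = None
    return outcome, text, triggered


def _digest(record):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only list of decision records, each hashing the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, user, tool, outcome, triggered, correlation_id=None):
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {
            "correlation_id": correlation_id or str(uuid.uuid4()),
            "user": user, "tool": tool, "policies": triggered,
            "action": outcome, "ts": datetime.now(timezone.utc).isoformat(),
            "prev_hash": prev,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        return record

    def verify(self):
        """Return the index of the first broken record, or None if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev_hash"] != prev or _digest(rec) != rec["hash"]:
                return i
            prev = rec["hash"]
        return None


def mediate(user, tool, prompt, log):
    """One request through the engine: decide, then write the audit record."""
    outcome, text, triggered = evaluate(prompt)
    log.append(user, tool, outcome, triggered)
    return outcome, text


if __name__ == "__main__":
    log = AuditLog()
    for p in ["Summarize this memo",
              "Confidential: customer card 4111 1111 1111 1111 was charged twice",
              "debug this: api_key=sk-example-not-real"]:
        print(mediate("alice", "chatgpt-web", p, log))
    print("chain intact:", log.verify() is None)
```

The audit record deliberately stores the triggered rule ids and the action rather than the prompt body, which matches the page's point that prompt retention is a separate, opt-in choice. Editing any stored field breaks that record's hash, and editing a hash breaks the next record's prev_hash, so a tampered log fails verification at the earliest altered entry.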

What IT actually configures.

Each connector path requires a single configuration change. The full deployment for either path fits in an afternoon for one person. No client software distributed to employees.

  • API gateway path

    Change one base URL in your application or developer configuration. Requests that previously went to https://api.openai.com/v1 route to your Mandate gateway endpoint instead. Mandate forwards the request to the original provider using your BYOK provider key. No certificate changes, no network reconfiguration, no employee-facing changes.

  • Network forward proxy path

    Configure an explicit HTTPS proxy at the network level via PAC file, system proxy setting, or your existing network policy management tool. TLS inspection is required: Mandate decrypts HTTPS traffic to evaluate the request before re-encrypting and forwarding. Your IT team installs Mandate's CA certificate once; employee browsers and applications require no changes.

  • Coverage scope

    The API gateway path covers application and developer traffic routed through it. The forward proxy path covers browser-based AI tool usage across the organization. Both paths are available; organizations often start with one and add the other. Mandate enforces and logs what it sees; coverage reflects what you route through it.

  • Fail behaviour

    Fail-closed by default: if the Mandate Policy Engine is unreachable, requests are blocked rather than forwarded without governance. Fail-open configuration is available for organizations that require uninterrupted AI access during downtime. The choice is made and documented in writing at kickoff, before day one of the pilot.
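The fail-behaviour choice above is easy to state and worth seeing in code. The following added Python example is not Mandate's implementation; it assumes the policy engine is a callable that returns one of the four outcomes, that an exception or a call exceeding a time budget both count as "unreachable", and that every request is audited with a flag saying whether a real policy decision was made. Fail-closed turns an outage into blocks; fail-open forwards the request but records it as ungoverned so the gap shows up afterwards.

```python
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as EngineTimeout
import time


def mediate(request, engine, fail_mode="closed", timeout_s=0.5, audit=None):
    """Ask the policy engine for a decision; on outage apply the fail mode.

    engine(request) returns "allow"/"warn"/"redact"/"block" or raises
    ConnectionError. A call that exceeds timeout_s counts as unreachable.
    """
    if fail_mode not in ("closed", "open"):
        raise ValueError("fail_mode must be 'closed' or 'open'")
    audit = audit if audit is not None else []
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        outcome = pool.submit(engine, request).result(timeout=timeout_s)
        source = "policy"
    except (EngineTimeout, ConnectionError):
        outcome = "block" if fail_mode == "closed" else "allow"
        source = f"fail-{fail_mode}"
    finally:
        pool.shutdown(wait=False)   # never block the caller on a hung engine thread
    audit.append({"request_id": request["id"], "outcome": outcome,
                  "decision_source": source, "governed": source == "policy"})
    return outcome


# Constructed stand-ins for the engine in three states (not real services).
def healthy_engine(request):
    return "block" if "api_key=" in request["prompt"] else "allow"


def down_engine(request):
    raise ConnectionError("policy engine unreachable")


def hung_engine(request):
    time.sleep(0.5)          # answers, but far outside the latency budget
    return "allow"


def ungoverned_forwards(audit):
    """Requests that reached a provider without any policy decision."""
    return sum(1 for r in audit if r["outcome"] != "block" and not r["governed"])


if __name__ == "__main__":
    log = []
    req = {"id": "r-1", "prompt": "summarize this memo"}
    print("healthy:", mediate(req, healthy_engine, audit=log))
    print("down, fail-closed:", mediate(req, down_engine, audit=log))
    print("down, fail-open:", mediate(req, down_engine, fail_mode="open", audit=log))
    print("hung, fail-closed:", mediate(req, hung_engine, timeout_s=0.1, audit=log))
    print("forwarded without governance:", ungoverned_forwards(log))
```

The ungoverned_forwards count is the number an organization choosing fail-open should expect to report after an outage; with fail-closed it stays at zero by construction.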

What Mandate is not.

We're specific about what Mandate does so you can make an honest evaluation. Coverage is tied to what you route through Mandate's connectors.

  • Not a Secure Web Gateway

    Mandate is purpose-built for AI traffic governance, not a replacement for your existing SWG, SASE, or DLP tools for all enterprise traffic. It sits alongside them, covering the AI-specific gap they don't address.

  • Not a model or AI product

    Mandate is the governance and enforcement layer around how approved AI tools are used, not a "Canadian ChatGPT" or an AI model provider. Your team keeps using the tools they already use.

Governance that doesn’t show up as latency.

Mandate’s interactive path stays inside the latency budget of the upstream AI call. The policy decision happens inline. Everything else is async.

  • Synchronous path: policy evaluation only

    The inline path evaluates your policy rules and makes the allow / warn / redact / block decision. This is intentionally lightweight: no ML inference on the hot path by default. Your users don’t feel a governance tax.

  • Async path: classification, enrichment, deep logging

    ML classification, audit enrichment, and deep logging run after the response is delivered. The user gets their answer; the evidence is recorded in the background without adding to the round-trip.

  • Synchronous classification is opt-in

    Organizations that require synchronous ML classification for high-sensitivity workflows can opt in. This adds latency to those requests and is the right call for certain use cases. Most customers run without it.
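The synchronous/asynchronous split described in this section, as an added Python example that is not Mandate's code. It assumes the hot path is a handful of regular expressions, that classification is a slower call (simulated here with a sleep), and that enrichment results are written back into the same record after the response has been returned. The sync_classification flag models the opt-in: when set, the classifier runs inline and its cost lands on the request.

```python
import queue
import re
import threading
import time

# Hot-path checks: cheap pattern matches only, no model inference.
SECRET = re.compile(r"(?i)\b(api[_-]?key|password)\s*[:=]\s*\S+")
WARN = re.compile(r"(?i)\bconfidential\b")


def sync_decide(prompt):
    """Inline decision; this is all the user waits for."""
    if SECRET.search(prompt):
        return "block"
    if WARN.search(prompt):
        return "warn"
    return "allow"


def classify(prompt):
    """Stand-in for ML classification; the sleep models inference cost."""
    time.sleep(0.2)
    if re.search(r"\b(def|import|class)\b", prompt):
        return "source-code"
    if re.search(r"(?i)\b(salary|ssn|payroll)\b", prompt):
        return "hr-data"
    return "general"


class Mediator:
    def __init__(self, sync_classification=False):
        self.sync_classification = sync_classification
        self.records = {}
        self._queue = queue.Queue()
        threading.Thread(target=self._enrich_worker, daemon=True).start()

    def handle(self, request_id, prompt):
        """Return the decision plus a snapshot of the record at response time."""
        outcome = sync_decide(prompt)
        record = {"id": request_id, "outcome": outcome, "category": None}
        if self.sync_classification:
            record["category"] = classify(prompt)   # opt-in: pays the latency inline
        self.records[request_id] = record
        snapshot = dict(record)                      # what exists when the user gets the answer
        self._queue.put((request_id, prompt))        # enrichment continues off the hot path
        return outcome, snapshot

    def _enrich_worker(self):
        while True:
            request_id, prompt = self._queue.get()
            try:
                rec = self.records[request_id]
                if rec["category"] is None:
                    rec["category"] = classify(prompt)
                rec["enriched"] = True
            finally:
                self._queue.task_done()

    def drain(self):
        """Wait for pending enrichment (tests and orderly shutdown)."""
        self._queue.join()


if __name__ == "__main__":
    m = Mediator()
    t0 = time.perf_counter()
    outcome, snap = m.handle("r1", "import os\nprint(os.environ)")
    print(outcome, snap, f"inline {1000 * (time.perf_counter() - t0):.1f} ms")
    m.drain()
    print("after enrichment:", m.records["r1"])
```

The snapshot returned by handle() is what the user-facing path knows at response time: outcome set, category still empty. After drain() the same record carries the classification, which is the evidence the page describes as recorded in the background.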

Walk through your environment.
No marketing theatre.

We cover your connectors, data handling requirements, and success criteria in a first call. If a pilot is the right fit, we'll define what success looks like before we start.

contact@mandateco.ca  ·  1-905-630-1908