Governance Architecture
Roundtable is not just an AI chat platform — it's a governed AI operating system. Every cross-workspace interaction is authorized by a typed governance contract, authenticated by HKDF-derived cryptographic keys, and encrypted end-to-end with AES-256-GCM.
This page explains how the governance model works, how information flows through contract-controlled channels, and how the topology health engine monitors the entire system in real time.
Consolidated Governance Dashboard
All governance capabilities live on a single /governance page. The dashboard is laid out top-to-bottom:
- Governance Score — A 100-point score with letter grade (A+ to F)
- Topology Visualization — Interactive, node-reactive network graph
- Health Warnings — Collapsible card listing all detected governance issues
- Governance Contracts — Full contract list with create/approve/suspend controls
- Audit Trail — Scrollable, filterable event log with CSV export
There are no separate pages for contracts, bridges, or topology health — everything is consolidated in one view.
Contract-Governed Communication
Every connection between two workspaces is defined by a governance contract — a typed, versioned agreement that specifies exactly what actions are allowed, who must approve them, and what happens when something goes wrong.
Without a contract, workspaces cannot communicate. There is no default-open mode. The platform enforces a zero-trust posture where every cross-workspace interaction must be explicitly authorized.
┌──────────────┐ ┌──────────────┐
│ Pharmacy │──── No contract ────────────▶│ ICU │ ✗ Blocked
└──────────────┘ └──────────────┘
┌──────────────┐ MedicationRequest ┌──────────────┐
│ Pharmacy │══════════════════════════════▶│ ICU │ ✓ Allowed
└──────────────┘ (active contract) └──────────────┘
Contract Structure
Each contract defines:
| Field | Purpose |
|---|---|
| Type | The category of interaction (e.g., MedicationRequest, ComplianceReview, DataQuery) |
| Source → Target | Directional — who can initiate and who receives |
| Allowed Actions | Specific operations the source can perform (e.g., query, delegate, message) |
| Approval Required | Whether human approval is needed before execution |
| Prerequisites | Conditions that must be met (e.g., "source must have HIPAA training") |
| Escalation Target | Where to route if the action is denied or fails |
| Expiration | When the contract expires and must be renewed |
| Version | Incrementing version — each bump generates a new cryptographic key |
:::tip Contracts Are Cryptographic Each contract generates its own HKDF-derived encryption key. Revoking a contract instantly invalidates its key — there is no grace period, no cache to flush, no token to expire. The math stops working. :::
Five Governance Flows
Roundtable enforces five distinct governance flows across the workspace network. Each flow is secured by contracts and audited end-to-end.
1. Information Flow
Information flow defines what data can move where. Contracts are directional — Pharmacy can send medication data to ICU, but ICU cannot send patient vitals to Pharmacy unless a separate contract authorizes it.
┌──────────────┐
│ Executive │
└──────┬───────┘
│
┌──────┴───────┐
│ Contract │ ComplianceReview
└──────┬───────┘
│
┌────────────┼────────────┐
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Finance │ │ ICU │ │ Pharmacy │
└──────────┘ └────┬─────┘ └────┬─────┘
│ │
┌──────┴───────┐ │
│ Contract │ │
│ MedicationReq│────┘
└──────────────┘
Key properties:
- Information only flows along contract edges
- Each edge is encrypted with its own AES-256-GCM key
- The Executive can see all departments, but departments cannot see each other without explicit contracts
- Removing a contract immediately severs the information channel
2. Approval Flow
Some contracts require human approval before the AI can execute an action. This is critical in regulated environments where automated decisions must have human oversight.
Pharmacy AI ICU AI Human Approver
│ │ │
│── MedicationRequest ──────────▶ │ │
│ (approval_required: true) │ │
│ │── Approval request ──────────▶ │
│ │ │
│ │◀─ Approved ───────────────────│
│ │ │
│◀─ Medication list ─────────────│ │
│ │ │
Use cases:
- HIPAA: medication changes require physician sign-off
- Finance: trades above a threshold require compliance approval
- M&A: any cross-team communication requires legal review
3. Delegation Flow
Delegation is the core power of the governance model — one workspace's AI can delegate tasks to another workspace's AI, with the contract controlling what can be delegated.
Executive AI Analytics AI
│ │
│── "Summarize Q2 revenue by region" ──────────▶ │
│ (contract: DataQuery) │
│ (allowed: query, summarize) │
│ │── Queries BigQuery
│ │── Builds summary
│ │
│◀─ "Revenue summary: NA $12M, EU $8M..." ─────│
│ │
Delegation chains can span multiple hops, with each hop governed by its own contract:
Executive ──Contract──▶ Finance ──Contract──▶ Analytics ──Contract──▶ Data Warehouse
│ │ │ │
│ ComplianceReview │ DataQuery │ WarehouseAccess │
│ (delegate,query) │ (query,summarize) │ (read-only) │
Each hop adds its own contract enforcement. The Executive cannot bypass Finance to reach Analytics directly unless it holds its own contract with Analytics.
4. Escalation Flow
When an action is denied or fails, the escalation flow defines where the request goes next. This prevents dead ends and ensures critical workflows have fallback paths.
Pharmacy AI ICU AI Executive AI
│ │ │
│── MedicationRequest ─────▶ │ │
│ (denied: patient │ │
│ not admitted) │ │
│ │── Escalation ───────────▶ │
│ │ (contract.escalation │
│ │ = "executive") │
│ │ │── Reviews
│ │ │── Overrides
│◀─ Override: approved ─────│◀─ Approved ──────────────│
│ │ │
Escalation targets are defined in the contract, not decided at runtime by the AI. This ensures that escalation paths are predictable, auditable, and approved by governance administrators.
5. Audit Flow
Every governance action is logged immutably. The audit flow captures:
| Event | What's Logged |
|---|---|
| Contract created | Who created it, type, source, target, allowed actions, expiration |
| Contract approved | Who approved, timestamp, any conditions |
| Request sent | Source workspace, target workspace, contract ID, action type, timestamp |
| Request approved/denied | Approver identity, decision, reason |
| Escalation triggered | Original denial, escalation target, outcome |
| Contract expired | Contract ID, expiration timestamp, whether renewed |
| Contract revoked | Who revoked, reason, timestamp |
In the dashboard, the audit trail is presented as a scrollable panel (400 px max height) with category filter pills and CSV export. See Audit Trail below.
:::warning Encrypted Content Is Not Logged Message payloads are encrypted with AES-256-GCM and are never written to the audit log. The audit trail records that a request was made, what type it was, and whether it succeeded — but not the content of the message. This ensures compliance with data minimization principles. :::
Governance Score
The governance dashboard opens with a 100-point score and a letter grade (A+ through F). The score is computed client-side from the live topology and contract data — no additional API call is required.
Scoring Rubric
| Deduction | Points | Trigger |
|---|---|---|
| Critical issue | −15 each | Ungoverned bridges, expired contracts, multi-hop cycles |
| Warning | −5 each | General warnings (excluding unrestricted and SPOFs, which have their own deductions) |
| Expiring contract | −3 each | Contract expires within 30 days |
| Unrestricted contract | −5 each | A contract allows unrestricted bidirectional access (message + delegate both ways) |
| Single point of failure | −3 each | A workspace whose removal would disconnect the topology |
| Ungoverned bridge | −8 each | Bridge exists with no active governance contract |
| Coverage gap | −0.3 per % | Percentage of bridges without a matching contract (e.g., 10% gap = −3 points) |
Letter Grades
| Score Range | Grade | Color |
|---|---|---|
| 97–100 | A+ | 🟢 Green |
| 93–96 | A | 🟢 Green |
| 90–92 | A− | 🟢 Green |
| 87–89 | B+ | 🟡 Yellow-green |
| 83–86 | B | 🟡 Yellow-green |
| 80–82 | B− | 🟡 Yellow |
| 77–79 | C+ | 🟡 Yellow |
| 73–76 | C | 🟠 Orange |
| 70–72 | C− | 🟠 Orange |
| 60–69 | D | 🔴 Red |
| 0–59 | F | 🔴 Red |
The score ring and grade badge update in real time as contracts are created, approved, suspended, or expire.
:::tip Node-Scoped Score When a node is selected in the topology (see below), the score recalculates to reflect only the issues that affect that specific workspace. :::
Node-Reactive Dashboard
Clicking any workspace node in the topology visualization re-roots the entire dashboard around that node:
- Topology — The graph re-centers on the selected workspace and highlights its direct connections.
- Score — The governance score recalculates using only issues that affect the selected node.
- Health Warnings — The warnings card filters to show only issues involving that workspace.
- Contracts — The contract table dims rows that don't involve the selected workspace and highlights rows that do with an indigo left-border.
A "Viewing: <workspace>" indicator bar appears below the page header showing the selected node, its contract count, and its issue count. Click Clear Selection to return to the full-network view.
Health Warnings
The old static Health Status section has been replaced by a collapsible Health Warnings card. When issues exist, the card appears between the topology and the contracts table with a severity-tinted border (red for critical, amber for warning). It shows:
- A summary header with issue counts broken out by severity (critical / warning / info)
- Individual issue rows with severity icon, title, and description
- Auto-collapses to a single line when all issues are resolved ("Governance Health: All Clear")
The card is a <details> element — users can collapse it to save space.
What the Governance Engine Detects
| Check | Severity | What It Means |
|---|---|---|
| Ungoverned bridges | 🔴 Critical | Two workspaces can communicate without a governance contract — a policy violation |
| Expired contracts | 🔴 Critical | A contract has expired but the bridge still exists — communication is authorized but ungoverned |
| Circular governance paths | 🔴 Critical | Multi-hop contract cycle detected (e.g., A → B → C → A) — can create approval deadlocks |
| Unrestricted bidirectional access | 🟡 Warning | Both workspaces grant each other full access (message + delegate) in both directions |
| Single points of failure | 🟢 Info | Removing one workspace would disconnect others from the network |
| Expiring soon | 🟡 Warning | A contract will expire within 30 days — plan to renew or revoke |
| Unreachable workspaces | 🟡 Warning | A workspace with bridges is disconnected from the main network graph |
Audit Trail
The audit trail is displayed as a scrollable panel (max height 400 px) at the bottom of the governance page. It supports:
Category Filters
Filter pills narrow the audit view by event category:
| Filter | Matches |
|---|---|
| All | Every event |
| Contract | contract.created, contract.approved, contract.suspended, contract.deleted, contract.expired, contract.migrated |
| Bridge | bridge.message.sent, bridge.message.denied, bridge.delegation.sent, bridge.delegation.approved, bridge.delegation.denied |
| Approval | Any event containing "approved" or "denied" |
| Escalation | Any event containing "escalat" |
| System | org.*, member.*, workspace.* events |
CSV Export
Click ⬇ Export CSV to download the currently filtered audit entries as a CSV file. The export includes: Timestamp, Action, Badge, Primary detail, Secondary detail, Tertiary detail, and Actor email.
Industry Applications
The governance model maps directly to compliance requirements across regulated industries:
Healthcare (HIPAA)
┌──────────┐ MedicationRequest ┌──────────┐
│ Pharmacy │════════════════════▶│ ICU │
└──────────┘ └────┬─────┘
│
PatientReview
│
▼
┌──────────┐
│Executive │
└──────────┘
- Contracts enforce need-to-know access to patient data (PHI)
- Approval flows map to physician sign-off requirements
- E2E encryption ensures infrastructure cannot access PHI
- Audit trail satisfies HIPAA accounting of disclosures
Financial Services (SEC/MiFID II — Chinese Walls)
┌──────────┐ ┌──────────┐
│ M&A │─── No contract ───▶ │ Trading │ ✗ Wall enforced
└──────────┘ └──────────┘
│ │
ComplianceReview ComplianceReview
│ │
▼ ▼
┌──────────────────────────────────────────────┐
│ Compliance │
└──────────────────────────────────────────────┘
- No contract between M&A and Trading = cryptographic Chinese wall
- Both communicate through Compliance via separate contracts with separate keys
- Even infrastructure admins cannot read cross-wall communications (AES-256-GCM)
- Governance engine detects any attempt to create an unauthorized bridge
Defense & Intelligence (Need-to-Know)
┌──────────┐ ClassifiedBrief ┌──────────┐
│ Intel │══════════════════▶│ Command │
└──────────┘ └──────────┘
│ │
│ OperationalOrder
│ │
│ ▼
│ ┌──────────┐
│ │ Field │
└── No contract ────────▶│ Ops │ ✗ Need-to-know enforced
└──────────┘
- Intel can brief Command, but cannot reach Field Ops directly
- Command can issue orders to Field Ops via a separate contract
- Each contract has its own encryption key — compromise of one channel does not expose others
- Contract expiration enforces automatic access revocation
AI Alignment Reviews
Business and Enterprise plans include AI-powered governance alignment analysis against regulatory frameworks.
Supported Frameworks
| Framework | Focus Areas |
|---|---|
| HIPAA | Technical safeguards, administrative safeguards, organizational requirements, breach notification |
| SOC 2 | Trust services criteria (CC1-CC9, A1, C1, PI1) |
| FINRA | Supervision, books & records, business continuity, consumer privacy |
| Custom | Paste your own governance specification |
What Gets Analyzed
The AI reviews your actual architecture data — no message content, user PII, or file contents are sent:
- Workspace topology (names, statuses, connections)
- Contract configurations (types, permissions, expiration, escalation targets)
- Bridge governance (governed vs. ungoverned connections)
- Audit trail summary (action types, actor counts, coverage)
- Governance metrics (coverage percentage, active/pending/expired contracts)
Deterministic Scoring
Scores are computed deterministically from gap severities — the same architecture will always produce the same score:
| Gap Severity | Point Deduction |
|---|---|
| Critical | -15 |
| High | -8 |
| Medium | -4 |
| Low | -2 |
| Strength bonus | +2 each (max +10) |
Grade scale: 97+ = A+, 93+ = A, 90+ = A-, 87+ = B+, 83+ = B, 80+ = B-, 77+ = C+, 73+ = C, 70+ = C-, 60+ = D, below 60 = F
Rate Limits
| Plan | Reviews/Month |
|---|---|
| Team | Not available |
| Business | 3 |
| Enterprise | Unlimited |
PDF Export
Every report can be exported as a PDF with full scoring breakdown, gap analysis, recommendations, and the mandatory disclaimer.
Disclaimer: Alignment scores measure technical governance controls only. They do not constitute legal, regulatory, or compliance advice. Consult qualified counsel for compliance determinations.
What Roundtable Actually Is
Roundtable combines capabilities that enterprises currently buy from four separate vendors:
| Capability | Traditional Vendor | Roundtable |
|---|---|---|
| Governance workflows | ServiceNow | Contract types, approval flows, escalation paths |
| Authorization & access control | Okta / Azure AD | HKDF contract keys, per-contract permissions, zero-trust posture |
| Enterprise architecture | Ardoq / LeanIX | Topology visualization (Heraldry + Roundtable views), health monitoring |
| AI orchestration | Custom / LangChain | A2A protocol, multi-provider workspaces, tool routing |
The difference: these aren't four products bolted together. They're one architecture where governance, authorization, topology, and AI orchestration are the same system — enforced by the same cryptographic primitives, monitored by the same engine, and audited in the same log.
:::info For Enterprise Buyers If you're evaluating Roundtable for regulated workloads (HIPAA, SOX, MiFID II, ITAR), contact us for a security architecture review and a walkthrough of how governance contracts map to your compliance requirements. :::