The wake-up call

Your team is already using AI.
You just don't know which tools, on which data.

Devoudit is the observability layer for AI governance. Treat policy like production infrastructure — with SLOs, beacons, and an audit trail that can't be drafted in a Google Doc.

Free resource · PDF + editable templates
5 docs · 1,284 downloads

The AI Policy Starter Kit

Tool approval checklist, data classification, incident playbook, vendor DDQ, employee 1-pager. Zero to documented, one afternoon.

Trusted by teams at Northwind Cargo, Meridian Health, Ledger & Co., Orbital IT, Veridian Compliance
A policy beacon is to compliance what a health check is to a service.
  • 80% of unauthorized AI use is employees, not hackers
  • 12 AI tools the average mid-size company uses without a DPA
  • 4 mo median time a silent vendor ToS change goes unnoticed
  • 13 categories of prohibited AI use in the EU AI Act
What a policy actually is

A policy isn't a document.
It's a behavior that can be verified.

Most AI policies are PDFs nobody reads. The ones that work are rules with tooling attached — a signal that fires when the rule is followed, and an incident when it isn't.

Policy as documentation · Unenforceable

"Employees must not share proprietary data with external AI services."


  • Lives in a Notion page from 2023
  • No signal when it's violated
  • No audit trail when asked by legal
  • Nobody is actually responsible
Policy as infrastructure · Enforceable

"Beacon BCN-014 fires when PII is sent to any endpoint outside the approved-vendor list. SLO: 99.9%. Breach → incident."


  • Lives in the same system as your other SLOs
  • Alerts route to on-call, not to a mailing list
  • Every check produces a timestamped audit record
  • Ownership is a field, not folklore
Anatomy of a beacon

How a policy rule becomes a signal

lifecycle · 4 steps
01 · Declare

Write the rule as code. Bind it to a data class, an endpoint, and an SLO target.

beacon "pii.egress"
  slo 99.9
  owner @sec
02 · Instrument

Drop an agent at the egress. It watches without blocking. Small, boring, fast.

devoudit agent
  --watch egress
  --ruleset pii
03 · Verify

Every event produces a signed, timestamped signal. That signal is your audit trail.

bcn.fire(ok)
  at 2026-04-24T09:12
  sig 0x8f…ea
04 · Respond

Violation → on-call alert, incident, postmortem. Same muscle you already have.

alert routed
  pager · SEC-rotation
  status: triage

If your compliance program can't answer "was this rule active last Tuesday at 3pm?" — it's documentation, not policy.
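
An added example, not Devoudit's code: a minimal hash-chained, HMAC-signed signal log that can answer the "last Tuesday at 3pm" question and refuses to answer if any record was edited. The record fields, function names, demo key and the 300-second heartbeat window are assumptions made for illustration; the log entries are constructed.

```python
import hashlib, hmac, json
from datetime import datetime

KEY = b"constructed-demo-key"  # assumption: real deployments keep this in a KMS/HSM

def sign(event, prev_sig):
    """HMAC-SHA256 over the canonical event chained to the previous signature."""
    body = json.dumps(event, sort_keys=True).encode() + prev_sig.encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def append(log, beacon, ts, ok):
    """Append one signed signal; later edits or mid-log deletions break the chain."""
    event = {"beacon": beacon, "ts": ts, "ok": ok}
    log.append({**event, "sig": sign(event, log[-1]["sig"] if log else "")})

def verify_chain(log):
    """Return the index of the first record that fails verification, or -1."""
    prev = ""
    for i, rec in enumerate(log):
        event = {k: rec[k] for k in ("beacon", "ts", "ok")}
        if not hmac.compare_digest(rec["sig"], sign(event, prev)):
            return i
        prev = rec["sig"]
    return -1

def was_active(log, beacon, at, max_gap_s=300):
    """True if a verified signal for `beacon` landed within max_gap_s before `at`."""
    if verify_chain(log) != -1:
        raise ValueError("audit log failed verification; answer cannot be trusted")
    t = datetime.fromisoformat(at)
    ages = ((t - datetime.fromisoformat(r["ts"])).total_seconds()
            for r in log if r["beacon"] == beacon)
    return any(0 <= age <= max_gap_s for age in ages)

def attainment(log, beacon):
    """Fraction of this beacon's signals that reported the rule as satisfied."""
    recs = [r for r in log if r["beacon"] == beacon]
    return sum(r["ok"] for r in recs) / len(recs) if recs else 0.0

def sample_log():
    """Constructed signals around Tuesday 2026-04-21 15:00 UTC."""
    log = []
    for ts, ok in [("2026-04-21T14:50:00+00:00", True), ("2026-04-21T14:55:00+00:00", True),
                   ("2026-04-21T14:58:00+00:00", False), ("2026-04-21T15:10:00+00:00", True)]:
        append(log, "pii.egress", ts, ok)
    return log

if __name__ == "__main__":
    log = sample_log()
    print(verify_chain(log), was_active(log, "pii.egress", "2026-04-21T15:00:00+00:00"))
    log[2]["ok"] = True       # simulate an after-the-fact edit that hides a violation
    print(verify_chain(log))  # index of the tampered record
```

Anyone holding the HMAC key can re-sign a rewritten chain, and removing records from the tail goes unnoticed, so a log meant for a third-party auditor also needs asymmetric signatures and an externally anchored head.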

The SRE lens

Compliance is broken
because it's treated as documentation, not infrastructure.

Your SRE team already knows how to make abstract quality goals measurable and alertable. We've been doing it for uptime for fifteen years.

The bet behind Devoudit: the same muscle works for AI governance. Below, ten concepts your engineers already live by — and their 1:1 translation.

SRE concept | AI governance equivalent | In practice
----------- | ------------------------ | -----------
SLO | Policy compliance target | "Beacon X must be active on ≥99% of prod deploys"
Alert | Policy violation notification | Routes to on-call, not to a mailing list
Postmortem | Incident report | Blameless — the rule failed, not the person
Runbook | Remediation playbook | The steps to take when the beacon goes red
Health check | Policy beacon | A cheap signal that confirms the rule is live
Toil | Manual audit work | Screenshots, spreadsheets, chasing Slack DMs
Error budget | Acceptable policy drift | You get 0.1% — spend it on releases, not blind spots
Chaos engineering | Red-team AI misuse | Controlled exfil tests against your own beacons
On-call | Compliance rotation | Someone is responsible right now, and it's written down
Observability | Audit trail | If you can't query it, you don't have it

Familiar

Nothing new to learn

Your platform team already runs this playbook. We just wire it into your policy surface.

Measurable

Every rule has a number

If it can't be expressed as an SLO, it's an aspiration — not a policy.

Auditable

The log is the truth

Beacon events are signed, immutable, and queryable. Your auditor gets a URL, not a screenshot.

Early access · April 2026

We're building the observability layer for AI governance.

Design partners shape the beacon library. Two slots left in the current cohort.