NNeoVailBook Demo
DESIGN PARTNER ACCESSSelf-hosted and NeoVail Cloud deployment paths under review
// runtime ai governance

Runtime Trust for Enterprise AI

NeoVail helps enterprises govern models, agents, MCP servers, and AI infrastructure through regional control planes, customer-local Sentinel enforcement, and audit-supporting evidence.

// runtime decision streamlive · illustrative
ALLOW
claude-code/build-botfs.read on repo://services/billing/**
policy=prod.runtime.v3 · ev_8f2c41
APPROVAL
codex/refactor-agentmcp.github.commit on repo://acme-payments/main
policy=prod.runtime.v3 · ev_9a10b7
WARN
cursor/cli-1.3shell.exec on sandbox://node-22
policy=prod.runtime.v3 · ev_77d0e2
DENY
gemini-cli/ops-77mcp.cloud.iam.review on cloud://prod/iam-review
policy=prod.runtime.v3 · ev_c3f9d8
SIMULATE
codex/refactor-agentfs.write on repo://infra/terraform
policy=prod.runtime.v3 · ev_1b64aa
Runtime enforcement
policy decisions before execution
MCP governance
discover · classify · bind
Human approvals
expiry · escalation
AI Asset Graph
agents · tools · models
Audit evidence
EU AI Act-ready
Enterprise identity
OIDC · SCIM · managed identity

// the new attack surface

AI agents are no longer generating text. They are taking actions — in your environment, right now.

Tool calls, credentials, files, workflows, and regulated systems need decisions before execution — faster than governance, audit, and runtime enforcement can keep up.

UNKNOWN RUNTIME STATEAGENT ACCESS SPRAWLNO EVIDENCE TRAIL

Unknown runtime state

Model registries and policy documents rarely prove what is actually running inside customer environments.

Agent access sprawl

MCP servers can expose powerful tools, but agent-side permission prompts are not a reliable enterprise control boundary.

Audit evidence delays

Regulated teams need evidence that reflects current runtime state, not spreadsheets assembled after an incident.

// the answer

A control plane for the full AI runtime.

NeoVail connects inventory, policy, enforcement, and evidence into a single system of record. The public website, control plane, intake, and customer-local enforcement stay on separate surfaces.

// runtime architecture

Surfaces, boundaries, and the path between them

Public01
neovail.com and www.neovail.com

Public website

Static marketing pages, legal notices, trust pages, and demo entry points.

Governed02
app.neovail.com

Regional control plane

Policy administration, AI asset graph, evidence review, and customer workflow management.

Intake03
ingest.eu.neovail.com

Regional ingestion

Sentinel telemetry intake with customer-selected residency, handling, and retention rules.

Local04
Sentinel + models + agents + MCP servers

Customer environment

Local enforcement boundary where verification, policy checks, and blocking happen before actions proceed.

Website isolated from control planeRegional intake boundaryCustomer-local enforcement

// runtime decision

Every action gets a decision: allow, warn, deny, require approval, or simulate.

NeoVail evaluates tool, identity, risk, policy, and runtime context in the same hop. The decision is bound to the policy version that made it and to the evidence record it produces.

ALLOW

Action executes immediately with identity and evidence attached.

WARN

Action proceeds with a flagged record for review.

DENY

Action is blocked before a tool, credential, or model is touched.

APPROVAL

Routed to approvers with expiry and escalation.

SIMULATE

Dry-run outcome and side effects captured first.

// product truth

Runtime state and its evidence, side by side.

The console shows what is running and what was decided. Every decision mints an evidence record bound to identity, policy version, and runtime context.

Nacme-platformprod
Runtime / Decisions / Last 1h

Runtime decisions

live · 12 envs · 38 agents
FilterNew policy
Allowed
14,208
+2.1%
Warned
312
+0.4%
Denied
46
-12%
Awaiting approval
7
3 escalated
Decision streamhealthy
ALLOW
claude-code/build-botfs.read on repo://services/billing/**
policy=prod.runtime.v3 · evidence ev_8f2c41
2c41
APPROVAL
codex/refactor-agentmcp.github.commit on repo://acme-payments/main
policy=prod.runtime.v3 · evidence ev_9a10b7
10b7
WARN
cursor/cli-1.3shell.exec on sandbox://node-22
policy=prod.runtime.v3 · evidence ev_77d0e2
d0e2
DENY
gemini-cli/ops-77mcp.cloud.iam.review on cloud://prod/iam-review
policy=prod.runtime.v3 · evidence ev_c3f9d8
f9d8
SIMULATE
codex/refactor-agentfs.write on repo://infra/terraform
policy=prod.runtime.v3 · evidence ev_1b64aa
64aa
// evidence recordillustrative · redacted
{
  "evidence_id": "ev_c3f9d8",
  "verdict": "deny",
  "agent": "gemini-cli/ops-77",
  "action": "mcp.cloud.iam.review",
  "policy": { "id": "prod.runtime.v3", "hash": "b58c…e01f" },
  "runtime": { "host": "gpu-07", "model": "llama-3.1-70b", "precision": "fp8" },
  "signature": "ed25519:9f4d…77aa",
  "chain": { "prev": "ev_77d0e2", "seq": 48122 }
}

// mcp governance

MCP access enforced at the gateway, not by agent promises.

NeoVail treats MCP servers as governed enterprise assets with identity-aware access, gateway-based allow and deny decisions, and a full audit trail.

Server registry

Track approved MCP servers, ownership, risk, and allowed environments.

User and group access

Map access to enterprise users and groups instead of relying on local agent configuration.

Gateway decisions

Enforce allow and deny policy before tools are invoked.

Audit trail

Record who attempted what, through which agent, against which server, and why it was allowed or blocked.

17+
model-serving runtimes detected
vLLM · NIM · Triton · TGI · Ollama · more
ed25519
signed Sentinel heartbeats
verifiable audit trail
1 round trip
decision and evidence together
no second reporting pipeline
0
customer data on this website
public surface stays public

// integrations

Built for the identity, runtime, and tooling enterprises already run.

NeoVail meets your environment where it lives: frontier model APIs, local model servers, agent CLIs, MCP gateways, identity providers, and compliance pipelines.

Identity

OIDC · SCIM · groups

WOWorkOS
OKOkta OIDC
AZAzure AD
SCSCIM 2.0

AI runtimes

frontier + local

OPOpenAI
ANAnthropic
BEBedrock
LOLocal models

Agent tools

CLI + IDE agents

CLClaude Code
COCodex
CUCursor
COCopilot CLI

MCP

servers · gateways

MCMCP servers
GAGateways
TOTool registries
ADAdapters

Notifications

inbox + chatops

SLSlack
EMEmail
WEWebhooks
PAPagerDuty

Compliance

evidence + exports

EUEU AI Act
DODORA
AUAudit exports
SISIEM

// compliance and security

Evidence built for the teams who approve AI in production.

NeoVail is designed to support EU AI Act readiness work, DORA-aligned evidence workflows, regional control planes, customer-local runtime telemetry, and audit evidence exports. These statements describe product intent and should not be read as a legal certification or regulatory conformity assessment.

Designed to support EU AI Act workflowsDesigned to support DORA evidence workflowsRegional data residency

Regional tenancy

Control planes designed around regional deployment and residency requirements.

Customer-local Sentinel

Runtime checks and enforcement run near customer models, agents, and MCP servers.

Default-deny posture

Unknown tools and unbound MCP servers can be blocked before execution.

Least privilege

Access decisions can include users, groups, tools, scopes, environments, and policy versions.

Audit evidence

Every decision links identity, policy, runtime context, and outcome into an exportable record.

Website separation

The public site stores no customer evidence, secrets, telemetry, or enforcement state.

// start small

Start with a 2–4 week read-only pilot.

A fixed-fee runtime inventory and drift pilot in your environment. Read-only by architecture, evidence-grade deliverables, no platform commitment.

See the Pilot

Book a NeoVail demo

See how NeoVail governs models, agents, MCP servers, and runtime evidence across enterprise AI environments.

Book a Demo