Constitutional AI governance — enforced in your workflow, not just documented.
Mentis Governance is an enterprise AI governance operating system built on the MU2 framework. It enforces 110 constitutional laws on every AI-assisted engineering action across any integration surface — REST API, CLI, MCP-compatible client, or CI/CD pipeline — blocking unauthorized writes before they happen and recording every decision in a cryptographic evidence chain.
The governance engine is structured as an 8-layer cognitively-inspired control plane — with working memory, episodic learning, risk detection, and a Dual Process execution engine that routes ≥60% of governance decisions through a fast deterministic path in under 100 milliseconds. ISO 42001 substantially conformant. EU AI Act, SOC 2, HIPAA, GDPR, DORA modules included.
"Mentis Universal 2 is a governed AI engineering operating system. It does not build software — it governs the building of software." — MU2 README
AI agents are building your production systems.
Who is governing them?
95% of enterprise AI pilot deployments fail due to execution discipline gaps, not model capability (MIT 2025, 300 enterprise deployments). The problem is not what AI can do — it is that nobody enforces what it is allowed to do.
Governance that runs before the action — not after.
- A machine-enforced constitutional governance OS — works via REST API, CLI, MCP, or CI/CD, independent of any specific IDE or model
- A Pre-Action Gate that blocks every AI write or tool call violating constitutional rules — before execution, on any integration surface
- An Ed25519-signed, Merkle-chained evidence ledger producing regulator-ready cryptographic audit proof (AARM R7 isolated process)
- An 8-layer cognitively-inspired control plane with working memory, episodic learning, risk detection, and a Dual Process execution engine
- A Reflexion-loop learning system: every failure is captured, analyzed, and injected into the next session so it cannot repeat
- ISO 42001 substantially conformant. EU AI Act, SOC 2, HIPAA, GDPR, DORA compliance modules
- 23 autonomous governance agents running continuously — always-on governance team, not a session-only tool
What Mentis Governance is not:
- A GRC dashboard where governance is stated in policy documents. Governance stated in documents is theater — this is architecture.
- Locked to any single IDE or AI coding tool. "The adapter surface is what changes — not the laws." — CEAA
- An AI copilot, code generator, or chat tool. It governs AI tools — it is not one.
- Advisory-only — you can bypass it and keep shipping. It blocks. The framework is fail-closed by architecture.
- A post-hoc audit system you run before a compliance review. Governance runs before every action, always, including between sessions.
- A SOC 2 certification — it provides modules and evidence. Certification requires a third-party certification body engagement.
- A replacement for human engineering judgment. It enforces rules humans set — G0 gate always requires human approval.
A governance engine designed like a brain.
Mentis Governance is built on the Neural Governance Runtime — a cognitively-inspired control plane structured as 8 independent layers, each with a single responsibility. It perceives the repo state, routes attention, gates actions, maintains cross-session memory, runs continuous verification loops, and coordinates autonomous governance agents. The laws it enforces never change. The adapter surface that connects it to your workflow is what varies.
Software abstraction modeled after cognitive architecture patterns (CoALA arXiv:2309.02427, GWT arXiv:2604.08206, Reflexion arXiv:2303.11366). Not biological AI claims.
Executive Control (A): Task classification, long-horizon decomposition, scope declaration. Decides what the session is, sets the governance packet, and locks the autonomy ceiling. Nothing downstream can override it.
Attention/Routing (B): Intent → gate class → specialist prompt → tool subset. The routing layer selects which of 24 specialist roles receives the task, which gate applies, and which tool subset is authorized. Misrouted intent is blocked here.
Memory (C): Six memory types: Working (session context), Episodic (cross-session experience — hippocampal analog), Semantic (constitution + governance docs — permanent), Procedural (superprompts + failure patterns), Risk, and Project. No session starts blank.
Action Gating (D): G0–G6 gates applied at every action boundary. SOAR chunking analog: outcome feedback from completed actions strengthens the policy registry. Actions that failed at gate are recorded so they cannot be proposed again in the same session.
Continuous Verification (E): Five always-on governance loops running between sessions: daily repo health, PR change, deploy readiness, weekly reflection, product completion. These make the framework an always-on governance team — not a session-only tool.
Risk Detection (F): Autonomy Risk Score (ARS) and CUSUM drift detection. Triggers automatic escalation when deviation or risk accumulates. Metacognitive calibration authority issues CONTINUE, RETHINK, or ROLLBACK signals before the next action.
Reflection/Learning (G): Reflexion loop (arXiv:2303.11366): failures are captured, analyzed, and injected into the next session via ALEA (Active Learning Execution Architecture). The system learns what breaks your codebase and prevents recurrence without human intervention.
Governance Immune (H): Sanitization, integrity verification, injection defense, taint propagation. Blocks prompt injection, secret-file reads, privilege escalation, and output manipulation at the architectural boundary — before any agent can act on them.
Based on Global Workspace Theory — information becomes governance-complete when broadcast to all agents via the GWB. Selection-Broadcast Cycle: agents compete for attention, one broadcast is selected, all agents receive and integrate. 12 typed signed message types. Post-quantum hybrid signing in production (Ed25519 + ML-DSA-65).
arXiv:2604.08206
System 1 — fast, deterministic, ≥80% confidence: YAML policy evaluator, no LLM call, <100ms. System 2 — slow, LLM reasoning: novel, ambiguous, or high-blast-radius decisions. Target ≥60% via S1. Inspired by Kahneman dual-process theory and DPT-Agent (arXiv:2502.11882).
Dual Process Theory, arXiv:2502.11882
Three operating states — FOCUSED (nominal, S1 fast path), ALERT (elevated scrutiny +1 gate class), CRISIS (full S2, circuit breaker, immediate escalation). State transitions triggered by SARC violations, goal drift, taint blocks, or integrity failures. Inspired by dopamine/norepinephrine dynamics.
Biological neuromodulation model
Six-Type Memory Architecture — CoALA Mapping
Working memory: Active task context, declared scope, current gate, tool history. Compacted automatically (WMCP) when context budget approaches limit. Governed by CWMA authority.
Episodic memory: Instance-specific records of past sessions: what broke, what decisions were made, what patterns emerged. Written at session close. Retrieved at session start. Improves 13.4% over Mem0 in relevance (internal benchmark).
Semantic memory: Constitutional laws, governance authorities, compliance frameworks. The permanent institutional knowledge the framework enforces from.
Procedural memory: 24 specialist superprompts, failure pattern registry, session protocols. The behaviors and disciplines the framework enacts.
Risk memory: Active risk surfaces, current risks, risk ledger. Surfaces known-fragile files and patterns at session start so agents cannot unknowingly trigger them.
Project memory: Architecture decisions, subsystem knowledge packets (S01–S12), repo assessment state. The framework's understanding of your specific codebase.
Six steps. Every session. No exceptions.
Every governed AI engineering session follows the same protocol — from intent routing through session close and evidence finalization. The same protocol applies whether you connect via MCP, REST API, CLI, or CI/CD.
Install the MCP governance server or connect via GaaS REST API. Framework generates an integrity baseline (146 hashed files). Governance overlay configured for your repository. ~60 seconds from zero to governed.
Every task starts with intent routing. Natural language → task code + specialist superprompt + gate class. Governance packet defines: checklist categories, forbidden actions, loop limits, model policy. Routing runs in <100ms via S1 fast path when classification confidence ≥80%.
15-step Session Start Protocol: retrieve episodic memory, declare scope, load specialist, run integrity heartbeat, inject ALEA failure patterns. Agent knows what broke before — and cannot repeat it.
Before every write or tool call: PAG checks taint boundary, goal anchor, SARC constraints, loop limits, and 110 constitutional laws. Pass → execute and record. Block → halt with reason. Evidence appended either way.
Every gate resolution, decision, and session event appended to the Ed25519-signed WORM ledger. Merkle STH proof generated at session close. Audit sidecar (AARM R7 isolated process) is the sole write owner — tamper-evident by architecture.
21-step Session Closure Chain: invariant validation, compliance verify, quality score (SQS), evidence finalization, episodic memory write, ALEA update. Score drives next session's gate class. Neuromod state resets or escalates based on rolling 10-session SQS average.
Seven gate classes. Every action classified.
Every AI action is classified G0–G6 at intent routing time. Gate class determines how much autonomy the agent has and what approval is required. Classification is automatic — the agent cannot promote its own gate class.
Destructive, irreversible, or Tier-1 actions. Requires "APPROVED: [action] — [name] — [timestamp]" from a named human operator. Silence is not approval.
High-risk actions requiring approval before any execution begins. Gate closes until approval token is recorded in evidence chain.
Work proceeds autonomously but cannot be committed or deployed without approval checkpoint. Common for security-adjacent changes.
Semi-autonomous with mandatory checkpoints every 2 hours. Agent continues between checkpoints; operator reviews at each gate.
Standard feature work. Agent executes autonomously, notifies operator asynchronously. Evidence chain written at every decision point.
Low-risk read-only tasks (code review, documentation). Evidence still written. No approval needed.
Constitutional violation, evidence chain break, or integrity failure. Agent stops all execution. Operator must diagnose before any work resumes.
Governance law: Silence is not approval. If an operator does not explicitly approve a G0/G1 action, the framework does not proceed. The agent cannot interpret no response as yes.
Every session governed by FAANG-level engineering discipline.
Every governed engineering session in Mentis Governance automatically applies the relevant categories from the Enterprise Engineering Checklist (EEC) — 26 categories covering every dimension of production-grade software delivery. These are not aspirational guidelines. They reflect what senior engineering teams at the highest-scale organizations verify before shipping to production.
Categories are auto-selected per task type by the intent router — only the relevant disciplines are loaded for each session (e.g. schema changes trigger EEC-05 Database + EEC-22 Compliance; new features trigger EEC-01 through EEC-04 and EEC-07; security work triggers EEC-06 through EEC-09).
Research Basis — 12+ Standards
Intent declared before files opened, blast radius classified, CAP theorem chosen, ADRs created, rollback plan before irreversible change.
TypeScript interfaces before implementation, WCAG 2.1 AA accessibility, Core Web Vitals (LCP < 2.5s), no `any` types, XSS prevention, SRI hashes.
Parameterized queries only, idempotency on all writes, DLQ with exponential backoff, graceful shutdown, no PII in logs.
Schema-first (OpenAPI 3.1), OWASP API Security Top 10 2023 verified, semantic HTTP status codes, deprecation with 6-month notice.
Forward-only migrations, N+1 prevention, explain plan on queries >10K rows, GDPR deletion capability, RLS for multi-tenant data.
Auto-selected per task type by intent router. No session runs without the relevant engineering discipline loaded.
No category is aspirational. Every item reflects what a FAANG-level engineering team verifies before shipping to production. The EEC is compiled from 16 industry standards and applied automatically to every Mentis Governance session — not as a suggestion, but as a governance enforcement baseline. Sessions that fail checklist categories are scored accordingly in the Session Quality Score.
The full governance enforcement stack.
Every file write, schema change, deployment, and tool call is checked against 110 constitutional laws before it executes. Fail-closed. Silence is not approval. G0 gate class requires named human approval. Agent cannot self-promote its gate class.
Every governance decision, gate resolution, and session event is recorded in an append-only WORM JSONL file with Ed25519 digital signatures and SHA-256 hash chaining. Merkle STH proofs (RFC 6962) allow third-party verification. AARM R7 — isolated audit sidecar process owns all ledger writes.
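An added example, not Mentis or MU2 code: a minimal Python verifier for a SHA-256 hash-chained JSONL ledger with an RFC 6962 Merkle root, as described above. The field names (`seq`, `prev_hash`, `event`, `hash`), the all-zero genesis value and the sample events are assumptions made for illustration; Ed25519 signature checking is left out because it needs a third-party library.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry

def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical encoding of every field except 'hash'."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append(ledger: list, event: dict) -> None:
    """Append an event, binding it to the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"seq": len(ledger), "prev_hash": prev, "event": event}
    entry["hash"] = entry_hash(entry)
    ledger.append(entry)

def verify_chain(lines: list) -> int:
    """Return -1 if every link holds, else the index of the first bad line."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            return i
        if (not isinstance(e, dict) or e.get("seq") != i
                or e.get("prev_hash") != prev or e.get("hash") != entry_hash(e)):
            return i
        prev = e["hash"]
    return -1

def merkle_root(leaves: list) -> bytes:
    """RFC 6962 Merkle Tree Hash: 0x00 prefix for leaves, 0x01 for nodes."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return hashlib.sha256(b"\x00" + leaves[0]).digest()
    k = 1
    while k * 2 < n:  # largest power of two strictly below n
        k *= 2
    left, right = merkle_root(leaves[:k]), merkle_root(leaves[k:])
    return hashlib.sha256(b"\x01" + left + right).digest()

def tree_head(lines: list) -> str:
    """Root hash that a signed tree head would commit to."""
    return merkle_root([ln.encode() for ln in lines]).hex()

def build_sample() -> list:
    """Constructed sample ledger, one JSON document per line."""
    ledger = []
    append(ledger, {"action": "write src/app.ts", "decision": "PASS"})
    append(ledger, {"action": "drop table users", "decision": "BLOCK"})
    append(ledger, {"action": "read README.md", "decision": "PASS"})
    return [json.dumps(e) for e in ledger]

if __name__ == "__main__":
    lines = build_sample()
    head = tree_head(lines)
    print("intact:", verify_chain(lines))
    edited = json.loads(lines[1])
    edited["event"]["decision"] = "PASS"  # in-place edit of a recorded decision
    print("edited:", verify_chain([lines[0], json.dumps(edited), lines[2]]))
    print("truncated chain ok:", verify_chain(lines[:2]) == -1,
          "head matches:", tree_head(lines[:2]) == head)
```

A hash chain alone still accepts a truncated log; comparing the recomputed root against a previously published tree head is what exposes the missing entries.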
The governance engine is structured as an 8-layer cognitively-inspired control plane: Executive Control (A), Attention/Routing (B), Memory (C), Action Gating (D), Continuous Verification (E), Risk Detection (F), Reflection/Learning (G), and Governance Immune (H). Each layer operates independently — no circular delegation of authority.
Based on Global Workspace Theory (arXiv:2604.08206) — information becomes governance-complete only when broadcast via the GWB to all agents. Selection-Broadcast Cycle: Competition → Selection → Broadcast → Integration. 12 typed signed message types. In NG-21+: Ed25519 + ML-DSA-65 post-quantum hybrid signing.
System 1 (fast, deterministic, ≥80% confidence) routes decisions through the YAML policy evaluator — no LLM call. System 2 (slow, deep LLM reasoning) handles novel, ambiguous, or high-blast-radius decisions. Target: ≥60% of governance decisions via S1 fast path (<100ms). Governed by DPEE authority.
The same governance laws. Every integration surface.
Mentis Governance is not tied to any single IDE or AI tool. The adapter surface changes — the constitutional laws do not. Connect via REST API, CLI, MCP client, CI/CD pipeline, or Kubernetes — governance is uniform across all surfaces.
"Universal 2's governance is the same everywhere. The adapter surface is what changes — not the laws." — CEAA (Cross-Environment Adapter Authority)
POST /v1/gate — LLM-agnostic pre-action gate check from any HTTP client. POST /v1/route — intent → task code + specialist + gate class. GET /v1/tenant — tier info. Session lifecycle via /v1/session/*. Default port 8080. Auth: API Key (staging), DID + mTLS (production).
Primary integration surface: 57 governance tools via Model Context Protocol, compatible with any MCP client — including Cursor, Claude Code, VS Code, Codex, OpenCode, Claude Desktop, and custom tooling. The governance laws are the same across all clients. Only the adapter surface changes.
30+ command groups: u2 session, u2 gate, u2 policy, u2 compliance, u2 orchestrate, u2 memory, u2 benchmark, u2 ml. The CLI exposes the same governance layer as the MCP tools — run full sessions, gate checks, and compliance verification from any terminal without an IDE.
7 autonomous governance workflow files. governance-check.yml: build, audit, PR loop, daily loop (06:00 UTC), weekly reflection, integrity gate, red-team suites. autonomous-governance.yml: DriftDetector (02:00), SecurityScanner (01:00), DependencyScanner (Mon 03:00), ComplianceVerify (04:00 daily), BiasMetrics (Sun 05:00).
Production deployment via Helm chart: MCP server, API gateway, and dashboard deployments to Kubernetes. Each component runs as an independent Node process. Audit sidecar (AARM R7) is an isolated HTTP process on port 7432 — the sole write owner of the evidence ledger.
Air-gapped deployment mode: no telemetry unless MU2_OTEL_ENDPOINT is set. No call-home requirements. @mentis/policy-evaluator-wasm: portable ESM/CJS SDK bundle for embedding governance checks in any Node.js environment. OpenTelemetry OTLP span export for existing observability stacks.
Integration flow
Built for regulated industries.
Each compliance module includes authority documents, control mappings, and machine-readable policies that feed directly into the governance runtime — not a separate compliance portal.
Substantially conformant — internal audit IA-001. Full AI management system documentation: policy, risk register, management review, training records, NC log.
Annex VI self-assessment, Declaration of Conformity template, risk classifier for downstream operators. Enforcement deadline August 2, 2026.
Most CC controls compliant. Processing Integrity Policy, Business Continuity Plan, Incident Response Plan. Autonomous CI agents verify daily (04:00 UTC).
PHI scenario mapping, BAA guidance, access control policies. BAA available on Sovereign tier. Physical safeguards deferred to operator.
ROPA template, Art. 22 automated decision-making mapping, high-risk EU AI Act intersection documented. 72-hour breach notification workflow.
ICT third-party risk mapping for financial services. Incident classification, continuity requirements, ICT risk management framework.
62/72 subcategories covered (86%). MAP, MEASURE, MANAGE, GOVERN functions documented with MU2 control mappings.
A-01 through A-10 mapped and covered: prompt injection, memory poisoning, tool misuse, privilege escalation, output integrity, and more.
Research-backed pricing. Transparent from day one.
These are Mentis Governance managed service tiers — covering setup, configuration, compliance module delivery, SLA, and dedicated support. The underlying MU2 OSS framework is free at github.com. Credo AI and Holistic AI charge $50K–$600K/year with no published pricing. We publish ours.
- MCP governance server (35+ tools) — any MCP-compatible client
- GaaS REST API (/v1/gate, /v1/route) for headless integration
- Pre-Action Gate enforcement on all AI writes
- Ed25519-signed evidence ledger with SHA-256 hash chain
- Session Quality Score + ALEA failure-pattern learning
- EU AI Act + ISO 42001 compliance modules
- 24 specialist superprompts — intent-routed automatically
- Episodic memory across sessions
- 99.5% SLA · 48-hour support response
- All 57 MCP tools + full GaaS REST API
- All 6 compliance modules (EU AI Act, ISO 42001, SOC 2, HIPAA, GDPR, DORA)
- Merkle STH proofs — RFC 6962 tamper-evident ledger
- Multi-agent coordination (MACA) + Global Workspace Bus
- 23 autonomous governance agents (continuous loops)
- GitHub Actions autonomous governance workflows (7 files)
- SSO integration + Kubernetes/Helm deployment
- Agent Passport + Taint Propagation + Neuromod states
- 99.9% SLA · 24-hour support · Dedicated Slack channel
- Everything in Enterprise
- White-label constitutional framework under your brand
- Dedicated VPC or on-premises deployment
- Custom constitutional amendments (legal + engineering review)
- SPIFFE/SVID + Ed25519 + ML-DSA-65 post-quantum agent identity
- Business Associate Agreement (BAA) for HIPAA contexts
- Annual security review + penetration test report
- Air-gapped deployment — no call-home requirements
- 99.95% SLA · 4-hour response · Dedicated engineering support
OSS Framework — Always Free. Self-host MU2 with evidence ledger, EU AI Act tools, CLI, GaaS REST API, and GitHub Actions workflows. No SLA or managed support. No credit card required. github.com/BespokeMentis/mu2-framework
Enforcement vs. documentation.
| Capability | Mentis Governance | GRC Platforms (Credo AI, Holistic AI) | Basic Tooling (Git, linters) |
|---|---|---|---|
| Governance enforcement model | Pre-action gate — blocks before execution | Post-hoc audit and documentation | None |
| Audit evidence standard | Ed25519-signed Merkle-chained ledger (AARM R7) | Policy attestations and checklists | Git commits and logs |
| Constitutional law enforcement | 110 laws compiled into machine-readable runtime | Framework alignment templates | None |
| Cognitive architecture | 8-layer NGR: memory, learning, risk, immune | Not applicable | None |
| API / IDE independence | GaaS REST, CLI, MCP (any client), K8s, SDK | Separate platform, web UI only | None |
| Cross-session learning | ALEA + episodic memory — failures never repeat | Manual policy updates | None |
| Always-on governance loops | 5 continuous loops + 23 autonomous agents | Scheduled audits | None |
| ISO 42001 posture | Substantially conformant (audit IA-001) | Compliant (varies by vendor) | Not covered |
| EU AI Act readiness | Annex VI self-assessment + conformity decl | Guidance documents | Not covered |
| Entry price point | $0 OSS / $36K/yr Foundation managed | $50K–$600K+/yr (Credo AI, Holistic) | Free (no governance) |
Verified May 2026. Competitor capabilities based on public documentation and independent research.
For every leader accountable for AI outcomes.
Governed AI-assisted SDLC with audit-ready evidence. Quality floor enforced across every session. Consistent behavior regardless of which tool, model, or environment your team uses.
ISO 42001, EU AI Act, SOC 2, HIPAA, GDPR, DORA modules built in. Cryptographic proof regulators will accept. No separate audit prep sprint — evidence is always current.
OWASP Agentic AI Top 10 covered. Agent Passport + Taint Propagation. Neuromod CRISIS state triggers circuit breaker. Pre-Action Gate blocks security boundary violations before they happen.
CI governance loops, SLSA supply chain, 7 autonomous GitHub Actions workflows, Helm/Kubernetes deployment. Governance as code — the same laws in every environment.
OSS tier free to start. GaaS REST API and CLI from day one. Upgrade to Foundation when you need compliance posture for enterprise deals. Air-gapped deployment for sensitive sectors.
White-label constitutional framework under your brand. Dedicated VPC or on-prem. Custom constitutional amendments. SPIFFE/SVID + post-quantum ML-DSA-65 agent identity for zero-trust multi-agent systems.
Quantifiable. Not marketing claims.
Common questions, direct answers.
Is this only for Cursor users?
How is this different from Credo AI or Holistic AI?
What is the "cognitively-inspired" architecture?
What does ISO 42001 substantially conformant mean?
What happens at G0 gate — can the AI proceed?
Can we white-label the framework?
Ready to govern your AI agents constitutionally?
Book a governance assessment. We audit your current AI engineering workflow, identify where governance gaps create compliance and quality risk, and recommend the right tier and integration surface for your organization.
info@bespokementis.com · OSS framework free · REST API from day one · No credit card required to start
