๐Ÿฎ PUDDING

Provable Unified Data-Driven Intelligent Normative Governance

The open-source compliance and governance framework for agentic AI

The proof is in the PUDDING.

The Problem

AI agents are proliferating.
The governance layer is not.

Every day, thousands of AI agents are deployed with access to sensitive data, critical systems, and real-world actions. Most operate with zero compliance oversight.

No Data Sovereignty

Sensitive data flows through third-party AI services with zero governance or control.

No Audit Trail

When something goes wrong, there is no provable record of what happened or why.

No Unified Standard

Every organization reinvents compliance. There is no shared framework for agentic AI.

What is PUDDING?

A governance layer that proves compliance,
not just promises it.

Local-First

Your data never leaves your infrastructure. Governance happens at the edge, not in the cloud.

Provable Compliance

Hash-chained audit logs create tamper-evident proof that policies were enforced.

Open Standard

Community-driven, open-source framework. No vendor lock-in, no black boxes.

Agent Agnostic

Works with any AI agent, any LLM provider, any orchestration framework.

Architecture

One layer between
your agents and the world.

PUDDING sits between your AI agents and external services, enforcing policies, sanitizing data, and creating tamper-evident audit trails for every interaction.

AI Agents

LLM Agent, Code Agent, Data Agent, Custom Agent

PUDDING Governance Layer

Policy Engine, Data Sanitizer, RAG/Memory, Audit Logger, Rules Engine

External Services

APIs, Databases, LLM Providers, Cloud Services

Features

Everything you need for
agentic AI governance.

Policy Engine

Declarative YAML policies that define exactly what your AI agents can and cannot do.

Data Sanitizer

PII/PHI detection across 80+ data types and 12 regulatory frameworks. Real-time scanning.

RAG/Memory Layer

Local vector store with governed memory. Full control over what your agents remember.

Audit Logger

Tamper-evident, hash-chained logs with optional blockchain anchoring for maximum trust.

Rules Engine

HIPAA, SOC 2, FedRAMP, GDPR, NIST, and custom compliance rule sets out of the box.

Verification Modes

Local, distributed, and public anchor verification. Choose your trust model.

Policy as Code

Declarative. Readable.
Enforceable.

Define your compliance policies in simple YAML. PUDDING enforces them automatically across every agent interaction, every time, with full audit trails.

pudding-policy.yaml
policy:
  name: healthcare-agent
  standard: HIPAA
  rules:
    - action: block
      condition: contains_phi
      targets: [external_llm, third_party_api]
    - action: redact
      condition: contains_pii
      fields: [ssn, dob, address]
      targets: [external_llm]
    - action: allow
      condition: sanitized
      targets: [all]
  audit:
    level: full
    retention: 7_years
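As an added example (not PUDDING's own code), the following Python shows one way the policy above could be enforced and how the hash-chained audit log described under Audit Logger makes edits to past records detectable. It assumes first-match, default-deny rule semantics, that a sanitizer has already produced the condition flags, and a SHA-256 record layout; none of these are defined on the page.

```python
import hashlib, json

# The pudding-policy.yaml shown above, written as a Python dict so this runs without PyYAML.
POLICY = {
    "name": "healthcare-agent", "standard": "HIPAA",
    "rules": [
        {"action": "block", "condition": "contains_phi", "targets": ["external_llm", "third_party_api"]},
        {"action": "redact", "condition": "contains_pii", "fields": ["ssn", "dob", "address"],
         "targets": ["external_llm"]},
        {"action": "allow", "condition": "sanitized", "targets": ["all"]},
    ],
}
GENESIS = "0" * 64  # prev-hash of the first audit record (assumed convention)

def evaluate(policy, target, flags, fields):
    """First matching rule wins and no match means deny (assumed semantics).
    flags: conditions a sanitizer already detected, e.g. {"contains_pii"}; fields: the outbound payload."""
    for rule in policy["rules"]:
        if rule["condition"] in flags and (target in rule["targets"] or "all" in rule["targets"]):
            if rule["action"] == "redact":
                return "redact", {k: ("[REDACTED]" if k in rule["fields"] else v) for k, v in fields.items()}
            return rule["action"], (fields if rule["action"] == "allow" else None)
    return "block", None

def record_hash(rec):
    # Hash every field except the hash itself; sort_keys gives a canonical encoding.
    body = json.dumps({k: v for k, v in rec.items() if k != "hash"}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append_audit(chain, entry):
    """Append a record whose hash also covers the previous record's hash."""
    rec = {"prev": chain[-1]["hash"] if chain else GENESIS, **entry}
    rec["hash"] = record_hash(rec)
    chain.append(rec)
    return rec

def verify_chain(chain):
    """True only if every record's hash is intact and links to its predecessor."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != record_hash(rec):
            return False
        prev = rec["hash"]
    return True
```

Changing, deleting or reordering any earlier record breaks the link that every later record commits to, which is what makes the log tamper-evident rather than merely append-only.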

Regulatory Coverage

Built for the frameworks
that matter.

HIPAA, SOC 2, FedRAMP, GDPR, NIST AI RMF, PCI-DSS, FERPA, CCPA, CUI/ITAR, Custom

Open Source

The proof is in the code.
Every line is open for inspection.

PUDDING is licensed under AGPL-3.0. We believe compliance infrastructure should be transparent, auditable, and community-driven. No black boxes. No trust-us promises.

Roadmap

Where we are going.

Phase 1 - Q1 2026

Core Framework

Policy engine, data sanitizer, audit logger, and compliance rules engine.

Phase 2 - Q2 2026

Open Source Launch

Public repository, documentation, community building, and early adopter program.

Phase 3 - Q3-Q4 2026

Premium Services

Enterprise support, managed compliance, advanced analytics, and custom integrations.

Phase 4 - 2027

Standard Adoption

Industry partnerships, certification programs, and regulatory body engagement.

Team

Built by builders.

Brett Ball

Security & Compliance Architecture

Keenan Tipton

Agent Orchestration & Platform

Built in Huntsville, AL by 10X Foundation