AI that defends itself in front of the regulator.

Modir’s AI orchestrator is a separate sidecar — Python, FastAPI, LangGraph, NeMo Guardrails, Langfuse — that takes a structured request, walks it through a graph, and returns a structured response. Five graphs ship today: briefing (pre-meeting brief), commentary (locale-aware portfolio narrative), nba (next-best-action ranked suggestions), triage (service-request classification), and suitability_draft (compliance review draft). Each is opinionated about its inputs, its tools, and its output schema.

Every node in every graph is wrapped: input guardrails redact PII (regex for SSN, IBAN, Iqama, NIN), reject jurisdictionally inappropriate prompts, and confirm the actor’s role; OPA’s ai_actions package gates any tool call that would mutate state; output guardrails check toxicity, hallucination heuristics, and locale conformance; Langfuse captures the full trace span with token counts and cost. LiteLLM is the single LLM gateway — it routes to Anthropic Claude or OpenAI by default, enforces per-tenant rate limits and budget caps in Redis, and lets sovereign tenants pin a private model endpoint instead.

The hardest case is the mutation case. When AI suggests “open a service request” or “draft a suitability narrative for compliance review,” the suggestion does not run as the AI’s identity. Instead, it produces an AIInteraction row with status='pending_approval', and an aiInteractionWorkflow waits for a human approval signal. On approval, the actual mutation runs as an ordinary API call from the approving user’s identity — the audit log shows the human, with metadata.aiInteractionId linking back to the AI source. The regulator sees what a regulator should see: a human signed it, a human is responsible.

RAG is per-tenant. Embeddings live in pgvector, scoped by tenant_id at index time. At retrieval time, every chunk is checked against OPA data_access with the requester’s relationships from OpenFGA. A chunk the requester cannot read in the database, they cannot read in the AI either. There is no privilege escalation through retrieval.