Pre-execution interception
Every governed action is submitted to MURAQIB before it executes. Until a clearance decision is returned, the action does not reach the target system. There is no "allow by default" path around the gate.
The honest version
A clearing layer is only as trustworthy as the guarantees it can prove.
What OQIRON is: a pre-execution clearance engine that intercepts a proposed agent action, evaluates it against machine-readable policy, verifies authority, and emits an evidence record — before the action reaches an enterprise system.
What it enforces: the decision is binding. A blocked action cannot proceed; an escalated action waits for human authority. Enforcement happens in the action path, not in a report read after the fact.
What it is not: OQIRON does not own the models or the data stores it governs. Because it observes sensitive actions, it is designed to minimise what it retains: policy evaluation operates on action metadata and classifications, and the evidence record is the audit artifact — not a copy of your underlying data.
Enforced by architecture
Controls that can't be skipped, because they sit in the path.
The weakness of most AI governance is that it runs alongside execution: a dashboard, an after-the-fact audit, a policy nobody re-checks at runtime. OQIRON moves the control into the path the action must traverse.
Machine-readable policy gates
Policy is expressed as evaluable rules — not prose. The same gate evaluates the same way every time, removing the configuration drift and human inconsistency that policy documents invite.
Authority verification
Actions are checked against the authority level permitted to take them. An analyst-initiated action that requires board authority is escalated, not silently executed.
Human-in-the-loop as a primitive
Escalation paths, approval gates, and override controls are first-class parts of the clearance model — built into the decision, not bolted on as an external workflow.
Evidence integrity
Trace any governed action. Replay any clearance decision.
For a regulated institution, a decision you cannot reconstruct is a decision you cannot defend. Every clearance produces a tamper-evident record designed to stand up to an examiner months later.
Tamper-evident records
Each decision is recorded with a cryptographic evidence identifier. The chain is designed so that alteration is detectable — an audit artifact, not a mutable log line.
Full replay
Reconstruct exactly what was evaluated, which policy gates triggered, what the risk profile was, and why the decision landed where it did — action by action.
Regulator-ready packs
Evidence is exportable as a bilingual (Arabic / English) pack aligned to the jurisdictions in scope, so a compliance team hands an examiner a document, not a database query.
Data lifecycle
Your data. Your rules. Minimised at every step.
Because OQIRON evaluates sensitive actions, the safest design is to hold as little as possible. The lifecycle below is built around data minimisation and jurisdictional residency.
01 · Ingestion
Authenticated boundary
Action submissions arrive over authenticated, encrypted channels with schema validation at the edge.
02 · Evaluation
Metadata, not payloads
Clearance operates on action type, classification, jurisdiction, and authority — designed to avoid retaining the underlying business data itself.
03 · Residency
Gulf-hosted
Evaluation and evidence remain within the contracted jurisdiction. Residency is enforced per deployment, aligned to SAMA and NDMO expectations.
04 · Retention
Configurable
Evidence retention follows a configurable policy per institution and data type, with automated enforcement.
05 · Deletion
Programmatic purge
Records can be purged across storage and logs under a defined deletion policy, with the action itself evidenced.
Deployment boundary
The same enforcement posture, wherever it runs.
OQIRON is designed to sit at the institution's boundary without becoming a new exfiltration risk. The clearance model is identical across deployment environments.
Sovereign / on-premise
Deployed inside the institution's own environment for the most sensitive mandates. The action path and evidence never leave the institutional boundary.
Private regional cloud
Hosted on dedicated, Gulf-resident infrastructure with per-institution tenancy and isolation.
Hybrid
Evaluation distributed across environments with data residency enforced per jurisdiction and per workflow.
Standards & assurance
Stated honestly. Audited over time, not claimed up front.
OQIRON is early, and an institutional trust page is the wrong place to overstate. Below is the real posture — what is being pursued, and what is on the roadmap.
ISO/IEC 42001:2023
The AI management-system standard. OQIRON's governance and evidence model is being built to align with 42001; formal certification is in progress, not yet awarded.
ISO/IEC 27001
Information-security management. Targeted as the platform and operating discipline mature toward independent audit.
SAMA · NDMO · PDPL
The clearance and evidence model is designed around Saudi regulatory expectations for financial conduct, data management, and personal-data protection.
A note on honesty. We deliberately do not display compliance badges we have not earned. Where a certification is in progress or targeted, it is labelled as such. Full documentation of current controls is available to institutions under NDA as part of a governance review.
When something happens
One layer to own the response.
Because the clearance path is a single accountable component, incident response does not fragment across vendors.
Instrumented
The evaluation path is monitored, with anomaly detection across the clearance and evidence layers.
Root-cause ownership
One team investigates and remediates the clearance layer — no finger-pointing across a vendor chain.
Written review
Material incidents produce a documented review, remediation plan, and timeline shared with affected institutions.