Route through Wingbase.
Your agent's model and tool calls pass through Wingbase using your models and your data plane.
THE PROBLEM
Your agent works. Approving it is the hard part.
Regulated buyers are moving AI agent prototypes toward deployment. The compliance bar is rising with them. A reviewer needs to know what the agent did, which model and prompt version it used, which data and tools it touched, which policies ran, who approved consequential actions, and whether the whole workflow can be retained, inspected, and validated.
Most teams try to assemble that from runtime logs, observability traces, gateway records, screenshots, access-control exports, and consultant-written validation documents. The assembly is slow, expensive, and hard to defend in a Quality or security review.
HOW IT WORKS
One governance layer for all agent actions.
Capture signed evidence.
Every call records prompt and response hashes, model and prompt versions, policy outcomes, latency, retention metadata, and human sign-offs for consequential actions.
Export a reviewable evidence pack.
Workflow-specific evidence packs export the artifacts a Quality, Regulatory Affairs, or security reviewer can sign. 21 CFR Part 11 first; NIST AI RMF and FedRAMP next.
THE ARTIFACT
What's in the pack.
A workflow-specific bundle a reviewer can read, critique, and sign. Built from signed events captured during the workflow's actual execution.
Artifactcaptured
Signed events
Hashed prompt and response, model ID, tool calls, timestamps, event hash chain.
evt_a4f9...Artifactcaptured
Model + prompt versions
Which model, which prompt template, which version, for every call.
model_id · prompt_v3.2Artifactcaptured
Sign-off records
Who approved which consequential action, when, with what context.
approver · tsArtifactcaptured
Policy outcomes
Which policies ran, what they decided, why.
pol.partXI.efs · passArtifactcaptured
Retention & tenancy
Retention windows, tenant boundaries, export controls.
7y · us-gov-eastArtifactcaptured
Workflow lineage
Output traced back through model, prompt, tool, and data inputs.
traceId · rootEvidence PackWorkflow · phi-redactorTenant · acme-rd-prod
Signed events
evt_a4f9Request received · user jane.lopez@nih.govsha256:9af3...21d4
evt_b127Policy match · redact-phi-v3 · matched 2 rulessha256:c4e1...87f2
evt_c8d3Redaction applied · 2 spans · MRN-0042sha256:1b9e...df04
evt_d4a1Model call · claude-3.5-sonnet · 2471 in / 612 outsha256:7af2...0c91
evt_e7f5Audit log written · immutablesha256:9af3...21d4
WHO IT'S FOR
Built for regulated AI deployments.
Customized to your workflow and compliance requirements.
For applied AI leads working alongside Quality, Regulatory Affairs, CSV, and validation teams.
Compliance frameworks we map to:
21 CFR Part 11GMP / GxPCSV / validationQuality audit trail
Typical workflows:
Research records, protocol operations, lab documentation, regulated decision support.
For Chief AI Officers, mission owners, and CISOs deploying agents in mission operations, grant review, FOIA, case management, and citizen services.
Compliance frameworks we map to:
NIST AI RMFFedRAMP-aligned architectureNIST 800-53ATO / Authorizing Official review path
Typical workflows:
Mission ops support, grant review, FOIA, case management, audit, citizen services.
COMPLIANCE ROADMAP
Where we are. Where we're going.
Wingbase supports, maps to, and produces evidence for compliance obligations. Customer counsel, auditors, and regulators make final determinations.
FrameworkStatusWhat's liveTimeline
21 CFR Part 11In progressEvidence pack v1, electronic signature, audit trail controlsH1 2026
NIST AI RMFIn progressControl mapping v1, evidence map for federal pilotsH1 2026
FedRAMPPlannedArchitecture aligned for FedRAMP Moderate2026+
SOC 2 Type IIn progressReadiness underwayH2 2026
SOC 2 Type IIPlanned2027
ISO 27001Planned2027
EU AI Act (Annex IV)PlannedEvidence-pack mapping when customer demand appears2027
FDA GMLP alignmentPlanned2027+
Status reflects current product and compliance program scope. Wingbase produces evidence to support customer audits and regulatory determinations; it does not replace customer counsel, internal Quality review, or auditor judgment.
Wingbase is built by a team of engineers and compliance experts from regulated, cleared industries. We've spent years building the audit, access, retention, and validation layers that other teams treat as someone else's problem.
Every AI agent moving toward production in a regulated workflow eventually runs into the same wall: a Quality, Regulatory Affairs, or security reviewer who can't approve what the agent did. We're building the layer underneath that makes the answer easy to defend.
More about the team and our investors at launch.
POWERED BY OPEN SOURCE
Wingman, the open agent runtime.
Wingbase is built on Wingman, our open-source agent runtime. The core execution layer is auditable in the open. Wingbase adds the governance, signed evidence, and compliance pack on top.
wingman.actorwingman · v0.9.4
$ wingman run phi-redactor --pack part-11
// resolving model + prompt bindings
resolved claude-3.5-sonnet@20241022
resolved prompt phi-redactor-system v3.2.1
// 3 policies attached
✓ pol.partXI.efs pass
✓ pol.partXI.audit pass
✓ pol.hipaa.phi 2 spans redacted
✓ evidence pack sealed sha256:9af3...21d4
$ _
FAQ
Questions reviewers ask first.
Wingbase is the governance product and runs on Wingman, our runtime and harness. Your agent routes model and tool calls through Wingbase. You keep your existing models, contracts, and data plane.
Year 1 deployment is SaaS in our infrastructure with tenant isolation and configurable retention. Customer-managed cloud and air-gapped deployment are on the roadmap.
The evidence pack is built with named compliance stakeholders during design partner and pilot engagements. Each pack is workflow-specific and tied to a framework. Customer counsel, auditors, and regulators make final determinations.
No. SOC 2 Type I readiness is underway. The 21 CFR Part 11 evidence pack is in design-partner iteration. FedRAMP architecture alignment is in place. Full status lives in the compliance roadmap above.
Wingbase records signed events with prompt and response hashes, model and prompt versions, tool calls, and policy outcomes. A sign-off API records human approvals for consequential actions. Both are mapped to 21 CFR Part 11 audit-trail and electronic-signature requirements.
A pilot is scoped to one workflow, one adapter, and one evidence pack, with a Quality or security review readout at the end. Reach out to discuss pricing and scope for your workflow.
No. Wingbase sits alongside them and produces a different artifact. Model providers and gateways record the request. Observability records the trace. GRC tools record the policy register. Wingbase records signed events at the model-call and tool-call boundary, holds human sign-off gates, and exports a workflow-specific evidence pack a compliance reviewer can sign. One audit trail across whatever stack you already have.
Request a pilot conversation above. We'll cover your workflow, the compliance gate you're working with, and whether a pilot is the right next step.
Get started
Talk to us about a pilot.
Bring a workflow, a compliance gate, and a champion. We'll handle the rest.