AI Security and Governance for Managed Growth Agents
Growth agents should be fast, but not reckless. gr0.ai designs workflows around scoped data, human approval, auditability, and control.
Governance principles
Human approval
Approval workflows are the default for any external-facing work. Customers approve in the gr0.ai portal. Internal-only outputs (research summaries, draft outlines) can run without approval per workflow config.
Scoped data access
Each agent gets only the data it needs. OAuth scopes are minimum-necessary. API keys are stored per-org, encrypted at rest with envelope encryption (AES-256-GCM, per-org KEK). Connections are revocable from the portal.
Audit logs
Every agent run, tool call, retrieval, and external action is logged with timestamp, agent ID, org ID, member ID, inputs, outputs, and approver. A super-admin can drill into any run from /admin/orgs/[id].
Role-based controls
Roles are owners, approvers, viewers, finance, and super-admin. Each role sees only what it should. Approval requirements can be overridden per workflow.
Model + provider policy
Models are routed per workflow: Claude for reasoning, OpenAI for embeddings, etc. Customers can bring their own keys (BYOK) for any provider via the BYOK system. No customer data trains any base model.
Regulated industry workflows
Healthcare, legal, and financial services workflows ship with stricter approval defaults, do-not-say language rules, scoped data handling, and per-vertical guardrails. PHI and similar sensitive data require an explicit scoped agreement before workflow design.
Prohibited use cases
No agents that impersonate humans without disclosure. No election influence. No unsolicited spam. No scraping behind login walls. No deepfakes. We document the full list in the AI Policy.
Incident handling
Suspensions can be applied globally, per-org, and per-user. A notice and appeal flow is built in. Suspensions are audit-logged. Incidents triggering legal escalation route to Sean directly.
Client responsibilities
Customers maintain ownership of their data, integrations, and approval decisions. Disabling approval on external-facing work is the customer's call; they own the outcome of those messages.
Have a security review on your side?
We'll walk through your approval requirements, data scoping, and audit needs in your AI Growth Audit. Compliance-sensitive industries get scoped separately.