Ship AI with Confidence.
SpanForge is the AI lifecycle platform for solo developers, startups, SMBs, and enterprises — from deciding whether to build, through architecture and engineering, to governance and scale. Every phase covered with the RFC-0001 SpanForge standard, regulatory evidence generation, and cryptographic audit trails.
Comply. Prove. Scale.
Platform at a glance
Five-phase lifecycle
SpanForge — Production compliance and governance for autonomous AI agents. Baseline. Detect. Enforce. Audit.
Most AI projects never ship.
The gap between a working prototype and a governed, auditable, production system is where projects die. SpanForge closes that gap.
of companies abandoned the majority of their AI initiatives in 2025 — up from 17% the prior year
of organisations lack the right data management practices to support AI
of organisations report any measurable enterprise AI business impact
The AI Lifecycle Platform for every team.
SpanForge is the AI compliance platform for every team — from deciding whether to build, to proving compliance in production. It covers all five phases: Discover, Design, Build, Govern, and Scale.
Built around the T.R.U.S.T. Framework — an open governance standard defining five dimensions every production AI system must satisfy: Transparency, Responsibility, User Rights, Safety Guardrails, and Traceability. SpanForge delivers production compliance at the Scale phase via the RFC-0001 SpanForge standard — cryptographic audit trails, regulatory evidence generation, and drift detection for EU AI Act, GDPR, SOC 2, ISO 42001, and NIST AI RMF.
Transparency
Customers, regulators, and employees understand how AI affects them. AI behaviour is made intelligible to all affected parties — not just technical teams.
Responsibility
A named human is accountable for every AI system. AI cannot be deployed without a designated owner who carries accountability for its behaviour in production. Responsibility extends to cost: the Cost Intelligence Layer makes infrastructure spend visible at Design time and measures actual token costs in production via the SpanForge llm.cost.* namespace — ensuring accountable owners understand the financial implications before committing to them.
User Rights
Consent, transparency, and recourse for every individual AI affects. Users have the right to understand how AI decisions affect them and to seek redress where required.
Safety Guardrails
Technical constraints embedded in architecture, not just policy. Safety mechanisms are built into the system — not left as aspirational guidance or documents.
Traceability
Every AI decision must be traceable to its source data, model version, and configuration state. Full audit trail. No black boxes. Every decision is logged with an immutable, timestamped, cryptographically signed record — ready for regulators, auditors, and post-incident review.
Every phase. Every answer.
A structured path from “should we build this?” to “running safely at scale.”
Compliance begins before the first line of code.
Most AI compliance failures are seeded before a single line of code is written. Teams pick solutions before validating problems, skip data governance audits, and start building before anyone has defined what regulatory obligations apply.
The Discover phase establishes the compliance baseline: AI readiness assessment, regulatory obligation mapping (EU AI Act risk classification, GDPR applicability, data sovereignty requirements), use case prioritisation, data governance audit, and ROI modelling — all before architecture decisions are made.
Exit gate: Nothing progresses to Design without: a signed-off Problem Statement Canvas, a validated compliance readiness score, applicable regulatory frameworks identified, and a confirmed business case.
Architecture decisions made with compliance evidence.
The Design phase translates a validated problem into a concrete, compliance-ready technical architecture. Model selection with risk classification, data strategy with governance obligations documented, infrastructure decisions with consent flows mapped — everything defined before writing production code.
The Cost Intelligence Layer closes the cost visibility gap: infrastructure cost estimates are produced before any resource is committed, and runtime token cost tracking is incorporated via the SpanForge cost namespace. Capability, compliance posture, and cost — all governed at decision time.
Exit gate: Nothing progresses to Build without: architecture documented with compliance obligations mapped, data strategy validated, security reviewed, team capacity confirmed, and a cost intelligence estimate produced with scenario comparison documented.
Compliance-first CI/CD. No shortcuts.
The Build phase is where compliance becomes code. Six mandatory CI/CD gates enforce security, quality, behaviour, performance, governance, and deployment readiness — in that order. All instrumented with RFC-0001 SpanForge event emission from the first commit.
Every tool composes against the SpanForge schema. PII redaction, consent enforcement, HMAC audit chain initialisation, and prompt injection resistance are verified gates — not post-deployment checks. Nothing ships without all six going green.
Exit gate: Nothing ships without all six CI/CD gates passing — security, quality, behaviour, performance, governance, and deploy checks all green. SpanForge instrumentation confirmed. Audit chain initialised.
T.R.U.S.T. Framework. Regulatory evidence.
The Govern phase converts the T.R.U.S.T. Framework from policy into audit-ready evidence. Compliance mapping against EU AI Act, GDPR, SOC 2, ISO 42001, and NIST AI RMF — automatically generated from SpanForge event streams via the ComplianceMappingEngine.
Risk registers, governance maturity assessment, explainability records, consent audit trails, model registry attestations, and board-level reporting packs — all structured around the five T.R.U.S.T. dimensions and ready for regulatory scrutiny. Evidence packages are HMAC-signed for tamper-evidence.
Exit gate: Nothing goes to production without: T.R.U.S.T. Framework mapped against applicable regulatory frameworks, compliance evidence package generated and signed, incident playbook assigned, and named accountable owner documented.
RFC-0001. Immutable audit trails. Live.
The Scale phase is where compliance is continuously demonstrated — not just claimed. The SpanForge Platform connects to deployed AI agents via OpenTelemetry and the RFC-0001 SpanForge standard, recording every LLM call, tool invocation, consent event, guard block, and cost record as a cryptographically signed, tamper-evident receipt.
Behavioural drift detection, PII boundary enforcement, consent violation alerting, HMAC audit chain verification, and cross-provider token cost attribution — running continuously before regulators, auditors, or incident reports find the problem first.
Exit gate: SpanForge active before the first production request. RFC-0001 event emission confirmed. HMAC audit chain live. Behavioural baseline established. Drift monitoring configured. On-call owner named and playbooks tested.
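The tamper-evident receipt chain described for the Scale phase, shown as an added illustration that is not SpanForge's own code: each receipt carries an HMAC over the event and the previous receipt's MAC, so editing, reordering or dropping any record breaks verification at that index. The signing key, event shapes and field names below are constructed assumptions, not the RFC-0001 schema.

```python
import hashlib
import hmac
import json

# Placeholder key for the illustration only; a real deployment loads the
# audit key from a secrets manager rather than embedding it in code.
AUDIT_KEY = b"example-only-audit-chain-key"
GENESIS = "0" * 64  # stands in for "previous MAC" of the very first receipt


def _canonical(obj) -> bytes:
    """Stable serialisation so signer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, key: bytes, event: dict) -> dict:
    """Append a receipt whose MAC covers the event, its position and prev MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev_mac": prev_mac, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    receipt = dict(body, mac=mac)
    chain.append(receipt)
    return receipt


def verify_chain(chain: list, key: bytes):
    """Walk the chain; return (True, None) or (False, first bad index)."""
    prev_mac = GENESIS
    for i, receipt in enumerate(chain):
        # A deleted or reordered receipt shows up as a seq/prev_mac mismatch
        if receipt["seq"] != i or receipt["prev_mac"] != prev_mac:
            return False, i
        body = {k: receipt[k] for k in ("seq", "prev_mac", "event")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, receipt["mac"]):
            return False, i  # edited event or wrong key
        prev_mac = receipt["mac"]
    return True, None


# Constructed sample events mirroring the record types the page lists
SAMPLE_EVENTS = [
    {"type": "llm.call", "model": "example-model", "prompt_tokens": 812},
    {"type": "tool.invocation", "tool": "crm.lookup", "consent_scope": "customer:read"},
    {"type": "guard.block", "reason": "pii_in_prompt", "action": "pause"},
    {"type": "llm.cost", "usd": 0.0041},
]


def build_sample_chain(key: bytes = AUDIT_KEY) -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append_event(chain, key, dict(event))  # copy so callers can mutate safely
    return chain
```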
100+ tools across the lifecycle.
The SpanForge CI/CD pipeline.
Six mandatory gates. Every AI artefact runs the gauntlet before reaching production.
SECURITY
No exposed keys. No PII in prompts or training data.
QUALITY
Prompts valid. Token budgets respected. Config correct.
BEHAVIOUR
Behaviour tests pass. No regressions. Hallucination score acceptable.
PERFORMANCE
Within latency SLA. Handles expected load.
GOVERNANCE
Consent respected. Output policies enforced. Injection-resistant.
DEPLOY
Live monitoring. Drift detection running. Incident playbooks in place.
Compliance for AI agents that actually run in production.
You can’t govern what you can’t see. SpanForge instruments your autonomous agents, establishes behavioural baselines, and raises the alarm the moment something drifts, violates consent, or breaches a confidence threshold — before regulators, users, or incident reports find it first.
Baseline everything
Establish behavioural baselines at first deployment. Every subsequent run is measured against them.
Detect drift before users do
Statistical drift detection across outputs, confidence scores, and token distributions.
Consent boundary enforcement
Define what data your agent is permitted to access. SpanForge raises the alarm when boundaries are crossed.
Automated playbooks
Pre-defined response runbooks trigger on any alert — pause, escalate, reroute, or log.
Human-in-the-loop hooks
Low-confidence decisions get queued for human review before any output reaches a user.
Audit trail
Immutable, timestamped logs of every decision. Ready for regulators, auditors, and post-incident reviews.
One command. One gate. No platform required.
Each standalone executable implements one T.R.U.S.T. gate check and drops into any CI/CD pipeline. Free, open-source, pip-installable or binary download. No account. No platform dependency. The fastest way to start building governed AI.
$ pip install spanforge-secrets
Scans prompts and training data for exposed secrets, API keys, and non-compliant PII before they enter the pipeline.
$ pip install spanforge-behaviour
Runs behaviour tests and hallucination scoring against your LLM. Catches regressions before they reach production.
$ pip install spanforge-policy
Validates consent, enforces output policies, and tests prompt injection resistance on any OpenAI-compatible endpoint.
$ pip install spanforge-redteam
Runs a known adversarial pattern library against your deployed AI system. Required for RAM-AI scores above 0.7.
Each executable produces structured JSON output that maps directly to the T.R.U.S.T. Evaluation Scorecard. The platform and certification are the destination. The executables are how you find it.
Comply. Prove. Scale.
SpanForge is the AI compliance platform for every team. The SpanForge production compliance platform, RFC-0001 SpanForge standard, Cost Intelligence Layer, and standalone T.R.U.S.T. gate executables are all actively being built — sign up for early access or follow along as we ship.