Skip to content
Architecture

How Kynexa governs enterprise AI interactions.

A complementary control plane between enterprise identities, data, context, models, tools, agents and AI applications. Policy is evaluated inline and activity is recorded as structured audit events.

Reads at source · single-tenant · every policy decision logged.

Reference architecture
One control plane between enterprise systems and AI systems
Single-tenant layer
01 / Inputs
Identities and source systems
EmployeesOIDC / SAML / SCIM
SaaS & drivesRead at source
DatabasesMetadata indexed
Docs & wikisLineage preserved
Content is read and indexed in place; governed metadata carries sensitivity, lineage and category context.
02 / Kynexa Core
Semantic governance and control
Enterprise AI Control Plane
Metadata, policy, gateway control and audit live in your tenant.
ConnectorsScan and process
Context graphSemantic metadata
Policy serviceInline decisions
LLM gatewayProvider routing
MCP gatewayScoped tools
Agent governanceMemory and action scope
Audit serviceStructured events
03 / Outputs
Governed AI systems
RAG apps
Copilots
Agents
Models
Tools & MCP
Vector stores
Retrieval, model calls, tool use, agent actions and memory operations proceed only under the applicable policy decision.
Data stays at source
Metadata in tenant
Policy inline
Every decision logged
A complementary, single-tenant layer where metadata, policy, gateway control and audit live in your tenant.

A three-lane reference architecture. Identities and source systems on the left are read and indexed in place. The single-tenant Kynexa control plane in the center includes connectors, semantic metadata and context graph, policy service, LLM gateway, MCP and tool gateway, agent and memory governance, and audit service. Governed AI systems on the right include RAG applications, copilots, agents, models, tools, MCP servers and vector stores. Data stays at source, metadata stays in tenant, policy is evaluated inline and every decision is logged.

The problem we solve

Governance bolted onto each AI application is inconsistent and hard to audit across the estate. Enterprises need one control point between their identities, data sources and their AI systems that reads at source, enforces inline and records every decision.

The end-to-end flow

Reference flow
Data stays at sourcePolicy inlineAudit by default
IngestRead source systems in place
01

Connect & scan

Connectors list and read items from your sources using OAuth or API keys, with Vault-backed credentials.

02

Process

The file processor extracts unified text, chunks and embeddings; embedding calls route through the provider-agnostic gateway.

StructureTurn content into governed metadata
03

Understand

Semantic metadata adds entities, labels, sensitivity and categories at element level.

EnforceEvaluate policy before use
04

Govern

The policy manager authors, evaluates and simulates policies over that metadata, on retrieval, reasoning and output.

05

Serve

Governed RAG, model routing, tool access, agent actions, and memory operations proceed only under the applicable policy decision.

ProveRecord status and evidence
06

Prove

Structured events record data access, policy decisions, models, tools, identities, memory, outputs, and decision reasons.

Control matrix

Enforcement points

Where the control plane acts between identities, data sources and AI systems.

Control surfacePolicy inputEnforcement pointAudit evidence
Read-at-sourceConnector scopeConnectors (Secure Connections)Access log
Policy enforcementRole · intent · sensitivityPolicy service (inline)Decision log
Model & tool gatewaysApproved catalog · scopeLLM / MCP gatewaysGateway trace
AuditAll decisionsAudit serviceStructured events
Principles

Architecture principles

Your data stays at source

Kynexa reads and indexes; it does not relocate data.

Provider-agnostic

One gateway across model and embedding providers; bring your own vector store.

Auditable by default

Every policy evaluation is logged as a structured event.

Single-tenant deployment

Deployed as a complementary layer isolated in your environment.

Technical FAQ

No. It reads and indexes at source and stores only governance metadata in your single-tenant environment.
Yes. Kynexa is deployed as a complementary, single-tenant layer in your environment, with no shared data plane.
Get started

See Kynexa govern your AI — in 30 minutes.

Bring a real use case. We'll set up governed retrieval, reasoning and audit on your stack.