Unlike static governance documents (PDFs, wikis, policy manuals), K0nsult's governance runtime enforces rules in real-time during workflow execution. Policies are not suggestions — they are executable constraints that block, approve, escalate, or log every action as it happens.
A governance document says "invoices above 50k require dual approval." A governance runtime prevents the invoice from being processed until both approvals are recorded.
"Static governance tells you what should happen. Runtime governance makes it happen. That is the difference between a policy and a system."
| Component | What It Does | How It Enforces |
|---|---|---|
| Policy Engine | Evaluates rules before each action | Blocks unauthorized actions at API level |
| Decision Logger | Records every decision with context | Immutable INSERT-only PostgreSQL table |
| Approval Gateway | Routes Level C/D decisions to humans | Pauses execution until approved |
| Risk Scorer | Calculates risk score per action | Auto-escalates when score > threshold |
| Compliance Checker | Maps actions to regulatory requirements | Flags non-compliant outputs |
| Kill Switch | Emergency stop for all agents | Single API call suspends everything |
Every action in K0nsult passes through this decision pipeline. No exceptions, no bypasses.
Action Requested
│
▼
┌─────────────────────┐
│ Policy Engine │ Checks: permissions, data class,
│ checks rules │ approval level, rate limits
└─────────┬───────────┘
│
▼
┌─────────────────────┐
│ Risk Score │ Composite score: data sensitivity +
│ calculated │ user trust + action type + history
└─────────┬───────────┘
│
┌──────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌──────┐ ┌──────────┐ ┌──────────┐
│Low │ │Medium │ │High │
│A / B │ │C │ │D │
└──┬───┘ └────┬─────┘ └────┬─────┘
│ │ │
▼ ▼ ▼
Execute Queue for Block +
+ Log human Escalate
approval + Log
│ │ │
│ ┌──┴──┐ │
│ │Wait │ │
│ └──┬──┘ │
│ ┌────┴────┐ │
│ Approved Denied │
│ │ │ │
▼ ▼ ▼ │
┌─────────────────────┐ │
│ Audit Trail │ <───┘
│ recorded (immutable)│
└─────────┬───────────┘
│
▼
┌─────────────────────┐
│ Compliance check │ Maps output to regulatory
│ on output │ requirements
└─────────┬───────────┘
│
┌──────┴──────┐
│ │
▼ ▼
Deliver Reject
result + Log reason
| Level | Risk | Approval | Speed | Example |
|---|---|---|---|---|
| A | Minimal | Auto-approved by policy | Instant (<100ms) | Read public data, format output |
| B | Low | Auto-approved + logged | Instant (<200ms) | Send notification, update record |
| C | Medium | Human approval required | Minutes to hours | Process payment, modify access |
| D | High | Dual authorization + audit | Hours to days | Delete data, change policy, bulk operations |
This is the core distinction that makes K0nsult different from every governance framework that lives in a document.
| Aspect | Static (PDF docs) | Runtime (K0nsult) |
|---|---|---|
| Enforcement | Manual review, relies on humans reading docs | Automated, real-time, blocks non-compliant actions |
| Audit trail | After the fact, retrospective, often incomplete | During execution, every decision logged as it happens |
| Policy updates | Document revision, approval cycle, distribution | Instant rule change, effective immediately |
| Human oversight | Scheduled reviews (quarterly, annual) | Real-time approval gates for every high-risk action |
| Compliance proof | Self-reported, assembled manually for auditors | System-generated evidence, exportable on demand |
| Incident response | Discover breach, convene meeting, draft response | Kill switch: single API call halts all execution |
| Scalability | More agents = more documents = more review burden | Same engine governs 1 agent or 1,000 agents |
"A PDF policy cannot stop an unauthorized action. A runtime policy can. That is the difference between governance theater and governance engineering."
The audit trail is the backbone of K0nsult's compliance story. Every decision, every action, every approval or denial is recorded in an immutable, hash-chained log.
| Field | Type | Description |
|---|---|---|
| audit_id | UUID | Unique identifier for the audit entry |
| timestamp | ISO 8601 | Exact time of the decision (UTC, microsecond precision) |
| actor_id | String | Who or what triggered the action (user, agent, system) |
| action_type | Enum | EXECUTE, APPROVE, DENY, ESCALATE, BLOCK, KILL |
| resource_id | String | Workflow, policy, or data object affected |
| decision | Enum | ALLOWED, DENIED, ESCALATED, BLOCKED |
| risk_score | Float | Computed risk score at time of decision (0.0 - 1.0) |
| policy_ids | Array | Which policies were evaluated for this decision |
| evidence | JSONB | Full context: input data, rule matches, approval chain |
| prev_hash | SHA-256 | Hash of previous audit entry (chain integrity) |
The audit table uses INSERT-only permissions. No UPDATE, no DELETE. Database user for audit writes has no ALTER TABLE privileges. This is enforceable immutability at the database level.
The kill switch is K0nsult's last line of defense. One API call halts all agent execution across the entire instance.
| Phase | Action | Duration |
|---|---|---|
| 1. Trigger | POST /api/kill-switch with authorized credentials | < 1 second |
| 2. Propagate | All agent runtimes receive HALT signal via pub/sub | < 5 seconds |
| 3. Freeze | In-flight executions paused (not terminated); state preserved | Immediate |
| 4. Log | Kill switch event recorded in audit trail with reason and actor | Automatic |
| 5. Notify | All designated stakeholders notified (webhook, email, SMS) | < 30 seconds |
| 6. Restart | Requires dual authorization to re-enable execution | Manual |
Workflow automation tools build workflows. K0nsult governs them. This distinction is not a feature — it is a category.
| Capability | Workflow Tools | K0nsult |
|---|---|---|
| Build workflows | Yes | Integrates with existing |
| Enforce approval chains | No | Yes — built into runtime |
| Log why decisions were made | No | Yes — immutable audit trail |
| Prove compliance to regulators | No | Yes — exportable evidence |
| Emergency halt all agents | No | Yes — kill switch |
| Real-time risk scoring | No | Yes — per-action scoring |
"n8n can build any workflow. But it cannot enforce who approves what, log why decisions were made, or prove compliance to a regulator. K0nsult can."