What is the Trust Layer for Enterprise AI?
The Trust Layer for Enterprise AI is iTmethods' positioning for the platform formed by Reign and Forge. Reign governs every AI model, agent, prompt, and tool call across the enterprise — producing the continuous evidence that auditors and regulators can use. Forge runs the underlying managed runtime — sovereign, secure, observable, hyperscaler-native across AWS and Azure. Together they let regulated enterprises move at AI speed without compromising governance.
The Trust Layer is not a product SKU; it is the architecture. Reign is the governance plane. Forge is the runtime substrate. The relationship is captured in three words: Forge runs · Reign governs.
Why a Trust Layer?
Enterprise AI velocity is outpacing enterprise AI governance. Models, agents, MCP servers, and embedded AI features are landing inside the regulated estate faster than the second and third lines of defense can keep up. The result is fragmented tooling, inconsistent controls, and audit exposure that surfaces only when an examiner asks for evidence:
- AI is being adopted faster than model risk, audit, and security functions can validate it
- Governance tools, model registries, and observability stacks are fragmented across business units
- Regulators are moving from documentary to runtime evidence — SR 11-7, OSFI E-23, EU AI Act, FDA PCCP
- A board-defensible AI program needs continuous controls, not point-in-time attestations
What Reign does
Reign is the governance plane of the Trust Layer. It is built around the Three Lines of Defense, expressed as a four-component Spine that runs across SaaS, dedicated, customer-cloud, and air-gapped deployments:
- AI Gateway — policy enforcement at runtime; identity-bound, MCP-native; every AI and agent call gated and logged (1st Line)
- Model Risk Validation — independent challenge: approved-model registry, validation harnesses, drift detection, predetermined change-control plans (2nd Line)
- Audit Ledger (CAVR) — Continuous Audit, Validation & Reporting; tamper-evident records for every AI and agent decision (3rd Line)
- Assurance Packs — submission-ready evidence packages mapped to the regulatory framework your industry answers to (Independent Assurance)
What Forge does
Forge is the runtime substrate of the Trust Layer. It is the managed runtime iTmethods has been operating for regulated enterprises since 2006 — now extended to host AI workloads, agent runtimes, and MCP servers under the same trust posture as the rest of the enterprise stack:
- 55+ managed tools across DevOps, observability, security, data, and AI infrastructure
- Native support for MCP servers, agent runtimes, and LLM gateways inside the managed envelope
- Sovereign deployment — AWS and Azure hyperscaler-native, plus customer-cloud and air-gapped for the most sensitive programs
- SOC 2 Type II, ISO 27001, and the audit posture regulated enterprises already accept
Forge runs · Reign governs — what the relationship looks like
The Trust Layer is the composition. Forge provides the managed runtime — the secure, observable, sovereign substrate where AI workloads actually execute. Reign provides the governance plane that sits across that runtime — gating calls at the AI Gateway, validating models in Model Risk Validation, ledgering decisions in the Audit Ledger (CAVR), and producing Assurance Packs for the regulator. Three properties make the composition coherent:
- Single trust posture — the same controls, the same audit trail, whether the workload is a CI/CD pipeline, an MCP server, or an agentic application
- One operational envelope — Forge operates the runtime; Reign operates the governance; iTmethods operates both
- One evidence architecture — the same machine-readable evidence satisfies SOC 2, model-risk, and AI-specific frameworks across one stack
Who needs the Trust Layer
iTmethods is building the Trust Layer for the enterprises whose AI programs are scrutinized by regulators with operational, not advisory, authority:
- Banks and capital markets — SR 11-7, OSFI E-23, FCA, MiFID II, EU AI Act high-risk obligations
- Life sciences — FDA PCCP, GxP, 21 CFR Part 11, EMA validated-systems expectations
- Defense, intelligence, and public sector — ITAR, NIST 800-171, CMMC, IL5/IL6 environments where air-gapped deployment is non-negotiable
- Critical infrastructure and regulated industrials — sovereign-data requirements and operational-resilience frameworks
