The whole agent runtime. One spine. Zero ungated side effects.
Orchestrator, model routing, agents, sandboxed execution, and a signed outcome ledger — in one platform built for businesses that can't afford a babysitting team for their AI. Nothing your agents do touches your systems until it has passed five deterministic gates. And you pay for verified outcomes, never for tokens burned along the way.
Five gates. Every action. No exceptions.
Most agent platforms let the model act and audit afterwards. NornGate inverts that: every side effect is denied by default and must earn passage through five deterministic gates before it commits. This is the mechanism behind the two lines it removes from your P&L — the review tax and the token tax.
OPA-class policy engines evaluate
access control: same input, same verdict, every time. Auditable before the incident, not after.
Orchestrator
The orchestrator decomposes work, dispatches it to the right agent, and owns the loop — retries, timeouts, escalation, and completion. Agents reason; the platform decides what runs, in what order, with what permissions. That separation is deliberate: reliability lives in deterministic infrastructure, not inside a model's context window.
Loops are turn-bounded and lease-owned. A task that stalls is reclaimed and retried with capped backoff; a task that loops is cut at its bound; a task that dies is dead-lettered with its full gate history attached. No zombie agents, no runaway spend.
Execution contract
- dispatchTask decomposition, priority queues, per-tenant fairness
- loopsTurn-bounded — hard iteration ceilings per task class
- ownershipLease-based; stalled work is reclaimed, never duplicated
- retriesIdempotent replay, capped exponential backoff with jitter
- failureDead-letter queue with complete gate transcript
Model routing
Inference is COGS. NornGate treats it that way with a two-tier design: the majority of every workload runs on NornGate's own LLM, on NornGate-operated GPUs, at a marginal cost measured in pennies. Steps that need frontier judgment are handed off to the provider you choose — Anthropic, OpenAI, xAI, DeepSeek, or any model reachable via OpenRouter.
Because G3 verifies output against a contract regardless of which tier produced it, the split is safe by construction: work that passes verification on the in-house tier simply never incurs frontier pricing, with no quality gamble. Provider failover is automatic; your workflows never learn which vendor had an outage.
Routing layer
- tier 1NornGate LLM on owned GPUs — bulk workload at pennies
- tier 2Frontier handoff, customer-selected: Claude, ChatGPT, Grok, DeepSeek, or any via OpenRouter
- selectionPer-step, contract-aware — cheapest tier that verifies
- providersMulti-provider behind one interface; automatic failover chains
- cachePrompt caching, namespaced per tenant — no cross-tenant timing side channels
- keysPooled, BYOK, or sovereign — see credential models below
- budgetPer-task and per-tenant spend ceilings, enforced pre-dispatch
Sixteen agents, each with one job
NornGate ships sixteen agents, each named for a Norse god and each mapped to a single engineering function — retrieval, drafting, reconciliation, scheduling, escalation, and the rest. Narrow agents with declared contracts beat one god-model with root access: a scoped agent can only be granted scoped permissions, which is what makes G1 policies short enough to actually read.
Agents hold no credentials. They request actions; the gates decide. An agent compromised by a hostile prompt can ask for anything — and receive only what policy already allowed it.
Agent model
- scopeOne function per agent, one contract per function
- credentialsNone held by agents — actions brokered by the gateway
- registryEvery agent, its permissions, and its Eddic lineage — meet them in The Realms
- memoryTenant-isolated; nothing an agent learns leaks across customers
Yggdrasil: one spine, ten realms
Every service in NornGate hangs off a single service mesh — Yggdrasil — and every subdomain is a realm with its own trust zone. Subdomain = trust boundary is not branding; it means traffic between realms is authenticated, authorized, and logged at the mesh, and a component in one realm cannot reach another realm's data plane at all.
For you, the practical consequence: there is exactly one place where "who can talk to whom" is defined, and it's the same place your auditor reads it.
Mesh properties
- topologySingle-spine mesh; all inter-realm traffic transits Yggdrasil
- trust zonesTen realms, each a subdomain with its own policy perimeter
- identityMutual authentication between services; no anonymous internal calls
- blast radiusRealm-contained by construction
The Norns: what happened, happening, and allowed next
Observability in NornGate is the Norn triad. Urd keeps the past — the append-only ledger of every gate verdict and G4 commit, cryptographically signed and hash-chained. Verdandi watches the present — live gate transits, approval queues, spend against budget. Skuld holds what is permitted to come — the policy set that decides every future action.
The ledger is GDPR-shaped by design: hashes are anchored immutably; payloads stay erasable. When an Article 17 erasure request arrives, the record's content is destroyed while the chain's integrity — the proof that the action occurred and passed its gates — survives intact.
Ledger design
- UrdSigned, hash-chained record of every verdict and commit
- VerdandiLive dashboards: gate transits, G2 queue, budget burn
- SkuldVersioned policy store — every rule change is itself a ledger event
- GDPRHashes immutable, payloads erasable — Art. 17 compatible
- billingInvoices are ledger queries — every line item is a G4 record you can inspect
Three ways to hold the keys
Whichever model you choose, the invariant holds: agents never touch raw credentials. The difference is only where the keys live and who can see usage.
Pooled platform keys
Start in minutes on NornGate's provider accounts. Simplest path for teams without existing model contracts — routing, failover, and budget ceilings work identically. Zero key management on your side.
BYOK, vaulted at the gateway
Bring your own provider keys; they're vaulted in the gateway and only the gateway — never distributed to agents, never present in agent memory or logs. You keep your negotiated rates and provider relationship.
Sovereign IAM roles
NornGate assumes roles inside your cloud IAM. No phone-home: usage is attested by ledger-signed records you verify yourself, not by trusting our telemetry. Built for teams whose auditors ask hard questions.
Billed at G4. Nowhere else.
A billable event is a side effect that passed all five gates and committed. Everything upstream — drafts, retries, denied attempts, sandbox runs — is our cost, not yours.
Tokens, retries, denials
Model calls, failed sandbox runs, policy denials, loop iterations, and every token burned getting to a verified result. If it didn't commit, it didn't cost you anything.
G4-verified outcomes
The invoice sent. The reconciliation posted. The ticket resolved. Each one backed by a signed ledger record — your invoice is an auditable list of things that actually happened.
See what the gates would catch in your workflows
Bring one process you'd hand to an agent tomorrow if you trusted it. We'll map it through the five gates together — and show you exactly what you'd pay for.