Platform — NornGate

The whole agent runtime. One spine. Zero ungated side effects.

Orchestrator, model routing, agents, sandboxed execution, and a signed outcome ledger — in one platform built for businesses that can't afford a babysitting team for their AI. Nothing your agents do touches your systems until it has passed five deterministic gates. And you pay for verified outcomes, never for tokens burned along the way.

Five gates. Every action. No exceptions.

Most agent platforms let the model act and audit afterwards. NornGate inverts that: every side effect is denied by default and must earn passage through five deterministic gates before it commits. This is the mechanism behind the two lines it removes from your P&L — the review tax and the token tax.

G0
Ingress
Every request enters through one door. Identity, tenant, and intent are bound before any model sees it.
unbound → dropped
G1
Policy
Deterministic rules decide what this agent may attempt. Default-deny — a rule must exist, or the action doesn't.
no rule → denied
G2
Approval
The rare actions that need a human get one. Everything else flows through — under 5% of transits should ever stop here.
no approver → held
G3
Sandbox
The action executes in isolation first. Output is checked against its declared contract before anything real happens.
contract fail → rolled back
G4
Commit
The verified result lands in your systems and a signed record lands in the ledger. This is the only event you're billed for.
unverified → never lands
Why deterministic gates, not an LLM judge: a model policing a model is itself promptable — the same jailbreak that fools the worker fools the judge. NornGate's G1 policies are evaluated as code, the way OPA-class policy engines evaluate access control: same input, same verdict, every time. Auditable before the incident, not after.

Orchestrator

The orchestrator decomposes work, dispatches it to the right agent, and owns the loop — retries, timeouts, escalation, and completion. Agents reason; the platform decides what runs, in what order, with what permissions. That separation is deliberate: reliability lives in deterministic infrastructure, not inside a model's context window.

Loops are turn-bounded and lease-owned. A task that stalls is reclaimed and retried with capped backoff; a task that loops is cut at its bound; a task that dies is dead-lettered with its full gate history attached. No zombie agents, no runaway spend.

Why it matters Autonomy without an execution contract is how a $40 task becomes a $4,000 incident. Bounded loops and lease-based ownership make the worst case a known, small number.

Execution contract

  • dispatchTask decomposition, priority queues, per-tenant fairness
  • loopsTurn-bounded — hard iteration ceilings per task class
  • ownershipLease-based; stalled work is reclaimed, never duplicated
  • retriesIdempotent replay, capped exponential backoff with jitter
  • failureDead-letter queue with complete gate transcript

Model routing

Inference is COGS. NornGate treats it that way with a two-tier design: the majority of every workload runs on NornGate's own LLM, on NornGate-operated GPUs, at a marginal cost measured in pennies. Steps that need frontier judgment are handed off to the provider you choose — Anthropic, OpenAI, xAI, DeepSeek, or any model reachable via OpenRouter.

Because G3 verifies output against a contract regardless of which tier produced it, the split is safe by construction: work that passes verification on the in-house tier simply never incurs frontier pricing, with no quality gamble. Provider failover is automatic; your workflows never learn which vendor had an outage.

Why it matters Per-token platforms have no incentive to route efficiently — your waste is their revenue. NornGate bills per verified outcome, so every routing optimization lands on your side of the ledger.

Routing layer

  • tier 1NornGate LLM on owned GPUs — bulk workload at pennies
  • tier 2Frontier handoff, customer-selected: Claude, ChatGPT, Grok, DeepSeek, or any via OpenRouter
  • selectionPer-step, contract-aware — cheapest tier that verifies
  • providersMulti-provider behind one interface; automatic failover chains
  • cachePrompt caching, namespaced per tenant — no cross-tenant timing side channels
  • keysPooled, BYOK, or sovereign — see credential models below
  • budgetPer-task and per-tenant spend ceilings, enforced pre-dispatch

Sixteen agents, each with one job

NornGate ships sixteen agents, each named for a Norse god and each mapped to a single engineering function — retrieval, drafting, reconciliation, scheduling, escalation, and the rest. Narrow agents with declared contracts beat one god-model with root access: a scoped agent can only be granted scoped permissions, which is what makes G1 policies short enough to actually read.

Agents hold no credentials. They request actions; the gates decide. An agent compromised by a hostile prompt can ask for anything — and receive only what policy already allowed it.

Why it matters Credential starvation turns prompt injection from a breach into a denied request. The blast radius of a bad prompt is a log line, not an incident report.

Agent model

  • scopeOne function per agent, one contract per function
  • credentialsNone held by agents — actions brokered by the gateway
  • registryEvery agent, its permissions, and its Eddic lineage — meet them in The Realms
  • memoryTenant-isolated; nothing an agent learns leaks across customers

Yggdrasil: one spine, ten realms

Every service in NornGate hangs off a single service mesh — Yggdrasil — and every subdomain is a realm with its own trust zone. Subdomain = trust boundary is not branding; it means traffic between realms is authenticated, authorized, and logged at the mesh, and a component in one realm cannot reach another realm's data plane at all.

For you, the practical consequence: there is exactly one place where "who can talk to whom" is defined, and it's the same place your auditor reads it.

Why it matters Flat internal networks are how one compromised component becomes a company-wide incident. Realm boundaries make lateral movement a policy violation the mesh refuses, not a thing you discover in forensics.

Mesh properties

  • topologySingle-spine mesh; all inter-realm traffic transits Yggdrasil
  • trust zonesTen realms, each a subdomain with its own policy perimeter
  • identityMutual authentication between services; no anonymous internal calls
  • blast radiusRealm-contained by construction

The Norns: what happened, happening, and allowed next

Observability in NornGate is the Norn triad. Urd keeps the past — the append-only ledger of every gate verdict and G4 commit, cryptographically signed and hash-chained. Verdandi watches the present — live gate transits, approval queues, spend against budget. Skuld holds what is permitted to come — the policy set that decides every future action.

The ledger is GDPR-shaped by design: hashes are anchored immutably; payloads stay erasable. When an Article 17 erasure request arrives, the record's content is destroyed while the chain's integrity — the proof that the action occurred and passed its gates — survives intact.

Why it matters An audit trail that can be edited is an anecdote. A signed, hash-chained ledger turns "prove what your AI did last quarter" from an engineering project into a query.

Ledger design

  • UrdSigned, hash-chained record of every verdict and commit
  • VerdandiLive dashboards: gate transits, G2 queue, budget burn
  • SkuldVersioned policy store — every rule change is itself a ledger event
  • GDPRHashes immutable, payloads erasable — Art. 17 compatible
  • billingInvoices are ledger queries — every line item is a G4 record you can inspect

Three ways to hold the keys

Whichever model you choose, the invariant holds: agents never touch raw credentials. The difference is only where the keys live and who can see usage.

Model 1

Pooled platform keys

Start in minutes on NornGate's provider accounts. Simplest path for teams without existing model contracts — routing, failover, and budget ceilings work identically. Zero key management on your side.

Model 2

BYOK, vaulted at the gateway

Bring your own provider keys; they're vaulted in the gateway and only the gateway — never distributed to agents, never present in agent memory or logs. You keep your negotiated rates and provider relationship.

Model 3

Sovereign IAM roles

NornGate assumes roles inside your cloud IAM. No phone-home: usage is attested by ledger-signed records you verify yourself, not by trusting our telemetry. Built for teams whose auditors ask hard questions.

Billed at G4. Nowhere else.

A billable event is a side effect that passed all five gates and committed. Everything upstream — drafts, retries, denied attempts, sandbox runs — is our cost, not yours.

Never billed

Tokens, retries, denials

Model calls, failed sandbox runs, policy denials, loop iterations, and every token burned getting to a verified result. If it didn't commit, it didn't cost you anything.

Billed

G4-verified outcomes

The invoice sent. The reconciliation posted. The ticket resolved. Each one backed by a signed ledger record — your invoice is an auditable list of things that actually happened.

See what the gates would catch in your workflows

Bring one process you'd hand to an agent tomorrow if you trusted it. We'll map it through the five gates together — and show you exactly what you'd pay for.