Sign in Subscribe

OpenMandate: Governing AI Agents by Authority, Not Instruction

OpenMandate: Governing AI Agents by Authority, Not Instruction

Over the past year, most of the discussion around deploying AI into legal workflows has centred on capability. Can the model summarise this? Extract that? Flag risk in a clause?

That focus makes sense in early experimentation, but it makes far less sense once you move into anything that touches client data, regulated advice, or internal decision making. At that point the question has to change, it's no longer about what the model can do, instead it's about what the system will allow it to do.

Because the problem is that most AI agent frameworks in use today still rely on instruction rather than enforcement.

  • You hand the model a system prompt telling it not to provide legal advice.
  • You ask it to escalate when a query falls outside scope.
  • You request that it only use certain tools.

Then you hope that instruction holds across context shifts, user pressure, or long conversations that subtly change the task framing. In consumer settings that may be tolerable. In regulated environments it creates an immediate supervision problem. Saying "well we told the AI not to do that" does not carry much weight if it accesses the wrong data source or attempts to execute a financial transaction.

From Prompt Governance to Runtime Governance

OpenMandate was built to tackle this directly.

Rather than relying on the model to interpret policy in natural language, OpenMandate treats the model as an untrusted execution engine that proposes actions. Every one of those proposals passes through a deterministic processor chain before anything happens in the real world.

At runtime the system can:

  • Intercept user input before it reaches the model
  • Block tool calls the model attempts to make
  • Enforce jurisdictional scope
  • Trigger escalation to a human reviewer
  • Reject or modify the final response before it reaches the user
  • Apply hard limits on tokens, turns, or usage budgets

The model still generates text and still reasons about the task, but what it cannot do is step outside the authority defined for it by the organisation deploying it.

That authority is expressed in a declarative YAML mandate.

Making Policy Auditable

The mandate defines what an agent is permitted to do, what it is prohibited from doing, and what it must do in order to remain compliant with internal or regulatory expectations:

  • Capabilities such as tool access and data scope are explicitly whitelisted.
  • Prohibited behaviours, such as providing professional advice in certain contexts, are blocked.
  • Mandatory requirements, such as disclaimers or citation rules, are enforced on output.
  • scalation triggers can be defined by jurisdiction, topic, or user intent.

Separating this policy layer from the application code allows legal operations or compliance teams to review the governance rules directly. They do not need to read code to understand whether an agent can write to a client matter database or access billing systems.

More importantly, every enforcement decision can be logged. OpenMandate lightly records processor execution paths, tool requests, and mandate failures into a persistent audit trail. If an agent blocks an action or escalates a query, the organisation can see which part of the mandate drove that outcome. That begins to move AI supervision closer to the traceability expected from document automation or workflow tooling.

Treating the Model as a Proposer

In a conventional agent stack, the trust boundary sits between the user and the model. The model is trusted to interpret policy, honour permissions, and behave appropriately.

OpenMandate moves that boundary outward.

  • User input passes through governed processors before the model sees it.
  • The model proposes tool usage or responses.
  • Those proposals are validated against the mandate.
  • Only permitted actions are executed.

The model becomes a component within a governed system rather than the system itself.

For legal teams already thinking about supervision obligations, that maps more closely to existing delegation patterns. A trainee may suggest an action, but a partner still decides whether it can proceed. Here the processor chain fulfils that supervisory role in code.

Domain Specific Skill Packs

Because governance requirements vary by domain, OpenMandate supports pluggable skill packs. A UK employment pack, for example, can bundle:

  • Jurisdiction specific escalation rules
  • Permitted research tools
  • Prohibited advisory patterns
  • Approved prompt fragments for statutory interpretation

When an agent is instantiated, it imports the relevant pack and exposes only the tools permitted by its mandate. This avoids the common problem where a general assistant is technically capable of performing actions that are out of scope for the matter at hand.

Combined with a lightweight triage router that directs user queries to specialist agents, this begins to resemble governed task execution rather than conversational assistance.

Legal AI risk rarely sits in the average response. It sits in the one answer that should have triggered escalation but did not or in the one tool call that exposed a sensitive data source because the conversational context shifted.

Moving governance from prompt text into runtime enforcement does not eliminate model risk. It does allow organisations to constrain the effects of model behaviour in a way that is inspectable, testable, and auditable.

For firms exploring how to deploy agentic systems into client facing or operational workflows, that distinction is going to become increasingly important.

The relevant question is no longer whether the model can be trusted but whether the system can prevent it from acting outside its authority.