Governance Boundary & Coverage FAQ

How SEAL Legal Runtime governs — and what stays outside its seal


SEAL Legal Runtime is Refusal Infrastructure for high-risk legal actions: a pre-execution authority gate in the Commit Layer that governs what may execute within wired workflows.

1. Does SEAL govern every action in our environment?


No.


SEAL Legal Runtime governs high-risk actions you choose to route through it.


  • In-scope: actions wired to SEAL’s pre-execution authority gate (for example: file, send, approve, move money, commit a binding step).
  • Out-of-scope: actions and systems that never pass through that gate.


Coverage grows as you wire more high-risk actions  through SEAL.
Coverage is explicit, not implied. We do not claim universal control over everything in your environment.

2. What does “non-bypassable within wired workflows” actually mean?


Once a workflow is wired to SEAL:


  • there is no alternate “approve” path in that workflow that skips the SEAL gate, and
  • any attempt to execute the governed action must receive a SEAL decision: approve, refuse, or supervised override.


If an action can execute without SEAL’s decision, that workflow is not yet wired and is treated as out of scope.

3. Who decides which actions must go through SEAL?

 

You do.


  • Legal, risk, and operations leaders define which actions are “high risk” and must be governed.
  • Those actions are then wired to SEAL as part of the implementation program.


SEAL enforces your authority model.

 It does not invent roles, policies, or risk thresholds.

4. What happens if someone tries to bypass SEAL?


Inside wired workflows, bypass attempts are treated as governance failures, not clever shortcuts.


Typical outcomes (depending on your design):


  • the action cannot be executed without going through the SEAL gate, or
  •  the request is blocked and recorded as an out-of-policy attempt or governance incident, depending on the organization’s control design.


Within wired workflows, the governed action cannot complete without a SEAL decision. If an organization observes or detects out-of-band execution paths, those should be treated as governance incidents and brought under wiring or control.

5. What happens if SEAL is unavailable?


For governed actions in wired workflows, SEAL is designed to be fail-closed:


  • If SEAL cannot return a decision, the default for governed actions is refusal, not silent approval.


We do not treat downtime as permission.

6. How does SEAL interact with IAM, guardrails, and GRC?


  • IAM decides who can access systems and data.
  • Guardrails / model safety decide what models are allowed to say.
  • GRC holds your policies, controls, and risk posture.


SEAL Legal Runtime uses these as inputs and adds the missing layer:


The Commit Layer — a pre-execution authority gate that decides whether a specific high-risk action is allowed to run now, under this authority.


SEAL does not replace IAM, guardrails, or GRC.
It gives them an execution-time enforcement point.

7. What exactly is recorded in a sealed artifact? Are we over-collecting?


Sealed decision artifacts are designed to be governance-grade, not surveillance-grade.

They record the minimum governance context needed to reconstruct who acted, what kind of governed action was attempted, what decision was returned, and when.

They are not intended to function as full matter files, prompt archives, or strategy records.

Artifacts are intentionally narrow: just enough to support accountability, review, and evidentiary use.

8. Who owns the artifacts and identity data?


You do.

You own both the authority sources and the resulting evidence surface. Identity and roles come from your IdP / SSO and governance systems. Sealed artifacts are designed for client-controlled audit retention and evidentiary use, subject to the deployment and retention model agreed with the client.



Thinking OS™ does not claim ownership of your identity data, matter context, or artifacts.

9. Can SEAL return a decision we disagree with?


SEAL enforces your configured policies, but it is not infallible.


  • For governed actions, SEAL can return supervised override as an outcome.
  • Overrides are explicit, traceable decisions – not backdoor hacks:
  • who overrode,
  • on what basis,
  • under which authority,
  • at what time.


You retain both control (through policy design) and recourse (through supervised override), with a sealed record either way.

10. How do we expand coverage over time?


Coverage typically grows in three steps:


  1. Define high-risk actions in each practice / product line (file, send, approve, etc.).
  2. Wire those actions through SEAL’s pre-execution authority gate.
  3. Review artifacts to identify additional actions that should be brought under governance.


You don’t have to decide everything on day one.
SEAL lets you start with the highest-risk actions and expand in a controlled, evidence-backed way.

11. How do you keep “supervised override” from becoming a loophole?


Supervised override is a governed outcome, not a backdoor.


An override is only available where the organization has explicitly defined a supervisory path for that action class. Both the original refusal and the override outcome are recorded so the firm can show who accepted responsibility, when, and under which governance posture.


Policy about when overrides are allowed remains entirely under the firm’s GRC and professional-responsibility framework.

12. What inputs does SEAL require — and what does it not need?


At minimum, a governed request includes:


  • who is acting and in which role (from your IdP / SSO),
  • what they are trying to do (vertical / motion / action type),
  • where it sits (matter ID, venue / jurisdiction),
  • consent / authority posture, and
  • the relevant policy or rule-basis references.


SEAL does not require:

  • full matter text,
  • model prompts or traces, or
  • privileged strategy or advice.


It evaluates structured governance anchors, not the substance of your client work.

13. How are sealed artifacts verified, and who controls verification?


Sealed artifacts are designed to be integrity-verifiable and suitable for independent review under client-controlled audit and retention arrangements.

Clients and their auditors should be able to confirm that artifacts are authentic, attributable to a governed decision, and have not been altered after issuance.

Public materials describe evaluator-visible properties and evidence surfaces; verification, retention, and control-boundary details are discussed in confidential technical review when appropriate.

14. How do policy changes and versions show up in artifacts?


Authority rules and governance policies are versioned in the client’s own systems. SEAL artifacts are designed to reference:


  • which policy set was in force, and
  • which version governed that decision.


When policies change, new decisions are made under the new version; historical artifacts remain intact and tied to the policy version that applied at the time. Remediation, when required, is done by issuing new decisions — not by editing past artifacts.

15. What is SEAL’s threat model, and what is explicitly out of scope?


In scope:


  • preventing out-of-policy execution for actions routed through the SEAL gate,
  • enforcing identity, consent, and authority checks even when an identity token is misused, and
  • producing a forensic trail of approvals, refusals, and overrides.


Out of scope:


  • actions and systems that never route through the SEAL gate,
  • physical-world behavior outside digital workflows, and
  • compromises of client-owned IdP, keys, or endpoints beyond the runtime boundary.


SEAL is one control among many in a firm’s overall security and ethics posture.

16. Where does SEAL run — cloud, on-prem, or something else?


Deployment model, isolation posture, and control-boundary details are discussed in confidential technical review.


Publicly, the important point is simpler:


SEAL is designed to sit at the execution boundary for governed workflows and produce client-controlled, reviewable decision artifacts, while keeping internal runtime details non-public.


Clients evaluating SEAL should expect clear answers on:


  • deployment scope and isolation posture
  • where governed requests are evaluated
  • where decision artifacts are retained
  • how client-controlled review and evidentiary use are supported


Specific environment and deployment details are handled under diligence, not in public-facing documentation.