Ambit Observatory

Governance that cannot be explained from its own decisions cannot be audited.

Ambit Observatory derives explanations from governance decisions — explanations that survive incident review and regulatory inquiry. It reads the decision ledger produced by Authority — the source of truth for every governed action. It answers the questions that follow a governance event: what happened, why it was allowed or denied, which policy and delegation were in effect, and whether the outcome was correct.

Observatory does not infer behaviour. It derives explanations strictly from Authority’s decision records — grounded in recorded decisions, not reconstructed from events. If explanations are reconstructed from logs instead of derived from decisions, governance is not provable. Observatory does not reinterpret or override decisions — it is a projection of Authority’s decision record.

Authority decides. Observatory explains.

Without Observatory

✗

Log Archaeology

Grep through application logs across multiple services to reconstruct what happened.

✗

Timeline Guesswork

Piece together a sequence of events from scattered timestamps and partial context.

✗

Policy Ambiguity

Argue about whether policy applied — no structural proof that governance occurred.

✗

Reports from Memory

Produce a post-incident report from recollection, screenshots, and best guesses.

With Observatory

✓

Structured Query

Query the decision ledger by actor, action, time range, or delegation — every decision indexed.

✓

Governed Traces

Read a structured explanation with delegation, policy, and decision linked to the action that triggered it.

✓

Evidence Bundles

Export a tamper-evident evidence bundle for the review committee — decisions, not logs.

✓

Pattern Detection

Surface patterns across decisions — denials, approvals, escalations — before the next incident occurs. Derived from decisions, not logs.

Built For

Observatory is not a generic dashboard. It exists for three situations where governance evidence must be explained, not just recorded.

Incident Review

Trace any denied or escalated action back to the delegation, policy, and decision that governed it. Start from evidence, not logs.

Audit Preparation

Export time-bounded governance evidence for regulatory inquiry — decisions, delegations, policy versions, and outcomes.

Policy Refinement

Surface patterns in denials and overrides that signal miscalibrated policy or excessive approval toil — before the next incident.

Architecture

Observatory runs out-of-band, independent of any agent runtime or execution layer. It consumes Authority evidence records and governed traces; it does not gate actions. Observatory cannot influence decisions, execution, or policy evaluation — it only explains what Authority has already decided. Because Observatory operates outside the critical path, it cannot affect governance decisions or action latency. The decision ledger is the source of truth. Observatory exists because Authority produces deterministic, verifiable decision records. For audit committees and board reporting, Observatory provides the evidence surface that derives institutional assurance from governance decisions — structured proof that policy was enforced, not just defined.

Agent

intent

Authority

1 Evaluate policy + delegation 2 Render decision: ALLOW | DENY | ESCALATE 3 Commit receipt (append-only)

synchronous · before execution · eval time recorded

Tool / API

consequential action

Observatory

1 Ingest receipts / governed traces 2 Derive outcome explanations + advisory signals 3 Recommend policy refinements (human review)

asynchronous · after decision

What Observatory Tells You

When an action is denied, Observatory does not just report the outcome. It explains why — grounded in the delegation, policy, and rule that determined the decision.

Observatory Explain Example

What happened

DENY data.provision by ops-agent-03 against production-db-01

Fingerprint

a3132830dd7e…c39e21b

Policy

org/platform/data-provision-v2

Why

pass time_window

pass delegation_required

pass delegation_signature

pass delegation_expired

match delegation_scope — target outside delegation scope (staging only)

Narrative

ops-agent-03 requested data.provision against production-db-01. Delegation del-8k3m-9n2p restricts scope to staging resources only. Target production-db-01 is outside the delegation's permitted scope. Action denied at the delegation scope boundary.

Synthetic example. In production, Observatory derives this from the Authority decision ledger.

Evidence Interpretation

Observatory derives explanations from the Authority decision ledger across four diagnostic dimensions. Each is grounded in governance evidence — not inferred from logs, not reconstructed from metrics.

Governed Traces

Link an action's lifecycle to the decisions, delegation, and policy that governed it.

Actor

The principal and target of the action.

Root-Cause Narratives

Explain why an outcome occurred, grounded in what was authorised.

Governed Trace Example

action: data.provision
principal: ops-agent-03
target: production-db-01
decision: DENY

Root-Cause Narrative

Advisory Signals

3rd denied data.provision against production targets by ops-agent-03 this week. Repeated attempts suggest a workflow expecting production access that the delegation does not grant.
Consider issuing a production-scoped delegation or updating the workflow configuration for ops-agent-03.

Synthetic data for illustration. Not from a live system.

Evidence Bundles

Export time-bounded evidence for audit and incident review.

Advisory Signals

Surface where policy may be too strict or too permissive. Recommends refinements for human review — does not modify policy or influence decisions.

Every explanation traces directly to the Authority decision ledger. Nothing is inferred, estimated, or reconstructed from logs. The evidence surface is only as strong as the decisions it can trace.

Execution Assurance

Observatory provides execution assurance for autonomous systems by generating single-artefact governance attestations from the Authority decision ledger. No dashboard, no external service — a static, self-contained attestation artefact suitable for audit committees and board reporting.

Governance Evidence Report observatory_report.html — generated 2026-02-23T07:11:04Z

PASS Ledger chain verified — 11 records (seq 1–11)

integrity: verified
policy_hash: 3b4aa736101d…8f46760b4c9e
contract_hash: 399958dff9c2…e384fd0159c7

Ledger records

8 decisions + 3 outcome records

Decision records

Pre-execution governance decisions

High-risk escalations

Actions flagged for human approval

Decision matches

Rules that determined the outcome

The ledger chains every record — decision records capture pre-execution governance evaluations, outcome records capture downstream results after execution.

Decision	Count
ALLOW	3
DENY	4
ESCALATE	1

Top matched rules

default_allow3

delegation_required2

destructive_needs_approval1

approval_replay1

context_justification1

Excerpt from a single-artefact HTML governance report. The full report includes latency percentiles, sample decisions, and actor breakdowns.

Observatory explains. Authority decides.

Authority deep-dive