AlchemiStudioAlchemiStudio
Product 01For Admins & Security Teams

Cockpit

Your organization's AI control plane.

Complete visibility and control over every AI agent, model, and tool in your organization — budgets, access, compliance, and audit trails from one place.

Book a DemoSee how it works

2,847 events / hr

100%

Audit coverage

RBAC

Per-agent access

Real-time

Budget enforcement

Guardrails

Build and assign guard pipelines to any agent instantly.

PII Redact
Jailbreak
Toxic Content
Secret Scanning
Custom Regex
4 active guards

Spend Control

Allocate budgets per team, set thresholds, and block overspend.

Monthly$8,241
0$12,000
Engineering72%
Product55%
Marketing38%

Access Policies

Three-tier RBAC — account, group, and individual overrides.

Account Defaults
Engineeringoverride
Product
agent-writerexcept
Models allowed4 / 12

Audit Trails

Immutable log of every agent action, model call, and policy event.

14:03:21
Model call
14:03:18
PII blocked
14:03:12
Tool approved
14:03:09
Budget alert
14:03:01
Policy updated

Six capabilities

Six capabilities.
One control plane.

Each capability is independently powerful. Together they form a complete AI governance layer for your organization.

capability.01ENFORCED

Guardrails

Build guard pipelines from 8 guard types: PII redaction, jailbreak detection, toxic content filtering, secret scanning, LLM judging, content restrictions, topic controls, and custom regex. Assign pipelines to any agent, team, or account — changes apply instantly without redeploying any agents.

  • 8 guard types: PII, jailbreak, toxic, secrets, LLM judge, topic, content, regex
  • Pipeline assignments at account, group, or individual agent level
  • Every intercepted threat logged and traceable in the audit log
  • Changes cascade instantly without agent restart or redeployment
SOC 2HIPAAGDPRISO 27001
Request a Cockpit demo →

Guardrail Studio

2 pipelines · 8 guard types available

Live

Pipeline: customer-support

→ Input
PII
TOX
JBK
SEC
Output ✓
PII DetectionEnabled

Detect and mask personally identifiable information in prompts and responses.

Scope: All pipelinesAction: Block & log
On InputOn OutputApplied to 47 agents
capability.02ENFORCED

Credit Allocation & Spend Control

Allocate AI credits across teams, agents, and projects with precision. Set multi-threshold alerts, configure burn-rate velocity alerts, forecast end-of-month spend, and rebalance budgets mid-period. No agent code changes required — governance is pure Cockpit configuration.

  • Per-team and per-agent credit budgets with hard caps
  • Multi-threshold alerts at configurable 50%, 80%, and 100% marks
  • Burn-rate velocity monitoring to catch spend anomalies early
  • Rebalance and reallocate credits without touching any agent code
FinOpsFinanceBudget Alerts
Talk to us about spend controls →

Spend Tracker

April 2026 · real-time

Total MTD

$23,570

Forecast EOM

$31,200

Alerts

1 active

Sales$7,100 / $10,000

71% of budget used · alert sent

Engineering$14,200 / $25,000
Marketing$1,850 / $5,000
HR$420 / $2,000
capability.03ENFORCED

Access Policies

Control access to models, agents, and connections at three levels: account-wide defaults, group-level overrides, and individual exceptions. Changes cascade instantly through the policy hierarchy — no redeployment, no agent restart. One policy update governs all agents simultaneously.

  • Three-tier hierarchy: account defaults → group overrides → individual exceptions
  • Model allowlists, tool restrictions, and connection approvals
  • Instant cascade — no agent restarts or redeployment needed
  • Exception handling for edge cases without policy drift
RBACZero TrustIAM
Get early access →

Access Policies

Account → Group → Individual · 3-tier override

Account-wideSalesalice@co.combaseline
Models
OA
gpt-4o
Allow
AN
claude-3.5-sonnet
Deny
GG
gemini-2.0-flash
Deny
OA
gpt-4o-mini
Allow
Connections
SF
Salesforce CRM
Allow
SL
Slack
Allow
GH
GitHub
Deny
capability.04ENFORCED

Immutable Audit Trails

Every agent action, model call, and policy decision is logged with tamper-proof integrity. Filter by user, team, model, date range, or outcome. Export directly to your SIEM — Splunk, Datadog, or any webhook-compatible target. Compliance evidence ready in two clicks.

  • Every model call, tool invocation, and policy event logged
  • Tamper-proof with cryptographic integrity verification
  • Filter by user, team, model, date range, or policy outcome
  • One-click SIEM export: Splunk, Datadog, CSV, or webhook
SIEMSplunkDatadogCompliance
See Cockpit audit trails →

Audit Log

Tamper-proof · SIEM export ready

TimeActorEventHash
09:58:31pipeline-bot
tool.callweb.search(brave) · 312ms
a3f8c1
09:58:30pipeline-bot
llm.completionclaude-3.5 · 1,204 tokens · $0.009
2b7e44
09:57:44admin@co.com
policy.updatePII rule updated · Marketing
9d12fa
09:57:01finance-bot
tool.blockedexternal-api.call → denied
c6a391
09:56:12alice@co.com
agent.createdPipeline Follow-up Bot v2
e72b88
capability.05ENFORCED

Agent & Model Access Management

Control exactly which models each team can access. Approve or deny tool connections. Revoke access for any user, team, or agent in a single action — effective immediately. SSO and SCIM integration means your identity provider governs AI access automatically as teams grow.

  • Per-team model allowlists — teams only see approved models
  • Tool connection approval workflow with full audit trail
  • Instant revocation for any user, agent, or team
  • SCIM provisioning — new employees inherit correct access automatically
SSOSCIMOktaAzure AD
Talk to our IT team →

Model Access Control

Per-team model allowlist

AN
claude-3.5-sonnet
✓ Allowed
OA
gpt-4o
✕ Blocked
GG
gemini-2.0
✕ Blocked
OA
gpt-4o-mini
✓ Allowed
capability.06ENFORCED

Observability & Tracing

See every request, every tool call, and every cost in real time across the entire platform. Drill into any agent run and view the full span trace: LLM calls, tool invocations, token counts, and latency breakdown. Replay any failure without reproducing it in production.

  • Live trace view for every agent run across the entire org
  • Span detail: LLM calls, tool calls, token counts, latency, cost
  • Replay any failure locally — no production reproduction needed
  • Platform-wide observability, not siloed to individual teams
APMOpenTelemetryTracing
Request a Cockpit demo →

Trace Explorer

Every run · full span detail · replay ready

trace #8a2fpipeline-bot✓ Success1.42s

Span timeline

llm.completion
428ms
tool: web.search
312ms
tool: db.write
84ms
tool: slack.post
120ms

Onboarding Tour

From zero to governed in four steps.

Most organizations go from setup to full AI governance in under a day. Here is exactly how it works.

Step 01

Connect your identity provider

Cockpit integrates with Okta, Azure AD, Google Workspace, or any SAML/OIDC provider. Your existing groups and users are imported automatically via SCIM. No manual user list to maintain.

Step 02

Set your first access policy

Pick which models your teams are allowed to use. Set budget caps per department. Assign guardrail pipelines — PII redaction, jailbreak blocking, secret detection — to any group in minutes.

Step 03

Deploy to your teams

Your Copilot and Console users log in with their existing SSO credentials. Every agent they create or run is automatically governed by the policies you just set — no per-agent configuration required.

Step 04

Monitor, audit, and iterate

The Cockpit dashboard shows live spend, active agents, and policy events in real time. The audit log captures everything tamper-proof. Export to your SIEM. Tune policies as you learn how your teams use AI.

Use Cases

Where Cockpit changes the game.

Real-world scenarios where each Cockpit capability earns its place in your AI governance stack.

GuardrailsCISO · Financial Services

Passing your next AI compliance audit

Auditors want proof no customer PII leaked through AI systems in 90 days. With Cockpit, you export the immutable audit log filtered by team and date in two clicks — with every guardrail event listed.

  • Tamper-proof log of every guardrail trigger
  • PII interception rate tracked per team
  • SIEM-ready export in one click
Spend ControlCFO · Enterprise

Preventing the $4,000 runaway model incident

A misconfigured model routing consumed $4,000 of budget in six hours. With Cockpit's burn-rate velocity alerts, you'd see the anomaly at $200 and receive a notification before it becomes a crisis.

  • Burn-rate velocity alerts fire early
  • Hard cap stops spend before budget is exceeded
  • Per-agent attribution shows exactly what ran up the bill
Access PoliciesIT Director · Healthcare

Rolling out AI to 40 teams with zero shadow AI

All 40 business teams are on Copilot, each with different tool access and model permissions. Cockpit's three-tier policy hierarchy means one policy set governs all of them — no per-team configuration needed.

  • One policy set governs all teams simultaneously
  • Group overrides for exceptions without policy drift
  • New teams inherit org-wide defaults automatically
Audit TrailsCompliance Lead · Legal / RegTech

Board-level AI governance report in one export

Board wants a quarterly AI usage and compliance report. Cockpit's immutable audit trail includes every model call, tool use, and policy event. Filter by date, export to CSV, and have the report in minutes.

  • Complete log: model calls, tools, policy decisions
  • Filter by date, team, model, or outcome
  • CSV and SIEM export for any reporting format
Access ManagementPlatform Engineering · SaaS / Tech

Onboarding a new team in under five minutes

A new product team joins. With SCIM provisioning, their group is imported from Okta automatically. Cockpit assigns the org's default model allowlist, budget, and guardrails — zero manual configuration required.

  • SCIM import from Okta, Azure AD, Google Workspace
  • Default policies apply to new groups automatically
  • Instant revocation if a team leaves or policy changes
ObservabilitySecurity Engineer · Enterprise SaaS

Real-time anomaly detection across 200 agents

With 200 agents running across 30 teams, a spike in tool invocations at 2am would be invisible without platform-wide tracing. Cockpit's observability layer surfaces it before it becomes a security incident.

  • Live trace view across every agent org-wide
  • Drill into any run without touching production
  • Unusual patterns visible before they escalate

Full Capability List

Everything Cockpit can do.

Guardrail Pipelines

8 guard types — PII, toxic content, jailbreak, secrets, content filter, LLM judge, custom regex, topic restriction. Assign pipelines to any group or agent.

Credit Allocation & Spend

Allocate AI credits per team. Multi-threshold alerts. Hard-stop enforcement. Burn-rate velocity monitoring. No agent code changes needed.

Access Policies (3-tier)

Account-wide defaults, group overrides, individual exceptions. Cascade instantly. Supports model allowlists, tool restrictions, and connection approvals.

Immutable Audit Trails

Every agent action logged and tamper-proof. Filter by user, team, model, or date range. Export to Splunk, Datadog, or any SIEM via webhook or CSV.

SSO / SCIM / RBAC

SAML and OIDC integration. Automated user provisioning via SCIM. Role assignment at team, workspace, or agent level. Supports Okta, Azure AD, Google Workspace.

Observability & Tracing

Live trace view for every agent run. Token counts, latency, tool calls, cost per run. Drill into any span. Replay failures without reproducing them in prod.

The Platform

Cockpit governs the whole platform.

Every policy you set in Cockpit automatically applies to every product in AlchemiStudio — whether teams use Copilot, Console, or Compute.

Copilot

Business teams build agents inside Cockpit's guardrails. Every workflow is governed automatically.

See Copilot →
Console

Developers deploy agents via Console APIs. Cockpit controls which models and tools are available per environment.

See Console →
Compute

Every agent run spins up in an isolated Compute sandbox. Cockpit policies are enforced before the sandbox even starts.

See Compute →