# Dobby AI — Full Context > The Data Policy Platform for AI — one control plane, multiple compliance modules. Today's flagship: Fintech AI Evidence. Dobby is a Data Policy Platform for AI. For centuries, organizations governed data through policy — written rules, approval chains, and audit trails a regulator, auditor, or counterparty could read. AI breaks that pattern: as organizations hand real decisions to AI (credit scoring, fraud triage, underwriting, hiring filters, supplier evaluation), the decisions still get made, but the governance disappears — there is no record a regulator will accept. Dobby exists to put data policy back under control: it connects to a customer's AI activity out-of-band, scans every run against the compliance frameworks that apply, surfaces the gaps with an honest four-state verdict, and exports an audit-ready evidence pack per framework. It is not a gateway, and it is out-of-band: Dobby never sits in the request path. Non-custodial by design — raw prompt/response payloads can be routed to a customer-owned dataset, enforced for regulated modules (Fintech AI Evidence) and available opt-in elsewhere. Built by Dobby AI, Inc., a Delaware C-Corp, in Israel (offices in Tel Aviv and Northern Israel). Website: https://dobby-ai.com Contact: hello@dobby-ai.com --- ## How Dobby works (the part that does not change) 1. **Connect, out-of-band.** Dobby reads run telemetry from the customer's AI workflows — built with CrewAI, LangChain, OpenAI, Google ADK, or a custom SDK. It is not a gateway: it never sits in the request path — always out-of-band. Non-custodial by design: Dobby can route raw payloads to a customer-owned dataset, and does so automatically for regulated modules like Fintech AI Evidence (where the write path refuses to fall back to Dobby's own store) and on request elsewhere. Where that routing is not configured, the raw run payloads are stored in Dobby's own dataset, alongside the metadata, findings, and signed evidence Dobby always holds. 2. **Activate modules per tenant.** Each tenant picks from Dobby's module library which compliance frameworks to enforce. Today's flagship is Fintech AI Evidence; additional modules are in development. 3. **Scan against the activated frameworks.** Every run is evaluated by deterministic rules plus AI evaluation, against the policies in the activated modules and the tenant's own custom policies, across a four-layer hierarchy (Platform → Org → Tenant → Process, stricter-wins). 4. **Find the gaps with a four-state verdict.** Per control: compliant, violated, needs-review, or unverifiable. Dobby never reports false compliance — when the evidence is not sufficient to prove a control, it returns "unverifiable" rather than a false pass. 5. **Export the evidence pack.** A self-contained, audit-ready package per framework: executive summary, control matrix, a severity-ranked gap report with remediation, findings, framework coverage, and a tamper-evident SHA-256 manifest. The deliverable is the artifact a bank's vendor-risk review asks for — not just a dashboard. --- ## Module library (current state) Dobby's architecture is multi-module; the customer-facing offering today is one live module, with positioning-only entries for the rest. ### Fintech AI Evidence — Live EU AI Act (Article 12 record-keeping, Article 14 human oversight), DORA, and SOC 2. Built for AI vendors selling into banks and fintechs who must pass a procurement / vendor-risk review, and for the fintech risk teams on the other side of that review. ### In development - **Enterprise Data Policy** — ISO 27001, NIST CSF, org-wide GDPR. For CISOs at regulated mid-market and enterprise organizations. - **Healthcare AI Compliance** — HIPAA, HITRUST, MDR. For clinical AI vendors and hospital compliance leads. - **Public Sector AI Trust** — NIST AI RMF, FedRAMP. For AI vendors selling to government and agencies. --- ## Who it's for (today) An AI vendor selling into banks and fintechs who must pass a procurement / vendor-risk review — and the risk team reviewing them. The pain is a *today* pain: procurement already asks for AI documentation (model records, oversight evidence, an audit trail), and vendors that cannot produce it stall in the review. --- ## What makes Dobby different - **Out-of-band and non-custodial by design.** Dobby connects to AI activity without sitting inline; its request path never carries customer data. Inline tools (gateways, firewalls) and log-ingestion platforms both ask the customer to route data or hand it over; Dobby's request path never does. On the data plane, Dobby holds metadata, findings, and signed evidence; raw prompt/response content is routed to a customer-owned dataset where one is configured — enforced for regulated modules (Fintech AI Evidence) and available opt-in elsewhere. Where no customer store is configured (e.g. a default or free org), Dobby stores the raw prompt/response content in its own dataset so the compliance scanner can evaluate it. - **The honest four-state verdict.** Dashboard-style compliance tools report pass/fail. Dobby adds "unverifiable" — and the evidence-sufficiency mechanism behind it knows when a control cannot be proven from the available telemetry, rather than reporting a false pass. - **The evidence pack as the deliverable.** A self-contained, procurement-ready artifact (control matrix + gap report + tamper-evident manifest), not a dashboard the buyer must log into. --- ## How to connect your agents Dobby's recommended path is the out-of-band Collector SDK — instrument your agent in a few lines, and stream run telemetry to Dobby after the fact, never in the request path: - Python: `pip install dobby-collector` - Node.js / TypeScript: `npm install @dobbyai/collector` The Collector works with any framework — LangChain / LangChain.js, CrewAI, AutoGen, the OpenAI SDK, Google ADK, Mastra, the Vercel AI SDK, or manual instrumentation. Teams that want in-path enforcement can use Dobby's connectivity modes (Inline, Hybrid, Surrounding, Shadow) instead of or alongside the SDK; the SDK / out-of-band path is the default capture path. Point a workload at a customer-owned dataset to keep raw payloads in your environment (non-custodial — enforced automatically for regulated modules such as Fintech AI Evidence, and available opt-in elsewhere). Quick start: https://dobby-ai.com/docs/quick-start --- ## Inline Control Points (developer SDK) Beyond out-of-band capture, Dobby's Python SDK exposes an inline **control point** — the developer-invoked complement to the out-of-band model. A control point asks Dobby for a policy verdict *before* an agent runs a risky action, lets the developer's own code enforce the decision, and reports back what the code actually did. This is the classic **Policy Decision Point / Policy Enforcement Point** split (XACML / NIST): Dobby is the PDP (it decides), the developer's code is the PEP (it enforces). It is the same family as OPA, Cerbos, Oso, OpenFGA, Permit.io, and Cedar — ask-the-PDP-in-code — but with one thing none of them have: it records what the code *did* with the verdict (honored or overridden), turning enforcement into a measurable **adherence** signal (continuous control attestation) that a gateway cannot produce. A gateway enforces 100% of the time but knows nothing about developer cooperation; the control point measures exactly that, rolled up across the Platform → Org → Tenant → Process hierarchy. Install (control points ship in 0.3.0+): `pip install "dobby-ai-sdk>=0.3.0"` Canonical idiom — enforce() is fail-closed (it raises on a blocking verdict): from dobby_sdk import DobbyClient, DobbyPolicyDenied client = DobbyClient(api_key="sk_live_...", org_id="org_...", tenant_id="tenant_...") try: client.controls.enforce("send_external_email", arguments={"to": addr}) send_external_email(addr) # runs only if the policy allowed it except DobbyPolicyDenied as denied: # your code is the enforcement point: stop, then report the honored stop client.controls.report(denied.verdict.decision_id, honored=True, action_taken="stopped") Alternatively, check() returns a Verdict and never raises on a deny — branch yourself: verdict = client.controls.check("run_command", arguments={"cmd": cmd}) if verdict.allowed: run_command(cmd) else: print(verdict.reason) # verdict.action / verdict.decision_id also available client.controls.report(verdict.decision_id, honored=True, action_taken="stopped") Always call report() with what the code did: honored=True (stopped) or honored=False (overridden — proceeded despite the deny). The honored/(honored+overridden) ratio is the adherence rate, surfaced on the Policy Adherence dashboard per Org / Tenant / Process. In shadow mode the verdict comes back as pass (nothing blocks), so you can roll control points out and measure adherence before you enforce. Docs: https://dobby-ai.com/docs/sdk/python#control-points --- ## Platform capabilities - **4-layer policy hierarchy** — Platform → Org → Tenant → Process, stricter-wins. - **Four-state verdict** — compliant / violated / needs-review / unverifiable. - **Connectivity modes** — Native Telemetry SDK (out-of-band; non-custodial by design — raw payloads can be routed to a customer-owned dataset, enforced for regulated modules and available opt-in) plus Inline / Hybrid / Surrounding / Shadow for teams that want in-path enforcement. - **Governance controls** — a catalog of policy controls (policy-as-code, least-agency, smart routing, supply-chain, hallucination detection, and more), with deterministic and AI evaluation. - **Evidence Pack** — executive summary, control matrix, gap report, findings, framework coverage, SHA-256 manifest. - **Multi-tenant isolation** — workspace isolation with regional data residency (Israel, EU, US), 3-level RBAC, enterprise SSO (SAML / OIDC), SCIM provisioning, GDPR support. --- ## Pricing | Plan | Price | Notes | |------|-------|-------| | Free | $0/mo | Get started, no credit card | | Pro | $99/mo | Growing teams | | Team | $499/mo | Collaboration, advanced analytics | | Enterprise | from $2,500/mo | SSO, custom SLAs, dedicated support | Pricing page: https://dobby-ai.com/pricing --- ## Technical details - Frontend: Next.js 15, React 19, TypeScript (strict), Tailwind CSS - Backend / engine: Python 3.11 (FastAPI) + TypeScript services (Fastify) - Database: Google BigQuery (multi-region: Israel, EU, US) - Cache & queue: Valkey 8 (Memorystore) - Infrastructure: Google Cloud Platform, GKE (Kubernetes), Docker, Cloud Build CI/CD - Authentication: Google OAuth + Enterprise SSO (SAML / OIDC) + API keys - Security: AES-256-GCM encryption, per-tenant key derivation, immutable 365-day audit trail - Payments: Stripe --- ## Company - Dobby AI, Inc. — Delaware C-Corp - Built in Israel — offices in Tel Aviv and Northern Israel - Regional data residency: Israel, EU, US - Founded 2026 --- ## Getting started 1. Sign up at https://dobby-ai.com 2. Create a workspace and choose your data region (IL / EU / US) 3. Connect your AI workflow with the Collector SDK (`pip install dobby-collector` or `npm install @dobbyai/collector`) 4. Activate the Fintech AI Evidence module and scan your runs against EU AI Act + DORA + SOC 2 5. Export your first audit-ready evidence pack Quick start guide: https://dobby-ai.com/docs/quick-start --- ## Blog Articles ### The 4 Control Modes of AI Governance URL: https://dobby-ai.com/blog/four-control-modes The AI gateway was the wrong unit. Governance needs a framework that covers the traffic you control, the traffic you observe, and the traffic you don't know exists. Here are the 4 Control Modes that define the category. Keywords: ai control plane, ai governance framework, llm gateway, ai gateway alternative, ai governance modes, shadow ai governance, mcp governance, ai security framework ### 5-Minute LangChain Observability: Cost, Latency, and Policy Without Rewriting a Line URL: https://dobby-ai.com/blog/langchain-observability-5-minutes Your LangChain agent is a black box in production. Here's how to get cost per run, full trace history, and policy enforcement by changing one environment variable — no SDK swap, no code rewrite. Keywords: langchain observability, langchain monitoring, langchain security, langchain cost tracking, langchain gateway, langchain production observability, langsmith alternative, openai-compatible gateway ### LangSmith vs Control Plane: Observability Isn't Enough URL: https://dobby-ai.com/blog/langsmith-vs-ai-control-plane LangSmith and Helicone show you what your LLMs did. A control plane stops them from doing it. Here is the gap between LLM observability and AI agent governance. Keywords: langsmith alternative, helicone vs langsmith, llm observability vs control plane, ai agent governance tools, llm monitoring limits, ai control plane vs observability ### Why CrewAI Agents Need an External Control Plane URL: https://dobby-ai.com/blog/crewai-external-control-plane CrewAI is great for building multi-agent workflows. It is not a governance platform. Here is why production CrewAI deployments need an external control plane. Keywords: crewai governance, crewai production, crewai control plane, crewai monitoring, manage crewai agents, crewai enterprise ### Per-Tenant Gateway Profiles for Multi-Tenant AI Policy URL: https://dobby-ai.com/blog/per-tenant-gateway-profiles-policy-overrides One gateway, 50 tenants with different policies? Per-tenant gateway profiles give each tenant its own budget, models, and DLP via a 5-layer merge. Keywords: multi-tenant ai gateway, per-tenant llm policy, ai tenant isolation, gateway profile override, enterprise ai multi-tenancy, tenant-level ai policy ### AI Data Leak Prevention: 26 DLP Patterns at the LLM Gateway URL: https://dobby-ai.com/blog/content-shield-dlp-26-patterns AI agents leak PII, credit cards, and API keys daily. 26 DLP patterns at the gateway level catch them before they reach the provider — block, redact, or alert. Keywords: ai data loss prevention, llm dlp, ai content filtering, pii detection ai, api key leak prevention, content shield ai agents ### AI Agent Versioning: How to Roll Back a Config in Production URL: https://dobby-ai.com/blog/agent-versioning-rollback-production When an agent config change breaks production, git revert is not enough. How immutable agent versioning + one-click rollback actually work for AI agents. Keywords: ai agent versioning, agent config rollback, immutable agent config, ai agent history, agent version diff, production ai rollback ### AI Agent Kill-Switch: 5-Second Stop for Runaway Agents URL: https://dobby-ai.com/blog/ai-agent-kill-switch-emergency-stop When an AI agent goes rogue, you have minutes before the bill, the data leak, or the PR incident. A kill-switch is the 5-second stop — here is how to build one. Keywords: ai agent kill switch, ai agent emergency stop, runaway ai agent, llm kill switch, ai incident response, ai agent safety controls ### Shadow AI: The Metric You're Not Measuring URL: https://dobby-ai.com/blog/shadow-ai-metric-youre-not-measuring Your org has 10× more AI in production than you think. Here's why traditional DLP misses it, what the right metric looks like, and how to build a governance score your board can trust. Keywords: shadow ai, shadow ai detection, ai governance metric, ai control plane, unmanaged ai usage, ai governance score, ciso ai governance, ai agent discovery ### Prompt Injection Defense: 14 Firewall Hooks Before the LLM URL: https://dobby-ai.com/blog/prompt-injection-defense-firewall-hooks Prompt injection is the top AI agent attack vector. Here are 14 firewall hooks that run before the LLM sees a request — from auth to DLP to content shield. Keywords: prompt injection defense, ai agent firewall, llm security hooks, prompt injection detection, ai content filtering, llm gateway security ### Agent Mode Quickstart: First Managed LLM Call in 2 Minutes URL: https://dobby-ai.com/blog/gateway-quickstart-agent-mode Register a named AI agent, get a service key, and fire a pre-filled test request — all in 2 minutes. The new Agent Mode quickstart in Dobby's Agentic Gateway. Keywords: agentic gateway quickstart, ai agent service key, gk_svc key, openai-compatible gateway, register ai agent, gateway test request ### Webhooks Are Live on Dobby Gateway URL: https://dobby-ai.com/blog/webhooks-live-on-dobby-gateway Subscribe to signed HTTP events — approvals, kill-switches, policy blocks — from Dobby Gateway. HMAC-SHA256 signed, retried on 5xx, landed in a DLQ on 4xx, inspectable in the admin dashboard. Here's how it works and why we built it the way we did. Keywords: ai agent webhooks, llm gateway webhooks, dobby webhooks, hmac webhook signature, agent approval webhook, ai policy violation webhook ### Connect Google ADK Agents to Dobby: MCP, A2A, and Webhook Integration (3 Paths) URL: https://dobby-ai.com/blog/connecting-google-adk-agents-to-dobby Integrate agents built with Google's Agent Development Kit (ADK) via MCP, A2A, or webhooks. Monitoring, approval gates, and per-agent cost tracking — with working code examples. Keywords: google adk integration, adk control plane, adk monitoring, agent development kit, adk mcp integration, a2a protocol, adk cost tracking, google vertex ai agents ### Headless AI Agent SDK: Manage CrewAI and LangChain from CI/CD, Terraform, or Code URL: https://dobby-ai.com/blog/headless-external-agent-management Register, trigger, schedule, and cost-track CrewAI / LangChain / custom AI agents from CI/CD pipelines, Terraform, or another AI agent. New in @dobbyai/sdk v0.2.0 (Python + JavaScript). Keywords: headless ai agent management, ai agent sdk python javascript, programmatic crewai management, external agent api, ci cd ai agent, terraform ai agents, ai agent control plane sdk, dobbyai sdk ### Per-Agent LLM Cost Tracking: How We Built a Gateway for 13 Providers (OpenAI, Claude, Gemini) URL: https://dobby-ai.com/blog/track-per-agent-llm-costs Most teams know their total LLM spend. Few know which agent costs what. How we built an agentic gateway that breaks down cost per agent, per model, per day — across 13 providers, with one line of code. Keywords: track ai agent costs, per agent llm cost tracking, ai gateway cost monitoring, openai cost per agent, llm proxy cost tracking, ai agent finops, multi-provider llm costs, claude gemini cost tracking ### External AI Agent Management: Schedule, Trigger, and Audit CrewAI + n8n from One Place URL: https://dobby-ai.com/blog/external-agent-management Your AI agents run on CrewAI, n8n, Make, LangChain, or custom infrastructure. Add scheduling, webhook triggers, approval gates, and audit trails — without touching agent code. Keywords: external agent management, bring your own agent, manage crewai agents, ai agent scheduling, ai agent webhook trigger, manage n8n agents, byoa, external ai agent monitoring ### AI Agent Observability: 4 Pillars of Monitoring (Audit, Cost, Health, Anomalies) URL: https://dobby-ai.com/blog/ai-agent-observability-monitoring Real-time visibility into your AI agent fleet. The 4 pillars every agent platform needs: audit trails, cost dashboards, health checks, and anomaly detection. Keywords: ai agent monitoring, ai agent observability, agent audit trail, ai agent dashboard, ai agent anomaly detection, llm observability, ai health monitoring, agent telemetry ### AI Agent Security: 5 Critical Risks Most Teams Ignore (and How to Fix Them) URL: https://dobby-ai.com/blog/ai-agent-security-best-practices Prompt injection, credential exposure, data leakage, model poisoning, uncontrolled access — the 5 AI agent security risks most teams miss. Plus the defenses that actually work in production. Keywords: ai agent security, ai agent risks, secure ai agents, ai agent vulnerabilities, prompt injection defense, ai credential security, ai data leakage prevention, ai agent attack vectors ### AI Agents Are at Their Kubernetes Moment: Why 2026 Needs a Control Plane URL: https://dobby-ai.com/blog/kubernetes-for-ai-agents Containers had chaos before Kubernetes. AI agents are there now — scattered across CrewAI, LangChain, OpenAI, and custom code. The parallel, and what a control plane delivers. Keywords: kubernetes for ai agents, ai control plane, container orchestration ai, agent orchestration platform, ai infrastructure 2026, ai agent kubernetes analogy, ai ops, ai platform evolution ### AI Agent RBAC: 3-Level Hierarchy with 6 Permission Roles (Platform, Org, Tenant) URL: https://dobby-ai.com/blog/ai-agent-rbac-access-control Design a 3-level RBAC hierarchy for AI agent platforms. Platform, organization, and tenant roles with 6 permission levels — plus fine-grained controls for multi-tenant enterprise deployments. Keywords: ai agent rbac, ai platform access control, role based access ai, agent permissions, multi-tenant rbac, ai agent roles, enterprise rbac ai, ai permissions hierarchy ### AI Agent Control Plane: The Missing Infrastructure Layer for 2026 URL: https://dobby-ai.com/blog/control-plane-for-ai-agents Kubernetes gave containers a control plane. Datadog did it for servers. AI agents are next — and the stakes are higher. What a control plane actually delivers, and why every AI team needs one. Keywords: ai agent control plane, ai agent management platform, ai agent governance, multi-framework agent orchestration, enterprise ai agent monitoring, ai infrastructure layer, ai agent platform, ai ops ### CrewAI vs LangChain vs OpenAI Assistants: 2026 AI Agent Framework Comparison URL: https://dobby-ai.com/blog/choosing-ai-agent-framework CrewAI for multi-agent workflows, LangChain for flexibility, OpenAI Assistants for simplicity — or custom. A 2026 side-by-side comparison, and why how you manage agents matters more than which framework you pick. Keywords: crewai vs langchain, ai agent framework comparison, best ai agent framework, choose ai framework, openai assistants vs langchain, ai agent framework 2026, crewai tutorial, agent framework selection ### Human-in-the-Loop AI: 5 Approval Gate Patterns That Keep Agents Safe URL: https://dobby-ai.com/blog/human-in-the-loop-ai-agents Fully autonomous AI agents sound exciting — until one overspends your budget or sends the wrong email. 5 approval gate patterns that keep agents productive, auditable, and safe. Keywords: human in the loop ai, ai agent approval gates, ai agent kill switch, ai agent safety controls, ai agent governance approvals, hitl ai, ai approval workflow, ai agent guardrails ### Manage CrewAI, LangChain, and OpenAI Agents from One Dashboard URL: https://dobby-ai.com/blog/multi-framework-agent-management Your team uses CrewAI for orchestration, LangChain for RAG, and OpenAI Assistants for customer flows. Unified management, monitoring, and cost tracking — from one dashboard, across every framework. Keywords: manage ai agents multiple frameworks, crewai langchain openai, multi-framework ai agents, unified agent management, ai agent control plane, framework agnostic ai, manage crewai agents, cross-framework ai ### AI Agent Cost Control: 7 Token Budgets and Quotas That Stop Runaway LLM Spend URL: https://dobby-ai.com/blog/ai-agent-cost-control A single runaway AI agent can burn your monthly LLM budget in a weekend. 7 controls — token budgets, per-provider quotas, circuit breakers — that keep AI agent spend predictable. Keywords: ai agent cost control, llm cost management, token budget ai agents, ai finops, llm spending limits, ai agent budget management, llm rate limiting, openai claude cost control ### Dobby AI Quickstart: Connect Your First AI Agent in 5 Minutes URL: https://dobby-ai.com/blog/getting-started-with-dobby A practical step-by-step guide to connecting your first AI agent to Dobby, setting up governance policies, and running your first fully monitored and audited task. Keywords: dobby ai getting started, ai agent platform tutorial, connect ai agents, ai agent setup guide, ai agent workspace, dobby quickstart, ai agent onboarding, first ai agent ### MCP Protocol Explained: How AI Agents Call Real Tools and APIs (JSON-RPC) URL: https://dobby-ai.com/blog/mcp-protocol-explained The Model Context Protocol (MCP) gives AI agents structured access to tools and APIs via JSON-RPC. What it is, how it works, and why Anthropic, Claude, Cursor, and ChatGPT all speak it. Keywords: model context protocol, mcp protocol explained, ai agent tools, mcp server, ai agent ide integration, json-rpc ai tools, anthropic mcp, claude mcp, cursor mcp ### AI Agent Governance: 5 Controls Every Enterprise Needs (Policies, Approvals, Audit) URL: https://dobby-ai.com/blog/why-ai-agents-need-governance Without centralized governance, AI agents create security risks, budget overruns, and compliance gaps. 5 controls — policies, approvals, audit trails, cost limits, kill-switch — that make agents enterprise-safe. Keywords: ai agent governance, ai agent security, ai agent compliance, enterprise ai governance, ai agent policy enforcement, ai approval workflow, ai audit trail, soc2 ai agents ### Agentic Gateway Explained: Auth, Cost Tracking, and Policy for Every LLM Call URL: https://dobby-ai.com/blog/agentic-gateway-explained The agentic gateway is a unified proxy that authenticates, meters, and enforces governance on every LLM and MCP request. Why every AI platform needs one, and how to build it. Keywords: agentic gateway, llm api gateway, ai agent proxy, llm cost tracking, mcp server, llm rate limiting, ai policy enforcement, llm traffic control --- ## Key Pages - Home: https://dobby-ai.com - About: https://dobby-ai.com/about - Pricing: https://dobby-ai.com/pricing - Blog: https://dobby-ai.com/blog - Contact: https://dobby-ai.com/contact - Documentation: https://dobby-ai.com/docs - Quick Start: https://dobby-ai.com/docs/quick-start - Trust & Security: https://dobby-ai.com/trust - Status: https://dobby-ai.com/status