Defensive Intelligence
Defensive
Intelligence
← Insights/Perspective

Why We Built OBEL

What fifteen years in cybersecurity, a decade in automation, and one industry conversation in 2023 taught us about the gap nobody was filling.

DB

Denis Bouton

Founder & Chief Architect

December 10, 20257 min read
SharePostLinkedIn

In mid 2023, we were deep in the world of Robotic Process Automation, working alongside the global leader in that category, helping enterprises automate complex, high-volume workflows across finance, legal, and operations. AI was entering those conversations not as a replacement for RPA but as an accelerant. Customers and industry peers were beginning to ask: what does responsible, safe AI adoption actually look like at an enterprise scale?

That question about responsible and safe AI is what started OBEL. Not a whitepaper, not a market analysis, not a funding thesis. A recurring thread in conversations with people who understood automation well and were trying to understand where AI fit into the governance frameworks they had spent years building.

We came to those conversations with fifteen years of cybersecurity consulting behind us, working with enterprises and government agencies across the full stack: strategy, architecture, implementation, incident response. That background shaped a particular lens: every new technology capability creates a new attack surface, and the organisations that fare best are the ones that treat security as an architectural constraint from the outset, not an audit finding after the fact.

The most dangerous assumption in enterprise AI adoption is that the model is the risk. The prompt is the risk. The data flowing through the prompt is the risk. OBEL exists to govern that entire flow.

- Denis Bouton, Founder & Chief Architect, OBEL™

The insight that shaped the product

We set out to build in 2024. What we quickly discovered was that the market was not ready to fund a governance platform for a technology most enterprises had not yet seriously deployed. The idea was sound. Commercially, the timing was early. We course-corrected mid 2024, tightened the architecture, and kept building.

Two years later, the picture has changed entirely. Enterprise AI adoption has moved from exploration to operational dependency at a pace that has outrun most organisations' governance thinking. What felt like a forward-looking problem in 2023 is now an active, present one. The AI programs that were cautious pilots have become production workflows. The data flowing through them is real. The exposure is real. And the governance infrastructure, in most cases, still does not exist.

The core insight we kept returning to, drawn from our cybersecurity consulting work, was that security and user experience have historically been treated as a trade-off. More control meant more friction: approval gates, restricted access, reduced capability. Organisations accepted this trade-off because the alternative was worse. But it also meant that security measures were worked around by the very people they were designed to protect, because the governed option was too slow, too limited, or too inconvenient.

Security without the trade-off

OBEL was designed from the outset to remove that trade-off. The governance layer (classification, PII scrubbing, audit logging, sovereign blocking) operates entirely at the infrastructure level. It is not a user-facing control that employees need to interact with, remember, or route around. It is the infrastructure through which every AI interaction passes, invisibly, before reaching any model. The employee experience is access to the best available AI tools, fully supported, with no additional friction. The governance is built into the pipe, not bolted onto the interface.

This architecture reflects a principle we carried over directly from enterprise security consulting: the most effective controls are the ones people do not know they are subject to. Not because the controls are secret (they are documented, auditable, and visible to administrators) but because they do not require individual compliance decisions at the moment of use. The scrubber does not ask permission. The classification engine does not prompt for confirmation. The audit vault does not require a user action. Governance happens before the model call. Always.

Six principles written before a line of code

Classification before scrubbing. Sovereign block before the LLM. Scrubbed content only to the model. Audit vault before inference. Fail-shut, not fail-open. Governance owns the prompt layer, not the model. These principles are not configurable. They are the architecture. Everything else is built on top of them.

What we built and why it is structured this way

OBEL is not a model, a fine-tuning service, or an LLM provider. It is a governance layer: a secure, auditable proxy positioned between every user or agent and every AI model they reach. ARGUS-i™, our runtime engine, makes real-time decisions on every request: classify the content, apply the sovereign block gate, scrub what should not reach the model, commit the audit record, then dispatch to inference. If any step in that sequence cannot be confirmed, access is denied.

The RPA background matters here. We understood before we started building that governance at scale cannot be manual. In RPA, the discipline is designing workflows that are deterministic, auditable, and failure-safe, where exceptions are handled by design, not by hoping the operator notices. We applied the same discipline to the AI governance layer. The scrubber runs on every prompt, not on the prompts that look suspicious. The audit record is created before inference, not after. The sovereign block is a hard gate, not a warning. Deterministic governance at the request level, not probabilistic governance at the policy level.

The speed of change has settled the argument

In 2023, the case for AI governance was prospective: here is what will happen if enterprises adopt AI without a security architecture. By 2025, it is retrospective: here is what has happened, and here is the bill. The Samsung incident. The regulatory frameworks that have moved from consultation to enforcement. The cyber insurance questionnaires that now ask specifically about AI interaction logs and automated PII controls. The board questions that technology leaders cannot yet answer.

The organisations that took AI governance seriously early are discovering it has value they did not anticipate when they made the investment. The organisations that deferred it are discovering the cost of that deferral at the worst possible time: during an incident, a renewal, or a regulatory review.

We built OBEL on the conviction that secure-by-design and genuinely useful are not in tension. Two years in, that conviction is holding. The speed of change has not made governance harder. It has made it more necessary, and it has made the argument for doing it right from the start considerably easier to have.

The question is still the starting point

Does your organisation know what data is reaching your AI systems today? Is there a log? What would you produce if a regulator, an insurer, or a client asked for one? If those questions do not have clear answers, OBEL is built for that conversation.

SharePostLinkedIn

More in Perspective

Act before the incident does

Do you know what your AI program is sending out the door?

Most organisations do not - until they have to explain it to a regulator, an insurer, or a client. OBEL gives you the observability to see it and the enforcement to stop it. If this post has raised a question your current stack cannot answer, that is worth an urgent conversation.

Book an urgent briefingStart free trial