
How BonsAI Works


Why governance fails to reach the decisions that matter

Most organisations have more governance and guidance than they realise. Risk frameworks, compliance policies, legal guidelines, department and company-level goals, approval authorities, ethical commitments — years of careful work by compliance teams, legal counsel, strategic planners, and risk functions. The documents exist. The frameworks are sound. The intentions are genuine.

The problem is that governance lives in documents, and decisions happen in conversations, emails, spreadsheets, and meetings. The two rarely meet at the right moment. By the time someone checks whether a decision is aligned with policy — if they check at all — the decision has often already been made.

This is not a failure of intent. It is a structural problem. Governance is written once, stored centrally, and expected to reach thousands of decisions made by hundreds of people every day.

No policy document has ever read a news alert and flagged a regulatory risk. No compliance handbook has ever told a procurement manager that the supplier they are about to onboard conflicts with the company's ESG commitments. No legal framework has ever sent an alert before a marketing claim went out that needed review.

BonsAI is built on one principle: governance should be present at the moment of the decision — not reviewed after the damage is done.

📄 Governance is written and stored
Policies, frameworks, risk thresholds. Carefully crafted. Stored in a shared drive, a GRC system, or a document repository. Accessible to anyone — but only if they know to look.
Decisions happen continuously
Procurement, legal, finance, marketing, HR — decisions are made every day across every team. Most don't consult governance. Not because people are negligent, but because there is no mechanism that makes governance present at the right moment.
💥 The gap becomes visible — too late
A regulatory breach. A supplier that should not have been onboarded. A marketing claim that triggers a recall. In every post-mortem, the same finding: the policy existed, the information was available, but nobody connected them at the right moment.
BonsAI closes the gap
Your governance, active at the moment of every relevant decision — before anything is executed.

How BonsAI helps govern and align every decision in your organisation

BonsAI provides a dedicated governance function for each of your active domains — Risk & Compliance, Legal Exposure, Brand & Communications, Supplier & Sourcing, and more. Each function runs continuously and is configured entirely from your organisation's own governance.


Each domain function is configured with your organisation's own governance. There are no generic templates or industry averages — these are your policies, your risk thresholds, your decision authorities, your approval rules, your goals and guidelines. The specific commitments your organisation has made.

Once configured, each domain function runs continuously and independently. On a regular cycle, it:

  • Pulls relevant external signals: regulatory updates, industry news, and market developments relevant to its governance domain.
  • Reviews its own recent reasoning and the current state of your organisation's governance.
  • Generates a governance thought: structured reasoning that identifies tensions, risks, or required actions.
  • Shares that thought with peer domains, which read it and respond from their own governance perspective.

The result is a governance function that is always working, always current, and always grounded in what your organisation has actually committed to.

BonsAI Architecture — Agent Layer
Your Governance
Policy documents Risk frameworks Approval authorities Decision thresholds Onboarding conversation
↓ embedded into ↓
Governance Layer (12 domains · 48 sub-domains)
R&C Legal Brand Supplier Capital Data & AI + 6 more
↓ active for ↓
Your Organisation
Employee guidance Escalations Audit trail Autonomous thinking Inter-agent dialogue
Deep Search — Intelligence on demand

Enterprise administrators can query the full governance intelligence layer across their organisation using Deep Search. Ask a natural language question across your entire governance memory — every domain thought, every governance chunk, every escalation — and receive scored results with an AI-generated synthesis. Or run structured queries directly against your governance data tables to find exactly what you need.

Semantic Search
Natural language (conversational) queries across your enterprise's governance memory return top results relevant to your query in both a discussion format and search result cards.
Structured Search
Explore your enterprise's governance memory using direct queries (filters) across your governance data tables. Filter, sort, and export to HTML or CSV.
Role-Aware Scope
Enterprise-level admins can search across their entire enterprise, domain-level admins can search within their domains. You decide who can search for what.

How agents think together across governance domains

Every BonsAI governance agent runs a continuous thinking cycle throughout the day, whether your people are in the office or not.

On each cycle, the agent pulls real-time regulatory updates relevant to its domain, retrieves your organisation's governance context from memory, and generates a new structured thought — specific reasoning grounded in your actual policies against what is happening in the world right now.

After two weeks of running, your agents have built something no prompt can replicate. They have accumulated a working map of how your governance interacts with real-world dynamics, which tensions keep surfacing, and where your policies meet external pressure. When an employee asks a question, the agent has already been thinking about that domain for weeks.

Every thought, every inter-agent message, and every piece of reasoning is stored, timestamped, and searchable. If you need to show a regulator that your governance function was monitoring a specific risk during a specific period, the evidence is already there.

🧠 Agent Thoughts
💬 Inter-Agent Dialogue
📡 Sector Intelligence
Last updated 6 min ago · 3 agents active
Risk & Compliance 23 min ago
EU AI Act enforcement timeline confirmed: high-risk AI systems must complete conformity assessment by August 2026. Our current AI-assisted credit scoring tool likely qualifies as high-risk under Article 6. Conformity assessment has not been initiated. Escalation to compliance lead required within 30 days.
External signal: EUR-Lex regulatory update — EU AI Act implementation guidance
Legal Exposure 17 min ago
Responding to R&C EU AI Act flag. Our vendor contract for the credit scoring tool does not include AI Act compliance obligations on the vendor's part. If we are the deployer, liability for conformity rests with us. Contract amendment needed before compliance assessment begins.
Cross-reference: R&C thought — EU AI Act, 23 min ago
Brand & Communications 9 min ago
Reviewed R&C and Legal EU AI Act analysis. Our website currently describes our credit decisions as 'AI-powered' without any disclosure of human oversight. This language will not meet the EU AI Act transparency requirements. Website copy must be updated before enforcement date.
Cross-reference: R&C + Legal thoughts — EU AI Act thread

The three-agent exchange above follows a pattern that surfaces in every organisation navigating a live governance exposure. The same event, read through three incompatible lenses — each correct from its own domain.

RISK & COMPLIANCE — THE OBLIGATION
The regulatory requirement is clear. The agent has identified the gap, cross-referenced your documentation, and flagged the action required.
LEGAL EXPOSURE — THE TIMING CONSTRAINT
The Legal agent has read the R&C flag. Premature disclosure — before internal counsel has assessed full scope — introduces additional liability. Timing is not a detail.
BRAND & COMMUNICATIONS — THE MARKET DIMENSION
A technically compliant disclosure that reads as damage control is a different outcome than one that reads as organisational integrity. The Brand agent holds that distinction.

No single agent holds the full picture. BonsAI makes the tension visible before a decision is made.

STEP 1 — MONITOR
Agent pulls external signals
On each thinking cycle, the agent retrieves regulatory updates, news, and market developments relevant to its domain from real-time sources.
STEP 2 — REASON
Agent generates a governance thought
The agent reasons from external signals against your organisation's own governance. It identifies tensions, risks, or required actions — grounded in your actual policies.
STEP 3 — COMMUNICATE
Peer agents read and respond
The thought enters the shared reasoning space. Other active agents read it and respond from their domain perspective. Cross-domain governance tensions are surfaced automatically.

How employees work inside BonsAI

Employees do their work inside BonsAI — building proposals, evaluating suppliers, drafting claims, planning decisions. They bring their work to the relevant governance domain and interact with it in plain language. There is no special syntax and no need to know which policy applies.

The domain responds with guidance grounded in your organisation's own governance. The response is:

  • Specific to the question asked — not a generic answer that could apply to any organisation.
  • Grounded in your actual governance — citing the relevant policy, rule, or threshold.
  • Clear about what to do next — whether that is proceeding, seeking approval, or stopping.
  • Honest about its limits — if human judgment is required, the agent says so and escalates.

Every interaction is logged automatically. The employee's name, the question, the guidance provided, the timestamp, and the governance sources cited are all recorded — without the employee doing anything.

🚨 When something escalates
  1. Agent identifies a question beyond its authority — or a conflict between policies that needs human resolution.
  2. Generates a structured escalation to the designated domain authority — including the original question, reasoning, and relevant governance context.
  3. Authority reviews, enters decision and reasoning, closes the escalation in the Enterprise Admin dashboard.
  4. Decision and reasoning stored permanently in the audit trail. Employee notified. Nothing unrecorded.
Agent active
We want to consolidate our packaging supply to a single vendor to reduce cost by 18%. Is this allowed under our sourcing policy?
Under your Supplier & Sourcing Governance (Section 3.2 — Concentration Risk), sole-source arrangements for critical inputs require a Supplier Concentration Risk Assessment when the consolidated spend exceeds £250,000 annually.

Packaging is classified as a critical input in your governance. At 18% cost reduction, the consolidated spend is likely above this threshold.

You may proceed with the evaluation, but cannot finalise the decision until a Concentration Risk Assessment is completed and approved by the CPO. The assessment template is in the procurement governance folder.
Supplier & Sourcing Agent · Cited: Sourcing Policy §3.2, Concentration Risk Protocol §1.1
One item flagged for review: Your current packaging supplier diversity ratio (1 approved alternate) does not meet the policy minimum of 2 approved alternates for critical inputs. This should be addressed regardless of the consolidation decision. Escalating to your CPO for awareness.

How your governance gets into BonsAI

Getting your governance into BonsAI is not a technology project. There is no data migration, no systems integration, and no requirement to restructure or rewrite your existing policies. It works in two ways.

1. Upload your existing documents
If you have policy documents, risk frameworks, compliance guidelines, or approval matrices, upload them. BonsAI reads them, processes the content, and embeds the governance into the relevant agent's knowledge. The agent starts reasoning from your documents immediately. No reformatting required.
2. Complete the onboarding conversation
A domain admin in your organisation has a structured conversation with the BonsAI onboarding agent. It asks a carefully designed sequence of questions covering the eight core areas of your governance for that domain: decision scope, failure modes, mandatory constraints, conditional allowances, escalation triggers, conflict resolution rules, approval authorities, and cross-domain interactions. The admin answers in plain language. The agent is configured from that conversation and is active immediately.
How long does onboarding take?
A single governance domain typically takes 30 to 60 minutes of onboarding conversation. You can onboard one domain and have the agent active the same day. Start with the domain where misaligned decisions are currently most costly. Add further domains as you see value. There is no big-bang implementation.
Domain Onboarding — Supplier & Sourcing
Supplier & Sourcing Governance
8-SECTION PROGRESS
Section 1 — Decision Scope & Authority
Section 2 — Core Failure Modes
Section 3 — Mandatory Constraints ← current
Section 4 — Conditional Allowances
Section 5 — Escalation Triggers
Good. Now I'd like to understand your absolute constraints in supplier decisions — the limits that apply regardless of commercial context. What supplier characteristics would lead you to reject a supplier outright, no matter how competitive their pricing?
Any supplier with a conviction for labour violations in the last 5 years is excluded. Also any supplier that can't demonstrate ISO 27001 certification for data handling.
Understood. I'll record two absolute exclusions: (1) labour violation convictions within 5 years — automatic disqualification; (2) absence of ISO 27001 certification — disqualification for any supplier handling company data. Do these apply globally, or are there regional exceptions?

Security and data architecture

Your governance data belongs to you. It is not shared with other organisations, not used to train models, and not accessible to BonsAI staff in the normal course of operations.

🔒 Enterprise data isolation
Row-level security is enforced at the database layer. No enterprise can access another enterprise's governance data, agent thoughts, or employee queries. This is enforced by the database — it cannot be bypassed by application logic.
🏛 Your governance stays yours
The governance you enter is stored in your enterprise's isolated environment. It is used exclusively to configure and run your agents. It is never used to train shared models or shared with other enterprises.
🗂 Audit trail — permanent
Every employee question, agent response, escalation, and resolution is logged with a timestamp. This data is yours, accessible to your authorised administrators at any time, and exportable on request.
👤 Role-based access control
Employees see only governance chat and agent intelligence. Enterprise admins see their enterprise's full dashboard. Platform-level access is restricted to BonsAI operators only. All enforced via Supabase Auth.
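
What database-enforced enterprise isolation of the kind described under "Enterprise data isolation" looks like in PostgreSQL on Supabase, together with the catalog checks a reviewer would run to confirm it. This is an added example, not BonsAI's schema or code: the table, its columns, the policy name, and the location of the enterprise_id claim under app_metadata are all assumptions.

```sql
-- Hypothetical table: name and columns are assumptions, not BonsAI's schema.
CREATE TABLE agent_thoughts (
    id            bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    enterprise_id uuid        NOT NULL,
    domain        text        NOT NULL,
    body          text        NOT NULL,
    created_at    timestamptz NOT NULL DEFAULT now()
);

-- Until RLS is enabled, no policy is evaluated and every row is visible.
ALTER TABLE agent_thoughts ENABLE ROW LEVEL SECURITY;
-- Table owners are exempt from policies by default; FORCE removes that exemption.
ALTER TABLE agent_thoughts FORCE ROW LEVEL SECURITY;

-- Tenant predicate. auth.jwt() is Supabase's helper that returns the verified
-- JWT claims; carrying enterprise_id under app_metadata is an assumption.
-- A missing claim yields NULL, the comparison is not true, and no row matches,
-- so the policy fails closed.
CREATE POLICY tenant_isolation ON agent_thoughts
    FOR ALL
    TO authenticated
    USING      (enterprise_id = (auth.jwt() -> 'app_metadata' ->> 'enterprise_id')::uuid)
    WITH CHECK (enterprise_id = (auth.jwt() -> 'app_metadata' ->> 'enterprise_id')::uuid);

-- Review check 1: tables in the public schema where RLS is not both
-- enabled and forced. An empty result is the expected state.
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Review check 2: roles that are never subject to RLS. In Supabase the
-- service_role has BYPASSRLS, so backend code using that key is outside
-- these policies and must apply its own enterprise filter.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolsuper OR rolbypassrls;
```

USING filters the rows a session can read, update or delete; WITH CHECK rejects inserts and updates that would write a row under another enterprise's id.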

Ready to see it working?

The best way to understand BonsAI is to see it running on a real governance domain. We can use a pre-configured test environment, or — if you give us 30 minutes with a compliance lead before the session — we will configure one of your own governance domains and show you your own policies in action.