Visdom Governance

Visibility into AI-assisted work. Cost tracking attributed to the PR that caused it. Compliance evidence signed into one ledger — three pillars, one source of truth.

Part of Visdom · VirtusLab's AI-Native SDLC

Your SDLC now has a non-human author

Auditors, engineering leaders and CFOs are asking questions your git history can't answer.

01 Who wrote this line?

EU AI Act & SR 11-7 require attribution of model-assisted output. git blame points at the developer, not the model.

02 Was the policy enforced?

Model allowlists, forbidden paths, token budgets, required tools — if enforcement isn't automated, it isn't happening.

03 Where did the spend go?

AI invoices scale per token, per team, per cache miss. Without session-level attribution, FinOps is guesswork.

04 Can you prove the log is intact?

SOX, PCI-DSS and SR 11-7 demand tamper-evident records. Plaintext logs and shared buckets don't qualify.

Regulatory ledger

The compliance clock is ticking

Why governance of AI-assisted code is no longer optional — every number below links to the source.

Three pillars, one ledger

See what AI does. Track what it costs. Prove it to a regulator — all from the same signed chain, so the three stories never disagree.

Visibility

See every AI-assisted change

Full session traces, tool calls and line-level AI attribution, overlaid on the git history. You can answer "which model wrote this line, under which prompt?" without opening a ticket with the vendor.

Session traces · tool calls · git-level attribution

Cost Tracking

FinOps for AI-assisted code

Token trends, model distribution, cache hit-rate and spend attributed to session, author, team and PR. Hard per-session and per-team budgets stop runaway sessions before they land on the invoice.

Per-PR spend · cache savings · hard budgets

Compliance

Signed evidence, enforced policy

Every entry is hash-chained and Ed25519-signed. Policy — allowlists, forbidden paths, required tools, AI-share caps — is enforced in the dev loop and logged on the same chain. Mapped to EU AI Act, SR 11-7, SOX §404, PCI-DSS, DORA.

Ed25519 · append-only · framework-mapped

TraceVault · VirtusLab

A flight recorder for AI-assisted development

TraceVault is the open-source building block underneath Visdom Governance. It sits in the developer's environment and feeds the three pillars off a single source of truth: visibility, cost tracking and compliance.

See. Every session, prompt, model & version, tool call, edited file and resulting commit is captured — with automatic secret redaction. A git-integrated browser overlays AI attribution line by line, so visibility isn't a separate report but a layer on the code you already read.

Count. The same ledger powers dashboards for token trends, model distribution, cache hit-rate and cost per team / per PR. Hard per-session and per-team budgets cut off runaway sessions at the edge — the FinOps number is the audit number.

Prove. Entries are hashed, chained and Ed25519-signed; the log is append-only, so a single altered byte breaks the chain. Policy (allowlists, forbidden paths, required tools, AI-share caps) is enforced in the dev loop and logged on the same chain — producing framework-mapped evidence instead of a "did the policy run?" gap.
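The hash-chained, Ed25519-signed, append-only ledger described under Prove (and in the Compliance pillar above), as an added illustration in Go that is not TraceVault's code: the record layout, the hash input and the function names are assumptions, and the walk over the chain reports the index of the first record that no longer verifies after one captured record is rewritten.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Entry is one ledger record (a hypothetical layout, not TraceVault's own).
type Entry struct {
	Prev  [32]byte // hash of the previous entry; all zeros for the genesis entry
	Event string   // what was captured or decided, secrets assumed redacted upstream
	Hash  [32]byte // SHA-256 over Prev and Event
	Sig   []byte   // Ed25519 signature over Hash, made by the capturing agent
}
func entryHash(e Entry) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%x\x00%s", e.Prev, e.Event)))
}

// Append builds the next entry, links it to the previous hash and signs it.
func Append(chain []Entry, priv ed25519.PrivateKey, event string) []Entry {
	e := Entry{Event: event}
	if n := len(chain); n > 0 {
		e.Prev = chain[n-1].Hash
	}
	e.Hash = entryHash(e)
	e.Sig = ed25519.Sign(priv, e.Hash[:])
	return append(chain, e)
}

// Verify returns the index of the first entry that fails a check, or -1 if intact. An
// edit breaks the hash, re-hashing without the key breaks Sig, a dropped entry breaks Prev.
func Verify(chain []Entry, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range chain {
		if e.Prev != prev || entryHash(e) != e.Hash || !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	chain := Append(nil, priv, "session #8421 · claude-sonnet-4-6 · captured")
	chain = Append(chain, priv, "model gpt-5-foo not on allowlist · blocked")
	chain[1].Event = "model gpt-5-foo · allowed" // rewrite one record after signing
	fmt.Println("first bad index:", Verify(chain, pub)) // 1
}
```

Truncating the chain at its end is not caught by the walk alone; that is why the verifier also needs the latest signed head from a second place, which this example does not cover.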

Open source, self-hosted, free forever for the community edition. The enterprise edition adds SSO, encryption-at-rest, auditor-role RBAC, analytics and report templates for the common compliance frameworks.

tracevault.dev →

session #8421 · claude-sonnet-4-6 · captured
tokens: 38.2k in / 9.4k out · cache 71% · $0.42
model gpt-5-foo not on allowlist · blocked
edit src/auth/keys.ts · protected path · blocked
AI share 142 lines · PR cap 60% · enforced
team budget: 412k / 500k tokens · tracked
Ed25519 signature · chain ok · signed

Visibility

See the invoice. Attributed to the work.

The same ledger that proves what AI did also answers how much it cost, which model burned the tokens and which team, repo or PR the spend belongs to.

  • Token usage trends: Daily and weekly consumption, broken out by model, team and repo — not a single monthly number.
  • Cost tracking: Spend attributed to session, author and PR, reconciled against vendor pricing as it changes.
  • Cache savings: Hit-rate per model and per project — surface the prompts that are quietly doubling the bill.
  • Model distribution: Which models the org actually uses. Side-by-side with the allowlist, so drift is visible.
  • Team & author activity: Adoption and throughput per team, with attribution by author — not a seat count.
  • AI share of code: Git-integrated, line-level overlay: exactly what AI wrote, where it landed, in which commits.

Three tracks · one ledger

Compliance, policy and cost — off a single source of truth

Visdom Governance doesn't invent a new framework or a new dashboard silo. The same signed TraceVault ledger feeds your auditors, your platform team's guardrails, and your FinOps numbers — so the three stories never disagree.

EU AI ACT

Transparency & attribution

Which model produced which output, under which prompt — for every AI-assisted change.

SR 11-7

Model inventory & use

Full record of models in use, versions, and every decision the organization made with them.

SOX §404

Change controls on code

Evidence that policies governing AI-assisted code changes were enforced, not merely written down.

POLICY

Allowlists & forbidden paths

Approved models only. Sensitive directories off-limits. Required tools present. Blocks logged.

BUDGETS

Per-session & per-team caps

Hard token budgets and AI-share thresholds stop runaway sessions before they become an invoice line.

FINOPS

Spend attribution

Token trends, model mix, cache hit-rate, cost per team and per PR — tied back to the session that caused them.

Pluggable where it needs to be. The signed ledger feeds your GRC tool, your observability stack and your cloud cost dashboard — no duplicate pipelines.

Compare

Why this combo?

Plenty of point tools exist for each track. Visdom Governance is what happens when audit, enforcement and FinOps come off the same signed ledger — so they can't drift.

Visibility + Compliance

vs audit / policy alternatives

  • Vendor dashboards — usage per seat; not tamper-proof, not portable, not a policy engine.
  • Policy PDFs — "developers must only use approved models." Unenforced by definition.
  • Git hooks / DLP — catch one slice, after the fact, with no record of the policy in force at the time.
  • TraceVault — open source, Ed25519-signed hash chain; session + tool + code + attribution; enforces policy in the dev loop.

Cost Tracking

vs FinOps alternatives

  • Vendor billing CSV — monthly total per workspace; no attribution to team, PR or session.
  • Cloud cost tools — solve infrastructure spend; blind to token economics and cache behaviour.
  • Spreadsheet tracking — out of date the day after it's exported; no hard budget enforcement.
  • TraceVault — per-session spend attribution, cache hit-rate, hard team budgets — signed into the same chain.

The building block is pluggable. The requirement — one signed source of truth for what AI did, what it was allowed to do, and what it cost — is not.

Ship with AI.
Keep the receipts.

Capture every AI-assisted change in a signed ledger. Enforce the policy that's already written. See the bill, attributed to the PR that caused it.