Implementations
Programmable Assurance is an open discipline. Any platform, tool, or framework can implement it — but listing here is reviewed, not automatic. See Submitting an Implementation below.
This page lists known implementations.
Commercial Implementations
Section titled “Commercial Implementations”ObsidianWall
Section titled “ObsidianWall”The first platform implementing Programmable Assurance.
ObsidianWall starts in the infrastructure domain — pre-deployment governance for Terraform and CloudFormation — with a roadmap extending governance intelligence, economics, and authoring across the full platform.
| Component | Status | Description |
|---|---|---|
| Verdict | Live — v0.5.0 | Pre-deployment governance decision engine |
| Sentinel | Live — v0.5.0 | Post-deployment reality observation |
| Compass | Q4 2026 | Governance intelligence and economics |
| Forge | 2027 | Governance authoring with human-gated AI |
How ObsidianWall implements the four principles:
- Intent must be executable — Verdict evaluates governance policies as executable conditions before infrastructure deploys
- Enforcement must be continuous — Sentinel verifies post-deployment state stays aligned with what was authorized
- Every decision must be accountable — Every evaluation produces an immutable audit artifact attributed to a named policy and role
- Outcomes must feed back into intent — Compass (Q4 2026) closes the feedback loop with governance intelligence and economics
obsidianwall.com → · obsidianwall.dev →
Open Source Implementations
Section titled “Open Source Implementations”None listed yet.
Research Implementations
Section titled “Research Implementations”None listed yet.
What Qualifies as an Implementation
Section titled “What Qualifies as an Implementation”Listing on this page is not self-service. A tool is not “implementing Programmable Assurance” simply because it claims to — it must demonstrate the principles with public, inspectable evidence.
Two tiers:
Compatible with Programmable Assurance — Demonstrably implements at least one of the four principles, with public documentation or code showing the actual mechanism (not just a marketing claim).
Implements Programmable Assurance — Demonstrably implements all four principles, each with verifiable evidence:
- Intent must be executable — show the executable policy format
- Enforcement must be continuous — show it runs at decision-time, not only in periodic audits
- Every decision must be accountable — show the audit artifact or attribution record structure
- Outcomes must feed back into intent — show the feedback mechanism connecting observed outcomes back to policy
Most existing Policy-as-Code and GRC tools will qualify for the first tier but not the second — that is expected. The second tier is intentionally a higher bar.
Submitting an Implementation
Section titled “Submitting an Implementation”Every submission is reviewed before listing. There is no automatic process.
To submit:
- Email the team with your tool name, public documentation link, and — for each principle you believe your tool satisfies — a specific link to the documentation or code showing the mechanism, not just a description.
- The submission is reviewed against the criteria above.
- If approved, you’ll be listed at the appropriate tier with a short summary, in the style of the ObsidianWall entry above.
- Listings may be revisited or removed if the evidence becomes stale or no longer accurate — this is not a permanent badge.
You can also open an issue at the programmableassurance GitHub organization if you prefer.