A governance-first evidence workspace for the public sector
A policy and social-impact advisory organisation, with a UK regional public authority
A retrieval-and-investigation workspace that helps a public body assemble cited, defensible evidence — advisory-only by hard constraint, with every answer traceable to its exact source.
Advisory-only
no automated decisions, by design
Every answer
cited to the exact source passage
Mapped
to NCSC, UK GDPR, ATRS & Cyber Essentials
The challenge
The work this system had to absorb.
Public bodies need to turn large evidence bases into defensible analysis without letting an AI make or influence decisions it has no business making — and they have to show a regulator exactly how it works before go-live.
What we built
A system in production, not a slide deck.
A dashboard, a two-tier evidence base, an agentic investigation workspace and three structured report types.
An investigation agent driving bounded tools — hybrid evidence search, area profiles, document fetch, and live public statistics from ONS and OHID.
A compliance pack mapping the system to the standards a UK combined authority asks for before go-live.
Governance, in the code
The controls are written into the architecture.
This is the part most firms can’t show you. Governance here isn’t a policy document. It’s constraints the system enforces on itself, every time it runs.
Advisory-only by hard constraint in the system prompt: no bid scoring, no contract influence, no automated decisions, aggregated and anonymised data only.
Chunk-level citation provenance — page, character offset, source tier and link — so every answer is traceable to the exact passage.
Row-level tenant isolation designed to fail closed; UK data residency for embeddings and storage.
All model calls routed through Microsoft Foundry under enterprise data-processing terms, with no training on the data.
Outcomes
What it has done.
Honest and labelled: dated where the figures are point-in-time, and described as controlled tests or early-stage where that is the truth.
Built and deployed to our own infrastructure, with a compliance posture mapped to the NCSC 14 Cloud Security Principles, UK GDPR (DPIA and Article 30), the Algorithmic Transparency Recording Standard and Cyber Essentials.
Disciplined engineering: 36 automated tests across the codebase, with citation provenance verified end to end.
How it’s engineered
The approach under the hood.
A retrieval-augmented, agentic workspace with all generation routed through Microsoft Foundry, hybrid search over a tiered evidence base, and live connections to official public statistics.
Frameworks this build aligns to
Standards we design around and prepare clients for. Not certifications we hold.
- NCSC Cloud Security Principles
- UK GDPR & the ICO
- ATRS
- Cyber Essentials
Keep reading
More systems we’ve built and governed.
Find out where your AI exposure sits.
We'll tell you plainly what's worth doing, what isn't, and what a board or regulator will expect to see. No pitch deck.
No obligation · no pitch.