SOREG
AI data governance

Let your team ask your data anything & the model never sees who it's about.

Soreg is the gate between your regulated records and the AI that helps your staff. Questions go in. Only masked data ever reaches the model — whichever model you choose. Real identities are revealed to the people you authorize, and every step is written to the log your examiner will ask for.

Request early access See how it works

Runs in your environment · your keys · no PII leaves your tenancy

Inside your walls
name    Sarah Bennett
ssn     412-••-7705
dob     1981-••-••
account •••• 4021
Real records never leave the building
What crosses the screen
question "who's transferring?"
schema   records_masked
subject  9deedc48…0501
status   Active
no name · no SSN · no account

Authorized staff still see the real names — revealed by the gateway after the model answers, only for the roles you permit, always logged.

soreg — the latticed screen that marks the line you may not cross.

The bind

Your staff want AI. Your regulator wants PII locked down.

Today you're forced to choose between the two. Pasting regulated data into a chatbot is a finding waiting to happen — so the productivity stays on the table.

01

The pressure is real

Staff already want to ask plain-English questions of the systems they run, instead of exporting spreadsheets and pivoting by hand.

02

The exposure is worse

A name, an SSN, an account or medical number reaching a third-party model is exactly the kind of nonpublic data your controls exist to protect.

03

The exam is coming

Under NYDFS §500, HIPAA, and their peers, "we think it's fine" isn't an answer. You need to show what the model saw — and prove it wasn't PII.

How it works

Four steps. The model is boxed in at every one.

Soreg doesn't trust the AI — it constrains it. The model only ever proposes; the gateway decides what runs and what comes back.

01

Ask in plain English

Staff type a question. No SQL, no exports, no copy-paste into someone else's chatbot.

02

The model proposes — the gateway decides

Soreg validates every query before it runs: read-only, masked views only, nothing else executes. A query that reaches for anything it shouldn't is refused, not run.

03

Only masked data is ever queried

The model works over hashed keys and masked columns. It never receives a name, an SSN, or an account number — and you can read the exact payload we send it.

04

Authorized humans see the truth

The gateway re-identifies results server-side — only for the roles you permit, after the model is done — and writes who asked, what the model saw, and what was revealed to an append-only log.

Field-level control

Mask what's regulated. And mask what's yours.

The gate works field by field. You decide, column by column, what any model is ever allowed to see — so the same control that hides a customer's SSN from the AI also hides your pricing, your margins, and your client list from it.

  • For the regulator. PII, PHI, account numbers — masked so they never cross the gate.
  • For the competitor. Cost basis, margins, formulas, pipeline, client identities — the secrets you'd never want sitting in someone else's model.
  • One mechanism. The AI gets the shape of the answer, never the sensitive value — whichever side of the line it falls on.

Compliance is the reason you start.
Confidentiality is the reason you keep it.

What the model may see — your call, per field
customer_namemasked · PII
ssnmasked · PII
unit_costmasked · confidential
margin_pctmasked · confidential
regionvisible
statusvisible
Model-independent

Bring any AI. Or bring all of them.

Soreg sits between your data and the model — not inside any one vendor. The protection comes from the gate, not the AI, so which model answers the question is never a security decision.

  • Any provider. Claude, GPT, Gemini, or an open model on your own hardware. Swap them anytime.
  • Let users choose. Offer your staff their preferred model, or several side by side.
  • No lock-in. The same masking, validation, and audit apply no matter what's on the other side.
Claude
GPT
Gemini
Llama / self-hosted
Each one only sees
subject  9deedc48…0501
status   Active
no name · no SSN
payload sent to the model✓ no PII
model:    your choice (masked-only)
system:   schema + safe values
question: "who's transferring this
           month?"

subject:  Sarah Bennett  9deedc48…0501
ssn:      412-55-7705   — withheld
account:  •••• 4021     — withheld
The receipt

You can read exactly what we send the model.

Most "AI governance" asks you to trust a promise. Soreg shows you the literal request that left your environment — captured at the wire, key redacted — so anyone can confirm there's no regulated data in it.

Hand it to your examiner. It isn't a claim. It's the receipt.

Compliance packages

Pick the framework you answer to.

The gate is the same for everyone. The evidence pack is tailored to your regulator — a configuration, not a rebuild. We compile the mapping; you hand it to your examiner.

Available now

NYDFS §500

Full control-to-requirement mapping for New York's cybersecurity regulation, with the transparency and audit output as the exhibits.

Built and shipping.
In progress

HIPAA / HITECH

The same gate, tuned for PHI — minimum-necessary access, audit controls, and an evidence pack mapped to the Security Rule.

In compilation — ask to be an early site.
Build to order

Your framework

GLBA, SOC 2, state privacy laws, or a regulator we haven't met yet. Tell us what you answer to and we compile the package.

One framework at a time.

The point: the framework is a configuration. Whatever your obligations, the protection underneath is identical — only the paperwork changes.

Who it's for

For any institution that can't afford a leak.

Primary

Lenders & financial services

Mortgage servicers, banks, credit unions, fintech — NPI-heavy systems and staff who'd rather ask than build a report. NYDFS §500 ready today.

Expanding

Healthcare & PHI holders

Providers, payers, and anyone handling protected health information, as the HIPAA package comes online.

Partners

MSPs & compliance advisors

Deliver Soreg to the regulated clients you already serve, with the evidence pack as part of the engagement.

We're onboarding a first group of regulated teams.

If you're weighing AI against your data obligations, we'd like to show you the gate. Tell us a little about your environment and we'll set up a walkthrough.

Request early access Book a walkthrough