Vienna OS is an enterprise governance platform for autonomous AI agents. It sits between agent intent and execution, providing policy enforcement, approval workflows, and audit trails.

How does risk tiering work?

Vienna OS classifies actions into T0 (auto-approved), T1 (single approval), and T2 (multi-party approval) based on risk assessment policies you define.

Is Vienna OS compliant with regulations?

Yes, Vienna OS supports SOC 2, HIPAA, SEC, and EU AI Act compliance with appropriate policy configuration and audit trail retention.

Security

Vienna OS is built for enterprises that need provable AI governance. Security isn't a feature — it's the architecture.

Encryption

TLS 1.3 for all connections in transit
Session tokens with secure, httpOnly, sameSite cookies
Cryptographically signed execution warrants (HMAC-SHA256)
Warrant signatures are tamper-evident — any modification invalidates the warrant

Tenant Isolation

Logical tenant isolation — each tenant's data is partitioned by tenant_id
Tenant-scoped API keys and session management
Cost tracking and quota enforcement per tenant
No cross-tenant data access possible through the API

Audit & Compliance

Append-only audit trail — events cannot be modified or deleted
Every agent action logged with: who, what, when, warrant, result, verification
Full execution lineage — trace any action back to its original intent
Audit data retained for 7 years (configurable per tenant)

Governance Pipeline

Zero-trust agent model — agents never have direct execution authority
Risk-tiered approval workflows (T0 auto-approve → T2 multi-party approval)
Time-limited warrants with scope constraints and automatic expiration
Verification Engine confirms execution matched warrant — mismatches trigger alerts

Infrastructure

Hosted on Fly.io with dedicated compute (not shared containers)
US East (iad) region — ITAR/sovereignty-compatible deployment options
Health check monitoring with automatic restart on failure
Rate limiting on all API endpoints (configurable per tenant)

Policy Enforcement

Policy-as-code — rules are version-controlled and auditable
Circuit breakers — automatic shutdown on anomalous execution patterns
Dead letter queue for failed/rejected proposals — nothing is silently dropped
Reconciliation engine detects and resolves state inconsistencies

Compliance Roadmap

Cryptographic warrant architectureEvery execution provably authorized

LIVE

Append-only audit trailImmutable record of all governance decisions

LIVE

Risk-tiered approval workflowsT0/T1/T2 with configurable policies

LIVE

Rate limiting & security headersCSRF, CSP, HSTS protection

LIVE

SOC 2 Type IQ4 2026 — audit initiated

PLANNED

SOC 2 Type IIH1 2027 — continuous compliance

PLANNED

HIPAA BAAH1 2027 — for healthcare deployments

PLANNED

FedRAMP2027 — contingent on government sector demand

PLANNED

Responsible Disclosure

If you discover a security vulnerability in Vienna OS, please report it responsibly. We take all reports seriously and will respond within 24 hours.

security@ai.ventures