Editor's Note
Most AI startups raised first and figured it out later. We did the opposite. We spent years building the infrastructure first. Now we're taking it to market.

🗓️ Upcoming Deadlines

DUAA is now in effect!

The UK’s Data Use and Access Act 2025 has now moved from policy into implementation. Most data protection reforms came into force on 5 February 2026, with the organisational complaints-procedure requirement scheduled for 19 June 2026 and remaining ICO governance changes still to follow.

EU AI Act

The EU AI Act is also entering its operational phase. The Act entered into force on 1 August 2024, with major obligations becoming applicable from 2 August 2026, subject to phased exceptions.

We Didn't Set Out to Build Another AI Company

Every week there seems to be another AI startup announcing a funding round.

Millions raised.
Another model.
Another wrapper.
Another promise that AI will change everything.

That's not our story.

We didn't start with venture capital.

We started with a problem.

Over the past several years we watched organizations rush to deploy AI while one question kept going unanswered:

Who is actually responsible when an AI system makes a decision?

Not legally.

Operationally.

Who enforces policy?

Who stops an action before harm occurs?

Who creates evidence that regulators, auditors, Indigenous communities, hospitals, governments and enterprises can actually trust?

Nobody.

So instead of writing a pitch deck...

We built.

We Built Before We Asked

For years we quietly designed and engineered what became OBEXGATE.

Not because investors asked us to.

Because we believed runtime governance would eventually become unavoidable.

Today that work includes:

  • more than one million lines of code

  • tens of thousands of automated tests

  • runtime governance enforcement

  • evidentiary audit capability

  • policy engines

  • sovereign deployment

  • healthcare

  • Indigenous Data Sovereignty

  • regulatory compliance across multiple jurisdictions

Before we ever seriously asked anyone to invest.

Why This Matters

Today, we're working with an Indigenous governance organization on a pilot that explores one of AI's most difficult questions:

How do you ensure AI respects not only individual rights, but also collective authority?

For Indigenous communities, data is more than information. It can represent relationships, culture, language, history, identity, and responsibilities that extend beyond any single individual.

Most AI governance frameworks weren't designed with those realities in mind.

We're testing how governance can move beyond policies written on paper and become something that is enforced in real time with decisions that are transparent, auditable, and respectful of the authority that communities themselves define.

While this pilot focuses on Indigenous Data Sovereignty, the implications reach much further.

Healthcare.

Government.

Critical infrastructure.

Financial services.

Any environment where trust, accountability, and evidence matter.

Because governance isn't just about complying with regulations.

It's about ensuring AI systems operate within the authority they're given, and can demonstrate that they did.

We Aren't Typical Silicon Valley Founders

One of us is a half-Thai mother of five whose career has spanned systems engineering, healthcare, AI, governance and large-scale technical architecture.

The other is a Puerto Rican former U.S. Navy nuclear operator who understands disciplined engineering, critical infrastructure and operational reliability.

Neither of us came through the traditional Silicon Valley pipeline.

No accelerator.

No elite VC introductions.

No "raise first, figure it out later."

Just years of building.

Execution Matters

In today's AI market there's enormous attention on valuations.

We think there should be more attention on execution.

Can the system actually work?

Can it enforce governance?

Can it withstand audit?

Can it operate in healthcare?

Can it support Indigenous authority?

Can it produce evidence instead of marketing?

Those questions matter far more than a headline announcing another funding round.

We're Just Getting Started

We're now working with Indigenous organizations, healthcare leaders and governance experts because the conversation is finally catching up to the problem we started solving years ago.

We're proud of what we've built.

But we're even more excited about what comes next.

Because AI doesn't just need to be intelligent.

It needs to be governed.

In Case You Missed It…

AI Governance by the Numbers

550+ AI bills introduced across U.S. states.

13 obligations under the EU AI Act for many high-risk AI systems.

0 regulators have said "trust us" is an acceptable governance strategy.

1 question every organisation should ask:

Can you prove your AI complied with policy at the moment it made a decision?
Try our Risk Assessment

Governance Myth of the Week

Myth: "AI governance is just documentation."

Reality: Documentation tells auditors what you intended.

Runtime governance demonstrates what actually happened.

The future of AI governance isn't another PDF.

It's enforceable policy backed by evidence.

One Question Every Executive Should Ask

If your AI system made a decision today...

  • Who approved it?

  • Which policy was applied?

  • Can you prove that policy was enforced?

  • Could you reproduce the evidence six months from now?

If the answer to any of those is "I'm not sure," governance deserves another look.

OBEXGATE Insight

Most organisations don't have an AI problem.

They have an evidence problem.

They know which policies should exist.

They can't prove those policies were followed when AI acted.

That's the gap runtime governance is designed to close.

This Week's Governance Term

Runtime Enforcement

The ability to evaluate an AI action before it occurs and permit, warn, hold, block or escalate based on governance policy.

It's the difference between discovering a problem during an audit and preventing it from happening in the first place.

🏆 This Week's Obe Award

Awarded to: A Belgian technology company
Regulator: Belgian Data Protection Authority (APD)
Fine: €177,000

What happened?

This wasn't a ransomware attack.

It wasn't an AI model gone rogue.

It wasn't even a data breach.

Instead, the organisation was fined because its Data Protection Officer (DPO) was not able to operate independently but a core requirement under the GDPR. A DPO cannot effectively oversee compliance if they also hold roles that create conflicts of interest or prevent them from acting objectively.

Why this matters

As organisations race to deploy AI, many appoint a privacy lead, compliance officer, or governance manager and assume the requirement has been met.

It hasn't.

Governance isn't just about assigning responsibility but it's about ensuring the people responsible have the authority, independence, and visibility to identify risks before they become regulatory findings.

Without independent oversight, governance quickly becomes a checkbox exercise.

How OBEXGATE would help

OBEXGATE is designed to identify governance gaps before they become enforcement actions.

As part of an AI governance assessment, organisations are prompted to consider questions such as:

  • Who is accountable for AI and data governance decisions?

  • Does the organisation have independent oversight of privacy and compliance?

  • Are governance responsibilities separated from operational decision-making where required?

  • Can governance decisions be demonstrated through evidence and audit trails?

  • Are roles, approvals, and policy enforcement clearly documented?

Strong governance isn't just about technology.

It's about ensuring the right people are empowered to ask the right questions and that organisations can demonstrate those decisions when regulators come knocking.

The Governance Lesson

Good governance depends on independent oversight.

You can have the best AI model, the best security controls, and the most detailed policies in the world but if governance cannot operate independently, regulators are unlikely to be impressed.

Because governance isn't about having someone responsible.

It's about ensuring someone is able to challenge, verify, and demonstrate that the organisation is doing the right thing.

💡 Did You Know?

The word "audit" comes from the Latin audire, meaning "to hear." In medieval England, financial records were literally read aloud so an independent party could verify their accuracy.

More than 700 years later, the principle hasn't changed: trust comes from independent verification, not assumption.

Till next time,

OBEXGATE Team

Keep Reading