How we work
Every engagement follows the same shape: understand, test, constrain, evidence, re-review. The method is the product. This page sets it out in full.
The stages
-
Review and discovery
We start with a short consultation, then the review: what your agents do, what they can touch, which regulations apply and why. The review produces findings and prioritised recommendations that stand on their own, whether or not a programme follows.
-
Baseline
Before anything changes, we record the current state: the agents' permissions, tools and data flows, the obligations mapped to them, and where the gaps are. Without a baseline, any later claim of improvement would be unfalsifiable, so we refuse to work without one.
-
Sandbox and guardrails
Where sandboxing is in scope, the agent runs in a controlled environment against the documented failure cases. The output is a guardrail set: enforceable constraints, each tied to the risk or rule that requires it. Changes to your systems are proposed, agreed and then made. Nothing ships without your sign-off.
-
Evidence
Every stage feeds a written record: what was examined, what was tested, what the agent did, what constrains it now, and when each item was last reviewed. Written so an engineer can act on it, your counsel can rely on its facts, and an auditor can read it.
-
Re-review on change
Regulation moves, models change, products ship. Any of these re-opens the loop: re-map, re-test what changed, update the guardrails and the evidence file. Changes of direction are agreed in writing, not slipped into a retainer.
Principles
-
Evidence before claims
We do not tell you an agent is safe or a deployment is compliant. We show you what was tested, what was observed, and what remains open.
-
Method travels with every finding
Any finding we report comes with how it was produced, when, and how much weight it can bear. A finding without its method is an opinion.
-
No guarantees sold
Nobody can guarantee a compliance outcome or an agent's behaviour. Anyone promising either is selling certainty they do not have, and we decline to compete with them on those terms.
-
Client data stays private
Your systems, prompts and findings are never used in our marketing, never named in a case study without written permission, and never used to pitch anyone else.
-
Done for you, not done in the dark
We do the work; you can see all of it. Scope in writing, changes with sign-off, and an evidence file you could hand to a sceptical auditor unedited.
What we will not do
- Fabricate results or publish invented case studies.
- Guarantee compliance outcomes or agent behaviour.
- Present anything as working before it has shipped and been proven.
- Give legal advice or position ourselves as a substitute for your counsel.
- Keep an engagement running when the evidence says it is not working.
See the method applied to your agents
The review is where the methodology meets your deployment. One email starts it.
Request a compliance reviewOr write directly: support@optaralabs.com