Security is the product.

Obelyr is the runtime where AI-built internal software meets the controls your security team already requires. Below is what that means in practice.

Our five principles

What we will not compromise on.

Your AI provider accounts connect from your own machines. Our infrastructure has no path to them.

Policy that reaches a machine is signed inside your own infrastructure. No exceptions. No bypass.

Every state-changing event lands in a structured, append-only log. Built for export in a shape your tools already read.

Obelyr runs without calling home. No telemetry. No phone-home. No “anonymous usage statistics.”

We do not offer a managed version of Obelyr. Your data does not leave your infrastructure because we never built the path for it to.

The control plane has no path to your providers. We never built one.

Security primitives

Policy signing

Signed inside your infrastructure. Unsigned or stale policy is refused.

Audit log

Append-only. Exportable. In a shape your tools already read.

Endpoint transport

Authenticated outbound only. Nothing reaches into your machines.

Identity

Local accounts today. SSO on the roadmap.

RBAC

Four roles: viewer · runner · approver · admin. Role grants audited.

Vulnerability disclosure

security@obelyr.com. We respond within one business day.

Supply chain

Release artifacts published with a software bill of materials and signed checksums. Source escrow available on request.

We don't run a sales pitch. We run a deep dive with whoever from your team needs to verify this.

Self-hosted from day one. Your data. Your machines.