One platform. Many AI tools. Zero governance gaps.

[Lab] unifies identity, policy, and telemetry across Video, Code-gen, and Deep Research—so you can move fast without losing control.

SSO · SCIM · RBAC · Audit API · DLP · Data residency
Lab Platform Architecture
Control
one policy engine for sources, models, outputs, and exports
Clarity
end-to-end lineage from prompt → edits → export/PR
Cost
route to the right model; cache & distill to keep spend in check

Architecture (overview)

Lab Platform Architecture Diagram

Sources & IDP → Governance & Data Plane (Identity, Policy, Telemetry) → Model & Cost Router → Products (Video, CX/VCX, Deep Research) → Admin & APIs.

Core pillars

Identity & Access

SSO/SAML

Okta, Azure AD, Google Workspace

SCIM

Automated user provisioning

RBAC

Role-based access control

Workspaces & projects, least-privilege scopes, service accounts & PATs

Approvals for legal/brand/security sign-off

Policy-as-Code

Write once, enforce everywhere (generate, edit, export, PR).

Content & export

  • Watermarking
  • Disclaimers
  • Region blocks
  • Retention

Data & privacy

  • PII/PHI redaction
  • DLP/secret scans
  • Source allow/deny

Engineering

  • Component allow-lists
  • Token bounds
  • CI gates

Models

  • Allow-listed providers
  • Budget caps
  • Deterministic replays

Example (human-readable):

exports: watermark=required • regions=[US,EU] | data: pii_redaction=strict | models: allowed=[A.latest,B.saver] • max_cost=$0.20
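As an added illustration (not the platform's own engine; the parsing rules and the request field names are assumptions), a small evaluator that reads the human-readable policy line above and checks an export request against every rule it contains:

```python
# The POLICY string is the page's example; the parser and the check below are an
# added illustration of "write once, enforce at export", not the product's code.
POLICY = ("exports: watermark=required • regions=[US,EU] | data: pii_redaction=strict"
          " | models: allowed=[A.latest,B.saver] • max_cost=$0.20")

def parse_policy(text):
    """Turn 'section: k=v • k=[a,b] | section: ...' into nested dicts (assumed grammar)."""
    policy = {}
    for section in text.split("|"):
        name, _, body = section.partition(":")
        rules = {}
        for rule in body.split("•"):
            key, _, value = rule.strip().partition("=")
            if not key:
                continue
            if value.startswith("[") and value.endswith("]"):
                rules[key] = [v.strip() for v in value[1:-1].split(",")]
            elif value.startswith("$"):
                rules[key] = float(value[1:])
            else:
                rules[key] = value
        policy[name.strip()] = rules
    return policy

def check_export(policy, request):
    """Return the list of rule violations for one export request (empty list = allowed)."""
    violations = []
    exp, data, models = policy["exports"], policy["data"], policy["models"]
    if exp.get("watermark") == "required" and not request.get("watermarked"):
        violations.append("exports.watermark: export is not watermarked")
    if request.get("region") not in exp.get("regions", []):
        violations.append(f"exports.regions: {request.get('region')} not in {exp['regions']}")
    if data.get("pii_redaction") == "strict" and request.get("pii_redaction") != "strict":
        violations.append("data.pii_redaction: strict redaction was not applied")
    if request.get("model") not in models.get("allowed", []):
        violations.append(f"models.allowed: {request.get('model')} is not allow-listed")
    if request.get("est_cost", 0.0) > models.get("max_cost", float("inf")):
        violations.append(f"models.max_cost: ${request.get('est_cost'):.2f} exceeds cap")
    return violations

if __name__ == "__main__":
    # Constructed sample requests: one compliant, one that trips every rule.
    ok = {"watermarked": True, "region": "EU", "pii_redaction": "strict",
          "model": "A.latest", "est_cost": 0.12}
    bad = {"watermarked": False, "region": "APAC", "pii_redaction": "basic",
           "model": "C.preview", "est_cost": 0.35}
    for r in (ok, bad):
        print(check_export(parse_policy(POLICY), r) or "allowed")
```

The same `check_export` call can sit at each enforcement point the page names (generate, edit, export, PR), so a denial is logged with the specific rule that fired rather than a generic failure.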

Telemetry & Audit

Immutable event stream

prompt → retrieval set → draft → edits → checks → export/PR

Evidence Graph

paragraph ↔ source/doc/snippet/author/date

Exports: JSON/CSV evidence packs; webhooks for SIEM

Data Security & Residency

Zero-retention modes

Customer-managed keys

AWS KMS/GCP KMS/Azure KV

Region pinning

Encryption & controls

At rest/in transit, key rotation, egress controls

Model & Cost Router

Route by task & risk

Fall back to higher-quality only when needed

Caching & distillation

Reduce unit cost; quotas & alerts

Replays

For reproducibility and audits

Integration Graph

Certified connectors with ACL-aware sync & write-backs

Video

  • LMS/DAM/CMS
  • Cornerstone, Workday, Blackboard
  • Adobe, Bynder

Code-gen

  • Git, CI, IDP
  • GitHub/GitLab/Bitbucket
  • Actions/GitLab CI/Jenkins

Research

  • Drive/M365, Confluence/Notion/Box
  • Slack/Teams
  • Salesforce/Zendesk, Snowflake/BigQuery

Connector SDK for partners; versioned schemas

Admin Console & APIs

Dashboards

  • Usage
  • Policy coverage
  • Model spend
  • Connector health

APIs & CLI

  • Audit Export, Policy, Models, Connectors, Identity
  • Webhooks for events
  • CLI: configure envs, test policies, trigger audits

What runs on [Lab]

Video

On-brand, watermarked exports to LMS/DAM

CX / VCX

Repo-aware plans, tests, policy-checked PRs (browser + VS Code)

Deep Research

Cited, permission-aware answers with provenance

On-prem / Private Cloud hosting

Choose where [Lab] runs—SaaS, your VPC, or your data center.

Deployment options

SaaS (multi-tenant)

Fastest path to value; full feature set

Private Cloud (single-tenant VPC)

Dedicated VPC in your AWS/GCP/Azure; peered networking, private egress

On-prem (Kubernetes)

Helm-based install; you manage infra, we provide updates & support

Security & networking

BYOK/CMK

AWS KMS/GCP KMS/Azure KV, HSM optional

Private networking

VPC peering / PrivateLink / Private Service Connect

Data residency

Pin workloads & storage to chosen regions

Egress controls

Allow-listed endpoints; offline mode for selected tasks

Ops & lifecycle

Updates

Rolling upgrades; canary channels; maintenance windows

Observability

Prometheus/Grafana, OpenTelemetry, logs to your SIEM

Backups & DR

Encrypted snapshots; RPO/RTO targets by tier

Support

Standard or premium SLAs, named TAM (enterprise)

Model gateway can run in-VPC; bring your own model endpoints if required

Some third-party features (e.g., specific watermark services) may require outbound access—documented in the runbook

Observability & ROI (leader view)

95%+
governance attach rate (% of logos using SSO + policy + audit)
80%
policy coverage (violations prevented by rule type)
60%
model spend per unit (cost per video/PR/brief vs baseline)
3x
outcome KPIs (time-to-first-video, PR merge delta, % answers with citations)

Implementation plan (30-60-90)

Day 0–30

  • SSO/SCIM
  • Connect 2–3 sources
  • Set base policies
  • Pilot one product

Day 31–60

  • Turn on audit exports
  • Router budgets
  • Certify 3 write-backs

Day 61–90

  • Roll to 2nd/3rd product
  • Publish dashboards
  • Tune DLP & residency

Packaging & pricing

[Lab] Platform (enterprise-required)

Identity, policy, telemetry, audit APIs, router, connectors

Product SKUs

Video / CX / VCX / Deep Research / Agents

Add-ons

BYOK/CMK

Customer-managed keys

VPC/private routing

Private network options

Data residency pack

Regional compliance

Premium SLA

Enhanced support

FAQ

Is my data used to train models?

No by default; optional anonymized feedback only under policy.

Can we bring our own models/endpoints?

Yes—allow-list providers/versions; route by task; set budgets & replays.

Do we need all products to use [Lab]?

No—start with one and expand; policies & identity carry over.

How do permissions work?

We inherit source permissions and enforce workspace RBAC; cross-workspace access is blocked unless approved.

Can we export everything for audit?

Yes—download evidence packs (JSON/CSV) or stream via webhooks to your SIEM.

One governance layer. All your AI work.