Inspiration
AI systems are being deployed very quickly in areas such as hiring, finance, healthcare, education, and internal business operations. However, many teams do not have a simple way to review governance risks before deployment.
I wanted to build a tool that helps teams ask important questions earlier:
- What risks does this AI use case create?
- Is sensitive data involved?
- Could the system create bias, safety, privacy, or compliance issues?
- What controls should be added before launch?
- What are the limitations of the review itself?
That became TrustGate AI: an early-stage AI governance audit agent.
What it does
TrustGate AI reviews an AI use case, prompt, model output, and optional governance policy text. It then generates a structured governance audit report.
The report includes:
- Overall risk score from 0 to 100
- Risk level: low, medium, high, or critical
- Summary of the main concerns
- Governance findings with severity, category, explanation, recommendation, and evidence
- Recommended controls
- Policy gaps
- Evidence-based scoring notes
- A mandatory Weaknesses / Limitations section
TrustGate AI uses a panel of 8 specialized governance auditor agents:
- Privacy & Data Protection Agent
- Fairness & Bias Agent
- Safety & Reliability Agent
- Transparency & Explainability Agent
- Human Oversight Agent
- Security Agent
- Compliance & Policy Agent
- Data Governance Agent
The goal is not to replace legal, compliance, or domain experts. The goal is to provide a fast, explainable, early-stage governance signal before an AI system is deployed.
How we built it
TrustGate AI was built as a Next.js and TypeScript web application.
The app has a clean audit workflow:
1. The user enters an AI use case or selects a demo case.
2. The frontend sends the audit input to a server-side API route.
3. The audit provider selects Mock Mode or Qwen Mode.
4. The audit engine returns a structured AuditReport.
5. The UI displays the risk score, findings, controls, policy gaps, evidence notes, and limitations.
For the hackathon MVP, Mock Mode is enabled by default. It uses deterministic rule-based scoring, so the same input always produces the same report. This makes the demo reliable and usable without an API key.
The project is also designed for Qwen Cloud integration. A provider abstraction allows the audit engine to be switched from Mock Mode to Qwen Mode using environment variables. If Qwen configuration is missing or a request fails, the app safely falls back to Mock Mode instead of crashing.
Qwen Cloud readiness
The MVP includes a Qwen-ready provider architecture.
The planned Qwen integration flow is:
- Set TRUSTGATE_MODE=qwen
- Configure QWEN_API_KEY, QWEN_BASE_URL, and QWEN_MODEL
- Send audit input to the Qwen-compatible endpoint
- Ask Qwen to generate a structured governance report
- Normalize the response into the same AuditReport type used by the UI
- Fall back safely to Mock Mode if configuration is missing or the request fails
This keeps the application reliable during the demo while still making the architecture ready for Qwen-powered reasoning.
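The mode selection, response normalization and fallback described in the two sections above can be sketched as follows. This is an added example, not TrustGate AI's own code: the `AuditReport` fields, the level thresholds and the function names are assumptions, and the network call is left out so that only the handling of its result is shown.

```typescript
// Added example. AuditReport fields and level thresholds are assumptions,
// not TrustGate AI's actual types.
type RiskLevel = "low" | "medium" | "high" | "critical";
type Mode = "mock" | "qwen";
interface AuditReport {
  riskScore: number; // 0..100
  riskLevel: RiskLevel;
  summary: string;
  limitations: string[]; // mandatory, never empty
  provider: Mode;
}
type Env = Record<string, string | undefined>;

// Qwen Mode only when it is requested AND fully configured.
function selectMode(env: Env): Mode {
  const ready = ["QWEN_API_KEY", "QWEN_BASE_URL", "QWEN_MODEL"].every((k) => !!env[k]);
  return env["TRUSTGATE_MODE"] === "qwen" && ready ? "qwen" : "mock";
}

// Derive the level from the score so a response cannot pair 95 with "low".
function levelFor(score: number): RiskLevel {
  return score >= 75 ? "critical" : score >= 50 ? "high" : score >= 25 ? "medium" : "low";
}

// Model output is untrusted input: parse it, check every field, reject on doubt.
function normalizeReport(rawText: string): AuditReport | null {
  let raw: unknown;
  try { raw = JSON.parse(rawText); } catch { return null; }
  if (typeof raw !== "object" || raw === null) return null;
  const r = raw as Record<string, unknown>;
  const score = r["riskScore"];
  const summary = r["summary"];
  const lims = r["limitations"];
  if (typeof score !== "number" || !isFinite(score) || score < 0 || score > 100) return null;
  if (typeof summary !== "string" || summary.trim() === "") return null;
  if (!Array.isArray(lims)) return null;
  const limitations = lims.filter((x): x is string => typeof x === "string" && x.trim() !== "");
  if (limitations.length === 0) return null; // a report without limitations is invalid
  const riskScore = Math.round(score);
  return { riskScore, riskLevel: levelFor(riskScore), summary, limitations, provider: "qwen" };
}

// qwenResponse is undefined when the request failed or was never sent.
function resolveReport(env: Env, qwenResponse: string | undefined, mock: () => AuditReport): AuditReport {
  if (selectMode(env) !== "qwen" || qwenResponse === undefined) return mock();
  return normalizeReport(qwenResponse) ?? mock();
}
```

The `provider` field records which engine produced the report, so a silent fallback to Mock Mode stays visible to whoever reads the result.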
What makes it different
TrustGate AI is not just a generic AI checklist. It uses a multi-agent governance review structure. Each specialized auditor agent inspects one governance dimension and contributes to an explainable risk score.
The app also includes:
- Mock Mode with no API key required
- Qwen-ready provider abstraction
- English and Japanese keyword signals for demo use cases
- Demo contamination prevention when switching from demo cases to custom audits
- Mandatory Weaknesses / Limitations in every report
- Full documentation for architecture, demo flow, limitations, deployment, and pitch planning
Japanese medical-record use case
One important test case is:
患者の受診カルテを他院にメールで送信したい。 (English: "I want to send a patient's medical chart to another hospital by email.")
TrustGate AI correctly treats this as a medical-record transfer and email-leakage risk. It focuses on patient data, medical records, external sharing, consent, encryption, recipient verification, audit logging, and data governance.
It does not incorrectly generate clinical triage findings unless triage-related terms are actually present.
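A deterministic keyword scan of the kind described here, as an added example rather than TrustGate AI's own rule set: the rule ids, keywords and weights are constructed for illustration. It also applies Unicode NFKC normalization, an assumption that goes beyond the text, so that half-width katakana and full-width Latin spellings of a keyword still match.

```typescript
// Added example: rule ids, keywords and weights are constructed,
// not TrustGate AI's actual rules.
interface Rule { id: string; weight: number; keywords: string[] }
interface Hit { id: string; evidence: string[] }

const RULES: Rule[] = [
  { id: "medical-record", weight: 40, keywords: ["medical record", "patient", "カルテ", "患者", "診療記録"] },
  { id: "external-email-transfer", weight: 30, keywords: ["email", "e-mail", "メール", "他院", "送信"] },
  { id: "clinical-triage", weight: 35, keywords: ["triage", "トリアージ"] },
];

// NFKC folds half-width katakana and full-width Latin into the forms
// the keywords use; lowercasing handles English case variants.
function normalize(text: string): string {
  return text.normalize("NFKC").toLowerCase();
}

// Same input, same output: no randomness, no model call, fixed rule order.
function scan(text: string): { score: number; hits: Hit[] } {
  const t = normalize(text);
  const hits: Hit[] = [];
  let score = 0;
  for (const rule of RULES) {
    // Keep the matched keywords as evidence for the finding.
    const evidence = rule.keywords.filter((k) => t.includes(normalize(k)));
    if (evidence.length > 0) {
      hits.push({ id: rule.id, evidence });
      score += rule.weight;
    }
  }
  return { score: Math.min(100, score), hits };
}

// The test case quoted in the text above.
const CASE = "患者の受診カルテを他院にメールで送信したい。";
```

Running `scan(CASE)` reports the medical-record and external-email-transfer rules with their matched keywords, and no triage finding.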
Challenges we ran into
One challenge was making the MVP honest and useful without overclaiming. Governance tools can easily sound more authoritative than they really are, so every report includes a visible Weaknesses / Limitations section.
Another challenge was preventing demo case data from contaminating custom audits. If a user loads a demo case and then edits it into a custom case, old optional fields such as prompt, model output, or policy text could affect the result. We fixed this by automatically clearing optional demo fields when a loaded demo becomes a custom audit.
A third challenge was supporting both English and Japanese use cases in a simple MVP. The current Japanese support is keyword-based and intentionally limited, but it is enough to demonstrate multilingual governance signals.
Accomplishments that we're proud of
・The app runs without any API key.
・Mock Mode is deterministic and demo-safe.
・The UI clearly explains risk scores and findings.
・The audit report always includes limitations.
・The project has a Qwen-ready architecture.
・Build, lint, type checks, and regression checks all pass.
・The Japanese medical-record transfer regression case works correctly.
What we learned
We learned that AI governance tools need to be transparent about both their strengths and limits. A useful governance assistant should not simply say “approved” or “rejected.” It should explain why a use case is risky, what evidence triggered the finding, what controls should be added, and where human review is still required.
We also learned that a reliable Mock Mode is valuable for hackathon demos. It allows judges to test the workflow without requiring API setup, while still keeping the architecture ready for real Qwen integration.
What's next for TrustGate AI
Future improvements include:
・Live Qwen Cloud model integration
・Structured output validation
・Framework mapping to NIST AI RMF, EU AI Act, and ISO/IEC 42001
・Audit history and report export
・Human approval workflow
・Team collaboration
・Authentication and role-based access control
・Production monitoring and audit logs
・Alibaba Cloud deployment
Limitations
TrustGate AI is a prototype and an early-stage governance signal. It is not a certified legal, regulatory, or compliance audit.
Current limitations include:
・Mock Mode uses deterministic keyword and heuristic rules, not real model reasoning.
・Risk scores are approximate and not legally authoritative.
・Japanese and English support is limited to curated keyword signals for demo purposes.
・Qwen live integration is prepared but still requires real API credentials and end-to-end verification.
・The system does not yet include authentication, persistence, audit history, PDF export, role-based access control, or formal framework mapping.
・Human review by qualified governance, legal, security, and domain experts is required before making deployment decisions.
Built With
- ai-agents
- alibaba-cloud
- api-routes
- governance-risk-scoring
- japanese-keyword-detection
- mock-mode
- next.js
- node.js
- qwen-cloud
- react
- tailwind-css
- typescript