// Services / AI Workflow Engineering

Turn a regulated procedure
into a verified AI workflow.

Compliance is a design input. We start with the operating procedure: decision points, approval chains, known edge cases, and the systems of record, then build the workflow around that map.

Workflow stack
DAG Qdrant RAG Pydantic FastAPI Axum OpenTelemetry PostgreSQL Redis MCP EU AI Act SOC 2 ISO 27001

// Engineering scope

The work starts with the procedure.

AI workflow engineering gives regulated teams the operating context, preconditions, approval steps, and audit path needed for a reliable runtime contract.

Workflows built for compliance

We map the operating procedure first: who does what, where decisions are made, what evidence is required, and where precision matters most.

  • Actors, systems, and decision branches mapped before build
  • Guardrails for tool use, output scope, and data access
  • Escalation routing with context for fast human review
  • Immutable audit logs and traceable evidence per run
  • Change control for model and workflow updates

Workflow contract

Defines the allowed inputs, permitted tool calls, required evidence, response structure, and the exact conditions under which the system can act autonomously versus escalate.

Control design

The checks, confidence thresholds, approval gates, and policy boundaries that keep the workflow aligned with your risk appetite and source truth as models are updated.

Escalation logic

High-risk or ambiguous cases routed to a human reviewer with the input, model output, confidence score, and policy reference already assembled.

Audit trail

Inputs, tool calls, outputs, exceptions, approval decisions, and version changes recorded per run. Structured for review without needing to replay the workflow.

Private runtime

Deployed inside your cloud, VPC, or on-prem environment with approved connectors, IAM, and network controls.

On escalation design: thresholds work best when they are set per step. A high-stakes classification can escalate at 0.85 while document extraction runs autonomously at 0.70. The reviewer also receives the evidence package needed to make the decision quickly.

// Sentiant engineering note

// Workflow contract

What a workflow contract actually looks like.

The contract is the specification the workflow runs against. It defines what the agent is allowed to do, what it must capture, and what should trigger a handoff to a human. Written before the workflow is built; versioned when it changes.

kyc-intake.contract.yaml
# Workflow contract - KYC document intake # Version: 1.4 | Owner: compliance-eng   workflow: kyc_document_intake version: 1.4 sop_ref: COMP-SOP-0042   # What the agent is allowed to do allowed_tools: - document_parser - pii_redactor - sanctions_lookup - risk_classifier   max_tool_calls: 6 # hard cap per run max_tokens_output: 1024   # Data access boundaries allowed_sources: - s3://kyc-intake-bucket - postgres://kyc-db/cases denied_sources: ["*internet*"]
# Evidence required before output is accepted required_evidence: - document_classification - pii_redaction_receipt - sanctions_check_result - risk_score   # Escalation - per step escalation: risk_classifier: threshold: 0.82 # escalate below this queue: human_review sla_minutes: 30 sanctions_lookup: on_match: always_escalate queue: compliance_officer   # Audit trail config audit: captures: - input_hash - tool_calls - model_output - reviewer_id - timestamp_utc retention_days: 2555 # 7 years immutable: true

// Delivery method

Five stages from procedure to production.

The delivery path keeps verification, escalation, and evidence requirements in scope from the first workshop through to production use.

01

Procedure mapping

Walk through the operating procedure with the process owner. Map every actor, system, decision point, exception path, and SOP variant.

Output: procedure map + risk register
02

Workflow contract

Translate the procedure into a formal contract: allowed tools, data sources, output structure, confidence thresholds, and escalation triggers per step.

Output: versioned contract YAML
03

System integration

Connect approved data sources, identity providers, and audit systems. Validate that connectors operate within the access scope defined in the contract.

Output: connector manifest + IAM config
04

Private deployment

Deploy the workflow runtime inside your chosen environment. Wire in health checks, structured logging, and escalation queues before live traffic.

Output: running gRPC/HTTP endpoint
05

Review & change control

Run evals, monitor escalation rates, audit trail patterns, and false positive rates. Contract changes move through version control.

Output: monthly review report

// Workflow audit

Need to turn one regulated process into a working AI system?

Book a focused workflow audit. We'll give you concrete plan to get started.