Workspace Governance
PCAA does not stop at the action. OSuite binds governance posture to the workspace so approvals, evidence, privacy boundaries, and exports inherit the same operating context.
Why
Governance posture belongs to the workspace, not to a single session or operator.
Enterprise operators need more than action history. They need to know which region a workspace intends to keep data in, how long evidence should be retained, who owns compliance decisions, and which operating profile governs approvals. OSuite now treats that posture as first-class workspace state.
Workspace profiles record expected data residency and retention so action evidence and compliance exports can be interpreted in the correct operating context.
Approval and escalation semantics can now be understood relative to a declared privacy and governance posture instead of a generic workspace shell.
Privacy contact, compliance owner, and regulatory profile make the workspace look more like a real business boundary and less like a temporary project bucket.
Tenantless accounts first, workspace boundary second
OSuite now treats new SaaS identities as tenantless accounts until a workspace is explicitly created or selected. That sounds subtle, but it is the difference between a launch-era default tenant and a real enterprise boundary. Governance posture only becomes active once the workspace boundary is real.
In practice, the account center can stay alive without inventing a fake project, while the shared workspace shell makes it obvious when governance, billing, agent routing, and approval semantics have not been activated yet.
This boundary also lets OSuite separate durable account identity from workspace authority. Enterprise IAM now becomes a capability question, not a side effect of whichever email happened to create the first workspace.
The deployment now also distinguishes production, demo, and self-host distributions explicitly. That keeps demo artifacts and launch-era fixtures from bleeding into the enterprise runtime surface while preserving a dedicated lane for guided trials and marketing-host walkthroughs.
Governance profile
Declare the expected jurisdiction or hosting region so exports and reviews can be read against the right sovereignty posture.
Set the expected retention window for governance evidence and downstream review material.
Give auditors and operators an explicit privacy contact rather than forcing them to infer responsibility from admin membership.
Name the person or function responsible for the workspace governance posture.
Describe the operating frame, such as Japan enterprise, global SaaS, internal-only, or regulated partner surface.
Capture how often the workspace should be reviewed so operating rigor is visible in the control plane.
Declare the minimization posture required before regulated or customer-sensitive data is handled.
Show where governance incidents route when operator or customer escalation is required.
Make the person or function who answers evidence requests explicit.
Record whether partner, customer, or assessor review has happened yet.
Declare the target trust posture for linked identities and attestation lanes.
List which interop or runtime lanes may carry governed work inside this workspace.
Governance packs
The workspace profile now feeds four enterprise governance packs: governance ownership, data governance, identity assurance, and protocol interoperability. Those packs are what power the new governance posture and compliance narrative surfaces.
The same profile now also influences admission. Approved protocol lanes, privacy ownership, residency posture, and retention policy can escalate or constrain actions before OSuite emits the final certificate.
Operator workflow
Create or update the workspace profile in Settings → Workspace before routing production traffic.
Use the declared posture to align approvals, compliance exports, and evidence retention expectations across the team.
Review the governance profile whenever the workspace changes region, customer segment, or regulatory obligations.
Enterprise posture
Teams that care about privacy, residency, and internal ownership need those declarations available at export time, not hidden in onboarding notes. OSuite uses the workspace profile as the bridge between action-level evidence and enterprise governance review.
Set the workspace posture first, then connect runtimes and inspect how approval, replay, and compliance exports inherit that shared context.