From Observation to Action: PromptKing's Control Plane
Most AI governance tools stop at observation. They show you what happened. They alert you that a threshold was breached. Then they wait for someone to do something about it.
PromptKing's control plane closes that loop.
The gap between observation and enforcement
The EU AI Act's August 2, 2026 deadline requires more than an inventory. It requires evidence that governance is operational — that when a high-risk AI agent breaches a policy threshold, something happens. Not a dashboard notification that expires at the end of the week. An auditable, timestamped record that a human reviewed the violation and an action was taken.
That is the difference between a compliance artifact and a compliance system.
How the Policy Engine works
PromptKing's Policy Engine evaluates every session, seat, and agent event against ten policy rules across four categories: utilisation, governance, continuity, and spend. When a rule triggers, the engine writes a policy outcome record — the trigger value, the threshold, the severity, and the action required — and routes it to the appropriate response path.
For notification-class violations, the response is immediate: a webhook fires to your configured Slack or Teams channel with the policy details and a link to the enforcement log. No human approval required. The log records it.
For destructive actions — agent quarantine, seat deprovisioning, session termination — the engine routes to an approval queue. A human reviews the violation, confirms the action, and only then does PromptKing call the vendor management API. The confirmation, the timestamp, and the API response are all written to the enforcement log before the next request is processed.
The Copilot Studio Quarantine API
The first live vendor write-back is Microsoft's Copilot Studio Quarantine API. When a Copilot Studio agent triggers a governance or spend policy and an admin approves the action, PromptKing calls Microsoft's published quarantine endpoint — isolating the agent via Microsoft's own management infrastructure while generating an immutable enforcement log record.
The agent remains visible to its users and makers in Copilot Studio. It cannot be interacted with until unquarantined. The action flows through Microsoft's governance model, not around it.
This is the distinction that matters: PromptKing executes enforcement through vendor management APIs. It does not sit in the traffic path. It does not intercept prompts or responses. The trust statement remains unchanged — metadata only, zero prompt visibility — and the enforcement capability is real.
The audit trail EU AI Act requires
Every policy evaluation, every approval decision, and every vendor API call is written to the enforcement log. The log is append-only — records are never modified or deleted. Retention is 180 days minimum, exceeding the EU AI Act Article 12 requirement.
When an auditor asks for evidence that your Copilot Studio HR agent's governance score breach was detected, reviewed, and actioned — the enforcement log is the answer. Policy ID, trigger value, severity, approval timestamp, API response. Timestamped to the second.
See your organization's AI spend data
PromptKing connects to your AI vendors and surfaces exactly this analysis — for your seats, your vendors, your budget.