Why this exists
The policy gate has been a vendor moat. We're making it shared infrastructure.
Every funded vendor in close + reconciliation + AP — BlackLine, FloQast, Numeric, Vic.ai, Ramp, Brex, AppZen, Tabs, Tesorio, Trullion — shipped "agentic" products in 2025–2026. Every one of them sits on top of the same controls infrastructure: segregation of duties enforcement, materiality routing, sensitive-account flagging, tamper-evident audit logs, per-agent identity, HITL approval envelopes.
That infrastructure has the least product differentiation and the most compliance scrutiny of anything in the stack. And yet it's treated as proprietary.
The cost of that arrangement is paid by the buyer. Your auditor has to take the vendor's word for what enforces SoD. Your CISO has to take the vendor's word for the threat model. Your AI architect can't reason about the chokepoint because the chokepoint is a black box. And when an incident happens — vendor bank-change confirmed by an agent, an above-materiality match auto-confirmed at 2am, intercompany clearing posted to the wrong entity — the buyer is stuck filing a support ticket and hoping the vendor's RCA is good enough for the audit committee.
Compliance is the part with the least product differentiation and the most regulatory scrutiny. It is the worst possible thing to keep as a moat.
What "open" actually means here
We're not arguing that all finance software should be open-source. Some of it shouldn't be. The argument is specifically about the policy chokepoint — the piece that sits between the LLM and the general ledger and decides what gets allowed, blocked, or routed to a human.
That piece, specifically, should be open so that:
- Your auditor can read the same source-of-truth your engineering team reads. No vendor-mediated translation layer.
- Your CISO can verify that segregation of duties is enforced server-side, not at the prompt layer where an LLM session can accidentally hold both proposer and confirmer identities.
- Your AI architect can write integration tests against the policy gate without paying for a sandbox environment that another vendor will deprecate next quarter.
- The policy clause text that fires on every blocked event is something you wrote in YAML, that lives in your git repo, and that your external auditor can quote verbatim in the PBC bundle.
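A sketch of the chokepoint these points describe, as an added example and not closegate's own code: the gate takes the confirmer identity from the authenticated server session, returns the clause text with every non-allow decision, and writes a hash-chained audit record. The policy dict stands in for a YAML file, and every name, clause ID, account and threshold in it is a constructed assumption.

```python
import hashlib
import json

# Hypothetical policy, standing in for a YAML file kept in git (constructed values).
POLICY = {
    "materiality_threshold": 50_000,
    "sensitive_accounts": {"1990-IC-CLEARING", "2000-AP-BANK-DETAILS"},
    "clauses": {
        "sod": "FIN-SOD-01: The confirmer of an entry must not be its proposer.",
        "materiality": "FIN-MAT-02: Entries at or above materiality require human approval.",
        "sensitive": "FIN-SNS-03: Entries touching sensitive accounts require human approval.",
    },
}

def evaluate(proposal, session_identity, policy=POLICY):
    """Decide allow / block / route_to_human for a confirm request.
    session_identity comes from the authenticated server session, never from
    the request body, so a model cannot assert its own confirmer identity."""
    if session_identity == proposal["proposed_by"]:
        return {"decision": "block", "clause": policy["clauses"]["sod"]}
    if abs(proposal["amount"]) >= policy["materiality_threshold"]:
        return {"decision": "route_to_human", "clause": policy["clauses"]["materiality"]}
    if proposal["account"] in policy["sensitive_accounts"]:
        return {"decision": "route_to_human", "clause": policy["clauses"]["sensitive"]}
    return {"decision": "allow", "clause": None}

def append_audit(log, proposal, session_identity, verdict):
    """Append a hash-chained record: each entry commits to the previous hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {"prev": prev, "proposal": proposal, "actor": session_identity, **verdict}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append({**body, "hash": digest})
    return log[-1]

def verify_chain(log):
    """Recompute every hash; any edited or reordered record breaks the chain."""
    prev = "0" * 64
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return False
        prev = rec["hash"]
    return True
```

The hash chain only shows that records were not altered after the fact; it does not stop someone with write access from rebuilding the whole log, so the latest hash needs to be anchored somewhere the gate's operator cannot rewrite.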
What we keep proprietary on purpose
closegate is a reference architecture, not a product. The Apache-2.0 license means anyone can use, modify, redistribute, or sublicense the code in commercial settings. We don't sell seats. There's no enterprise edition behind a paywall. The deal is: you self-host on your own infrastructure, your data never leaves your perimeter, and the controls layer is something you can defend in any audit context.
What we do sell, eventually, is white-glove implementation partnerships for finance teams that want a faster path to v1.0 with their specific jurisdictional + vendor adapter shape. That's a services engagement, not a license fee. The framework remains free, forever.
Why now
Gartner's May 2026 shot at CFOs — "stop mistaking AI deployment for value creation" — landed because the data already supported it. 67% of US CFOs name agentic AI as their #1 finance-tech priority. 60% are increasing AI investment by 10%+. And yet realized business value is lagging adoption, because internal audit and SOX leads keep blocking the production cutover.
The bottleneck isn't model quality, latency, or prompt engineering. It's that the policy chokepoint — the part the audit committee can actually read and defend — has been treated as a vendor moat instead of as shared infrastructure.
Realized value is lagging adoption because the audit committee can't read the chokepoint. We can fix that part. The rest follows.
What this is not
- Not a generic agent-guardrail library. NeMo Guardrails, Guardrails AI, and Lakera target prompt-level validation and output schemas. closegate targets finance-domain controls (SoD, materiality, sensitive accounts, audit-log clause attribution) that map to specific compliance frameworks. Different problem.
- Not a BlackLine / FloQast replacement. Those vendors run full close-cycle SaaS. closegate is the controls layer underneath. You could run closegate alongside BlackLine — closegate enforces the gate, BlackLine handles the workflow UI. Or you can run closegate alone with a small operational layer on top.
- Not an MCP "anything wrapper." The MCP server ships with 19 specific finance tools that have been tier-routed by reversibility per the NIST AI RMF Agentic Profile. We don't expose arbitrary RPC. Adding a tool requires a tier assertion in code.
Who's building this
closegate is a project by Neul Labs, a small applied-research outfit working on AI infrastructure for regulated industries. Solo-maintained today; a formal maintainer organization forms at v1.0. The roadmap is public, the issues are public, and the design partner conversations shape the v1.0 surface.
If you're a controller, CFO, AI architect, or finance-stack CTO who's been stuck on the SOX side of an AI agent pilot, we should talk. Two design-partner slots open this quarter; the conversation alone is worth it.
Want to read the rest in code?
The policy gate primitive lives in packages/closegate_policy/. The 30-line README example is the fastest way to see what the chokepoint looks like in practice.