Account data, balances, and PII can't go to a hosted model. The whole stack has to run inside the bank.
Account numbers, balances, transaction histories, and customer PII are exactly the data a bank cannot send to a dozen hosted AI vendors — every outbound call to a model, auth, or voice API is data egress that dies at the security review. Self-hosting is the only acceptable shape, but stitching it from a model server, an identity project, a secrets manager, an audit pipeline, and a payments integration leaves the bank owning brittle seams between layers no examiner trusts. Visca is the entire stack — models in-perimeter, identity, scoped access, and a tamper-evident record — as one ecosystem, self-hosted inside the bank's own walls.
Why the data can't leave
Fraud and reconciliation agents are wired to core banking, payment rails, and ledgers through long-lived service accounts with broad scope. A prompt injection or a compromised runtime becomes a movement-of-funds incident.
When an auditor asks 'which automated process issued this refund, under whose authority, and what did it see', the answer is stitched together from framework traces, vendor logs, and a screenshot. That gap blocks production sign-off.
Hosted agent platforms move prompts, transaction context, and outputs through infrastructure no bank CISO will approve, so self-hosting is the only option. But assembling it from a half-dozen open-source projects and vendors — each its own identity, audit trail, and upgrade cycle — leaves brittle seams the bank owns forever, and most teams don't want to build or operate either path.
One ecosystem, not a stitched stack
Every reach into a ledger, a payment processor, or a card network is a Capability Grant — scoped to verb, amount, counterparty, and duration. The agent never holds a standing credential to the core.
Every action is keyed by Sigil and Capability Grant, cryptographically chained and tamper-evident. 'Who issued this refund, under whose authority, with what consent trail' is one query, exportable to your SIEM and GRC tools.
Each agent, and each run, carries a cryptographic identity bound to the human or system that authorized it. Revocation propagates across the estate in seconds.
Per-actor budgets and circuit breakers cap exposure. A runaway process is a bounded process, not an unbounded one.
What you get
Relevant frameworks
Visca Cloud has not yet completed formal certification against these frameworks; the stack is architected to meet them and audits are in progress. See the compliance roadmap.
In practice
A support agent detects a duplicate charge and requests a Capability Grant scoped to refund:create, capped at $50, for this one customer, valid for thirty minutes. Warrant checks policy, optionally requires human consent, and vends an ephemeral credential. Chronicle records the detection, the grant, the consent, and the refund as one chained event. When compliance reviews the quarter, every refund the estate issued is one SQL query away.
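The refund flow above, reduced to its two mechanisms: a grant checked on every scope dimension, and an audit log where each record hashes the one before it. This is an added example, not Visca code; the Grant fields, function names, actor and customer ids, and timestamps are all hypothetical and the sample data is constructed.

```python
import hashlib, json
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:                      # hypothetical shape, not the product's schema
    grant_id: str
    verb: str
    max_cents: int
    counterparty: str
    expires_at: int               # Unix seconds

def permits(g, verb, cents, counterparty, now):
    """Deny unless verb, amount, counterparty and time window all match."""
    return (verb == g.verb and 0 < cents <= g.max_cents
            and counterparty == g.counterparty and now < g.expires_at)

GENESIS = "0" * 64

def _digest(prev, body):
    # Canonical JSON so the same record always hashes to the same value.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()

def append(chain, body):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "body": body, "hash": _digest(prev, body)})

def first_bad_index(chain):
    """Index of the first record whose link or hash fails, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["body"]):
            return i
        prev = rec["hash"]
    return -1

def attempt(chain, g, actor, verb, cents, counterparty, now):
    # Denied attempts are logged too; they are what a reviewer looks for.
    ok = permits(g, verb, cents, counterparty, now)
    append(chain, {"actor": actor, "grant": g.grant_id, "verb": verb, "cents": cents,
                   "counterparty": counterparty, "ts": now, "allowed": ok})
    return ok

T0 = 1_700_000_000                # constructed timestamp
GRANT = Grant("grant-0001", "refund:create", 5000, "cust-123", T0 + 30 * 60)

def demo():
    chain = []                    # in scope, over cap, wrong customer, expired
    tries = [(4200, "cust-123", 60), (7500, "cust-123", 120),
             (4200, "cust-999", 180), (4200, "cust-123", 1801)]
    return chain, [attempt(chain, GRANT, "agent-7", "refund:create", c, cp, T0 + dt)
                   for c, cp, dt in tries]
```

A bare hash chain only exposes edits if the latest hash is also held somewhere the log writer cannot modify; otherwise someone with write access can recompute every hash after the change.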
The whole stack. Self-hosted. One ecosystem.
Models, identity, tools, voice, payments, runtime, and audit — as one integrated ecosystem, self-hosted, sovereign, air-gapped. Nothing stitched from vendors. Nothing leaves your perimeter. Open at the core. No license rug-pulls, ever.