Trust Center
How ORA's AI agents work, what they can and cannot do, and how human oversight is maintained.
Last updated: July 6, 2026
This AI Transparency Statement is published in compliance with the U.S. Federal Trade Commission’s AI policy framework (March 2026) and in preparation for EU AI Act transparency obligations effective August 2, 2026. It explains how ORA’s AI operates, what decisions it makes autonomously versus with human approval, its known limitations, and the governance mechanisms that keep it auditable.
ORA is a governed AI operator: AI software that executes multi-step tasks, makes decisions, and interacts with tools and files on your behalf — behind a fail-closed security broker. The broker sits between the AI and your machine and enforces hard floors: destructive actions are blocked by default, risky actions require your explicit approval, and every action is recorded on a tamper-evident audit chain. ORA is local-first and model-agnostic: it routes inference to the models you configure — local models on your own hardware, or cloud endpoints you explicitly enable.
ORA is not a model. It is an operations and governance layer. The underlying language models are supplied by whichever providers you configure. ORA governs how those models are used, what actions they can take, and under what conditions human approval is required.
Under FTC guidance (March 2026), we disclose the following about ORA-generated content:
When ORA agents produce outputs you intend to share externally (emails, reports, social content), you are responsible for appropriate disclosure as required by applicable law in your jurisdiction.
ORA runs as a single governed operator working through audited tools — a governed shell, file access, research, drafting, and business operations (leads, jobs, invoicing). Every tool call passes through the security broker.
ORA’s governance is anchored by a constitution — a rules file the operator always follows. Some rules are locked (for example, bulk data exfiltration is blocked) and ORA will refuse to save a constitution that drops them. On top of the constitution, an authority scale from A0 to A5 sets how much ORA may do without asking:
Every proposed action is evaluated for impact, reversibility, and evidence before it is either executed or routed to your approval queue in plain English.
By default, ORA agents may execute the following without human approval:
Regardless of governance configuration, the following actions are never executed without explicit human approval:
ORA logs every action, tool call, governance decision, and human approval or override. Records include: timestamp, action type, decision outcome, human intervention if any, and result — hash-chained and signed so any rewrite is detectable. The audit trail lives on your own machine, under your control, and is append-only: it only ever grows. You can read it at any time from the ORA workspace.
You can stop ORA at any time:
ORA is not designed or validated for use as a sole automated decision-making system in high-risk applications including: medical diagnosis or treatment decisions, credit or employment decisions affecting individuals, law enforcement targeting, critical infrastructure control, or any application where agent error could cause death or serious physical harm. Use in these contexts without appropriate human oversight and validation is prohibited by our Acceptable Use Policy.
ORA’s design is aligned with the NIST AI Risk Management Framework (RMF), which provides safe harbor in Colorado (SB 24-205) and affirmative defense in Texas (TRAIGA). Our alignment includes:
A full NIST AI RMF alignment report is available at Risk Assessment.
Under the EU AI Act (effective August 2, 2026), ORA is assessed as a Limited Risk AI system (not Annex III high-risk). This classification is based on ORA’s role as an orchestration platform used by businesses for their own workflows, not as a system making decisions that directly affect individuals’ rights or opportunities.
As a limited risk AI system, ORA is required to maintain transparency with users (this document) and ensure humans are informed they are interacting with AI. We do not claim EU AI Act high-risk classification compliance at this time, and users who deploy ORA for high-risk applications within EU jurisdiction bear responsibility for applicable compliance.
Questions about ORA’s AI systems, governance, or this transparency statement: [email protected]