Your people already publish what AI builds. The only question is whether you govern it.
AI now writes the reports, dashboards, and briefings your teams share every day. Without a governed target, that output lands in chat windows, screenshots, and unmanaged servers — outside SSO, outside audit, outside your control. publishwith.ai is the governed publishing layer: single sign-on, per-artifact access control, a full audit trail, EU data residency, and revocable sharing, applied the moment your AI hits publish.
SSO / OIDC · per-artifact ACL · audit log with CSV export · hosted in Germany. Free during early access.
Right now, AI output leaves your teams two bad options.
Neither is governed. Both create risk you inherit. This is the false choice publishwith.ai removes.
Slow, and it defeats the reason they reached for AI. So most people don't. They take the shortcut instead.
A static host, a personal cloud account, a link pasted into Slack. Fast, but no SSO, no access control, no audit, no revocation. This is shadow AI distribution, and you own the consequences.
publishwith.ai gives the agent a controlled publishing target. The artifact is authenticated, access-controlled, versioned, and audited from version one, with none of the manual work.
The controls your security review asks for.
Governance is not a setting you switch on later. It is the publish path itself.
Single sign-on (OIDC)
Plug into Azure AD, Okta, Google Workspace, Keycloak, and other identity providers. Per-tenant configuration.
Per-artifact ACL
Grant owner, editor, or viewer access by individual user or group. Access is enforced on every request, including share links.
Audit log with CSV export
Who published what, when, with which version, and who accessed it. Filter by artifact, user, event, or time. Export as CSV.
Access-aware search
Full-text search across published content returns only what each user is permitted to see. Results are filtered by per-artifact ACL, so search never becomes a data-leak path.
Revocable share links
External sharing is opt-in, uses high-entropy random tokens, optionally time-limited, and revocable at any time. No standing bearer credentials.
Tenant isolation
Each tenant is isolated end to end: data, auth configuration, and user management. No cross-tenant data path.
EU data residency
Workspaces, databases, share links, and audit logs are hosted in Germany on EU infrastructure. Data does not leave the EU.
Encryption at rest
Published artifact files are encrypted with AES-256-GCM and per-artifact keys. Databases rely on encrypted disk and volume controls in production.
Account lifecycle
Inactive free accounts are deleted after 30 days. Paid workspaces stay active while the subscription is current. You remain the data controller.
Evidence you can hand to an auditor.
Every publish and every access is recorded, attributed, and exportable.
Who published what
Each artifact version is attributed to an identity and timestamped. Five versions retained per artifact.
Who accessed it
Authenticated views and share-link access are logged. Owners review access events without exposing viewer PII.
Retained by tier
Audit log retention is 7 days on Free, 30 days on Team, and 1 year on Enterprise. Auto-pruned.
Engineered for trust, not just configured for it.
How the platform is built. These are not the headline. They are the reasons the headline holds up under review.
Declarative by default, sandboxed when not
Static and data-backed artifacts are defined by manifests and named SQL queries, never executable code. Live Python reports run only inside a hardened CPython-WASM sandbox with no ambient authority — off until a tenant admin opts in. See the report sandbox below.
Per-artifact database isolation
Each artifact gets its own isolated SQLite database. A fault in one artifact cannot reach another tenant's data. Blast radius is a single artifact.
Guarded SQL
Destructive operations require an explicit confirmation token. An agent cannot drop a table on a stray instruction.
Minimal MCP surface
A single, schema-constrained MCP tool with action dispatch. One audited entry point instead of a sprawling API to secure.
Hashed, revocable links
Public share links use high-entropy random tokens, stored only as SHA-256 hashes. A leaked database exposes no usable link, and any link is revocable at any time.
Defense-in-depth rendering
Published HTML is served under a strict Content-Security-Policy as the primary protection against injected content.
Live reports run sandboxed, not trusted.
On Team and Enterprise, an AI agent can publish a live report: Python that queries the artifact's own database and pulls approved external APIs, then renders fresh output on demand or on a schedule. Because that is code, it is governed like code. It is off until a tenant admin opts in, and it never runs with ambient authority.
Isolated per run
Each run is a fresh CPython instance inside a wazero WASM sandbox with its own zeroed memory. No state carries between runs, artifacts, or tenants. The WASM boundary is the security perimeter.
No raw network, no raw filesystem
The script has no sockets and no writable disk beyond a per-run scratch dir that is discarded after. Every HTTP call is mediated by the host against an allowlist; there is no shell-out and no arbitrary egress.
Credentials the script never sees
External APIs are reached only through named connections a tenant admin defines. The host injects the credential behind an SSRF guard; the script names the connection but never receives the secret, which is redacted from every response and error.
Secrets encrypted at rest
Connection credentials are stored AES-256-GCM encrypted, bound to the tenant, and never returned through any API. There is no MCP or REST action to read or manage them — only the admin UI.
SSRF-guarded, HTTPS-only egress
Allowlisted hosts only. Requests that resolve to private, loopback, or link-local addresses are blocked, redirects are pinned to the original origin, and a credentialed connection may carry its secret only over standard-port HTTPS.
Read-only database by default
Reports read the artifact's own SQLite. Writes require an admin-only flag, and destructive SQL (DROP, or DELETE/UPDATE without a specific WHERE) is refused outright — a report cannot drop your data.
Layered authorization
Team+ tier, tenant opt-in, editor role, per-artifact publish permission, and a per-group grant for every connection. A scheduled report re-checks all of it on every run and disables itself the moment a grant is revoked.
Bounded and observed
Each run is capped on wall-clock time, memory, output size, database calls, and external-call budget. Runs are audit-logged with their author and timings, and a tenant admin reviews recent runs and errors.
What we claim, and what we don't.
A governance vendor that overstates its controls is a liability. Here is the precise scope.
Artifact files are encrypted with AES-256-GCM and per-artifact keys. Databases and backups rely on encrypted disk and volume controls in production, not application-level encryption. We say so plainly.
We give you the audit trail and export that GDPR and emerging AI oversight expect. We do not claim a certified compliance mapping. The evidence is yours to use inside your framework.
Leak-detection records viewer IP and User-Agent to flag exfiltration. That personal data is deleted automatically after 30 days. The platform is in early access and free during early access, with advance notice before billing begins.
Bring AI publishing inside your perimeter.
Give your teams the speed of AI output with the controls your organization already runs on.