---
title: "Enterprise plan"
canonical: "https://helm.docs.mindburn.org/helm-ai-enterprise/enterprise"
source: "helm-ai-enterprise/docs/COMMERCIAL_OVERVIEW.md"
edit: "https://github.com/Mindburn-Labs/helm-ai-enterprise/edit/main/docs/COMMERCIAL_OVERVIEW.md"
section: "helm-ai-enterprise"
access: "public"
sensitivity: "public"
last_reviewed: "2026-05-05"
checksum_sha256: "sha256:918c5324e7f1b7a2433790dfd49418b40d47bd844b3e87948b7f5096c3caa5f4"
build_timestamp: "2026-05-24T13:40:27.882Z"
---
# HELM AI Enterprise Overview

HELM AI Enterprise is the organizational control plane around the HELM AI Kernel execution kernel. It is for teams that need shared administration, identity, approval workflows, retention, evidence export, and evaluator-ready security posture around governed AI execution.

## Audience

This page is for enterprise evaluators, platform leaders, security architects, procurement reviewers, and operators deciding whether HELM can become the execution boundary for autonomous work.

## Outcome

After reading this page, an evaluator should understand:

- what stays in the OSS kernel and what the commercial control plane adds;
- how Individual and Enterprise differ;
- where Console, Console proof, SSO/RBAC, tenancy, SIEM, retention, deployment, and upgrades fit;
- which evidence an enterprise reviewer can ask for before a pilot;
- which pages contain exact APIs and trust details.

## Control Plane Map

```mermaid
flowchart TD
    subgraph Ingestion["1. Ingestion & Context Plane"]
        Kernel["HELM AI Kernel kernel"]
        Individual["Individual workspaces"]
        Console["Console operations UI"]
        SSO["SSO / RBAC / SCIM"]
        SIEM["SIEM export"]
        Retention["Retention and archival"]
        Enterprise["Enterprise admin"]
    end

    subgraph Ledger["4. Tamper-Evident Ledger Plane"]
        Receipts["Receipts and evidence"]
        Proof["Console proof routes"]
    end

    %% Operational Flow Edges
    Kernel --> Receipts
    Individual --> Kernel
    Console --> Individual
    SSO --> Individual
    SIEM --> Receipts
    Proof --> Receipts
    Retention --> Receipts
    Enterprise --> SSO
    Enterprise --> Retention

    %% Premium Styling Rules
    style Receipts fill:#2f855a,stroke:#276749,stroke-width:2px,color:#fff
    style Proof fill:#2f855a,stroke:#276749,stroke-width:2px,color:#fff
```


## Source Truth

This commercial overview is a routing page. Exact operational details live in:

- `docs/public/product/agent-skills-governance.md`
- `docs/public/product/console-api.md`
- `docs/public/product/procurement.md`
- `docs/public/product/rfp-answers.md`
- `docs/public/product/regional-compat.md`
- `docs/public/security-and-trust/security-model.md`
- `docs/public/security-and-trust/threat-model.md`
- `docs/11_API_REFERENCE.md`

Do not use this page as a substitute for endpoint, policy, or deployment references.

## Product Tiers

| Tier | Primary User | What It Adds |
| --- | --- | --- |
| OSS Kernel | Developers and framework authors | Local execution boundary, policy evaluation, receipts, verification, SDKs, MCP, OpenAI-compatible proxy. |
| Individual | Product teams and internal platforms | Workspaces, role models, approvals, API key management, shared policy bundles, audit trails, team administration. |
| Enterprise | Regulated or large organizations | Control plane governance, SSO/RBAC/SCIM path, tenancy controls, SIEM export, retention policies, certification evidence, deployment and upgrade support. |

Commercial value comes from shared organizational control around the kernel, not from artificial OSS gaps.

## Enterprise Capabilities

### Control Plane

The control plane coordinates workspaces, policy bundle attachment, approval flows, key issuance, audit trails, and evidence export. It does not replace the kernel. The kernel remains the decision boundary.

### Console

Console is the operational surface for inspecting decisions, receipts, approvals, policy versions, and workspace state. Evaluators should look for whether operators can answer "why was this action allowed?" without reading application logs.

### Console Proof

The Console proof should expose security model, TCB, threat model, evidence pack semantics, SBOM/SLSA/Cosign material where available, OWASP mappings, and compliance pack references.

### SSO, RBAC, and Tenancy

Enterprise deployments should align identity with the customer directory and map roles to concrete actions: administer workspace, issue keys, approve escalations, export evidence, and change policy. Tenancy should isolate workspaces, policy state, receipts, and exports.

### SIEM, Retention, and Archival

Receipts and audit events are useful only when they leave the product cleanly. Enterprise posture requires export to security tooling, explicit retention policy, and archival behavior that survives vendor or model-provider changes.

### Deployment and Upgrades

Enterprise reviewers should ask:

1. Which components run in our network?
2. Which components are hosted?
3. How are policy bundles promoted?
4. How are signing keys and evidence exports rotated?
5. How are upgrades rolled back?
6. What is the minimum evidence package for an audit?

## Evaluator Checklist

| Question | Where to Verify |
| --- | --- |
| Can a developer integrate in under 10 minutes? | [Start guide](/start) |
| Can an auditor verify a receipt offline? | [Verify](/reference/verify) |
| What is in the trusted computing base? | [TCB Policy](/security/tcb-policy) |
| What threats are modeled? | [Threat Model](/security/threat-model) |
| Which APIs exist for operators? | [API Reference](/reference) and [Console API](/product/console-api) |
| How do procurement teams evaluate the product? | [Procurement FAQ](/product/procurement) and [RFP Answers](/product/rfp-answers) |

## Troubleshooting

| Symptom | Likely Cause | Fix |
| --- | --- | --- |
| Enterprise review stalls on "what is hosted?" | Deployment model not stated for the pilot | Write the chosen deployment model into the evaluation packet. |
| Security team cannot trace a decision | Receipts are not exported or linked to policy versions | Require receipt export and bundle hashes in pilot acceptance. |
| SSO/RBAC discussion stays abstract | Roles are not tied to actions | Map each role to workspace, approval, key, policy, and export permissions. |
| Compliance asks for a claim that is not in docs | Claim has no source-truth page | Add a source-backed doc or remove the claim. |

## Next Pages

- [Individual Governance](/teams)
- [Security Model](/trust)
- [Threat Model](/security/threat-model)
- [Regional Compatibility](/product/regional-compat)