Risk tiering, policy as code, runtime guardrails, red team evals, and the audit evidence behind every decision.