Built for IT-governed AI tooling

Approve innovation. Without losing control.

Forigi is the runtime under the AI-built tools your teams will ship anyway. Microsoft SSO, governed data, full audit, and a kill switch on every app — per-tenant policy you control end-to-end.

No credit card. Pilot spots limited.
The reality

Shadow AI is already in your tenant. The question is whether you can see it.

0%
of organizations are blind to their AI data flows.
State of Shadow AI Report, 2025
0%
of CISOs have already discovered unsanctioned GenAI tools in their environment.
2026 CISO AI Risk Report (235 CISOs)
40–0%
of AI-generated code contains security vulnerabilities.
Multiple studies, 2025–2026
$0K
extra cost per breach when shadow AI is involved.
IBM Cost of a Data Breach Report, 2025
When Escape.tech scanned 5,600 production vibe-coded apps, they found 2,000 critical vulnerabilities, 400 exposed secrets, and 175 instances of exposed PII. Forigi’s constrained-SDK runtime forecloses the largest categories by design — apps can’t hold credentials, can’t make cross-origin requests, and read data only as the signed-in viewer.
What you control

Every read, write, and external call — under your policy.

IT decides which data sources are exposed, which apps can use which sources, per-app rate limits, audit retention, and a kill switch on every app.

Governed data

IT publishes data sources from SharePoint and OneDrive. Apps consume them as the viewer, not a service account.

Full audit trail

Every read, write, and external call is logged. Answer "what data went where, by whom" in seconds.

Kill switch

Any app can be paused or deleted instantly by an admin. Tenant policy controls every data source the runtime exposes.

Microsoft Verified Publisher

Forigi is operated by Knotbook Software Inc., a Microsoft AI Cloud Partner Program member with verified-publisher status on the Microsoft Entra app registration.

Per-tenant policy

Data-source allowlist, per-app source binding, rate limits, and audit retention — all configured per tenant.

Encryption + retention

Encrypted at rest. Audit log retention configured to match your compliance baseline.

How identity flows

Viewers see what they have permission to see — nowhere else.

Apps are static HTML and JavaScript only. They cannot make cross-origin requests, hold credentials, or run server code. All data access flows through a constrained SDK that the platform controls. Identity is propagated to source systems, so viewers see only what they already have permission to see in SharePoint and OneDrive.

Your IT console

Every app, every data flow, one screen.

The IT side of Forigi: a tenant-scoped console that lists every app your team has shipped, streams the audit feed in real time, and puts a kill switch on every row.

Apps in your tenant: 5
Shipment tracker · ops@ · SharePoint · 2m ago · Live
QBR generator · cs@ · SharePoint · 11m ago · Live
Renewal dashboard · ae-leads@ · OneDrive · 27m ago · Live
Vendor budget review · finance@ · SharePoint · 3h ago · Paused
Onboarding tracker · people@ · SharePoint · 4h ago · Live
Tenant policy
Identity: Microsoft Entra ID
Sources: SharePoint, OneDrive
Writes: Off
Audit retention: 90 days
Audit feed: streaming
alex@ · viewed Shipment tracker · just now
priya@ · queried OneDrive: Renewals_FY26.xlsx · 8s
marcus@ · viewed QBR generator · 14s
alex@ · queried SharePoint: Shipments site · 22s
admin@ · paused Vendor budget review (kill switch) · 31s
Pilot scope

What’s in the private beta today.

Identity

Microsoft SSO via Entra ID. Every app sits behind your tenant boundary; viewers must be signed into your tenant.

Data sources

SharePoint · OneDrive — all reads run as the viewer, so existing M365 permissions decide what each person sees. More Microsoft sources are on the roadmap.

Microsoft Verified Publisher · Microsoft Entra ID · SharePoint · OneDrive · Per-tenant policy · SOC 2 in progress · Encrypted at rest · Audit log retention
How it works

What ends up on your IT dashboard.

1. Builder describes the tool to Claude Code

They type what they need; Forigi connects via MCP, so Claude Code already knows which SharePoint and OneDrive sources your tenant has authorised.

2. Forigi handles the boring parts

It generates the app, infers and provisions the database, wires the data sources, sets access controls, and gives the builder a URL on your internal domain. Microsoft SSO, governance, audit — all automatic.

3. You see everything. You can stop anything.

IT has a single dashboard showing every app and every data flow — with a kill switch on every one.

Questions

The things IT always asks.

How does Forigi keep our data safe?
Apps are static HTML and JavaScript only. They cannot make cross-origin requests, hold credentials, or run server code. All data access flows through a constrained SDK that the platform controls. Identity is propagated to source systems, so viewers see only what they already have permission to see in SharePoint and OneDrive.
What can IT control?
Everything. Which data sources are exposed, which apps can use which sources, per-app rate limits, audit retention, and a kill switch on every app. The pilot runtime is read-only by design — apps consume data, they don't write back to source systems.
Does this require any backend code?
No. Builders write static HTML and JavaScript. Forigi reads the code, infers what database tables the app needs, provisions them, and exposes a structured CRUD interface. Builders never touch a backend.
Where do apps run?
On Forigi's hosted runtime, accessible at internal URLs gated by your Microsoft SSO. Apps live behind your identity boundary — viewers must be signed into your tenant.
What integrations are supported?
In the private beta: Microsoft SSO via Entra ID, plus SharePoint and OneDrive as governed data sources. More Microsoft sources are on the roadmap.
Pricing?
Pilot customers in the private beta have free access during the program. We'll share pricing closer to general availability.
Who's behind this?
Forigi is built by a small team that's seen this problem from both sides — as builders frustrated by IT bottlenecks, and as people who understand why those bottlenecks exist.

Reserve an expedited pilot review.

A founder will reach out within 5 business days to walk through governance fit and pilot scoping.