Overture — the investment management runtime.

In production. The platform on which the compiler has been most fully exercised.

Overture executes investment-policy obligations under the same governance gate Living Policy Architecture writes for every runtime. Twelve agents in three sub-supervisors decompose the work. A nine-state governance gate routes every change through the tenant’s own authority chain. A hash-chained audit log makes every action independently verifiable.

Twelve agents in three sub-supervisors.

Intelligence ingests and normalizes. Analysis decomposes risk, return, and exposure across the portfolio. Governance gates every action under the tenant’s authority chain. Names are public; system prompts, tool registrations, and orchestration topology are not.

Overture — twelve agents in three sub-supervisors

orchestrator
Intelligence
  • data_integrity
  • harmonizer
Analysis
  • risk_attribution
  • credit_pe_analyst
  • predictive_risk
  • deal_sourcing
  • stress_testing
  • report_builder
Governance
  • compliance_officer
  • audit_trail
  • execution_guardrail
  • model_governance

Tenant isolation at the database.

Overture’s data layer enforces tenant isolation at the database with Postgres row-level security. Audit entries are hash-chained on write. Semantic retrieval uses 1024-dimension Voyage embeddings, HNSW-indexed, cosine-distance.

Tenant isolation is at the database layer. Not the application layer.

These choices are deliberate. Tenant isolation at the application layer is a single forgotten WHERE clause away from a cross-tenant disclosure. Tenant isolation at the database is enforced regardless of what the application code does. Encrypted-at-rest, hash-chained-on-write, and signed-on-change are not features that need to be remembered; they are properties of the runtime.

Every change advances through nine states.

A change proposal in Overture begins as a draft and either advances to live behavior or terminates as rejected or withdrawn. Each state has an entry condition, an exit trigger, and an audit event. Eleven standard change classes share the same nine-state shape; each class carries its own materiality threshold and cooling-off default.

  1. draft

    Entry: the change proposal is created.

    Exit: when the proposer submits for routing.

    Audit: a creation event is recorded.

  2. routing

    Entry: when a proposal is submitted from draft.

    Exit: when the gate identifies the authority chain required for this change class.

    Audit: a routing event is recorded with the chain identified.

  3. shadow

    Entry: when routing completes successfully.

    Exit: when the shadow run finishes and the delta is recorded.

    Audit: a shadow event is recorded with the delta summary.

  4. signing

    Entry: when shadow is complete and the proposal is presented to approvers.

    Exit: when the required signatures are collected, or when an approver rejects, or when the proposer withdraws.

    Audit: signature events are recorded as each signature is added; a transition event is recorded on exit.

  5. cooling_off

    Entry: when all required signatures are collected.

    Exit: when the configured cooling-off window expires without a signature withdrawal, or when a signature is withdrawn.

    Audit: a cooling-off-start event; a cooling-off-end or signature-withdrawn event.

  6. activating

    Entry: when cooling_off ends without withdrawal.

    Exit: when the configuration swap completes.

    Audit: an activation-start and activation-complete event.

  7. live

    Entry: when activating completes successfully.

    Exit: only by a new change proposal — rollback follows the same gate.

    Audit: a live event is recorded; the configuration becomes the new baseline.

  8. rejected terminal

    Recorded as a terminal event with the rejecting approver and reason.

  9. withdrawn terminal

    Recorded as a terminal event with the withdrawing party and reason.

Eleven standard change classes. Each one has its own materiality threshold and cooling-off default.

An interactive walk-through of a sample change — fabricated, neutral — mounts here in the next release. Actual gate behavior varies by change class and tenant configuration.

Same policy. Different regime. Same business day.

A single investment-policy document can be compiled against any of the regimes Overture supports. The source text does not change; what changes is what the runtime enforces. The illustrative comparison below is generated from a synthetic Northbridge IPS against four regulatory regimes.

obligation SECESMACSAFCA
concentration limit ≤ 5% per issuer5 / 10 / 40 (UCITS)≤ 10% (NI 81-102)5 / 10 / 40 (UCITS)
eligible counterparties qualified institutionalprofessional clientaccredited investorprofessional client
reporting cadence quarterly N-CSR / N-PORTannual KIID / semi-annualmonthly NAV / quarterlyannual / semi-annual
Illustrative — same synthetic policy, four regimes. Actual compilation rules vary by IPS and tenant configuration.

Why the speed matters.

Jurisdictional reconfiguration is the work that most often gets deferred — re-papering a fund family for a new regulatory regime is a months-long, multi-vendor exercise. Living Policy compresses it to one signed change, executed the same business day the cutover signs.

Reconfiguration speed — legacy versus Living Policy

  1. Legacy reconfiguration 6 — 9 months
  2. Living Policy reconfiguration same business day
Industry-typical timelines vs. Living Policy. Illustrative.

Three-tier voice router.

Overture accepts spoken instructions through a three-tier router — utterance capture, intent classification, and gate-aware command synthesis. Every command issued through the voice surface is materialized as a change proposal through the same nine-state gate. The voice surface does not bypass governance; it is a channel into it.

Five rows from a hash-chained log.

Every action in Overture writes an entry to a hash-chained audit log. Each entry references the hash of the entry before it. Tampering with any row deterministically breaks the chain at that row. A verify_chain() read recomputes the chain end-to-end; tampering is detected immediately.

#prev_hashpayloadtsentry_hash
0010x0000…0000change_proposal_created2026-05-21T09:14:02Z0x4b9c…a217
0020x4b9c…a217routing_resolved2026-05-21T09:14:03Z0x8d12…ff64
0030x8d12…ff64shadow_run_complete2026-05-21T09:18:47Z0xc1a4…720b
0040xc1a4…720bsignature_added2026-05-21T10:02:11Z0x77e9…3d8a
0050x77e9…3d8aactivation_complete2026-05-21T14:46:30Z0xa603…1c52

Fabricated five-row snapshot. verify_chain() semantics shown; real chain state is tenant-private.