Product · Geodesia G-1 · Generally Available · Real-time

Real-time, frontier-grade safety
for any LLM or voice AI.

Trust at the speed of light. No compromise.

Geodesia G-1 is a non-invasive, real-time trust layer that drops in front of any model — your self-hosted vLLM, SGLang, TensorRT-LLM, llama.cpp, Ollama, a cloud OpenAI-compatible endpoint, or a streaming audio / voice pipeline. At its core is our proprietary multimodal physical model. Change one base URL and every prompt, document and answer is screened on six independent axes, scored with a calibrated risk reading in joules, and compliance-logged — all six axes returned in ~30 ms for a 1024-token prompt on a single GPU. The same layer now guards agentic MCP tool-calls and live web search — not just chat — improves with use under human supervision, and offers an optional 8B-class deep-scan for maximum depth. A platform that auto-generates auditable PDFs for the EU AI Act, California SB 942, and 11 other AI frameworks. Days, not quarters, to production.

Watch the platform in action All integrations →
Detection6 axes · ~30 ms / 1024 tok · ΔE in joules
SurfacesChat · voice / audio · RAG docs · web · MCP tools
EnginesvLLM · SGLang · TRT-LLM · llama.cpp · Ollama · OpenAI
DeploymentSingle Docker · air-gap capable
Validated Across

Open models are powerful.
Open models are not safe enough to deploy alone.

Three risks block every regulated AI rollout — and none of them are solved by training another model.

01
🧠

Hallucinations under load

Mid-sized open models confidently fabricate citations, statistics, and clinical advice. In agentic pipelines a single hallucination cascades into irreversible action — and you have no idea which token caused it.

02
🛡️

Safety gap vs frontier models

An open 8B model is not a frontier closed model. The frontier safety stack — refusals, jailbreak resilience, prompt-injection containment — is not in the weights. It has to be added at the runtime layer.

03
⚖️

EU AI Act enforcement, August 2026

Article 27 FRIA. Article 12 audit logging. Article 50 disclosure. Article 14 human oversight. Fines up to 3% of global turnover. Generic LLM observability tools do not produce the documents a regulator asks for.

A trust layer in front of your model.
Not a replacement. No patches.

G-1 is a drop-in OpenAI/Ollama proxy. Your application keeps speaking the OpenAI API; G-1 speaks it back. Your inference engine — vLLM (official, unmodified), SGLang, TensorRT-LLM, llama.cpp, Ollama, or a cloud OpenAI endpoint — keeps running unchanged. Every prompt is screened before generation. Every response is scored on six axes as it streams — in real time, ~30 ms for a 1024-token prompt on a single GPU. Every inference is signed, logged, and made auditable.

YOUR APPLICATION
Customer copilot· Clinical assistant· Loan officer agent· Multi-agent pipeline
OpenAI-compatible API
GEODESIA G-1 · TRUST LAYER
🛡️
Safety Gate · prompt · answer · jailbreak
OOD AUROC 0.900 / 0.922 / 0.989
🧬
Constitutional AI
European-values policy router
🧠
Grounding + RAG-firewall · context · injection · closed-book
OOD AUROC 0.881 · injection 0.995 · closed-book 0.769
🔍
Causal XAI
Integrated Gradients · MuPAX
⛓️
Compliance Runtime
audit chain · oversight · kill-switch
📑
Auto-Reports
EU AI Act · FRIA · MiFID II · GDPR
OpenAI / Ollama protocol · drop-in proxy
YOUR INFERENCE STACK · UNCHANGED
vLLM (official) SGLang TensorRT-LLM llama.cpp Ollama OpenAI API + any logprobs-aware engine
🔧
No weight modification
Your IP stays your IP.
🔌
No engine patches
Official vLLM, SGLang, TRT-LLM, llama.cpp, Ollama.
📦
Single Docker
Air-gap capable.
Days, not quarters
Change one URL · production in days.
🇪🇺
Sovereign by design
No telemetry. No outbound calls.

Six axes.
One real-time screen.
Risk readable in joules.

Every turn is screened on six independent axes — context hallucination (RAG faithfulness), context-injection (RAG-firewall), closed-book hallucination, prompt safety, answer safety, jailbreak. Five share a single forward pass of our proprietary multimodal model — each axis reads a dedicated region of the model's vector subspace; the sixth, closed-book, is a separate linear expert over the generation's logprobs. All six return in ~30 ms for a 1024-token prompt on a single GPU. Each axis returns a probability and a calibrated energy reading ΔE in joules (ECE 0.012–0.047): the energy a token would need to leave the safe well and fall into that failure mode. Auditable. Monotone. Physically interpretable.

Live Safety Gate · Pre-Generation
📥
Incoming Prompt
User or agent request
🛡️
Safety Gate
prompt · answer · jailbreak — streaming
OOD 0.900 / 0.922 / 0.989
Safe → pass to model
score < threshold
PASS
🚫
Unsafe → block & log
audit record created, model never called
BLOCK
0.900
Prompt safety OOD · XSTest
0.989
Jailbreak OOD · jailbreak_cls
Grounding & RAG-firewall
🤖
Model draft + RAG context
raw output from frozen base LLM + retrieved chunks
🧠
Grounding + RAG-firewall
context · injection · closed-book · ΔE in joules
OOD 0.881 · injection 0.995
Grounded → deliver
grounding score attached to response
PASS
0.881
Context halluc. OOD · HaluEval
0.995
Context-injection OOD · Gandalf
Compliance Runtime · Async
🔏
Watermark
HMAC · 6 languages
⛓️
Audit Chain
SHA-256 · tamper-proof
📊
FRIA
EU AI Act Art. 27
👁️
Oversight Queue
3-level escalation
🔴
Kill-Switch
72h SB 942 timer
🗂️
Retention
90 days – 10 years
Compliance API · REST
# Real-time compliance health GET /compliance/dashboard # Export EU AI Act audit bundle GET /compliance/audit-bundle?law=EU_AI_ACT # Verify watermark on a response GET /watermark/verify/live # Trigger human oversight (Level 3) POST /notifications/oversight/level3

Six new fronts.
One trust layer.

G-1 no longer guards only the chat turn. The same real-time engine now protects agentic tool-calls, live web search, and per-model truthfulness — and it gets harder to fool the more it is used.

🧩

Agent & MCP Security

G-1 now inspects the full lifecycle of Model Context Protocol (MCP) agents — tool discovery, tool-calls, results and resources — and returns allow / warn / block verdicts in real time. It stops tool poisoning & "rug-pull" (silent mutation of a tool's description), indirect prompt-injection via tool results, and data exfiltration (taint → sink → new-domain). Policy is configurable per-application → per-axis → per-tool.

🔬

Deep-Scan · 8B-class

An optional 8B-class safety judge (open Apache-2.0 base, GLAD geometry on top) that reads internal states and emits calibrated scores on five axes, with selectable scope (prompt / answer / both). For when you want maximum depth at a little more latency. OOD AUROC 0.97–0.99 (jailbreak 0.985 · closed-book 0.987 · context 0.978 · answer-safety 0.975 · prompt-safety 0.970).

🎯

SLEDGE · per-model calibration

Closed-book truthfulness recalibrated for every LLM you serve. Two modes from the console — Fast (quick conformal-threshold recalibration) and Deep (full) — restore a conformal false-positive-rate guarantee when you swap models, with hot-reload and no restart.

♻️

Self-improving, under supervision

Users can flag a wrong detector call in plain language; flags feed a curator review queue and an example bank. A weekly retraining with an automatic acceptance gate (it ships only if it doesn't regress) closes a continuous-immunity loop. Backed by systematic adversarial hardening.

🌐

Web Search Firewall

Live web search where every fetched page is screened by the GLAD firewall before it can ground an answer: injection / DAN pages are blocked 🔴, safe pages are read 🟢 — visible in real time. Zero false positives on the test set (benign pages read, injection pages blocked). Async RAG PDF upload with progress.

🆘

Crisis / self-harm detection

A dedicated detector for crisis and self-harm ideation — including euphemistic phrasings and very short queries — a high-ethical-value safety axis. AUROC 0.899 on short queries (recall 0.77), generalising to novel / curated cases.

Stop a spoken jailbreak
mid-sentence.

Speech is now guarded like text. A streaming transcription layer sits in front of the detector: it transcribes the microphone incrementally and re-scores the growing transcript on prompt-safety and jailbreak — the same input-validation path as typed chat. A spoken attack is caught while it is still being said, blocked before the utterance finishes, not after.

This is the category almost no one occupies: the incumbents' audio defence is "coming soon", and no hallucination detector touches voice. Voice agents in banking, health and customer care are exactly EU AI Act Annex III — and mid-stream halting is the only mechanism that stops a hallucination as it is pronounced.

See the voice guard
How it works
🎙️
Incremental transcription
streaming ASR over a sliding window
✔️
LocalAgreement-2
a word commits only when two decodings agree — flicker-free, monotone
🛡️
Re-score on every commit
prompt-safety · jailbreak — same path as typed chat
Mid-stream halt
block before the sentence ends

A tiny ASR model (~75 MB) is baked into the proxy image — real-time on CPU, air-gapped, no runtime download; switch to a larger model in the UI for lower word-error rate. Off by default, so typed chat stays byte-identical. This is the semantic branch — it catches spoken content threats, not acoustic deepfakes / voice spoofing.

One hallucination.
An entire pipeline
corrupted.

In a standard LLM deployment, a hallucinated response reaches one user. In an agentic AI system — where models orchestrate tools, databases, and other models — that same error becomes the next agent's trusted input.

By the time the error reaches a real-world action — a clinical recommendation, a financial execution, a legal document — it has been re-confirmed multiple times and is irreversible.

Without Geodesia G-1
🤖
Agent A — generates hallucinated claim
Hallucination undetected
🔗
Agent B — treats error as trusted fact
Error amplified and re-used
⚙️
Real-world action triggered
Irreversible. Potentially harmful. No audit trail.
✓ With G-1: every agent output scored & logged before becoming next input
0.995
Context-injection · OOD AUROC
Gandalf · RAG-firewall, never seen
0.989
Jailbreak · OOD AUROC
jailbreak_cls held-out · leave-one-dataset-out
0.881
Context hallucination · OOD AUROC
HaluEval held-out · leave-one-dataset-out
6
Detection axes
~30 ms / 1024 tok · ΔE in joules

A 2B-parameter open model.
Frontier-class results.

Geodesia G-1 mounted on Gemma 4 E2B — a model two orders of magnitude smaller than the closed frontier — matches and beats most frontier models on truthfulness and safety. Tested on HaluEval for hallucination resistance and on our adversarial-safety test set (validation in progress).

Anti-Hallucination

HaluEval · higher = better
ChatGPT 5.5 thinking Best
92.0
G-1 + Gemma 4 E2B Ours
91.8
Claude Opus 4.7
89.5
Gemini 3.1 Pro
87.5
DeepSeek V4
82.9
Grok 4.3
80.1
Mistral 3 Large
65.5

Safety Test set · validation in progress

Adversarial robustness · higher = better
Gemini 3.1 Pro Best
97.4
G-1 + Gemma 4 E2B Ours
96.1
ChatGPT 5.5 thinking
96.0
Claude Opus 4.7
95.4
DeepSeek V4
88.7
Grok 4.3
85.6
Mistral 3 Large
70.8

How we compute these numbers — and how we compare.

Every AUROC reported by Geodesia G-1 is computed under a leave-one-dataset-out protocol — the gold standard of validation. For each detection axis, an entire dataset is held out of the training corpus — not a held-out subset of the same distribution, but the whole dataset, never seen during training — and used only as the test set. The reported number is the area under the ROC on that unseen dataset. We do this because in-distribution held-out numbers, which most LLM-safety vendors publish, systematically reward memorisation of the training distribution. Out-of-distribution numbers are harder to game and more credible in production. Five of the six axes come out of a single multimodal forward pass; closed-book is a separate logprob expert. G-1 ships in two tiers: the real-time Fast detector (left column) and an optional 8B-class Deep-scan (right column) for maximum depth at a little more latency.

Detection axis · evaluation set Fast (OOD) Deep-scan (OOD) Held-out dataset & notes
Context-injection · RAG-firewall 0.995 Gandalf — external injection set, never seen. The defensible core; separation holds out-of-distribution.
Jailbreak 0.989 0.985 jailbreak_cls held-out. Detects attack structure, not keywords. Up to 0.996 after adversarial hardening.
Answer-safety 0.922 0.975 nemotron_answer (NemoGuard) held-out. False alarms bounded by split-conformal thresholds.
Prompt-safety 0.900 0.970 XSTest over-refusal. Dual-concept boolean logic. Up to 0.99 on an adversarial held-out set after hardening.
Hallucination-on-context 0.881 0.978 HaluEval (flowaicom) held-out + cross-check on libreeval / aggrefact / faithbench. HaluEval ~0.94; adversarial ~0.6.
Closed-book hallucination (advisory) 0.769 0.987 TruthfulQA + cbsg / DefAn. Single-pass, logprob-only (in-dist 0.884). SLEDGE recalibrates it per served model. See the comparison below.

Closed-book truthfulness — against the state of the art

Closed-book has no context to check against, so a text-only baseline is a coin-flip (~0.5): the signal lives not in the text but in the confidence with which the base model generated the tokens. Our closed-book expert is therefore a separate one — a single linear head over 8 logprob features (mean surprise, varentropy, decision margin…). On TruthfulQA our 0.769 OOD sits just below the unsupervised SOTA — which only reaches its number by reading the model's internal latent states — and decisively beats the resampling methods. The decisive advantage is extreme speed at SOTA-parity: one forward pass, not N.

Method (paper) AUROC · TruthfulQA Notes
G-1 closed-book — in-distribution 0.884 Balanced QA.
HaloScope (Du et al., NeurIPS 2024 spotlight) 0.786 SOTA unsupervised — but uses SVD on the model's internal latent states. Requires access to model internals.
G-1 closed-book — OOD 0.769 Single-pass. Logprob-only. No access to latents.
Semantic Entropy (Farquhar et al., Nature 2024) ~0.62 Requires N resamplings — extremely slow.
SelfCheckGPT (Manakul et al., 2023) ~0.55 On Qwen2.5-7B. Requires N resamplings — extremely slow.

Real-time latency — all six axes, end to end

Measured wall-clock time for G-1 to return all six axes on a full prompt, on commodity GPUs (mean ± std). Note how the A6000 stays nearly flat as the prompt doubles, while a consumer RTX 3080 still screens a 1024-token prompt in well under 40 ms.

Prompt length RTX A6000 RTX 3080
1024 tokens 28.5 ± 1.4 ms 34.8 ± 3.3 ms
2048 tokens 31.5 ± 1.8 ms 62.9 ± 0.7 ms

From most solid to most fragile. Context-injection (0.995) and jailbreak (0.989) show clean separation that holds out-of-distribution — the defensible core. Answer-safety (0.922) and prompt-safety (0.900) are solid on real traffic, with false positives bounded by split-conformal thresholds: a finite-sample bound on the false-alarm rate. Hallucination-on-context (0.881) is robust on normal grounding and weaker on the most adversarial sources. On closed-book we are explicit: blatant fabrications we block before the user; on confident half-truths we raise an advisory, not a blind block.

Adversarial hardening. A systematic red-team programme — an adversarial probe library plus anti-regression recipes — lifted prompt-safety from 0.49 → 0.99 on an adversarial held-out set and jailbreak to 0.996, while removing false positives on benign creative content: the creative guard went from 0.217 → 0.000 false-positive rate, keeping recall 1.0 on genuinely harmful content. SLEDGE then recalibrates the closed-book axis per served model (Fast or Deep), restoring a conformal false-positive-rate guarantee on model swaps with hot-reload.

References for the evaluation sets and baselines. HaluEval (Li et al., 2023, EMNLP); XSTest (Röttger et al., 2024, NAACL); NemoGuard / Nemotron (NVIDIA, 2024); Gandalf (Lakera, prompt-injection set); jailbreak_cls; aggrefact · faithbench · libreeval (faithfulness cross-checks); TruthfulQA (Lin et al., 2022, ACL); cbsg / DefAn; HaloScope (Du et al., NeurIPS 2024); Semantic Entropy (Farquhar et al., Nature 2024); SelfCheckGPT (Manakul et al., 2023).

Reading guide. AUROC ranges 0.5 (random) to 1.0 (perfect). Closed-book hallucination is shipped as advisory: it raises a high-confidence flag for human review on confidently-incorrect answers, not a hard block — the signal is in the base model's token confidence, not the text, and we are honest about that. Latency is real-time: G-1 returns all six axes in 28.5 ms on an RTX A6000 and 34.8 ms on a consumer RTX 3080 for a 1024-token prompt (see the latency table above); the Compliance Runtime is fully async and never blocks the response.

One ~300M model.
Six axes. 30 ms. One GPU.

To cover safety and hallucination and injection, everyone else stacks multiple large guards in series. Agents multiply LLM calls 10–100× per task and voice generates continuous streams — so the guardrail's cost and latency, per step, become the buying criterion. G-1 is the only guard cheap and fast enough to run on every agent step and every voice chunk. Others can only afford the final check.

Stack to cover safety + hallucination + injection Total params Latency GPUs
LlamaGuard 8B + Lynx 8B + injection classifier ~16B+ 300–600 ms (serial) multiple
Galileo Luna-2 3–8B <200 ms vendor cloud
Geodesia G-1 · all six axes ~300M ~30 ms 1 · yours
Every step, every chunk
Cheap enough for an agent loop and a voice stream.
⚖️
Evidence-grade verdicts
Token-level reason-codes that hold up in an audit.
🎙️
Voice-native
Halts a spoken threat mid-sentence.
🔒
On your GPU
On-prem, air-gap capable, zero egress.

"In the agentic and voice era, the guardrail is called 100× more often than yesterday's model. We're the only ones with the economics to be there on every call — and the only ones whose verdict holds up in court."

Four alternatives.
One clear answer.

Capability Geodesia G-1 Cloud AI API Raw Open LLM In-House Build
Frontier-grade safety on open models~
Data stays on-premise
Real-time hallucination scoring~
Real-time voice / audio safety (multimodal)~
European Constitutional AI
Auto-generated EU AI Act reports~
Air-gap capable
Cryptographic audit chain~
Agentic pipeline forensics~~
Agent / MCP tool-call security
Time to productionDaysImmediateWeeks12–24 months

Enterprise evaluation
questions answered.

No. Geodesia G-1 is non-invasive. It wraps your existing model via vLLM as an external safety and compliance layer. The base model's weights are never modified.
Yes. G-1 is compatible with any transformer-based language model, including fine-tuned variants. A one-time adapter configuration step is required per deployment. Validated across Qwen 3, Gemma 4, Llama 3.x, Phi-4 Mini, Mistral, and DeepSeek families.
The frontier safety stack — refusals, jailbreak resilience, prompt-injection containment, hallucination scoring, constitutional alignment — is added at the runtime layer rather than baked into model weights. At its core is our proprietary multimodal physical model: it evaluates every prompt before generation (prompt-safety + jailbreak — OOD AUROC 0.900 / 0.989), screens the retrieved RAG context for hidden hostile instructions (context-injection / RAG-firewall — 0.995 on Gandalf), and scores every response as it streams (answer-safety + context hallucination — OOD AUROC 0.922 / 0.881), with the Constitutional Intelligence router enforcing policies at every step. All six axes return in ~30 ms for a 1024-token prompt on a single GPU.
Yes. Once the adapter training is complete and the container is deployed, G-1 requires zero internet connectivity at inference time. There is no license server dependency, no telemetry endpoint, and no cloud dependency.
No. Geodesia.ai does not access client model weights, training data, prompts, inference responses, or audit logs — by architectural design, not by policy. Training runs on client-controlled infrastructure. The Docker container does not call home.
A proprietary, multimodal physical model. It takes both the streaming text and the model's token logprobs as input, on different axes. Five of the six axes (jailbreak, prompt-safety, answer-safety, context-injection, context-hallucination) come out of a single forward pass, each reading a dedicated region of the model's vector subspace with its own head. The sixth, closed-book, is a separate expert: a linear head over 8 logprob features (mean surprise, varentropy, decision margin…), because there the signal is in the base model's token confidence, not the text. We tested non-linear closed-book regressors — they add latency and perform worse, so the linear head stays.
Yes. G-1 is real-time and multimodal by design — built for audio and non-audio applications alike. It screens streaming voice / audio pipelines turn-by-turn the same way it screens text, returning all six axes in ~30 ms for a 1024-token prompt on a single GPU, fast enough to brake a voice agent mid-utterance when a risk barrier is crossed.
G-1 is built for real-time use. Five of the six axes share a single multimodal forward pass and the sixth (closed-book) is a lightweight linear head over logprobs, so all six axes are returned in 28.5 ± 1.4 ms on an RTX A6000 and 34.8 ± 3.3 ms on a consumer RTX 3080 for a 1024-token prompt — and the A6000 stays nearly flat at 2048 tokens (31.5 ms). Fast enough for streaming voice and text. The Compliance Runtime runs fully async and never blocks the response.
Both. The same trust layer inspects the full lifecycle of Model Context Protocol (MCP) agents — tool discovery, tool-calls, results and resources — and returns allow / warn / block verdicts in real time. It deploys three complementary ways: a queryable Guard Server (MCP analysis primitives for other hosts), an inline interceptor that sanitises traffic between a host and downstream MCP servers, and a tool-aware chat gateway that validates tools / tool_calls / results in your existing chat path (a byte-identical no-op when there are no tools). It covers tool poisoning & "rug-pull", indirect prompt-injection via results, and data exfiltration (taint → sink → new-domain), with policy set per-application → per-axis → per-tool.
The Fast detector is the real-time companion model that returns all six axes in tens of milliseconds — the default. Deep-scan is an optional 8B-class safety judge, built on an Apache-2.0 open base with GLAD-Manifold geometry on top, that reads internal states for maximum depth (OOD AUROC 0.97–0.99 across five axes, scope selectable: prompt / answer / both). Use Fast everywhere; switch on Deep-scan when you want the strongest possible verdict and can spend a little more latency.
Yes. A dedicated detector flags crisis and self-harm ideation — including euphemistic phrasings and very short queries — with AUROC 0.899 on short queries (recall 0.77) and good generalisation to novel cases. It is part of the prompt-safety surface and can route to your escalation / oversight workflow.
Yes. With the Web Search Firewall, every fetched page is screened by the GLAD firewall before it can ground an answer — injection / DAN pages are blocked, safe pages are read, visible in real time. On our test set this runs at zero false positives (benign pages read, injection pages blocked). RAG PDF upload is asynchronous with a progress bar.
Yes — under human supervision. Users can flag a wrong detector call in plain language; flags feed a curator review queue and an optional example bank. A weekly retraining with an automatic acceptance gate (it ships only if it does not regress) closes a continuous-immunity loop. Combined with a systematic adversarial-hardening programme, the trust layer gets harder to fool the more it is used.
On any single axis you can always find a specialist that matches us — that's table stakes. We compete on the intersection nobody else occupies: all six axes — safety and grounded + closed-book hallucination and injection — in a single ~300M forward pass at ~30 ms, on-prem, versus a serial stack of 8B-class guards (LlamaGuard + Lynx + an injection classifier, ~16B+, 300–600 ms) or a managed cloud (Galileo Luna-2). At agent and voice volumes, that cost-per-verdict is the buying criterion. Add token-level, per-axis causal explanations that become regulator-ready evidence, and a streaming voice guard that halts a threat mid-sentence — two things no competitor ships — and the picture is clear. On closed-book we are candid: 0.769 single-pass is just under HaloScope's 0.786, but we are the only closed-book detector deployable in production (no model internals, no resampling).
Yes. Send "constitutional_ai": false (or simply include your own system message) and G-1 uses your prompt instead of the Constitutional-AI prompt — and that same prompt also grounds the hallucination check, so faithfulness is measured against your instructions.

Audit G-1 in your perimeter.

Reserved for CISOs, Heads of AI, DPOs, and legal teams evaluating regulated LLM deployment. Live demo. Sandbox access. Reference architecture review.

No network connection required during PoV SOC2 / ISO 27001 readiness posture Cryptographically signed evaluations