Mainabe's first product. A Governance-as-a-Service platform that produces continuous, regulator-ready compliance evidence for organisations in financial services, oil and gas, healthcare, and government — without moving your data out of your environment.
MICEG™ is delivered as a GaaS — Governance as a Service — platform. Customers subscribe to MICEG on an annual subscription basis and access it as a completely independent system. Your data never loads onto our platform. Governance and control are produced where your data already lives.
MICEG is a service, not a data destination. Customers consume governance, evidence, and supervisory readiness on a continuous basis — with no ingestion of customer data into the Mainabe platform at any point.
The platform observes your data movements; the data itself never travels. Signals flow up, evidence flows down, and your underlying data values are not accessed by MICEG at any point.
Each is a structural decision, not a feature. Together they define what MICEG is and what MICEG is not.
MICEG integrates with your data systems through an SDK that reads metadata, schema, and movement events — not data values. The product cannot, by architectural design, exfiltrate the underlying values of your records. The observer pattern is not a configuration setting; it is the platform's structural definition.
MICEG integrates with your data systems on AWS, Azure, GCP, or on-premise. Where your data lives is your decision. The SDK is built once and deployed across the environments you already use. No re-platforming. No data migration. No parallel architecture.
The platform itself runs on Canadian cloud infrastructure. Mainabe's services and every artefact MICEG produces about your environment are physically resident in Canada. The cross-border data sovereignty question every Canadian procurement office asks is answered before they ask it.
Every validation MICEG runs writes an immutable, timestamped, signed evidence record. Evidence is not assembled retrospectively; it accumulates as a by-product of normal operations. When a regulator, auditor, or board asks for proof, the answer is generated from the accumulated record — not reconstructed from logs.
No theory. No roadmap promises. Eight concrete outcomes from the moment MICEG™ begins operating against your environment. Each panel below expands to show the underlying capability with a diagram and an inline definition of the concept.
A data contract is a formal agreement that defines how a specific data entity should behave — its schema (the fields it contains), validation rules (what makes a record valid), how personal information is classified and handled, retention periods, and the service expectations that apply. It is the boundary between what your governance policy says and what your data actually does. Without it, "we have a privacy policy" and "we are following the privacy policy" are two different sentences and only one of them is true. With it, every data movement can be checked against the agreement that governs it.
Every data movement is checked against the contract that governs it. Schema mismatch, missing required field, PII flowing where it should not, retention violation — caught at the moment the violation happens, recorded in the evidence ledger, with the contract version and the policy reference attached. The quarter-end audit finding that used to surface six weeks of accumulated violations becomes a real-time signal nobody has to dig for.
Most institutions today: a contract violation is a finding in next quarter's audit report. With MICEG: a contract violation is an alert in the operations channel within seconds of the data movement, with the contract version, the regulation reference, and the responsible team already attached.
A Coverage Map is a complete, evidence-backed picture of every table, pipeline, and data flow Mainabe has observed in your environment — separated visibly into "governed by a contract", "ungoverned" (data is moving but no contract exists), and "out of scope" (explicitly acknowledged by a compliance officer with a documented reason). Most data catalogues today are manually maintained — someone has to walk through the organisation and register every table, and the catalogue is always behind reality. The Coverage Map builds itself from observation. The gap between governed and ungoverned is the governance deficit, dated and attributable.
A manually-maintained data catalogue costs eighteen months to two years to commission and is stale the day after it is signed off. The Coverage Map builds itself from what Mainabe observes as your platform validates real data movements — and updates continuously. A CDO can hand a regulator a coverage report showing the entire observed estate, dated, with governed and ungoverned plainly separated. That is a qualitatively different kind of assurance from "we believe we have a catalogue".
Most institutions today: "We think we have a data catalogue. It was last updated in 2024." With MICEG: a live, evidence-backed view of every table — governed in gold, ungoverned in rust — with the date each ungoverned table was first observed.
Regulatory evidence is the documented artefacts a regulator, auditor, or supervisor expects to see when they ask "show me that you are following the controls you described in your policy". Traditionally this means a compliance team produces evidence packs by hand — gathering screenshots, exporting logs, assembling control attestations, reconstructing lineage records — for weeks, every quarter or before every audit. The work is necessary but does not scale, and the evidence is always retrospective. MICEG produces these artefacts continuously, as a by-product of normal data operations, with the regulation reference and the contract version attached.
Evidence packs, control attestations, lineage records, validation outcomes — produced continuously as a by-product of normal operations and stored as immutable evidence. When an auditor or regulator asks for evidence of a specific control on a specific date, the answer is generated from the accumulated record in minutes. The six-week pre-audit scramble that consumed two full-time compliance officers for a month becomes a query against an indexed evidence store.
Most institutions today: six weeks of manual evidence reconstruction every audit cycle, with the compliance team and the data team in conflict over who owns the burden. With MICEG: evidence generation is automatic and ongoing, and an audit query returns an answer in the same conversation.
A governance maturity score is a single number — derived from observed governance behaviour across multiple dimensions of your data estate — that tells you where your organisation sits on a recognised maturity ladder, where it was twelve months ago, and where it will be twelve months from now if current trends continue. It is the metric a CFO and a CCO can both act on, because it converts governance posture from an opinion ("we think our programme is mature") into a position on a scale ("we are at level 3, trajectory to level 4 in twelve months"). The number is updated continuously, based on what is actually happening in the data layer — not what a consultant said happened in an interview.
A single maturity score with multi-dimensional drill-down. Trend, trajectory, and quantified regulatory exposure on one screen. The Board paper that used to require a consultancy engagement to produce becomes a live page in the portal, updated every time the platform validates a data movement.
Most institutions today: a maturity assessment is a 90-day consultancy engagement producing a 60-page report that is stale on the day it is delivered. With MICEG: the score updates continuously from observed behaviour, and the drill-down shows which dimensions are improving, which are declining, and what is driving each.
Regulatory exposure is the estimated financial penalty an organisation could face if its current governance gaps were enforced by a regulator today. It converts an abstract risk ("we have some ungoverned data") into a dollar figure a board can plan around. MICEG calculates a range — low to high — based on the ungoverned tables observed in your estate, the regulations that apply to your sector, and verified public penalty figures from recent enforcement actions. The figure is not a prediction; it is a quantified statement of risk derived from your real environment.
A CFO planning the year cannot act on "we have some governance gaps". The CFO can act on "our regulatory exposure range is CAD two to ten million, and here is which gaps drive it". MICEG converts the ungoverned tables and uncovered regulations in your estate into a quantified penalty range — sourced from verified public enforcement actions in your sector. The figure is updated continuously; the gaps that drive it are linked to the contracts and policies that would close them.
Most institutions today: regulatory risk lives in a heat map with red and amber dots whose calibration nobody can defend. With MICEG: a dollar range based on verified penalty figures and the actual gaps observed in your estate.
Governed erasure is the structured process of executing regulator-required data erasures — GDPR right-to-be-forgotten, PIPEDA retention limits, sector-specific erasure mandates — on schedule and with auditable evidence that the erasure actually completed. Most organisations can describe their erasure policy. Few can prove that a specific data subject's records were erased from every system where their data had been observed, on the date required, with no surviving copies. MICEG executes erasures against the Coverage Map — so the scope is verifiably complete, not just the systems someone remembered to include — and produces a cryptographic record of erasure for every affected entity.
A GDPR right-to-erasure request arriving on a Friday afternoon used to start a four-week scramble to find every system that held the subject's data, confirm the erasure ran in each, and document the chain. With MICEG, the erasure contract executes against the Coverage Map — so the scope covers every table where the entity type has been observed — and produces an evidence pack the privacy office can hand to the regulator without further work. Retention limits trigger the same flow on schedule, with proof.
Most institutions today: an erasure request triggers a manual hunt across systems, with anxiety about completeness and no easy way to prove the erasure ran. With MICEG: erasure scope is computed from the Coverage Map, the execution is governed, and the evidence pack writes itself.
The executive dashboard is the board-level view of the platform — a single screen showing governance posture, regulatory coverage, evidence generation, contract violations, and the trajectory of each. It is designed for the conversation a CEO has with the board, the conversation a CCO has with a regulator, and the conversation a CFO has with the audit committee. The metrics are derived from real platform behaviour — what data moved, what was validated, what evidence was produced — not from a separate reporting layer. When an executive sees a number on the dashboard, the underlying evidence is one click away.
A CEO who has to brief a regulator should not need to call a consultancy to produce a credible board paper. The MICEG executive dashboard is the live, drill-down view that turns the data layer into a single screen a board reads in five minutes — and a regulator accepts as a starting point for any conversation. Every number on it is sourced from the evidence ledger; every claim is one click from its underlying artefact.
Most institutions today: a quarterly board pack assembled by a compliance team from five different systems, three of which contradict each other. With MICEG: a live page in the portal, sourced from one ledger, that the CCO can show in any meeting at any time.
AI data readiness is the state of an organisation's data estate being identified, classified, governed, and coherent enough that downstream AI systems can rely on it. Without it, AI models trained or queried against ungoverned data inherit silent inconsistencies — and produce hallucinations, contradictions, and outputs that are unsafe to use in a regulated environment. MICEG addresses this by making every observed table identified, governed, and consistent. The result is the foundation an AI initiative needs to succeed in a sector where the regulator will eventually ask "how do you know your AI is being asked sensible questions about sensible data?".
Every AI initiative in a regulated organisation is one ungoverned dataset away from producing an output the regulator will not accept. MICEG closes that gap by making the data foundation itself identified, classified, and governed before AI ever queries it. The schema is known. The sensitivity is tagged. The lineage is recorded. The contract is in place. What the AI sees is a coherent estate it can reason over, not a silo it has to guess about.
Most institutions today: AI initiatives stall in legal review because nobody can demonstrate the data the model uses is governed. With MICEG: the data foundation is provably governed before AI is queried, and the evidence is one click from the model.
A typical engagement runs in three phases. MICEG begins producing evidence in the first weeks; the breadth of coverage expands as data contracts are defined against the flows you want to govern.
The structural answers to the questions procurement, security, and compliance offices will ask before a regulated organisation signs.
A demo against your sector, your regulators, and a representative slice of your data movements — without ever accessing your underlying data values.