Enterprise Deployment

NOME supports Okta, Microsoft Entra ID, Google Workspace, and Ping Identity through the WorkOS enterprise identity seam. SSO is configured through the enterprise setup surface.

After WorkOS authentication, the broker mints or exchanges into the canonical Nome session, ensuring existing bootstrap and client assumptions are preserved.

Automated provisioning and de-provisioning with org-aware lifecycle controls. When an employee leaves, access to NOME and all data in their context is revoked.

SCIM ingestion uses per-connection bearer tokens stored as hashes. Directory-to-role and directory-to-policy-tag routing is reversible from the control plane.

Platform roles and org roles are Nome-owned. Administrators define which departments access expensive reasoning models vs cost-effective tiers.

WorkOS provides the identity and group membership signals. NOME maps those into entitlements, surface access, vertical availability, and admin capabilities.

Cryptographic data boundaries ensure proprietary codebases, financial data, and communications are strictly isolated between tenants.

Tenant resolution is org-first, not vertical-first. Marketplace visibility, access objects, and release channels do not bypass tenant controls.

Customer retention terms, enterprise onboarding, release channels, and connector scopes are governed by your account or enterprise agreement plus platform configuration.

NOME separates audit/compliance trails from product telemetry and evaluation traces. Evidence, approvals, and receipts are separate from analytics.

Every NOME run produces a complete audit trail. Receipts, tool calls, approvals, and artifacts are logged across surfaces and attached to canonical work items.

The durable run event log supports deterministic replay. Evidence passes and run receipts are designed for compliance review and security audits.