Governance professional — Dashboard path
Your developers' agents are working. Now you can see what they're committing to.
Four pages of the workbench. No code. Read coverage, drafts, gaps, and expirations from the UI.
You don't need a new tool to know whether your governance program is working. You need a way to see what your agents are actually committing to, at what maturity, and where coverage is missing. Dictiva surfaces all of it in four pages of the workbench — each one a single click from the nav, each one a different operational question.
This is the dashboard path. Reading the rhythm of these four pages is your full operating cycle. When you want to schedule queries or pipe alerts to your SIEM, the API path covers the same ground in curl.
3 min
Open the Attestations workbench.
Sign in to your tenant and open Attestations from the main nav. The page shows two things at the top: a roster of every agent registered in your tenant (with operator of record and lifecycle state), and a feed of recent attestations across the tenant.
Scan the agent list. Every entry has a stable DID — a verifiable identifier you can point at in audit conversations and that downstream verifiers can resolve without trusting Dictiva. The lifecycle column tells you which agents are active, which are paused, and which are retired but still appear in historical attestations.
The recent-attestations feed below is your real-time signal. Each row links to the full credential — tier, evidence, expiration, the statement it commits to.
You can name every agent acting in your tenant's name. Each has an operator, a public DID, and a place in the audit trail. This is the inventory question answered in one page.
4 min
See coverage gaps at a glance.
Click into Attestations → Gaps. The Gaps page shows the inverse of coverage — agent/statement pairs where coverage is missing or below the target tier you've set on the statement.
Each row tells you: which agent, which statement, what tier was expected, what was found (if anything). Click any row to see the statement detail and decide whether the gap matters — sometimes the right answer is "this statement no longer applies to this agent" and the fix is to scope the statement, not chase the agent.
The same data backs the coverage matrix you'll see in dashboards or hand to auditors. Run through it once a week and you have your starting point for every governance review.
Your agent governance program just became measurable. No regex over commit messages. No spreadsheet to keep up to date.
2 min
Understand the tier ladder.
Every attestation declares a tier on the Commitment Maturity Ladder. The tier is your credibility signal — T1 says "the agent claims it"; higher tiers add cryptographically-linked evidence.
- T1ReadAgent identity + signed timestamp.Reachable today from the CLI.
- T2AlignedSemantic similarity report against the statement.Tooling not yet shipped.
- T3ReferencedMemory file, AGENTS.md, or system prompt fragment.
- T4ProceduralADR, skill, or PR commit.
- T5BoundedNon-empty scope: tenants / entity types / actions / refusal rules.
- T6EnforcedHook, middleware, tool allowlist, or preflight.
What's reachable today: T1 (Read) is plausible from any developer's CLI workflow. T3 and T4 are reachable when a skill, memory file, or ADR demonstrably codifies the commitment. T2 (Aligned) requires a semantic_similarity_report artifact that hasn't shipped yet — flag this as a known gap when you brief your team.
T5 and T6 require scope expressions and runtime enforcement (hooks, middleware, tool allowlists). They typically come from infrastructure work, not solo authoring.
The Attestations page lets you filter by tier from the top-right filter bar — open it, pick T1 or T2+, and the feed below narrows accordingly.
Your monitoring shouldn't treat T1 the same as T6. The tier IS the meaningful signal — read it, ratchet up over time.
6 min
Finalize drafts and watch expirations.
Two more pages close the operating cycle.
Attestations → Drafts. When a developer commits with an Attests: trailer, the credential lands here awaiting your review. Each draft shows the source (github_webhook / mcp_skill_registration / agents_md_parser), the proposed tier, the evidence the developer attached, and a one-click finalize.
Read the evidence. If it supports the claimed tier, hit Finalize — the draft becomes a live signed credential, immediately verifiable. If it doesn't, hit Reject with a note for the developer.
Attestations → Expiring. PCA credentials carry an expiration; a forgotten renewal becomes a coverage gap. The Expiring page shows a 30 / 60 / 90-day calendar of credentials that need re-issuance. Filter by agent, by statement, by tier. Hand the list to the developer for renewal — or set a recurring weekly check.
A reasonable cadence: drafts inbox daily, gaps + expiring weekly, full review monthly.
Governance becomes detection, not paperwork. Two pages a day, two pages a week — that's the full operating cycle.
What you just unlocked
You can answer three questions live, in a meeting, without preparation.
- Who? — Every agent acting in your tenant, with operator of record and DID.
- What? — Every commitment they've made, at what tier, against which statement.
- Where are we exposed? — Every gap in the coverage matrix, every commitment expiring this month, every draft awaiting finalization.
What's coming
- Webhook subscriptions for PCA events — push delivery to your SIEM, your ticketing system, or your alerting bus. No more polling.
- Statement-level alerts — define an alert rule per statement (e.g. "T1-only commits past 30 days"), get paged when it fires.
semantic_similarity_reporttooling — unblocks T2 attestations from agent CLI workflows.- Cross-tenant audit views for parent organizations governing multiple tenants.
Want to script your monitoring? Switch to the API path for the same four steps with curl.
Next door
You can see what's working. The next question is what should be working — that means going upstream to the policies your agents are reading.