Policy author — API path
Author once. Every agent on Earth that touches your tenant honors it.
Through the REST API and MCP tools. For compliance engineers and policy automation.
Most policy programs are PDFs. They're written once, distributed, and forgotten. They can't be queried. They can't be enforced. They can't be attested to. An agent that wants to follow them has to read them like a human would — slowly, with summarization loss, with no signal back to you that it actually happened.
Statements in Dictiva are different. Each one is machine-readable, scope-bound, version-pinned, and attestable. Authored once, they show up in every agent's MCP context immediately. And every commitment they receive comes back to you as evidence.
3 min
Pick a topic and search for existing statements.
Before you author, look. Statement libraries get cluttered fast — duplicates, near-duplicates, statements that say the same thing in different domains. Dedupe is the policy author's discipline.
curl -H "Authorization: Bearer dv_live_..." \
"https://dictiva.com/api/statements?q=data+retention&applies_to=agent"
Or via MCP from Claude / Cursor:
Search the dictiva-governance MCP for statements about data retention that apply to agents.
The response is filtered by applies_to (human / agent / both) and faceted by domain, lifecycle state, modality, agent-aware flag. If something close already exists, adopt or refine it — don't author a sibling.
Workbench → Statements → Search renders the same data interactively with facet drilldowns.
Your policy graph is shared. Every duplicate you avoid keeps the graph readable for the next author and for every agent reading from it.
10 min
Author your first statement — answer four questions.
The full statement schema has fifteen pieces. Ninety percent of statements only need four answers — the rest fall out of those.
- Who must do this? —
applies_to:human,agent, orboth. Optionalactor_scoperefinement (e.g.agent-workflow,service-account). The same rule may apply differently to humans and agents — say so explicitly. - When? — the trigger condition. "Before any commit that touches a customer-data table." "On every PR review." "When generating a report shared externally."
- What? — the modality (
must/should/may) plus the allowed/prohibited actions. The agent-guidance JSONB block carries this in machine-readable form:allowedActions,prohibitedActions,requiredApprovals,evidenceRequirements. - Why? — rationale plus a
standardReferenceif one exists (NIST AI RMF, ISO 27001 control, EU AI Act article).
A minimal create call:
curl -X POST -H "Authorization: Bearer dv_live_..." \
-H "Content-Type: application/json" \
-d '{
"title": "Code-reviewer agents must annotate security-relevant changes",
"body": "Any agent acting as a code reviewer must flag changes...",
"modality": "must",
"applies_to": "agent",
"actor_scope": "code-reviewer",
"domain_id": "uuid-of-your-domain",
"enforcement_mode": "informational",
"agent_guidance": {
"allowedActions": ["comment", "request_changes"],
"prohibitedActions": ["merge", "push"],
"requiredEvidence": ["scan_log"]
}
}' \
https://dictiva.com/api/statements
Or use Workbench → New Statement for the guided form.
Your prose just became something an agent can read, an MCP can serve, and a credential can be issued against. The 15-piece taxonomy is for the rare nuanced case — start with four answers and let the form fill in defaults.
5 min
Choose the enforcement mode.
Enforcement is a ratchet, not a one-time decision. Each statement carries an enforcement_mode from a four-rung ladder. Start soft, observe, harden over time.
| Mode | What an agent does | When to use it |
|---|---|---|
informational | Reads the statement, may reference it; no behavior change | New statements. You want to see who notices before you require anything. |
human_review_required | Pauses agent action, requests human approval before proceeding | Statements that gate consequential actions (production deploys, data exports). |
machine_readable | Agent parses the statement and self-restricts based on agent_guidance JSONB | Standard enforcement for well-shaped statements. Most statements live here. |
machine_enforceable | A runtime hook, middleware, or tool allowlist physically prevents prohibited actions | The strongest claim. Requires infrastructure on the agent side; pair with T6 attestations. |
A reasonable cadence: publish at informational for two weeks, watch attestations land, ratchet to machine_readable once you see agents adopting it. The mode is a property of the statement and you can change it via PATCH at any time — agents pick up the new mode on their next MCP refresh.
Soft-launch is a feature, not a workaround. The mode is your governance lever — pull it as the policy matures, not before.
3 min
Scope it to actors.
Two fields define who's bound by your statement:
applies_to—human/agent/both. The same rule may have different consequences for a human reviewer (advisory) versus an agent reviewer (machine-enforceable).actor_scope— optional refinement. Common values:service-account,agent-workflow,code-reviewer,customer-success. Use this to say "this rule only applies to agents acting in this role."
Example: a single statement "Cannot push to main without two approvals" might carry:
applies_to: both(humans and agents)actor_scope: null(anyone)modality: must
While "Must run security-scan before merging" might carry:
applies_to: agentactor_scope: code-reviewerenforcement_mode: machine_enforceable
The MCP list_applicable_policies_for_actor tool reads these fields. An agent identifying itself as actor_type: agent, actor_scope: code-reviewer gets back exactly the statements that bind it — nothing more, nothing less.
Same prose, different consequences. The scope fields let one statement carry the right weight for the right principal.
5 min
Watch agents adopt your statement.
Every attestation against your statement is a verifiable claim that a specific agent has read, understood, and committed to follow it at a declared tier.
curl -H "Authorization: Bearer dv_live_..." \
"https://dictiva.com/api/agent/attestations?statement_id=<your-statement-uuid>"
The response shows every agent that's attested, the tier they claimed, the evidence they submitted, and when it expires:
{
"data": [
{
"subjectDid": "did:web:dictiva.com:agents:agent-code-reviewer",
"commitmentTier": "T3",
"issuedAt": "2026-04-25T...",
"expiresAt": "2027-04-25T...",
"evidence": [{ "evidenceKind": "skill", "reference": ".claude/skills/code-reviewer/SKILL.md" }]
}
]
}
Or open Statement detail → Adoptions tab for an interactive view with adoption-over-time and tier-distribution charts.
Your policy lands. You can name the agents that adopted it, the tier they reached, and the agents that haven't — the unattested gap is the conversation to have next.
What you just unlocked
Three things are now true that were impossible with PDFs.
- Discoverability. Every statement is queryable by domain, modality, applicability, and enforcement mode. Auditors can look themselves up.
- Attestability. Every agent commitment leaves a signed credential anyone can verify — including auditors, customers, and regulators that don't trust your platform.
- Enforceability as a ratchet. Soft-launch at
informational, watch the data, harden tomachine_readableormachine_enforceablewhen you're ready. No revisions, no re-publishing — same statement, new mode.
What's coming
- Statement templates — one-click starting points for common policy categories (privacy, security, AI use, code review).
- Adoption alerts — get notified when adoption stalls, when divergence appears, when a previously-attested agent stops attesting.
- Cross-tenant publishing — author a statement in one tenant, offer it to other tenants for adoption with attribution. (Aimed at industry/standards authors, not in-tenant policy work.)
- Diff-aware re-attestation — when you edit a published statement, agents that previously attested are notified to re-attest (or refuse) at the new version.
Next door
You authored the policies. Now make sure your operations team has the tools to watch agents adopt them, and your developers have the on-ramp to make every commit speak to your governance.