The Governance OS

Govern everything your organization actually runs.

Compliance tools give you checklists. Governance.dev gives you an operating system: a living knowledge graph of your people, systems, models, and APIs, with governance lenses and a compliance layer that never stops watching.

< 30 minto first mapped controls 15 entity typesone organization graph Frameworks as dataversioned, not hardcoded
org://acme-corp/knowledge-graph LIVE
people llm-model vendor api-svc database laptop saas-app repo compliance layer · scanning
Entities Governance lenses Compliance layer
Observe

See what exists

Connectors and discovery scans build your entity registry automatically: people, infrastructure, AI models, APIs, vendors, and data stores.

Infer

Understand what it means

The Infer engine resolves entities, scores confidence, and detects missing context, so the graph reflects reality, not just imports.

Ask

Fill only the real gaps

Targeted questions go to the right owners for what discovery can't see. A confirmed "none" is a signal, not silence.

Govern

Prove it, continuously

Controls map to your actual graph. Readiness is computed per tenant, from applicable controls only, and decays as evidence goes stale.

A Continuous Learn loop routes every drift, incident, and change back through the cycle by severity
Solutions

Three governance domains. One graph underneath.

AI governance, API governance, and GRC aren't separate products bolted together. They are lenses over the same organization knowledge graph, so evidence collected once serves every framework.

AI Governance

Know every model before your auditor does

Discovery scans surface every AI system in use, sanctioned or shadow, and map each one to the obligations that apply to it.

  • AI inventory scanning across code, SaaS, and vendor stacks
  • Shadow AI detection with owner attribution
  • EU AI Act, NIST AI RMF, ISO 42001 shipped as versioned content packs
  • Model risk lenses for data use, autonomy, and impact tiering
API Governance

Every endpoint, accounted for

APIs are entities with edges: to the data they expose, the services that call them, and the people who own them. Govern them like it.

  • API inventory from gateways, specs, and traffic discovery
  • Access and authentication checks mapped to controls
  • Data-flow lenses tracing sensitive data across services
  • Drift detection when contracts change without review
GRC

Compliance that computes itself

A full controls, policies, tests, evidence, and gap-analysis spine, with frameworks as data instead of hardcoded checklists.

  • SOC 2, ISO 27001, and more as versioned framework packs
  • Graph-driven applicability, no controls you don't need
  • Evidence freshness decay so scores never lie
  • Gap analysis tied to the entities that cause each gap
Architecture

Entities. Lenses. One compliance layer across all of it.

Everything your organization governs is an entity: a person, a laptop, a model, an API. Governance lenses shape which checks apply to each one. The compliance layer runs horizontally across everything, holding it all to risk, audit, and regulatory standards.

  • Entities · the 15-type registry with typed edges and full provenance on every fact
  • Lenses · people, process, and software dimensions that decide what "governed" means per entity
  • Compliance layer · frameworks applied as data, computed against the live graph
ENTITIES peoplemodels apisvendors devicesrepos datastoressaas GOVERNANCE LENSES people lens process lens software lens COMPLIANCE LAYER SOC 2 ISO 27001 EU AI ACT NIST AI RMF + yours
Readiness

A score that decays is a score you can trust.

Most platforms show a readiness number that only moves when someone clicks a checkbox. Ours is computed from your live graph: which controls actually apply to your entities, which evidence backs them, and how fresh that evidence is.

Evidence ages, so the score does too. When an access review goes stale or a model ships without a risk assessment, readiness drops before the audit finds it, and the workspace shows exactly which consequence is on the line.

Applicable controls only
The denominator is your graph, not a generic checklist. No credit, and no penalty, for controls that don't apply.
Confirmed none ≠ silence
An owner confirming "we have none" is evidence. An unanswered question is a gap. The graph knows the difference.
Audit readiness · SOC 2 last 90 days
87/100
▼ 3 pts · 12 evidence items aging past freshness window
evidence went stale
access-control
94
ai-model-risk
71
api-security
88
vendor-mgmt
82
Get started

First mapped controls in under 30 minutes.

Connect your stack, or start with the guided no-connector path. Either way, the graph starts learning your organization today.