Governance
Governance is how you put guardrails around what agents (and the people operating them) are allowed to do, and how you prove after the fact what happened. These are Team/Enterprise plan features (and available in Enterprise self-hosted and Cloud).
Governance features are part of Splyntra Enterprise and the Team/Enterprise cloud plans.
They are layered onto the open core through build-time registration and expose endpoints
under /v1/{ledger,policies,delegation,authorize}. The Community edition ships without
them.
Audit ledger
Every governance-relevant action — a policy change, a delegation grant, an approval, a credential issue — is recorded in an append-only audit ledger. Entries are immutable and ordered, giving you a tamper-evident history for compliance and incident review.
- Who did what, to which resource, and when.
- The decision and the policy that produced it.
- Exportable for audits and SIEM ingestion.
Policies
Splyntra evaluates access decisions against policies expressed in three complementary models:
- RBAC (role-based) — grant capabilities to roles, assign roles to principals.
- ABAC (attribute-based) — decisions based on attributes of the subject, resource, and environment (e.g. project, environment, data sensitivity).
- ReBAC (relationship-based) — decisions based on relationships (e.g. "owner of the project that owns this agent").
Authorization requests hit the /v1/authorize endpoint, which returns an allow/deny
decision plus the matched policy — and that decision is written to the ledger.
{
"subject": "agent:support-bot",
"action": "tool.send_email",
"resource": "project:support-agent",
"decision": "deny",
"policy": "no-outbound-email-in-prod"
}
Delegation
Delegation lets a principal grant a scoped subset of its permissions to another — for example, a human operator delegating "read traces for project X" to an on-call agent for a bounded time window. Delegations are scoped, optionally time-boxed, and fully recorded in the ledger.
Spend controls & approvals
Governance ties into cost analytics to enforce spending limits, not just observe them:
- Caps — block or throttle runs when a project or environment exceeds its budget.
- Approvals — route a run (or a high-cost action) for human approval before it proceeds.
- Audit — every approval decision is written to the ledger.
Combine a hard budget cap with an approval workflow so routine work runs freely but unusually expensive actions pause for a human — without stopping the whole project.
Next steps
- Agent identity — the principals policies act on.
- Cloud — which plans include governance.