The Policy Nobody Reads
Somewhere in your organization, there is a data classification policy. It was written carefully. Reviewed by legal. Approved by the CISO. Published to the intranet.
And the data engineer deploying a new pipeline this morning has never read it.
This is not a people problem. It is a delivery problem. Governance programs produce excellent requirements and then deliver them in a format that nobody consumes at the point of decision. The policy exists. The engineer exists. The connection between them does not.
Until now.
Your Governance Program Has an API
Dictiva now exposes your governance data through a full REST API and Model Context Protocol (MCP) server. Every statement, every glossary term, every policy bundle your organization has authored is available as structured, queryable, machine-readable data.
This is not a read-only export. It is a live interface to your governance program. When your team searches for "data classification" through the API, they get back the exact statements that govern classification in your organization — not a generic best practice, not a link to a PDF, but the specific obligations your governance team authored, with the enforcement level, actor scope, and approval chain attached.
What the API Returns
When an agent or integration queries a governance statement, the response includes fields that make the statement actionable:
{
"displayId": "DG-001",
"title": "Data classification at creation",
"body": "All data assets must be classified according to the organization's data classification scheme at the point of creation or ingestion.",
"modality": "must",
"appliesTo": "both",
"enforcementMode": "machine_readable",
"domain": "Data Governance",
"agentGuidance": {
"allowedActions": ["read_policy", "check_compliance", "log_decision"],
"prohibitedActions": ["modify_policy", "auto_remediate_without_approval"],
"requiredContext": ["tenant_id", "actor_id", "monitoring_scope"],
"evidenceRequirements": ["timestamp", "metric_values", "threshold_comparison"],
"escalationRules": {
"on_ambiguity": "log_and_continue",
"on_violation": "notify_owner"
},
"failureMode": {
"action": "log_warning",
"fallback": "continue"
}
}
}
That agentGuidance block is the difference between "here is a policy" and "here is what to do with it." It tells any system consuming the statement what actions are allowed, what is prohibited, what evidence to collect, and what to do when something goes wrong. This is governance that works at the speed of engineering.
Real-World Scenarios
Abstract features do not build compliance programs. Concrete workflows do. Here is how teams are using the API and MCP server today.
Scenario 1: The Data Engineer Deploying a Pipeline
A data engineer is building an ETL pipeline that ingests customer PII. Before pushing to production, their CI/CD pipeline calls the Dictiva API:
curl -H "Authorization: Bearer dv_live_..." \
"https://app.dictiva.com/api/agent/statements?domain=Data%20Governance&applies_to=agent"
The pipeline receives every data governance statement that applies to automated systems. It can check whether the pipeline design meets classification requirements, whether encryption standards are satisfied, and whether the retention period is compliant — before a single record is processed.
The engineer did not need to find the policy. The policy found the pipeline.
Scenario 2: The Security Analyst Preparing for an Audit
An auditor asks: "Show me all controls related to access management and their current enforcement status."
The analyst connects Claude Code to Dictiva's MCP server and asks it to search for access management statements, compile them into a bundle, and cross-reference the glossary for official definitions. The MCP server calls three tools in sequence:
search_statementswithdomain=Securityandq=access managementexport_ontologyto pull the full glossary graph of security terminologyget_assembly_bundleto compile the Access Control Policy into a signed, versioned bundle
The result is a machine-readable policy document with a SHA-256 content hash, every statement's enforcement mode, and the official definition of every term used. The auditor gets a verifiable artifact. The analyst spent two minutes instead of two days.
Scenario 3: The Product Manager Defining a Feature
A product manager is designing a feature that handles user consent. They need to know what the organization's privacy governance says about consent management before writing the spec.
Using the MCP prompt compliance-check, they describe the planned feature:
"We want to implement implied consent for marketing emails based on account creation."
The agent searches applicable privacy statements, finds three that govern consent mechanisms, and flags that implied consent for marketing does not meet the organization's "explicit opt-in" requirement (statement PV-003, enforcement mode: machine_enforceable). The PM adjusts the spec before a single line of code is written.
Compliance was not an afterthought. It was the starting point.
Scenario 4: The New Hire Who Needs Context
A new team member joins and needs to understand what "data stewardship" means in this organization — not the Wikipedia definition, but the official one that carries weight in audits.
The glossary API returns the term with its machine key, aliases, term type, and relationships to other concepts:
{
"term": "Data Steward",
"definition": "An individual accountable for the quality, integrity, and appropriate use of data within a specific domain.",
"machineKey": "data-steward",
"termType": "role",
"aliases": ["domain data owner", "data custodian"],
"relationships": [
{ "targetTerm": "Data Owner", "relationshipType": "reports_to" },
{ "targetTerm": "Data Quality", "relationshipType": "accountable_for" }
]
}
This is not a glossary page. It is a structured ontology that any tool — Slack bot, onboarding portal, internal wiki — can consume and present in context.
Signed Policy Bundles
When compliance matters, provenance matters. The get_assembly_bundle tool compiles a policy or standard into a self-contained bundle that includes:
- Every statement in the assembly, in display order, with full agent guidance
- Every glossary term referenced by those statements
- A signed manifest with statement count, term count, and a SHA-256 content hash
The content hash lets any downstream system verify that the bundle it received is the same one Dictiva compiled. If a statement is added, removed, or modified, the hash changes. This creates an auditable chain from governance authorship to operational consumption.
Bundles support both JSON and JSON-LD formats. JSON-LD adds @context and @type annotations for systems that consume linked data.
The MCP Server: Governance in Your Editor
The Model Context Protocol is an open standard for connecting AI assistants to external data sources. Dictiva's MCP server runs as a local process alongside your AI assistant (Claude Code, Cursor, or any MCP-compatible client) and exposes six governance tools:
| Tool | What It Does |
|---|---|
search_statements | Search by domain, enforcement mode, actor type, or free text |
get_assembly_bundle | Compile a policy into a signed, machine-readable bundle |
search_glossary | Query terms with ontology metadata and relationships |
list_applicable_policies_for_actor | Find every policy that applies to a specific role |
export_ontology | Export the full glossary as an ontology graph |
get_statement_guidance | Get detailed agent guidance for a specific statement |
Beyond tools, the server provides a governance-summary resource for a quick snapshot of your program's coverage, and two prompts — compliance-check and policy-summary — that scaffold common governance workflows.
Setup takes two minutes. Create an API key in Settings, add a .mcp.json file to your project, and your AI assistant can search your policies, compile bundles, and check compliance inline with your work.
Who This Is For
The API and MCP server are available on Business and Enterprise plans. This is not a feature for casual use — it is infrastructure for organizations that treat governance as a first-class engineering concern.
- Business ($799/mo): Full API read/write access, MCP governance tools, 100 requests/minute, up to 15 users
- Enterprise (custom): Unlimited everything, 500 requests/minute, SSO, custom branding, dedicated support
If you are on a Community or Professional plan and want to explore API and MCP access, you can upgrade your plan on the pricing page. The upgrade is instant — no migration, no data loss, and you get immediate access to the full feature set.
Getting Started
REST API
- Go to Settings > API Keys and create a key with
statement:read,glossary:read, andassembly:readscopes - Make your first call:
curl -H "Authorization: Bearer dv_live_..." \
"https://app.dictiva.com/api/v1/statements"
- Explore the full API at app.dictiva.com/api/docs
MCP Server
- Create an API key (same as above)
- Add to your project's
.mcp.json:
{
"mcpServers": {
"dictiva-governance": {
"command": "npx",
"args": ["tsx", "webapp/scripts/mcp-governance-server.ts"],
"env": {
"DICTIVA_API_KEY": "dv_live_...",
"DICTIVA_BASE_URL": "https://app.dictiva.com"
}
}
}
}
- Restart your AI assistant. Your governance data is now available as tools.
For detailed setup instructions, see the MCP Governance Server Guide. For API authentication and rate limits, see the API Keys & Integrations Guide.
Compliance Is No Longer an Afterthought
For decades, governance has operated on a publish-and-pray model. Write the policy. Put it somewhere. Hope people find it when they need it. Measure compliance annually and fix the gaps.
That model was already struggling before AI agents entered the picture. Now, with automated systems making decisions at a scale and speed that no policy review committee can match, the gap between governance intent and operational reality is widening every day.
The answer is not more policies. It is better delivery.
When your governance program has an API, compliance becomes a build-time concern, not a post-mortem finding. When your glossary is a queryable ontology, teams use the right terminology because the right terminology is the easiest to access. When your policies are signed, versioned bundles, auditors get artifacts instead of assertions.
This is what statement-first governance was built for. Individual, trackable, machine-readable requirements that reach the people and systems that need them — at the moment they need them.
Your policies are ready to talk. The question is whether your tools are listening.
Ready to connect your governance program to the tools your team uses every day? View pricing and upgrade your plan, or reach out to our team if you have questions about API access, MCP integration, or Enterprise features.