DRD provides a complete governance framework: register agents, define policies, enforce violations, and manage approval workflows.
Every AI agent interacting with DRD must be registered. Registration creates an immutable identity record with a Decentralized Identifier (DID), enabling traceability across the entire agent lifecycle.
const agent = await drd.agents.create({
  name: "customer-support-bot",
  type: "assistant", // automation | assistant | autonomous | pipeline
  description: "Handles tier-1 customer support tickets",
  capabilities: [
    "tickets.read",
    "tickets.respond",
    "knowledge-base.search",
  ],
  metadata: {
    model: "gpt-5.2",
    version: "3.0.1",
    team: "customer-experience",
  },
  tags: ["production", "customer-facing"],
});
console.log(agent.did); // did:drd:agt_01HQ3XBN4RTYP...
console.log(agent.apiKey); // drd_agt_sk_... (shown once)

automation: Scheduled or event-driven bots
assistant: User-facing conversational agents
autonomous: Self-directed decision-making agents
pipeline: Multi-step data processing agents
Policies define what agents can and cannot do. They are evaluated in real-time (<50ms) when an agent calls guard().
Explicitly permit an action
Explicitly block an action
Pause and wait for operator sign-off
Restrict frequency of actions
Allow/deny based on context (amount, recipient, time of day)
1. Explicit deny rules (highest priority)
2. Explicit allow rules (second priority)
3. Conditional rules (evaluated against context)
4. Default policy (configurable: allow or deny)
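
The evaluation order above, modeled locally as an added example that is not DRD's own code. The `evaluate` helper, the `when` predicate functions (standing in for DRD's string conditions), the `agent.role` field and the fail-closed handling of conditions that throw are assumptions; `rate_limit` and `require_approval` rules are left out because the page does not place them in the order.

```javascript
// Added illustration, not DRD's engine. Predicate functions stand in for
// DRD's string conditions (e.g. "agent.trustScore >= 70"); that is an assumption.
const PRIORITY = { deny: 0, allow: 1, conditional: 2 };

function evaluate(rules, context, defaultDecision = "deny") {
  // Array.prototype.sort is stable, so declaration order survives within a tier.
  const ordered = rules
    .filter((r) => r.type in PRIORITY)
    .sort((a, b) => PRIORITY[a.type] - PRIORITY[b.type]);

  for (const rule of ordered) {
    let matched;
    try {
      matched = Boolean(rule.when(context));
    } catch (err) {
      // Fail closed (this model's choice): a condition that cannot be
      // evaluated, e.g. a missing attribute, must never end in an allow.
      return { decision: "deny", rule: rule.name, error: err.message };
    }
    if (rule.type === "conditional") {
      // A conditional rule always decides, through onTrue or onFalse.
      return { decision: matched ? rule.onTrue : rule.onFalse, rule: rule.name };
    }
    if (matched) return { decision: rule.type, rule: rule.name };
  }
  // No rule decided: fall back to the configurable default policy.
  return { decision: defaultDecision, rule: "default" };
}

// Constructed sample rules; the deny rule is deliberately declared last.
const sampleRules = [
  { type: "allow", name: "Editors may publish", when: (c) => c.agent.role === "editor" },
  { type: "conditional", name: "Trust score gate", onTrue: "allow", onFalse: "deny",
    when: (c) => c.agent.trustScore >= 70 },
  { type: "deny", name: "Block PII publication",
    when: (c) => c.resource.attributes.containsPersonalData === true },
];

// Constructed context: an editor publishing content that contains personal data.
const piiByEditor = {
  agent: { role: "editor", trustScore: 95 },
  resource: { attributes: { containsPersonalData: true } },
};
console.log(evaluate(sampleRules, piiByEditor));
```

The deny rule wins here even though an allow rule also matches and was declared first, which is the behaviour to check for when reviewing a policy that mixes broad allow rules with narrow deny rules.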

const policy = await drd.policies.create({
  name: "Content Publishing Policy",
  description: "Controls how agents publish content to production",
  enabled: true,
  target: {
    agentTypes: ["automation", "autonomous"],
    actions: ["content.publish", "content.update"],
  },
  rules: [
    {
      type: "deny",
      name: "Block PII publication",
      condition: "resource.attributes.containsPersonalData == true",
      message: "Publishing content with personal data is prohibited",
    },
    {
      type: "rate_limit",
      name: "Publish rate limit",
      limit: { maxRequests: 100, windowSeconds: 3600 },
      message: "Publishing rate exceeded (100/hour)",
    },
    {
      type: "require_approval",
      name: "Large content approval",
      condition: "resource.attributes.wordCount > 5000",
      approvers: ["role:content-lead", "role:compliance"],
      timeout: "4h",
    },
    {
      type: "conditional",
      name: "Trust score gate",
      condition: "agent.trustScore >= 70",
      onTrue: "allow",
      onFalse: "deny",
      message: "Agent trust score too low for this action",
    },
  ],
});

When a policy violation is detected, DRD applies enforcement based on severity.
Tier 1
Instant, automatic enforcement. Not appealable. Used for clear-cut violations like exceeding rate limits or accessing blocked resources.
Tier 2
Enforcement applied immediately but can be appealed within a deadline. Used for moderate violations where context may matter.
Tier 3
Requires operator sign-off before enforcement takes effect. Used for high-stakes decisions like revoking agent access or financial actions.
When a policy rule requires approval, DRD creates an approval request and notifies the designated approvers via webhook, email, or Slack. The action is held until approved or until the timeout expires.

// Agent waits for approval
const result = await drd.guard('large_transfer', { amount: 50000 });
if (result.requiresApproval) {
  const decision = await drd.waitForApproval(result.approvalId);
  // decision.decision: 'approved' | 'denied' | 'expired'
}

const approvals = await drd.approvals.list({
  status: "pending",
  limit: 10,
});
// Each approval contains full context
for (const approval of approvals.data) {
  console.log({
    id: approval.id,
    agentId: approval.agentId,
    action: approval.action,
    policyId: approval.policyId,
    ruleName: approval.ruleName,
    requestedAt: approval.requestedAt,
    expiresAt: approval.expiresAt,
    context: approval.context,
  });
}

// Approve an action
await drd.approvals.resolve({
  approvalId: "apr_01HQ3XDN8KZWM...",
  decision: "approved",
  reason: "Content reviewed and cleared for publication",
  approvedBy: "user_01HQ3X8K7WNPV...",
});
// Deny an action
await drd.approvals.resolve({
  approvalId: "apr_01HQ3XDN8KZWM...",
  decision: "denied",
  reason: "Content contains unverified claims",
  deniedBy: "user_01HQ3X8K7WNPV...",
});

If an approval request is not resolved within the configured timeout (default: 24 hours), the action is automatically denied. Configure per-rule timeouts in the policy definition.

await drd.webhooks.create({
  url: "https://your-app.com/webhooks/drd-approvals",
  events: [
    "approval.requested",
    "approval.approved",
    "approval.denied",
    "approval.expired",
  ],
  secret: "whsec_your_signing_secret",
});