Concepts
What is Governance-as-Code?
AI systems make decisions continuously — budget changes, targeting shifts, content approvals, risk classifications. Most organisations audit these decisions after the fact, if at all. Governance-as-Code reverses that sequence: policy is enforced at the moment the decision is proposed, and the result is recorded permanently before execution proceeds.
The Core Idea
In software engineering, Infrastructure-as-Code replaced manual server configuration with versioned, machine-readable declarations. Governance-as-Code does the same for AI policy. Instead of a compliance document that humans read and interpret, governance rules are encoded in a policy constitution — parsed by a runtime engine, applied to every decision, and versioned in source control alongside the system it governs.
The result is that AI policy is no longer aspirational. It is structurally enforced. An agent cannot execute a decision that violates its policy constitution — the runtime blocks it before execution, records the violation, and routes it for human review.
How Krapheno Implements It
Krapheno is a Governance-as-Code platform built around three components:
ThresholdEngine — Policy Evaluation at Runtime
Krapheno's policy constitution is defined in thresholds.md — a versioned file parsed at boot. When an AI agent proposes a decision, ThresholdEngine evaluates it against the active policy and returns one of three verdicts: ALLOW, ESCALATE, or BLOCK. The evaluation happens before the decision executes — not after.
MIC Constraints — Machine-Interpretable Contracts
MIC constraints (MIC-01 through MIC-09) define the boundary conditions under which an external AI system may act autonomously. Each constraint is a named, versioned rule — sample size floors, confidence thresholds, change magnitude limits. When a decision violates a MIC constraint, the violation is recorded with the specific condition that fired, creating an auditable explanation for every non-ALLOW verdict.
SmritiTree — The Cryptographic Decision Ledger
Every governed decision is written to SmritiTree: an append-only, hash-chained ledger enforced at the database layer. Each decision node contains the payload, the verdict, the MIC conditions evaluated, and a SHA-256 hash linking it to the prior node. The chain cannot be altered without invalidating every subsequent hash — making the audit trail tamper-evident by construction, not by policy.
ALLOW / ESCALATE / BLOCK — The Verdict Model
Every decision Krapheno evaluates receives one of three verdicts:
The decision satisfies all active policy constraints. It is inscribed to SmritiTree and execution proceeds. Not all ALLOW verdicts are equal — Governance Utilization measures how close the decision came to policy boundaries, distinguishing confident decisions from marginal ones.
The decision falls outside autonomous authority but is not a hard violation. A human review thread is opened. The decision is inscribed as pending. Execution is suspended until a human approves or rejects.
The decision violates a hard policy constraint. Execution is prevented. The violation is recorded permanently with the specific MIC condition that triggered the block.
Why Cryptographic Proof Matters
Compliance logs can be edited. Audit tables can be truncated. Post-hoc records can be reconstructed to tell a convenient story. SmritiTree's hash chain removes this possibility structurally: each record's hash is derived from its content and the hash of the record before it. Altering any historical record invalidates every hash that follows.
For organisations subject to GDPR, financial audit requirements, or contractual SLA obligations, this means the governance record is not a claim — it is a cryptographically verifiable proof that the policy was applied at the moment stated.
Governance Utilization — Not All ALLOW Verdicts Are Equal
A decision that ALLOWs at 12% policy utilization and one that ALLOWs at 83% utilization are not the same governance signal. Krapheno tracks utilization — how close each decision came to its policy boundary — across every governed decision.
The amber band (60–85% utilization) represents peak performance: the agent is operating confidently within policy without excessive conservatism. This reframes governance from binary compliance into a performance optimization instrument. Organizations can calibrate policy tightness from real decision data, not intuition.
See Governance-as-Code in action
Krapheno is live in production. Every decision on the demo portal is governed by a real hash chain.