Early access · on application
AI agents now propose actions all day: send this, pay that, publish, delete, commit. The hard question was never whether the agent can act — it’s who decided it should, and what record exists of that decision afterwards.
The Village Governance API answers both. Your system submits a
proposed action; you get back a verdict —
allow, gate (a human must decide), or
deny — and a signed receipt you can verify
yourself, offline, without asking us. Behind each verdict sits a
tamper-evident, customer-owned record of the whole
deliberation, exportable as a self-verifying dossier.
It is an interface, deliberately narrow. What you send and what you get back is the entire surface. How a verdict is reached never crosses the wire.
Most audit trails record that something was approved. Boards, regulators and counsel want to see how — what AI was used, what it produced, how a person actually engaged with it, and what they decided.
The API captures that as a structured kōrero — the deliberation itself:
AI output and human reasoning are kept structurally separate, and the API never fills in the reasons for you. A record that says “a director read the AI’s summary and challenged two figures, and here is what they wrote at the time” is a different class of evidence from a tick in a box. That separation is the point.
Every receipt is Ed25519-signed with your tenant’s own key, published in your tenant’s DID document. Verification takes a receipt, that public document, and about forty lines of code — no call to us, no account with us, no trust in our word. The client SDK ships the verifier; the algorithm is documented so you can re-implement it in any language.
Export the full record and the dossier carries the receipts, the proof chain and the deliberation together. A third party can check all of it years later, whether or not we still exist.
By default the record is tamper-evident: a signed, append-only proof chain in which any alteration is detectable and provable. We hold that a record whose tampering can be demonstrated is stronger evidence than one that simply claims to be unchangeable — the case is made in full in Tamper-Evident Governance on this site. Tenants whose obligations require it can instead switch on write-once mode, which refuses all amendment after the fact.
Signing is configurable the same way: a single tenant key, or per-director signing, where each participant’s engagement carries an individually attributable signature.
The record is tamper-evident and signed. We do not market it as tamper-proof or court-defensible — whether it satisfies a legal duty is a matter for your counsel and, where it comes to it, a court. What we give you is the strongest contemporaneous, self-verifiable record of how a decision was made. Where a customer enables the write-once toggle, the record can no longer be amended at all; that hardens the record, but not the claim — even then it is evidence of how a decision was made, not proof that any legal duty is met.
The API is built, tested and security-reviewed internally. We are opening it in stages, and we would rather stage it carefully than expose it early:
The Governance API is an add-on to a Village subscription — every tenant is a Village, and the records live there, so there is no standalone API plan. Indicative pricing — a Village subscription plus a metered governance add-on, in your currency — is published at pricing page. All figures are indicative until general availability; assurance-level engagements are priced by conversation.
The Village Governance API is a product of My Digital Sovereignty Ltd (NZ), built on the governance architecture documented on this site. Questions: governance-api@mysovereignty.digital.