
Governance API

Manage policies, drift events, and risk scores programmatically.

Policies

List Policies

GET /api/v1/governance/policies

Returns all policies in the user’s workspace.

Query Parameters:

| Parameter | Type | Description |
|-----------|------|-------------|
| mode | string | Filter by mode (enforced, dry-run) |
| tag | string | Filter by tag |
| limit | integer | Page size (default: 20) |

Response:

```json
{
  "status": "success",
  "data": [
    {
      "id": "pol-abc123",
      "name": "tokenize-financial-pii",
      "description": "Automatically tokenize credit card and bank account numbers",
      "mode": "enforced",
      "tags": ["pci-dss", "financial"],
      "conditions_count": 2,
      "actions_count": 2,
      "last_triggered": "2024-03-15T10:15:00Z",
      "findings_matched": 342,
      "created_at": "2024-02-01T09:00:00Z"
    }
  ]
}
```

Create Policy

```
POST /api/v1/governance/policies
Content-Type: application/yaml
```

Request Body (YAML):

```yaml
apiVersion: slim.io/v1
kind: Policy
metadata:
  name: alert-health-data
  description: "Alert on any PHI findings above medium confidence"
  tags:
    - hipaa
spec:
  mode: dry-run
  scope:
    connectors: []
  conditions:
    - category: PHI
      min_confidence: 0.75  # tune for your environment, see Settings > Detection
  actions:
    - type: alert
      config:
        channels:
          - slack://hipaa-alerts
        severity: high
```

Response: 201 Created

```json
{
  "status": "success",
  "data": {
    "id": "pol-def456",
    "name": "alert-health-data",
    "mode": "dry-run",
    "created_at": "2024-03-15T14:30:00Z"
  }
}
```

Update Policy

```
PUT /api/v1/governance/policies/:id
Content-Type: application/yaml
```

Submit the full updated YAML definition. The policy is validated before the update is applied.

Delete Policy

DELETE /api/v1/governance/policies/:id

Permanently delete a policy. This stops all future evaluations but does not undo actions already taken by the policy.

Drift Events

List Drift Events

GET /api/v1/governance/drift-events

Query Parameters:

| Parameter | Type | Description |
|-----------|------|-------------|
| since | ISO 8601 | Events after this timestamp |
| severity | string | Filter by severity (critical, high, medium, low) |
| type | string | Filter by drift type (data_drift, config_drift, exposure_drift) |
| connector | string | Filter by connector ID |
| limit | integer | Page size (default: 20) |

Response:

```json
{
  "status": "success",
  "data": [
    {
      "event_id": "drift-001",
      "type": "data_drift",
      "severity": "high",
      "timestamp": "2024-03-15T14:30:00Z",
      "connector_id": "conn-abc123",
      "resource": "s3://prod-data/exports/users.csv",
      "description": "New Credit Card findings detected",
      "previous_state": {
        "findings_count": 0,
        "risk_score": 12
      },
      "current_state": {
        "findings_count": 15,
        "risk_score": 78
      },
      "policies_triggered": ["tokenize-financial-pii"],
      "remediation_status": "completed"
    }
  ]
}
```

Acknowledge Drift Event

POST /api/v1/governance/drift-events/:id/acknowledge

Mark a drift event as acknowledged. Acknowledged events remain in the timeline but are excluded from active alert counts.

```json
{
  "note": "Reviewed by security team. Data was test data uploaded accidentally."
}
```

Reconciliation

Trigger Reconciliation

POST /api/v1/governance/reconcile

Force a full policy re-evaluation against all findings. Useful after policy changes or classifier updates.

```json
{
  "scope": {
    "connectors": ["conn-abc123"],
    "policies": ["pol-abc123"]
  },
  "mode": "dry-run"
}
```

Reconciliation with mode: "enforced" will execute remediation actions on all matching findings, even those that were previously processed. Use dry-run first to preview the impact.
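
One way to make the dry-run-first rule above mechanical on the client side, as an added example that is not part of the original API reference. The `ReconcileGuard` class, the `scope_key` helper and the injected `post` transport are hypothetical names, and the `status` field on the reconcile reply is assumed to match the other responses on this page.

```python
import json

RECONCILE_PATH = "/api/v1/governance/reconcile"  # endpoint documented above


def scope_key(scope):
    """Canonical form of a scope, so the order of IDs does not matter."""
    return json.dumps({k: sorted(v) for k, v in scope.items()}, sort_keys=True)


class ReconcileGuard:
    """Permit an enforced run only after a successful dry-run of the same scope."""

    def __init__(self, post):
        # Assumption: post(path, body) -> dict is a caller-supplied transport
        # that adds the base URL and authentication (neither is on this page).
        self._post = post
        self._previewed = set()

    def dry_run(self, connectors, policies):
        scope = {"connectors": list(connectors), "policies": list(policies)}
        reply = self._post(RECONCILE_PATH, {"scope": scope, "mode": "dry-run"})
        # Assumption: the reply carries the same "status" envelope as the
        # other responses on this page.
        if reply.get("status") == "success":
            self._previewed.add(scope_key(scope))
        return reply

    def enforce(self, connectors, policies):
        scope = {"connectors": list(connectors), "policies": list(policies)}
        key = scope_key(scope)
        if key not in self._previewed:
            raise PermissionError("dry-run this exact scope before enforcing")
        # One preview authorises one enforced run; preview again after any
        # policy or classifier change.
        self._previewed.discard(key)
        return self._post(RECONCILE_PATH, {"scope": scope, "mode": "enforced"})
```

Because the preview is keyed on the exact connector and policy IDs, widening the scope between the dry-run and the enforced call is rejected rather than silently remediating findings nobody reviewed.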

Risk Scores

Get Risk Scores

GET /api/v1/governance/risk-scores

Query Parameters:

| Parameter | Type | Description |
|-----------|------|-------------|
| level | string | Aggregation level (finding, file, connector, workspace) |
| connector | string | Filter by connector ID |
| min_score | integer | Minimum risk score to include |

Response:

```json
{
  "status": "success",
  "data": [
    {
      "entity_id": "conn-abc123",
      "entity_type": "connector",
      "risk_score": 62,
      "severity": "high",
      "factors": {
        "sensitivity": 0.85,
        "volume": 0.55,
        "exposure": 0.42,
        "policy_coverage": 0.10
      },
      "computed_at": "2024-03-15T10:15:00Z"
    }
  ]
}
```

Audit Log

Get Audit Log

GET /api/v1/governance/audit-log

Returns a chronological log of all policy evaluations and actions.

Query Parameters:

| Parameter | Type | Description |
|-----------|------|-------------|
| since | ISO 8601 | Entries after this timestamp |
| policy | string | Filter by policy ID |
| action_type | string | Filter by action type (alert, tokenize, mask, quarantine) |
| limit | integer | Page size (default: 50) |