Pull a report
GET /admin/accounts/<account_id>/compliance with an ISO-8601 start and end:
Reading the report
| Field | What it tells you |
|---|---|
enabled_packs.account_policy | The account-wide floor in force — its policy_ref, whether it’s enabled, its default_deny posture, and its version. |
enabled_packs.published_bundles | Every policy bundle published under the account (name, version, content hash). |
denials_by_control | Policy-gate blocks attributed to a specific framework control ID, highest first. This is the per-control evidence. |
denials_by_framework | The same denials rolled up by framework prefix (OWASP, NIST, MITRE, EU, …). |
denials_by_gate | The same denials grouped by the enforcement gate that produced them (see below). |
catalog | Available packs and how many controls each actually enforces — coverage context to render next to live denials. |
What a denial count means
A denial count is a real enforcement event — a moment when a policy gate blocked an action your agent attempted inside the sandbox, not an advisory finding. Because the agent runs inside the declaw microVM, these gates are the only path its actions can take. Each blocked action is attributed to the framework control IDs carried in the firing Rego rule’s metadata, so a single denial can count toward several controls at once (e.g. one blocked command satisfying bothOWASP-LLM06 and NIST-SI-4).
Use denials_by_framework as your top-line evidence per framework, and denials_by_control to show exactly which controls have live enforcement signal over the period.
The four enforcement gates
denials_by_gate reports each denial’s audit category and event:
| Gate | category / event | What it governs |
|---|---|---|
| Command | command / command_denied | A command the agent (or a sub-agent) tried to run was blocked. |
| Network | network / egress_blocked | An outbound connection was blocked. |
| Content | security / content_policy_blocked | The request body on LLM egress (model, injection findings) was blocked. |
| Lifecycle | lifecycle / sandbox_create_denied | A sandbox-create was blocked at provisioning (tier, template, features). |
Only these four denial events are counted toward compliance evidence. Completed (allowed) actions and non-policy audit events are excluded — the report is strictly the record of what policy blocked in the window.
Interpreting it as evidence
The report is designed to be attached directly to a compliance package per framework:- Coverage comes from
catalog(enforced_controlsper pack) plusenabled_packs(what’s actually switched on for the account). - Effectiveness comes from
denials_by_control/denials_by_framework(controls that fired, and how often) over your stated window.
Related
- Governance Packs — the curated, framework-aligned bundles whose control metadata produces this evidence.