Shadow Mode

See what Decionis would have blocked — before you flip a single switch.

Same install everywhere we ship: GitHub Action, LangChain (Python & JS), Azure API Management, Slack, Shopify. The gate observes, records a signed Decision Dossier, and never changes caller behaviour — until you decide to enforce. One-line change to flip, reversible without uninstalling.

Pick a surface Score my current posture Generate a sample dossier

Pick the surface that touches your most-asked workflow

You don't have to wire every surface — start with the one whose audit you'd be asked about first. Tabs below swap the install snippet to that surface verbatim.

Install GitHub Action in shadow

Drops into any workflow YAML in one line. Verdicts surface on the PR + the run summary.

yaml

# .github/workflows/deploy.yml
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id:  ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
    mode: shadow          # ← every verdict recorded; step never fails
    comment-pr: 'true'    # ← post verdict + verify URL on the PR

Open docs →View marketplace listing →

Watch the would-have-blocked numbers

Every gated call produces a signed Decision Dossier. Nothing changes for callers.

Each PR carries a Decionis comment with the verdict, dossier id, and verify URL. The same dossier is in your Decionis audit log (filter by workflow_key=github_deploy_approval).

Per-dossier
Every call → one verifiable proof artifact at /verify/decision-dossiers/<id>.
Per-week
Verdict distribution and a Decionis Score on /decionis-score — exportable as an executive PDF or AI-Act packet.
Per-decision
Forwardable Decision Dossier links — Slack / Teams / LinkedIn unfurl with the verdict OG card.

Flip GitHub Action to enforce

One-line change. Reversible without uninstalling.

yaml

# .github/workflows/deploy.yml
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id:  ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
-   mode: shadow
+   mode: enforce         # ← step fails on a block verdict
    comment-pr: 'true'

Same dossier id, same verify URL, same audit log — the only difference is that blocked verdicts now actually hold the action. If a real workflow regresses, swap back to shadow: the rollback is the same one-line edit, in reverse.

Once you've been in shadow a few days

The numbers you collected become the case for enforcement.

Every dossier ID you record in shadow opens to a public verification page and unfurls with the OG verdict card in Slack / Teams / LinkedIn. Use them in the rollout review packet — the same signed artifact is the proof your CFO, your security reviewer, and your customer's auditor all want.

Score your readiness

Five-input assessment → executive PDF / AI Act packet.

Run the assessment →

Internal-approvals deep dive

The Slack-thread-to-signed-dossier story walked end-to-end.

Read the use case →

Shadow reports doc

The API shape behind the would-have-blocked numbers.

Open the docs →

Loading…

Shadow Mode

See what Decionis would have blocked — before you flip a single switch.

Pick a surface Score my current posture Generate a sample dossier

Pick the surface that touches your most-asked workflow

You don't have to wire every surface — start with the one whose audit you'd be asked about first. Tabs below swap the install snippet to that surface verbatim.

Install GitHub Action in shadow

Drops into any workflow YAML in one line. Verdicts surface on the PR + the run summary.

yaml

# .github/workflows/deploy.yml
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id:  ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
    mode: shadow          # ← every verdict recorded; step never fails
    comment-pr: 'true'    # ← post verdict + verify URL on the PR

Open docs →View marketplace listing →

Watch the would-have-blocked numbers

Every gated call produces a signed Decision Dossier. Nothing changes for callers.

Each PR carries a Decionis comment with the verdict, dossier id, and verify URL. The same dossier is in your Decionis audit log (filter by workflow_key=github_deploy_approval).

Per-dossier
Every call → one verifiable proof artifact at /verify/decision-dossiers/<id>.
Per-week
Verdict distribution and a Decionis Score on /decionis-score — exportable as an executive PDF or AI-Act packet.
Per-decision
Forwardable Decision Dossier links — Slack / Teams / LinkedIn unfurl with the verdict OG card.

Flip GitHub Action to enforce

One-line change. Reversible without uninstalling.

yaml

# .github/workflows/deploy.yml
- uses: decionis/govern@v1
  with:
    api-key: ${{ secrets.DECIONIS_API_KEY }}
    org-id:  ${{ secrets.DECIONIS_ORG_ID }}
    workflow-key: github_deploy_approval
-   mode: shadow
+   mode: enforce         # ← step fails on a block verdict
    comment-pr: 'true'

Once you've been in shadow a few days

The numbers you collected become the case for enforcement.

Score your readiness

Five-input assessment → executive PDF / AI Act packet.

Run the assessment →

Internal-approvals deep dive

The Slack-thread-to-signed-dossier story walked end-to-end.

Read the use case →

Shadow reports doc

The API shape behind the would-have-blocked numbers.

Open the docs →