GuardSpine

Governed change for AI-era work

Existing systems govern models or tools. GuardSpine governs work itself. Every change to code, documents, and spreadsheets becomes attributable, reviewable, and defensible through cryptographic evidence bundles.

The Gap

GitHub governs code but not documents or decisions. DMS tools store files without audit-grade diffs. GRC tools collect evidence after the fact. AI observability platforms log model runs but not accountability. AI governance platforms track models, not everyday work artifacts.

GuardSpine fills this gap as the system of record for governed change in an AI-assisted office.

Four Guard Lanes

All guard lanes emit the same evidence format, converging on the Beads Spine work graph.

CODE

CodeGuard

Risk-classified code changes with multi-model AI review, human approval escalation, and audit-grade evidence bundles.

DOC

PDFGuard

Document version diffs with AI commenting (never editing). Full provenance on every revision.

SHEET

SheetGuard

Spreadsheet change tracking including cells, formulas, and macros with automatic risk flagging.

IMG

ImageGuard

Before/after screenshot tracking with pixel diffs and visual evidence bundles.

AI Cannot Edit Artifacts

A critical design decision: AI may read, analyze, comment, and suggest, but AI may never directly modify code, documents, or spreadsheets. All AI output is stored as sidecar annotations with full provenance.

This separation of duties simplifies compliance approvals, prevents silent or untraceable changes, and makes audit narratives clean and defensible.

Risk Tiers (L0-L4)

Tier  Level          Governance
L0    Informational  Auto-approved, logged for audit trail
L1    Low Risk       Async review, single approver
L2    Medium Risk    Synchronous review before action
L3    High Risk      Multi-party approval required
L4    Critical       Human-in-the-loop only, no AI autonomy

Architecture

Guard Lanes

CLI tools for CodeGuard, PDFGuard, SheetGuard, ImageGuard. Each emits standardized audit events and evidence bundles.

Backend API

FastAPI with 149 routes covering artifacts, approvals, bundles, webhooks, governance, search, alerts, and auth.

Integrations

Connect to your existing tools:

GitHub - Push events, PR reviews, code scanning
Jira - Issue linking, status sync
Slack - Interactive approve/reject, bot commands
Microsoft 365 - SharePoint/OneDrive document tracking
DLP/CASB - Purview labels, Netskope incidents, auto risk bumps

Beads Spine

Each governed change attaches to a bead (unit of work). Dependencies model real-world control flow. Guard lanes emit append-only audit events tied to beads. Evidence bundles are reproducible from the event log.
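
The following added example shows one way an append-only event log tied to beads can be made verifiable, with an evidence bundle derived from the log alone. It is not GuardSpine's code or evidence format: the event fields, the SHA-256 hash chain, the canonical JSON encoding, the function names and the sample events are all assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first event

def canonical(obj):
    """Deterministic JSON bytes, so identical data always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def append_event(log, bead, lane, action, actor):
    """Append an event whose hash covers its body and the previous event's hash."""
    body = {"seq": len(log), "bead": bead, "lane": lane, "action": action,
            "actor": actor, "prev": log[-1]["hash"] if log else GENESIS}
    log.append({**body, "hash": hashlib.sha256(canonical(body)).hexdigest()})

def verify_chain(log):
    """True only if no event was edited, removed, or reordered."""
    prev = GENESIS
    for i, ev in enumerate(log):
        body = {k: v for k, v in ev.items() if k != "hash"}
        recomputed = hashlib.sha256(canonical(body)).hexdigest()
        if ev["seq"] != i or ev["prev"] != prev or ev["hash"] != recomputed:
            return False
        prev = ev["hash"]
    return True

def build_bundle(log, bead):
    """Derive a bead's evidence bundle from the log alone, after verifying it."""
    if not verify_chain(log):
        raise ValueError("event log failed integrity check")
    events = [ev for ev in log if ev["bead"] == bead]
    # Anchor to the bead's last event: its hash commits to all earlier history.
    anchor = events[-1]["hash"] if events else GENESIS
    bundle = {"bead": bead, "events": events, "anchor": anchor}
    bundle["digest"] = hashlib.sha256(canonical(bundle)).hexdigest()
    return bundle

def sample_log():
    """Constructed events; lane names come from the page, the rest is invented."""
    log = []
    append_event(log, "bead-1", "CodeGuard", "change_submitted", "dev@example.com")
    append_event(log, "bead-2", "SheetGuard", "risk_flagged", "sheetguard-cli")
    append_event(log, "bead-1", "CodeGuard", "approved", "lead@example.com")
    return log

if __name__ == "__main__":
    log = sample_log()
    print(build_bundle(log, "bead-1")["digest"])
    log[0]["actor"] = "someone-else"   # in-place edit of history
    print("chain valid after edit:", verify_chain(log))
```

Because the bundle is anchored to the bead's own last event, later events on other beads leave its digest unchanged, while any edit or removal of earlier history fails verification before a bundle is produced.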

Who This Is For
