Governance Overview

Practical, enforceable governance that connects compliance requirements directly to architectural artefacts through the Intent Graph, with automated reporting, drift detection, and audit trails.

March 5, 2026

Architecture governance in most organisations exists as a set of good intentions: spreadsheets tracking compliance, manual reviews that happen too late, and documentation that drifts from reality within weeks. The gap between what governance should look like and what actually happens is where risk hides.

NeoArc Studio takes a different approach. Governance is not a separate layer bolted on top of your documentation. It is woven directly into the architectural model through the Intent Graph, a structural knowledge graph that connects every entity, schema, endpoint, diagram, and decision record in your workspace. When a governance rule says "every data entity must have a risk assessment", the system can tell you exactly which entities comply and which do not, in real time, without anyone filing a report.

The Governance Capability Map

NeoArc's governance system spans six areas, each reinforcing the others. Together they form a closed loop: define rules, measure compliance, track changes, detect drift, manage lifecycle, and produce auditable evidence.

Governance Rules Engine

Built-in rules for SOC2, ISO 27001, and general governance. Create custom rules that link content blocks to architectural nodes. Per-block compliance indicators update in real time.

Automated Reporting

Automated reports analyse your workspace continuously: API coverage, schema health, governance compliance, deprecation impact, broken lineage, and more. Every issue links directly to the source file.

Architecture Decision Records

First-class ADR support with four industry formats (Nygard, Structurizr, MADR, Y-Statement), full lifecycle tracking, options analysis, and cross-linking to diagrams and other decisions.

Baselines and Drift Detection

File-based baselines with SHA-256 tamper detection. Drift dashboards measure how far the architecture has moved from an approved state. Structural hashing detects when governed entities change.

Audit Trail and Non-Repudiation

Every change is tracked through git with semantic diff analysis. Resource history shows who changed what, when, and whether the change was structural or cosmetic. Full command transparency.

Impact Analysis and Migration

Before any destructive action, impact analysis shows downstream effects across schemas, endpoints, and documentation. Two migration paths generate task board cards automatically.

Governance Through the Intent Graph

The Intent Graph is the structural backbone that makes governance enforceable rather than aspirational. Every artefact in your workspace, whether it is a model entity, REST endpoint, schema, or content page, exists as a node in the graph. Relationships between them (lineage, governance, inheritance, references) exist as typed edges.

When you write a risk block on a content page and link it to a set of model entities, a governs edge is created in the Intent Graph. The governance engine can then verify that every entity of a given type has the required governance documentation, and report on any gaps.

Governance Capability	How the Intent Graph Powers It
Compliance rules	Governs edges from entity blocks to architectural nodes are counted against enabled rules
Coverage analysis	Inverse traversal finds architectural nodes (model entities, schemas, REST endpoints, GraphQL operations, gRPC services, AsyncAPI channels, Webhook events, MCP tools) missing required governance documentation
Lineage validation	Maps-to edges trace schema fields across all API types (REST, GraphQL, gRPC, AsyncAPI, Webhooks, MCP) to database columns; broken edges are flagged automatically
Deprecation tracking	Replaced-by and evolved-from edges connect deprecated entities to their replacements
Impact analysis	BFS traversal from a changed entity follows edges to find all affected schemas, endpoints, and diagrams
Drift detection	Structural hashes on nodes detect when a governed entity has changed since its last review

Lifecycle-Aware Governance

Every model entity in NeoArc has a lifecycle status: planned, active, or deprecated. Governance is aware of these states throughout the system.

Planned Entities

Entities that exist in the model but are not yet active. Reports identify planned entities without derivation sources, so that every new entity has a documented origin.

Active Entities

The current production architecture. Governance rules, compliance checks, and coverage analysis focus primarily on active entities to measure real-world readiness.

Deprecated Entities

Entities being phased out. Safe-to-delete analysis checks for remaining active references. The Repoint Wizard automates bulk migration of references to replacement entities.

Governance Content Blocks

NeoArc includes dedicated content block types that participate in the governance framework: entity blocks with governs edges and traceability blocks for audit matrices and quality gates. These are not just documentation - they are structured, typed blocks that can be linked to architectural nodes and measured against governance rules.

Category	Block Types	Governance Role
Risk and Security	Risk, Risk Register, Security Control, Security Threat Model, Failure Scenario	Link risks and controls to the entities, schemas, and endpoints they protect
Compliance	Compliance Requirement, Governance Checklist, Data Lifecycle	Define regulatory requirements and verify coverage across architectural nodes
Decisions	ADR, Assumption, Constraint, Principle, NFR	Record and justify architectural decisions with full lifecycle tracking
Operations	Incident Response Plan, Operational Runbook, Deployment Checklist	Connect operational procedures to the API endpoints and entities they cover
Traceability	Data Dictionary, Data Flow Spec, Requirement Traceability	Map data definitions and requirements to model entities and schemas

Enterprise-Ready by Design

NeoArc's governance system is built for the constraints of real enterprise environments.

Air-Gapped Environments

Everything runs locally. Baselines are file-based (no git tag permissions needed), reports run against workspace data, and PDF exports include verification hashes for offline audit.

Monorepo and Multi-Team

Workspace scoping limits governance metrics to only measure the relevant subdirectory. Multiple architecture teams can work in the same repository with independent governance baselines.

Auditable PDF Output

Governance reports export as PDF documents with SHA-256 content hashes, git commit context, watermarks, and optional password protection. Raw JSON is attached for independent verification.

Tamper-Evident Baselines

Each baseline includes a SHA-256 integrity hash. If anyone modifies a baseline file after creation, the system detects the tampering and identifies the responsible commit.

Explore the Governance Capabilities

Each governance capability is covered in detail in its own section. Start with the area most relevant to your needs, or work through them in order for a complete understanding of what the system provides.