Owns objectives and policy
“Keep accounts-receivable days under 30.” “Never auto-spend above €500.” Objectives and approval policies live here, versioned and explicit.
The governance suite
A well-run company separates three powers: the people who do the work, the board that sets direction, and the auditor who checks the books. Business OS gives an AI-operated business the same constitution: three separate minds around one gate that none of them can bypass.
The architecture of oversight
The Governance and Auditor apps are separate products that install next to Business OS and connect from above, through the same API and MCP surfaces as everyone else. There is no privileged backdoor. Whatever sits on top, the gate answers to you.
The boardroom. Owns objectives and policy, reviews strategy on a slow cadence, proposes direction.
The independent examiner. Reads every receipt, verifies conformance, co-signs the decisions that matter.
The operations arm. Heartbeats, reflexes, briefs and receipts: the deterministic engine of record that does the actual work, and logs every step of it.
All three are drivers and observers upstream of the same single gate. A high-stakes proposal from any of them still parks for a human.
The Governance app sibling product · in development
Most boards govern from a slide deck someone prepared last week. The Governance app governs from the live operational record: every KPI, every outcome, every dollar of cost and return, straight from the receipts.
“Keep accounts-receivable days under 30.” “Never auto-spend above €500.” Objectives and approval policies live here, versioned and explicit.
A deliberate, periodic reasoning pass over trends, risks and progress against targets. Strategy on a board cadence, not a chat cadence.
It proposes direction and config changes through the normal approval path. The day-to-day stays with the deterministic core, where it's cheap and legible.
It measures and narrates against the objectives humans set. It does not invent its own goals. That line is structural, not a promise.
“AR days 38 against a target of 30, driven by two late enterprise invoices.” Every claim traceable to a receipt in the log.
A board-level proposal is still a proposal. It parks at the gate like everything else, and a human resolves it.
The Auditor app sibling product · in development
Traditional audits sample a fraction of transactions, months after the fact. The Auditor app reads the decision stream as it happens, because Business OS produces evidence continuously: append-only, provenance-stamped, exportable.
The full decision stream: what fired, what was proposed, who approved, what it cost. Not a sample. All of it.
For high-stakes actions your policy can require a countersignature. The co-sign is a native gate primitive, so it cannot be skipped or worked around.
A separate install, run by a separate party if you wish: your accountant, an external assurance firm, or a regulator's tool. It observes the OS; it doesn't live inside it.
Do the actions match the policy? Did anything act outside its authority? Deviations surface as findings with the trace attached.
Every decision record carries where its inputs came from: verified internal state or raw external input. The auditor sees which claims rest on what.
For accountants and assurance firms, this is a new service line: continuous assurance over clients who run on Business OS.
How the three work together
Watch a live decision circulate. Every line runs through the gate in the middle; there is no path around it.
objectives in, receipts out, one gate in the middle
The board review lands on an objective: keep accounts-receivable days under 30. It becomes typed, versioned config, confirmed by the owner.
Heartbeats watch invoice ages. Reflexes send reminders on schedule, at $0.00. A stubborn late payer becomes a brief with a grounded rationale.
Writing off a €2,400 invoice crosses your threshold. Policy for write-offs requires two signatures, and never the proposer's.
It verifies the full trace: the aging history, the reminder attempts, the rationale. It co-signs; the owner approves. Two independent signatures on the record.
The weekly summary reports AR days moving from 38 to 31 against the target of 30, with every number traceable to a receipt. The board adjusts, and the cycle repeats.
The Governance and Auditor apps are in development as separate products, but everything they stand on ships in the open core now: the versioned API and MCP surfaces, co-sign and segregation-of-duties policies, decision provenance on every receipt, and the rule that no proposer ever approves. You can even fill the slot yourself today, with your own AI assistant or your own tooling.
The richer your operational record, the more the Governance and Auditor apps can do the day they arrive. Start now with the open core; the suite lands on top.