Management API

The Management API provides programmatic access to all compliance management features.

Base URL: https://api.glacis.io/api/v1

Organizations

Get Organization

GET /orgs/{orgId}

Request

curl https://api.glacis.io/api/v1/orgs/org_xyz \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "id": "org_xyz",
  "name": "Acme Corp",
  "createdAt": "2024-01-01T00:00:00Z",
  "settings": {
    "defaultFramework": "iso42001",
    "attestationWebhook": "https://acme.com/webhooks/glacis"
  },
  "stats": {
    "aiSystems": 5,
    "controls": 184,
    "complianceScore": 67
  }
}

Controls

List All Controls

Returns the complete ISO 42001 control library.

GET /controls

Query Parameters:

Parameter	Type	Description
domain	string	Filter by domain (e.g., “A.4”)
search	string	Full-text search

Request

curl "https://api.glacis.io/api/v1/controls?domain=A.4" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "controls": [
    {
      "id": "ctrl_a41",
      "code": "A.4.1",
      "name": "AI System Identification",
      "domain": "A.4",
      "description": "The organization shall identify AI systems...",
      "guidance": "Maintain a registry of all AI systems...",
      "autoEvidence": false
    },
    {
      "id": "ctrl_a44",
      "code": "A.4.4",
      "name": "AI System Inventory",
      "domain": "A.4",
      "description": "The organization shall maintain an inventory...",
      "guidance": "Document each AI system with...",
      "autoEvidence": true
    }
  ],
  "total": 184
}

Get Organization’s Control Status

Returns controls with organization-specific status and evidence.

GET /orgs/{orgId}/controls

Query Parameters:

Parameter	Type	Description
status	string	Filter by status: not_started, in_progress, implemented
applicable	boolean	Filter by applicability

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/controls?status=in_progress" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "controls": [
    {
      "id": "ctrl_a626",
      "code": "A.6.2.6",
      "name": "AI System Monitoring",
      "domain": "A.6",
      "applicable": true,
      "status": "in_progress",
      "owner": "user_abc",
      "evidenceCount": 1247,
      "lastEvidence": "2024-01-15T14:30:00Z",
      "notes": "Implementing via GLACIS sidecars"
    }
  ],
  "summary": {
    "total": 184,
    "applicable": 156,
    "implemented": 89,
    "inProgress": 34,
    "notStarted": 33
  }
}

Update Control Applicability

PUT /orgs/{orgId}/controls/{controlId}/applicability

Request

curl -X PUT "https://api.glacis.io/api/v1/orgs/org_xyz/controls/ctrl_a101/applicability" \
  -H "Authorization: Bearer glc_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "applicable": false,
    "justification": "Organization does not use third-party AI vendors",
    "reviewer": "user_abc"
  }'

Response

{
  "controlId": "ctrl_a101",
  "applicable": false,
  "justification": "Organization does not use third-party AI vendors",
  "reviewer": "user_abc",
  "updatedAt": "2024-01-15T14:30:00Z"
}

Evidence

List Evidence for Control

GET /orgs/{orgId}/controls/{controlId}/evidence

Query Parameters:

Parameter	Type	Description
type	string	Filter by type: attestation, document, link
limit	number	Max results (default: 50)
offset	number	Pagination offset

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/controls/ctrl_a626/evidence?type=attestation&limit=10" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "evidence": [
    {
      "id": "ev_abc123",
      "type": "attestation",
      "attestationId": "att_xyz789",
      "level": "L2",
      "epochId": "epoch_2024011514",
      "policyScores": {
        "toxicity": 0.05,
        "pii": false
      },
      "createdAt": "2024-01-15T14:30:00Z",
      "autoMapped": true
    },
    {
      "id": "ev_def456",
      "type": "document",
      "title": "AI Monitoring Policy v2",
      "description": "Internal policy document",
      "fileUrl": "https://storage.glacis.io/...",
      "createdAt": "2024-01-10T09:00:00Z",
      "uploadedBy": "user_abc"
    }
  ],
  "total": 1247,
  "hasMore": true
}

Add Evidence

POST /orgs/{orgId}/controls/{controlId}/evidence

Request

curl -X POST "https://api.glacis.io/api/v1/orgs/org_xyz/controls/ctrl_a21/evidence" \
  -H "Authorization: Bearer glc_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "type": "document",
    "title": "AI Governance Policy",
    "description": "Board-approved AI governance policy document",
    "fileUrl": "https://storage.glacis.io/docs/ai-policy.pdf"
  }'

Response

{
  "id": "ev_new123",
  "controlId": "ctrl_a21",
  "type": "document",
  "title": "AI Governance Policy",
  "description": "Board-approved AI governance policy document",
  "fileUrl": "https://storage.glacis.io/docs/ai-policy.pdf",
  "createdAt": "2024-01-15T14:30:00Z",
  "createdBy": "user_abc"
}

Compliance Scoring

Get Current Compliance Score

GET /orgs/{orgId}/compliance

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/compliance" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "overallScore": 67,
  "calculatedAt": "2024-01-15T14:30:00Z",
  "domains": {
    "A.2": { "score": 85, "implemented": 17, "total": 20 },
    "A.4": { "score": 100, "implemented": 8, "total": 8 },
    "A.5": { "score": 45, "implemented": 9, "total": 20 },
    "A.6": { "score": 72, "implemented": 36, "total": 50 },
    "A.7": { "score": 60, "implemented": 12, "total": 20 },
    "A.8": { "score": 55, "implemented": 11, "total": 20 },
    "A.9": { "score": 70, "implemented": 21, "total": 30 },
    "A.10": { "score": 50, "implemented": 8, "total": 16 }
  },
  "trend": {
    "direction": "up",
    "change": 5,
    "period": "30d"
  }
}

Get Compliance History

GET /orgs/{orgId}/compliance/history

Query Parameters:

Parameter	Type	Description
from	string	Start date (ISO 8601)
to	string	End date (ISO 8601)
interval	string	Aggregation: daily, weekly, monthly

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/compliance/history?from=2024-01-01&interval=weekly" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "history": [
    { "date": "2024-01-01", "score": 34 },
    { "date": "2024-01-08", "score": 45 },
    { "date": "2024-01-15", "score": 67 }
  ]
}

Create Compliance Snapshot

POST /orgs/{orgId}/compliance/snapshot

Creates a point-in-time snapshot for auditing purposes.

Request

curl -X POST "https://api.glacis.io/api/v1/orgs/org_xyz/compliance/snapshot" \
  -H "Authorization: Bearer glc_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "label": "Q1 2024 Audit",
    "notes": "Snapshot for external audit"
  }'

Response

{
  "snapshotId": "snap_abc123",
  "label": "Q1 2024 Audit",
  "score": 67,
  "createdAt": "2024-01-15T14:30:00Z",
  "domains": { /* full domain scores */ },
  "controlStatuses": { /* all control statuses */ }
}

Attestations

List Attestations

GET /orgs/{orgId}/attestations

Query Parameters:

Parameter	Type	Description
level	string	Filter by level: L0, L2
epochId	string	Filter by epoch
from	string	Start timestamp
to	string	End timestamp
limit	number	Max results

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/attestations?level=L2&limit=10" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "attestations": [
    {
      "id": "att_xyz789",
      "level": "L2",
      "epochId": "epoch_2024011514",
      "blindedId": "base64...",
      "requestCommitment": "sha256...",
      "evidenceCommitment": "sha256...",
      "policyScores": {
        "toxicity": { "score": 0.05, "flagged": false },
        "pii": { "detected": false }
      },
      "signature": "base64...",
      "merkleProof": {
        "root": "0x...",
        "index": 1247,
        "siblings": ["0x...", "0x..."]
      },
      "createdAt": "2024-01-15T14:30:00Z"
    }
  ],
  "total": 50847,
  "hasMore": true
}

Get Single Attestation

GET /orgs/{orgId}/attestations/{attestationId}

Ingest Attestation (from sidecar)

POST /orgs/{orgId}/attestations

Note

This endpoint is typically called by sidecars via the receipt service, not directly by applications.

AI Systems

List AI Systems

GET /orgs/{orgId}/ai-systems

Request

curl "https://api.glacis.io/api/v1/orgs/org_xyz/ai-systems" \
  -H "Authorization: Bearer glc_live_..."

Response

{
  "systems": [
    {
      "id": "sys_chatbot",
      "name": "Customer Support Chatbot",
      "description": "GPT-4 powered support assistant",
      "riskTier": "medium",
      "status": "production",
      "dataAccess": ["customer_names", "account_numbers"],
      "monthlyInteractions": 10000,
      "createdAt": "2024-01-01T00:00:00Z"
    }
  ]
}

Create AI System

POST /orgs/{orgId}/ai-systems

Update AI System

PUT /orgs/{orgId}/ai-systems/{systemId}

Delete AI System

DELETE /orgs/{orgId}/ai-systems/{systemId}

Export

Export as OSCAL

GET /orgs/{orgId}/export/oscal

Returns a NIST OSCAL-formatted compliance package.

Export Statement of Applicability

GET /orgs/{orgId}/export/soa

Returns an ISO 42001-formatted Statement of Applicability.

Query Parameters:

Parameter	Type	Description
format	string	Output format: json, csv, markdown

Error Responses

All errors follow a consistent format:

{
  "error": {
    "code": "RESOURCE_NOT_FOUND",
    "message": "Control not found",
    "details": {
      "controlId": "ctrl_invalid"
    }
  }
}

Status	Code	Description
400	BAD_REQUEST	Invalid request parameters
401	UNAUTHORIZED	Invalid or missing authentication
403	FORBIDDEN	Insufficient permissions
404	NOT_FOUND	Resource not found
409	CONFLICT	Resource conflict
429	RATE_LIMITED	Too many requests
500	INTERNAL_ERROR	Server error