Canonical pillar · AI governance

AI governance — explained.

The short version: AI governance is the discipline of bounding what an AI system may do, recording what it did, and proving the system stayed inside its bounds when audited. That sentence sounds simple. The hard part begins when the AI system is an agent — it doesn't just produce text, it takes actions in the world.

Published 2026-05-19 · last reviewed 2026-05-19 · next review due 2026-08-17

1 · Why "AI governance" became a real category

Until 2024, "AI governance" was a research-corner phrase. Three things changed it:

  • Agents arrived. Models that produce text became agents that take actions. An agent that books, transfers, fills, deploys, deletes, or signs creates effects that cannot be unwound. Output review came too late.
  • Regulation arrived. The EU AI Act (2024), ISO/IEC 42001 (2023), updated SR 11-7 guidance from US bank supervisors, and DORA all landed inside a 24-month window. Buyers stopped asking "should we govern AI?" and started asking "show me your governance".
  • Procurement caught up. Vendor risk teams at tier-1 banks, insurers, and healthcare buyers added 40-60 questions on AI controls to standard questionnaires. AI without governance is an unsigned RFI.

2 · What AI governance actually covers

The discipline has five demands, and every credible framework reduces to some combination of them:

| Demand | What it means for AI agents |
| --- | --- |
| Declare authority | Each agent has a named, scoped permission to act, granted by a named human principal, with a recorded purpose and an expiry. No agent has ambient authority. |
| Record evidence | Every privileged action emits a signed evidence pack — purpose, admissibility decision, actor, scope, action, outcome. Constructed at decision-time, not reconstructed. |
| Attest controls | Each control in scope has a named owner, a freshness window (≤90 days under KYE Protocol™), and a signed attestation each cycle. |
| Prove replay | A third party can re-derive the same decision the original system reached, using only public signatures and the public spec — without the originator's secrets. |
| Keep humans on irreversibles | Irreversible operations (payment release, deletion, schema migration, secret rotation) require dual-channel sign-off from two independent humans. Authority never fully delegates here. |
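
A sketch of how the first, second, fourth and fifth demands fit together at the point of action, added here as an illustration and not taken from KYE Protocol™ or any framework: a deny-by-default check against a declared grant, an evidence record built at decision time, and a replay that re-derives the decision from the record alone. The field names, the sample grant and the addresses are constructed assumptions; the signature is left out, so the digest stands in for the value that would be signed with an asymmetric key.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed sample data; field names are assumptions, not a published schema.
IRREVERSIBLE = {"payment_release", "deletion", "schema_migration", "secret_rotation"}
GRANT = {"agent": "agent-7", "principal": "alice@example.com",
         "purpose": "vendor payouts", "scope": ["payment_release", "invoice_read"],
         "expires": "2026-06-01T00:00:00+00:00"}
NOW = datetime(2026, 5, 19, 12, 0, tzinfo=timezone.utc)

def decide(grant, request, now):
    """Return (admissible, reason). Deny by default: no ambient authority."""
    if grant["agent"] != request["actor"]:
        return False, "no grant for actor"
    if now >= datetime.fromisoformat(grant["expires"]):
        return False, "grant expired"
    if request["action"] not in grant["scope"]:
        return False, "action out of scope"
    approvers = set(request.get("approvers", []))  # distinct humans only
    if request["action"] in IRREVERSIBLE and len(approvers) < 2:
        return False, "irreversible action needs two independent humans"
    return True, "within declared authority"

def digest(body):
    """SHA-256 over canonical JSON; this is the value a signer would sign."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def evidence_pack(grant, request, now):
    """Built at decision time, carrying every input the decision used."""
    ok, reason = decide(grant, request, now)
    pack = {"grant": grant, "request": request, "decided_at": now.isoformat(),
            "admissible": ok, "reason": reason}
    pack["digest"] = digest(pack)
    return pack

def replay(pack):
    """Third-party check: digest intact and decision re-derivable from the pack."""
    body = {k: v for k, v in pack.items() if k != "digest"}
    if digest(body) != pack["digest"]:
        return False
    now = datetime.fromisoformat(pack["decided_at"])
    expected = (pack["admissible"], pack["reason"])
    return decide(pack["grant"], pack["request"], now) == expected

if __name__ == "__main__":
    req = {"actor": "agent-7", "action": "payment_release",
           "approvers": ["bob@example.com", "carol@example.com"]}
    print(replay(evidence_pack(GRANT, req, NOW)))
```

Because the record carries the grant, the request and the decision time, a record whose outcome was altered fails replay even if its digest is recomputed to match.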

3 · The frameworks, mapped to the five demands

Read this if you're trying to figure out which framework to follow. The honest answer: usually two or three, depending on jurisdiction and sector. The frameworks overlap more than they conflict.

EU AI Act

Regulation (EU) 2024/1689. Risk-tiered (prohibited / high / limited / minimal) with horizontal obligations on transparency, oversight, data governance, technical documentation, post-market monitoring.

Best when: selling in the EU.

ISO/IEC 42001

The first AI management-system standard. Clauses 4-10 cover context, leadership, planning, support, operation, performance, improvement. Modelled on ISO 27001.

Best when: you want a certifiable, audit-friendly proof.

SR 11-7

US Federal Reserve / OCC / FDIC model risk guidance (2011). Becoming the de-facto AI-agent governance standard for US banks because actions extend "model risk" to "action risk".

Best when: regulated US banking.

DORA

Digital Operational Resilience Act. EU financial-services regulation on ICT risk, incident reporting, third-party oversight, and threat-led penetration testing.

Best when: EU financial services with AI agents touching critical systems.

PCI DSS

Payment Card Industry Data Security Standard v4. Twelve requirement domains covering protect, detect, govern. Mandatory for any AI touching cardholder data.

Best when: AI in the payment loop.

Who else is in this space?

Compliance suites, AI-risk newcomers, model-eval platforms, agent-governance specialists — a competitive map and how to choose.

Best when: evaluating vendors.

Enterprise AI governance

The procurement bar tier-1 banks, insurers, and regulated buyers actually run AI vendors against. Per-clause regulator mappings, SCCT L3 conformance, machine-readable Trust Centre, banking-grade primitives.

Best when: selling AI agents into regulated procurement.

4 · The honest do's and don'ts

If you read one thing on this page, read this. The pre-procurement checklist that separates governance theatre from governance.

  • Do declare authority before the agent runs. Don't add governance after the fact.
  • Do emit evidence at decision-time. Don't reconstruct from logs.
  • Do keep humans on the irreversibles. Don't auto-approve "low-risk" payments.
  • Do run in shadow mode against a known-good baseline before enforcement. Don't enforce on day one.
  • Do attest controls every ≤90 days. Don't treat the audit as the attestation.
  • Don't trust "we have a policy" — ask to see the runtime enforcement.
  • Don't conflate model evaluation with action evaluation. They are different problems.
  • Don't let your vendor define "AI governance" for you. The category is regulator-defined now.


5 · How KYE Protocol™ fits

KYE Protocol™ is the open governance protocol + runtime that bounds AI agents at the point of action and emits Replay-Proof™ evidence packs at every step. We don't compete with the frameworks — we satisfy them. The five demands above are the five engines underneath: Authority, Purpose Permission™, Evidence + Replay, Resilience Loop™, and GovernedUI™.
