Enterprise AI governance — explained.

Procurement teams at tier-1 banks, insurers, healthcare, and regulated buyers don't want AI governance theatre. They want testable controls. Per-action authority binding. Replay-Proof™ evidence. Published per-clause regulator mappings. A conformance standard the vendor can be tested against — not pitched at. This page is the definitive answer to what enterprise AI governance is, what tier-1 procurement requires, and how the open Software Constitution Standard v1.0 makes it auditable.

Published 2026-05-19 · last reviewed 2026-05-19 · next review due 2026-08-17

1 · What changed in 2024-2026

Generic AI governance was a researcher word. Enterprise AI governance is a procurement requirement. Three forces fused it into one category:

  • Regulation arrived in waves. EU AI Act (2024), ISO/IEC 42001 (2023), DORA (2025), revised SR 11-7 supervisory guidance — all landed inside 24 months. Tier-1 buyers' vendor risk questionnaires added 40-60 new questions on AI controls.
  • Agents replaced models. Once your AI takes actions (payments, KYC decisions, deployments, customer-facing notices), output-review is too late. The unauthorised-action problem replaced the model-quality problem.
  • Procurement caught up. CISO offices stopped asking "do you have AI governance?" and started asking "show me your control mapping per clause of the EU AI Act, your SOC 2 Type II report, your sub-processor list with DORA risk classification, and your published conformance status."

2 · What enterprise AI governance demands (the procurement bar)

Demand, and what it means in a tier-1 procurement review:

  • Per-action authority binding: each agent acts under a named, scoped permission from a named principal — not ambient API keys. The audit chain shows who authorised what.
  • Replay-Proof™ evidence: a third party can re-derive a decision from public signatures + the public spec, without the vendor's secrets. "We logged it" is not enough; the regulator needs to reproduce it.
  • Per-clause regulator mappings: the vendor publishes EU AI Act Art. 12/13/14/15, ISO 42001 clauses 4-10, SR 11-7 §III-VI and DORA Art. 17/19/28 mappings to its runtime controls. Not "we comply" — "here's the table".
  • Open conformance standard: vendor-defined "AI governance" is sales theatre. Procurement wants SCCT L3 conformance — a published Apache-2.0 standard that the vendor can be tested against by anyone.
  • SOC 2 Type II + ISO 27001 audit reports: external attestation, not self-attestation. Big-Four or equivalent. Current within the lookback period.
  • Banking-grade primitives: WORM audit chain, HSM-backed signing, four-eyes dual-channel sign-off on irreversibles, data residency routing, kill-switches per agent.
  • Trust Centre (machine-readable): a public URL serving the vendor's current attestation state as JSON, so procurement scripts can ingest it. KYE's lives at kyeprotocol.com/trust.json.
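What the Replay-Proof™ row asks a third party to do, as an added example that is not KYE Protocol or SCCT code: the record format, the policy-spec shape and the four-eyes rule are assumptions made here for illustration, and Ed25519 stands in for whatever signing scheme a vendor actually publishes. The verifier holds only the vendor's public key and the public spec; it recomputes the decision from the signed inputs and rejects a record whose claimed decision does not replay.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Record is a constructed decision record (hypothetical format, not the KYE
// Protocol or SCCT schema). The vendor signs its canonical JSON bytes.
type Record struct {
	Action    string   `json:"action"`
	Approvers []string `json:"approvers"` // named principals who signed off
	Decision  string   `json:"decision"`  // "allow" or "deny", as claimed
}

// Spec is the published policy (assumed shape): actions needing four-eyes sign-off.
type Spec map[string]bool

// Derive recomputes the decision from inputs and public spec, ignoring r.Decision.
func Derive(s Spec, r Record) string {
	needed := 1
	if s[r.Action] {
		needed = 2
	}
	distinct := map[string]bool{}
	for _, a := range r.Approvers {
		distinct[a] = true // one person signing twice is not four eyes
	}
	if len(distinct) >= needed {
		return "allow"
	}
	return "deny"
}

// Verify is the third-party check: signature under the vendor's published key,
// then signed decision equals what the public spec re-derives. No vendor secret needed.
func Verify(pub ed25519.PublicKey, s Spec, msg, sig []byte) error {
	if !ed25519.Verify(pub, msg, sig) {
		return errors.New("signature does not verify")
	}
	var r Record
	if err := json.Unmarshal(msg, &r); err != nil {
		return err
	}
	if got := Derive(s, r); got != r.Decision {
		return errors.New("signed decision " + r.Decision + " replays as " + got)
	}
	return nil
}
```

The vendor side is two standard-library calls: json.Marshal the record, then ed25519.Sign over those bytes; only the public key is handed to the verifier.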

3 · Why the open standard matters

The thing most enterprise AI governance vendors won't show you is the testable bar. They show you a dashboard, a control mapping, a marketing page. Procurement teams ask: "how do I verify any of this?"

The Software Constitution Standard v1.0 — Apache 2.0, published at softwareconstitution.com — answers that question with a CLI: npx scct your-vendor-repo returns L0 / L1 / L2 / L3 conformance. No vendor pitch; objective signal. Banks can require SCCT L3 in their RFP language and have an external test for it.

KYE Protocol™ is the reference implementation. The Constitution Gateway™ at constitution.kyeprotocol.com serves the live conformance state as JSON.

4 · Regulatory framework matrix

EU AI Act

Risk tiers, Art. 12-15 obligations for high-risk systems, GPAI rules. Phased application 2025-2027.

SR 11-7

US Fed / OCC / FDIC model risk guidance. Extended to AI-agent action risk for tier-1 US banks.

ISO/IEC 42001

AI management system standard. Clauses 4-10 + Annex A. Certifiable. Procurement teams in 2026 ask for it.

DORA

EU operational resilience. Art. 17 ICT incident management, Art. 28 third-party register.

PCI DSS

If AI touches cardholder data. Twelve requirement domains.

Players landscape

How KYE compares to Credo AI, Trustible, Holistic AI, OneTrust, ServiceNow.

5 · 12-step pre-procurement checklist

  1. Vendor publishes per-clause regulator mappings (EU AI Act, ISO 42001, SR 11-7, DORA, GDPR Art. 22+30+32).
  2. Vendor publishes a machine-readable Trust Centre at a stable URL.
  3. Vendor passes an open conformance standard (e.g. SCCT L3) — not a self-graded scorecard.
  4. Vendor publishes a sub-processor list with DORA risk classification + 30-day change-notice + opt-out window.
  5. Vendor ships a signed DPA template with EU SCCs Module Two + UK IDTA annexes pre-populated.
  6. Vendor demonstrates Replay-Proof™ evidence — re-derive a decision from public signatures alone.
  7. Vendor uses WORM-anchored audit chains (DB triggers + object-store immutability or equivalent).
  8. Vendor enforces four-eyes dual-channel sign-off on irreversible actions (payments, deletions, schema migrations, secret rotations).
  9. Vendor uses HSM-backed signing for production keys (BYOK supported).
  10. Vendor provides data residency controls (EU-only routing if EU tenant).
  11. Vendor publishes incident response runbook with named 24/7 contact + 30-min Sev-0 SLA.
  12. Vendor offers a customer data export procedure in machine-readable format (GDPR Art. 28(3)(g)).


6 · How KYE Protocol™ delivers it

KYE Protocol™ is the open governance protocol + edge runtime + reference implementation. Every demand above maps to a shipped engine:

  • Per-action authority binding — Authority Engine + Purpose Permission™ Engine
  • Replay-Proof™ evidence — Evidence Engine + Replay Engine + Decision Map™
  • Per-clause regulator mappings — 5 framework deep-dives with clause-by-clause control tables
  • Open conformance standard — Software Constitution Standard v1.0 (Apache 2.0); KYE is L3-conformant
  • Banking-grade primitives — WORM triggers (D1) + object-store immutability; BYOK with HSM signing; GovernedUI™ four-eyes; data-residency router
  • Trust Centre (machine-readable) — kyeprotocol.com/trust.json
  • Constitution Gateway™ — live state at constitution.kyeprotocol.com


FAQ

Is enterprise AI governance just AI governance for big companies?

No. It's a different category. Generic AI governance focuses on model evaluation (does the model give correct answers). Enterprise AI governance focuses on agent action authority (was the agent allowed to take that action, on whose behalf, under what policy, can we reproduce the decision in court). Banks don't have a model-quality problem — they have an unauthorised-action problem.

Why an open standard rather than a vendor framework?

Vendor-defined governance is a sales surface. Procurement teams need to test a vendor against a published bar. Software Constitution Standard v1.0 is the only published conformance test for AI-governance projects. Enterprises that demand "SCCT L3 conformance" in their RFPs get an objective testable signal.

How long does enterprise procurement take?

Tier-1 banks run 3-6 month vendor risk processes. KYE ships the artefacts that compress this: published per-clause mappings, machine-readable Trust Centre JSON, SCCT verdict, sub-processor list, DPA template with EU SCCs + UK IDTA annexes pre-populated. SOC 2 + ISO 27001 external audits add 3-6 months on top.

Which regulations does this cover?

EU AI Act, ISO/IEC 42001, SR 11-7, DORA, PCI DSS, GDPR Art. 22+30+32, NIS2 (where applicable). See the framework matrix above.