KYE AI Solutions Framework Authority Pack™ — frameworks define what should happen; KYE Protocol™ resolves who may make it happen.
The AI Solutions Framework defines roughly ninety safeguards an enterprise should operate as it adopts AI — across AI governance & accountability, risk management, AI safety, data privacy and lineage, compliance monitoring, and audit & evidence, tiered IG1 through IG3. A framework describes the controls. It does not, by itself, stop an AI agent from taking a consequential action without authority. The KYE AI Solutions Framework Authority Pack™ turns the runtime-resolvable safeguards into executable authority flows at the action boundary: it binds every consequential AI action to a named-authority approval, records the due-diligence attestation before the action, holds the action advisory until a named human reviewer signs off at the stage gate, records any control override as a signed exception, and seals it all into a replay-provable evidence pin. KYE Protocol™ governs whether the action may proceed, under what authority, and proves it later — it does not author the policy, run the committee, maintain the inventory, deliver the training, or verify the deploy-time infrastructure posture.
A framework is a list of controls — the missing layer is who is allowed to act, proven later.
Enterprises adopting AI reach for a control framework to organise the work. The AI Solutions Framework is a good one: prioritised, maturity-tiered, comprehensive. But a framework document, an inventory spreadsheet, and a governance-board charter do not stop an AI agent from posting, approving, or executing a consequential action it was never authorised to take. Three facts converge:
- The consequential moment is the action — not the policy. An AI recommendation in a model's output is inert; an action that commits is consequential. Accountability attaches at the moment an AI action proceeds — exactly where a framework document is silent.
- Approvals, attestations, stage gates, and exceptions are runtime decisions. The framework's approval-workflow, attestation, human-oversight, and exception-register safeguards each describe a decision that must happen at the action boundary. KYE Protocol™ resolves them: whether the action may proceed, under whose authority, with the attestation recorded before the action, held advisory pending sign-off, with any override recorded.
- Provenance is now an audit expectation. An auditor reviewing an AI-supported decision expects to reconstruct what happened, on what basis, and under whose authority. KYE Protocol™ produces a signed, replay-derivable provenance pin at the moment the action commits, verifiable offline from published keys.
- This is a governance wedge, not a posture scanner and not a policy author. KYE Protocol™ does not write your governance policy, run your risk committee, or scan your cloud configuration. It governs the action boundary the AI agents feed — the named-authority + attestation + stage-gate + exception layer the AI-adoption ecosystem currently lacks.
Survives an auditor or a regulator spot check — attested, signed-off, and derivable from public keys alone.
- Authority-bound by construction. Every consequential AI action maps to a recorded named-authority approval — the agent, the decision artefact, the intended action, and the named human authority under whose approval it proceeds. An AI authorised for one purpose cannot proceed under another.
- Attested before the action. An AI-supported action that moves toward a consequential effect must carry a recorded due-diligence / risk attestation — a risk-tier determination plus a competence / control-applicability screen. An unscreened, low-confidence, or attestation-deficient action is refused at the action-admissibility gate.
- Stage-gate, human-oversight enforced. A consequential action stays advisory until a named reviewer records sign-off; high-impact actions configured for two-person review require a GovernedUI two-person sign-off. Unreviewed AI-driven consequential actions are refused and routed dual-channel.
- Exceptions recorded, not lost. Any deviation from, or override of, an AI control is recorded as a signed, replay-provable exception — the deviation, its justification, and the approving authority — before the action proceeds.
- Replay-provable provenance. A signed provenance pin binds the model and version, the inputs and pinned source data, the decision map, the attestation, and the authority outcome — audit-grade evidence an auditor or a regulator can verify offline, against published keys alone, held WORM.
Every consequential AI action — authority-bound at the action boundary.
One coherent spine governs three specializations — regulated-enterprise, financial-services-ai, and public-sector-ai — with no parallel packs. Each consequential AI action flows through the same four rules, on the canonical KYE Protocol™ envelopes.
- 1 — Action proposed. An AI agent produces a decision, recommendation, or action that begins to move toward a consequential effect.
- 2 — Attestation + authority check. The Action Admissibility™ Gate verifies a recorded due-diligence / risk attestation and the named-authority under which the action proceeds, under the §25 Edge Governance Safety Floor. No attestation, no authority = no action.
- 3 — Advisory pending stage-gate sign-off. The action is advisory until a named reviewer records sign-off — with two-person sign-off required where configured for high-impact actions. Any control override must be recorded as a signed exception. Unreviewed or unexcepted actions are refused and routed dual-channel.
- 4 — Provenance pin sealed. The runtime emits kye.purpose.request.v1 + kye.purpose.admissibility.v1 + kye.evidence.decision_map.v1 + kye.evidence.pack.v1 in lockstep, binding the model and version, the pinned inputs, the attestation, the named reviewer, and the Authority Finality™ outcome — signed and replay-derivable for an auditor or a regulator spot check.
An AI-adoption programme needs both a deploy-time posture layer and a runtime authority+evidence layer.
The credibility of this Pack is its honesty. The AI Solutions Framework's roughly ninety safeguards do not all resolve at the action boundary — so KYE Protocol™ does not claim them all. The framework splits cleanly into three honest buckets, and we show all three.
| Bucket | Example safeguards | Owner | KYE Protocol™ coverage |
|---|---|---|---|
| Runtime authority & evidence (KYE Protocol™ enforced) | Approval workflow, accountability, attestation before action, human-oversight stage gate, exception register, audit/evidence provenance | KYE Protocol™ at the action boundary | enforced — real engine + real audit event, gate-proven |
| Organisational | AI governance board, AI system inventory, acceptable-use policy authorship, workforce training, risk committee | Governance office / CISO | out of scope — KYE Protocol™ enforces the board’s decisions, it does not run the board |
| Infrastructure posture / CSPM | Model/inference logging enabled, data-store encryption, IAM least-privilege, network egress posture | Cloud platform / DevSecOps | out of scope — ceded to an external posture/CSPM layer KYE Protocol™ complements |
The complement, named honestly. ISO/IEC 42001 and every serious AI-adoption framework need both a deploy-time posture layer (is the bucket encrypted, is model-logging on, are the IAM grants least-privilege — verified by a CSPM / posture scanner) and a runtime authority+evidence layer (who was allowed to take this AI action, under what authority, proven later — KYE Protocol™). Neither half alone is sufficient. KYE Protocol™ governs the runtime authority and evidence of the AI action — whether it may proceed — and complements the posture layer. It does not author the policy, run the committee, maintain the inventory, deliver the training, or verify the infrastructure posture, and it never inflates its coverage to 100% of the framework.
Qualified AI-adoption partners — apply through the Foundry.
The KYE AI Solutions Framework Authority Pack™ is a §68 sector product productised through the KYE Sector Pack Foundry™ Build tier; commercial distribution is value-based, qualification-gated, and disclosed under NDA to qualified applicants.