Who's in AI governance.
The market split into four camps in 2024-2026. Each solves a different slice of the problem. None of them, on their own, satisfies the regulator-grade demand stack for AI agents that take actions. Here's the map.
Published 2026-05-19 · reviewed 2026-05-19 · ~5-min read
The four camps
| Camp | What they sell | Where they fall short for agents |
|---|---|---|
| Enterprise GRC suites (e.g. ServiceNow, MetricStream, OneTrust, Archer) | Risk registers, policy management, audit workflow, vendor risk. AI modules added 2024-2025. | Documentation-grade, not runtime-grade. Don't bind actions. Evidence is reconstructed from logs. |
| AI risk newcomers (e.g. Credo AI, Trustible, Holistic AI, Fairly AI) | AI use-case registry, EU AI Act / ISO 42001 control mapping, policy templates, RAI metrics. | Strong on framework mapping, weak on runtime enforcement. Built for models, retrofitted to agents. |
| Model-eval platforms (e.g. Arize, WhyLabs, Fiddler, Robust Intelligence) | Drift detection, model performance monitoring, eval frameworks, red-team automation. | Solve model-quality, not authority. Don't answer "may this agent take this action". |
| Agent-governance specialists (e.g. KYE Protocol™, plus a small handful of others) | Runtime authority binding, Replay-Proof™ evidence, GovernedUI™ approval surfaces, control attestation. | This is what KYE™ does. The category is new: fewer than ten credible vendors as of 2026-Q2. |
Where each player sits on the authority lifecycle
The clearest way to read the landscape is not by company but by which stage of the agentic-governance lifecycle a tool occupies — Intent → Action Admissibility™ → Authority Resolution™ → Delegation/Scope → Execution Control → Evidence Pack™ → Authority Finality™ → Reality Coupling™ → Contestability → Renewal/Revocation. Almost every adjacent product is strong at one stage. KYE Protocol™ is the layer that resolves and signs authority and finality across the whole spine, and consumes the others' outputs as inputs.
| Adjacent player / category | What it does | KYE™ complement |
|---|---|---|
| Agent identity / STS (e.g. Uber's agent-identity work, OAuth/MCP gateways) | Proves who the caller is: the agent, its actor chain, its token. | Identity is the input. KYE™ proves whether the action that caller took had authority. |
| Execution-integrity specs (e.g. Veraxis / VEIP) | Pre-commit authorization evidence + deterministic supervisory replay at the commit boundary. | Veraxis governs the transition; KYE™ governs the authority lifecycle behind it: federated, contestable, with Reality Coupling™. |
| Enforcement gateways (e.g. Cerbos, local tool-call guards) | Allow/deny one action at one boundary against a policy. | A local guard governs one hop; KYE™ governs the chain across six trust domains, Replay-Proof™ from public keys alone. |
| Observability / eval (e.g. Datadog, Arize) | Monitor model + agent behaviour, drift, quality in production. | They watch the action after the fact; KYE™ authorises it before, and binds the evidence. |
| GRC suites + AI-risk (e.g. OneTrust, Credo AI) | Risk registers, framework mapping, policy templates, audit workflow. | They document the policy; KYE™ enforces it at runtime and feeds them signed Evidence Packs™. |
| Legal-agent platforms (e.g. Flank, LawLM) | Draft, review, summarise and analyse legal work and evidence. | They do the legal work; KYE™ proves it was authorised, reviewed, evidenced and final. |
| Contract certification (e.g. TermScout) | Certify that contract terms are fair / market-aligned. | They certify the document; KYE™ certifies the authority chain behind the contract action. |
| Payments infrastructure (e.g. multi-rail checkout / PSPs) | Route and settle value across cards, banks, stablecoins, local methods. | Rails move value; KYE™ proves the authority to move it: payer, payee, budget, rail, jurisdiction, approval threshold. |
| Agent frameworks (e.g. LangGraph, CrewAI) | Compose the agent's plan, tools and execution loop. | Agents compose the path; KYE™ resolves and signs the finality decision (server-side, deterministic). |
| KYE Protocol™ | Runtime authority binding + Replay-Proof™ evidence + Authority Finality™ + contestability. | Spans the whole lifecycle — Intent through Finality to Renewal/Revocation — and consumes every row above as an input. |
Positioning is by category; named examples illustrate the camp and are not endorsements. The structured stage-by-player registry that powers the lifecycle visual lives at the agentic governance lifecycle map.
What KYE Protocol™ does differently
- Action-binding, not action-monitoring. Authority is checked at the point of action, not after. An agent without authority cannot act.
- Replay-Proof™ evidence. A third party re-derives the decision from public signatures + the public spec. No trust-the-vendor.
- GovernedUI™ for irreversibles. Two-person and two-person-with-legal sign-off modes for actions that can't be undone.
- Self-governing protocol. The platform itself emits the same audit chain it demands of customers. Regulators verify against the protocol that runs the protocol.
- Open spec, open vocabulary, open profiles. Not a black box. Procurement reviews see the actual contract.
How to pick
- If you need audit evidence for a documented AI use: a GRC suite + an AI-risk newcomer probably covers you.
- If you need to monitor model quality + drift: a model-eval platform.
- If your AI takes actions in regulated workflows (payments, KYC, underwriting, claims, deployments, customer messaging): agent-governance specialist required. The other three camps don't bind actions.
- If you sell into the EU and need ISO 42001 certification: any of the above can help on documentation. None obviates the need for an AI management system (AIMS).
The honest answer is that most large buyers run two: a GRC suite for board-level visibility, plus a runtime layer for the actual agents. KYE Protocol™ is built to be that runtime layer, and to feed evidence packs into whatever GRC system you already operate.