Fifteen is the smallest number that gives each governance concern a layer of its own. Earlier 12-layer drafts collapsed identity-rotation into identity-issuance and correlation into telemetry; both collapses caused production incidents.

Do all 15 layers need to be present from day one?

No. The bottom six layers (identity, signing, transport, audit, policy, evidence) are the load-bearing minimum for any deployment claiming EU AI Act Article 26 alignment. Layers 7–15 are added as the deployment matures or as additional regulatory regimes apply.

How does this map to NIST AI RMF or ISO/IEC 42001?

Both frameworks operate at the governance-process level (what controls exist, who is accountable). The 15-layer stack operates at the implementation level (what is running in production). They are complements: the framework states the obligation, the stack ships the evidence.

Building an AI governance stack: 15 layers from identity to correlation

A reference architecture. What each layer owns, what it depends on, what fails if you skip it.

Why The Layer Model

"AI governance" as a phrase is a category, not an artefact. It can mean a board-level policy document, a procurement checklist, a runtime guard, an audit log, a correlation feed, an incident playbook, or all of those together. Without a layer model the conversation between the CISO, the platform engineer, and the compliance lead descends into category confusion within a quarter.

The 15-layer model below is the reference architecture AiEGIS uses to keep that conversation tractable. Each layer has one owner, one input from the layer below, one output to the layer above, and a single failure mode that determines what breaks if the layer is absent.

The Bottom Six: The Load-Bearing Minimum

If your deployment claims EU AI Act Article 26 alignment, layers 1–6 are not optional. Each maps directly to a paragraph or pair of paragraphs in the Regulation.

L#	Layer	Owns	Fails if absent
1	Agent identity	Per-agent cryptographic identifier (did:key + Ed25519).	You cannot answer "which agent did this" to a regulator.
2	Signing & verification	Per-request signature; offline verifier path.	Audit log is a claim, not evidence.
3	Transport & auth	mTLS or signed JWT at the wire; rate limiting.	Standard web-tier compromises remain unmitigated.
4	Audit ledger	Append-only event store with storage-layer enforcement.	Article 26(6) log retention fails on first adversarial review.
5	Policy engine	Per-request decision: allow / deny / require-step-up.	"Human oversight" is a policy document, not a runtime gate.
6	Evidence packaging	Signed bundle per period, fetchable on request.	Article 26(12) cooperation with competent authorities has nothing to hand over.

The single most common deployment pattern that fails an audit walkthrough is skipping layer 4 in favour of "we have logs in Datadog". Datadog is a telemetry layer, not an audit layer. The retention model, the tamper model, and the chain-of-custody model are different.
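
The difference in tamper model can be made concrete with a hash chain. The sketch below is illustrative only and is not the AiEGIS ledger: the class `AuditLedger`, the `GENESIS_HASH` sentinel, and the event fields are hypothetical names, and an in-memory list stands in for a real store. It shows application-level tamper evidence only; the storage-layer enforcement named in the table (for example, write-once storage) is a separate control that this code does not provide.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # hypothetical sentinel used as "previous hash" of the first entry


def _entry_hash(prev_hash: str, payload: str) -> str:
    """Hash the previous entry's hash together with this entry's payload."""
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLedger:
    """In-memory, append-only, hash-chained event list (illustrative only)."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, event: dict) -> str:
        # Canonical JSON so the same event always produces the same bytes.
        payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        digest = _entry_hash(prev_hash, payload)
        self._entries.append({"payload": payload, "prev": prev_hash, "hash": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain from the start; an edited or reordered entry breaks it."""
        prev_hash = GENESIS_HASH
        for entry in self._entries:
            if entry["prev"] != prev_hash:
                return False
            if _entry_hash(prev_hash, entry["payload"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True
```

Editing any stored payload makes `verify()` return `False`. Truncating the tail is not detected unless the latest hash is also anchored somewhere the writer cannot modify, which is one reason the table pairs the ledger with storage-layer enforcement.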

The Middle Five: The Operational Spine

L#	Layer	Owns	Fails if absent
7	Identity rotation & revocation	Per-agent key lifecycle, revocation list, cascade.	A compromised agent stays trusted indefinitely.
8	Capability assertion	Signed claim of what each agent is permitted to do.	An agent can advertise capabilities it cannot back.
9	Guard / preflight	Input-side checks (prompt-injection patterns, PII, jailbreak signatures).	Layer 5 (policy) operates blind to known attack surface.
10	Postflight / output review	Output-side checks (PII leakage, policy violation, hallucination signals).	Bad outputs reach the consumer; remediation is per-incident, not class-based.
11	Risk & vulnerability scoring	Per-agent AIVSS score; trend over time.	Risk decisions are gut-feel; insurance and procurement cannot price the deployment.

The Top Four: The Observability And Settlement Spine

L#	Layer	Owns	Fails if absent
12	Telemetry & metrics	Latency, throughput, error-rate, per-tool counters.	Operability collapses; incidents take longer to detect.
13	Tracing & replay	Per-request trace tree; deterministic replay for forensic analysis.	Post-incident investigation is anecdotal.
14	Marketplace & settlement	Cross-organisation discovery, capability cards, atomic settlement.	Each peer connection is a bespoke integration.
15	Cross-tenant correlation	Pattern detection across deployments (shared attack signatures, regression clusters).	Each tenant relearns the same attacks individually.

What Goes Wrong When Layers Are Conflated

Three conflations show up regularly in deployments we review:

Layer 4 (audit) folded into Layer 12 (telemetry). Telemetry is sampled, lossy, and mutable, with retention bounded by storage cost. Audit must be unsampled, lossless, and immutable, with retention bounded by law. Conflating them produces a system that does neither well.
Layer 9 (preflight) treated as a substitute for Layer 5 (policy). A guard is a filter; a policy is a decision with context. A guard cannot say "this agent is normally allowed to use this tool, except that this user is in a category that requires step-up." Trying to encode policy logic in regex guards produces unmaintainable rule sets within two quarters.
Layer 11 (scoring) bolted on after the fact. AIVSS-style scoring needs the per-request signed audit trail from Layer 4 to compute trend metrics. Adding scoring on top of an opaque deployment produces snapshot scores with no time series and no replay path. See AIVSS vs CVSS for why this matters.
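
The guard-versus-policy distinction in the second conflation can be sketched in a few lines. This is a minimal illustration under stated assumptions, not the AiEGIS policy engine: `Request`, `AGENT_TOOL_GRANTS`, `STEP_UP_CATEGORIES`, and the single regex are all hypothetical placeholders. The guard sees only the prompt text; the policy function sees the agent, the tool, and the user category, and returns one of the three decisions named in the layer table.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REQUIRE_STEP_UP = "require-step-up"


# Guard (layer 9): a context-free filter over the input text.
# The single pattern is a placeholder, not a real signature set.
INJECTION_PATTERNS = [re.compile(r"ignore (all )?previous instructions", re.IGNORECASE)]


def guard_passes(prompt: str) -> bool:
    return not any(p.search(prompt) for p in INJECTION_PATTERNS)


@dataclass(frozen=True)
class Request:
    agent_id: str
    tool: str
    user_category: str
    prompt: str


# Hypothetical policy data: tools granted per agent, and user categories that force step-up.
AGENT_TOOL_GRANTS = {"agent-billing": {"refund", "lookup"}}
STEP_UP_CATEGORIES = {"minor", "vulnerable-customer"}


def decide(req: Request) -> Decision:
    """Policy (layer 5): a decision that combines the guard result with request context."""
    if not guard_passes(req.prompt):
        return Decision.DENY
    if req.tool not in AGENT_TOOL_GRANTS.get(req.agent_id, set()):
        return Decision.DENY
    if req.user_category in STEP_UP_CATEGORIES:
        return Decision.REQUIRE_STEP_UP
    return Decision.ALLOW
```

The step-up branch depends on who the user is, not on what the prompt says, so no pattern over the prompt text alone could express it.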

How To Adopt Incrementally

No greenfield team builds all 15 layers at once. The defensible incremental path:

Ship layers 1–4 before first production use. These four are the foundation of the EU AI Act Article 26 minimum (layers 1–6); everything else is harder without them.
Add layers 5–6 before first external user. Without policy + evidence packaging, the deployment cannot satisfy a customer due-diligence questionnaire.
Add layers 7–10 before second tenant. Multi-tenant introduces failure modes that single-tenant defaults paper over.
Add layer 11 before procurement requires it (typically when annual revenue from regulated customers crosses ~€1M).
Layers 12–13 are observability hygiene; add when SRE on-call cost justifies them.
Layers 14–15 are unlock layers; add when you participate in a marketplace or want correlation across deployments.
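
The first three steps of this path can be expressed as a simple gap check. The sketch below is an assumption-laden illustration: the milestone keys and the function `missing_layers` are hypothetical names, and only the milestones with a fixed layer range in the list above are encoded. Layers 11–15 are left out because their triggers (procurement, on-call cost, marketplace participation) are conditional rather than sequential.

```python
# Layer ranges taken from the adoption list above; the milestone keys are hypothetical.
REQUIRED_BY_MILESTONE = {
    "first_production_use": set(range(1, 5)),   # layers 1-4
    "first_external_user": set(range(1, 7)),    # layers 1-6
    "second_tenant": set(range(1, 11)),         # layers 1-10
}


def missing_layers(implemented: set[int], milestone: str) -> list[int]:
    """Return the layer numbers still needed before the given milestone, in order."""
    required = REQUIRED_BY_MILESTONE[milestone]
    return sorted(required - implemented)


if __name__ == "__main__":
    # A deployment with layers 1-4 in place, checked against the next milestone.
    print(missing_layers({1, 2, 3, 4}, "first_external_user"))
```

A check like this could run in CI against a declared list of deployed layers, so that a milestone cannot be claimed while a required layer is still missing.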

Where AiEGIS Sits On The Stack

The AiEGIS platform ships implementations for layers 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 14, and 15. Layers 3, 12, and 13 are intentionally outside scope — your existing web tier, observability platform, and tracing stack already cover those, and re-implementing them inside the governance layer produces duplication rather than value.

The full architecture breakdown is at /architecture. The harness implementation that ships layers 4–11 is documented at /harness.