03 — Governance

Runtime Governance

Jurisdictional rule packs enforced at runtime. Every agent action evaluated against the right framework, in the right jurisdiction, sub-15ms p95 on customer infrastructure.

Governance, in three pages

Frameworks · Runtime · Audit Trail

01 — Coverage proof

Frameworks

Six rule packs, article-by-article. EU AI Act (Art. 26 enforced from 2026-08-02), GDPR, NIST AI RMF, MGAIF, POPIA, OWASP ASI. What your regulator wants to see.

02 — Enforcement proof

Runtime

/api/protect flow, 12 enforced layers × 5 packs, real reason_codes (EU_AI_ACT_*, GDPR_*, NIST_RMF_*, SG_MGAIF_*, ZA_POPIA_*). What stops bad agent behaviour.

03 — Auditor handoff

Audit Trail

Ed25519-signed receipts, customer-cloud invariant (signed receipts only return), retention, SIEM export. What your SOC2/GDPR/Article 26 auditor walks away with.

The problem

Compliance lives in PDFs. Agents act in milliseconds.

Most "AI governance" is a quarterly audit, a binder, a checkbox. Agents don't ask permission — they act. By the time the audit catches the violation, the contract is signed and the data is gone.

AiEGIS Governance evaluates every agent action against the applicable jurisdictional rule pack at runtime. The decision arrives before the action does. The audit trail is signed, immutable, and yours.

Rule packs in production

Five frameworks. One enforcement engine.

Pack versions evolve continuously — current pack metadata is published live at /registry/jurisdiction/packs.

EU AI Act

Articles 9, 10, 11, 12, 13, 14, 15, 50, 72. Article 50 enforced from 2026-08-02. Penalties up to 7% of global revenue.

GDPR

Lawful basis, data minimisation, automated decision rights, transparency, DPIA hooks.

NIST AI RMF

Govern, Map, Measure, Manage. Risk classification, behavioural baselining, anomaly response.

Singapore MGAIF

Multi-jurisdiction agent governance: Singapore IMDA, jurisdictional extensions, cross-border data flow.

South Africa POPIA

Lawful processing, special personal information, cross-border transfer.

OWASP ASI Top 10 (2026)

Agentic application security baseline. Identity, tool sandbox, memory integrity, supply-chain.

How it works

12 layers. One API.

12-layer defense-in-depth. Identity, compliance, agent police, model gate, input sanitiser, memory integrity, tool sandbox, data protection, network, behavioural intelligence, confidence scoring, correlation engine.

Single REST API. /api/protect evaluates, decides, and signs. Sub-15ms p95 on customer infrastructure (loopback). Self-hosted. No data leaves your perimeter.

Cryptographically-signed audit trail. Every decision Ed25519-signed and stored on your infrastructure. Article 26 evidence-ready.