03 — Governance


# Runtime Governance


Jurisdictional rule packs enforced at runtime. Every agent action evaluated against the right framework, in the right jurisdiction, designed for real-time verification on customer infrastructure.







Governance, in three pages


## Frameworks · Runtime · Audit Trail



01 — Coverage proof

### Frameworks

Six rule packs, article-by-article. EU AI Act (Art. 26 enforceable from 2026-08-02), GDPR, NIST AI RMF, MGAIF, POPIA, OWASP ASI. What your regulator wants to see.

[Read frameworks →](/governance/frameworks)

02 — Enforcement proof

### Runtime

`/api/protect` flow, 12 enforced layers × 5 packs, real `reason_codes` (`EU_AI_ACT_*`, `GDPR_*`, `NIST_RMF_*`, `SG_MGAIF_*`, `ZA_POPIA_*`). What stops bad agent behaviour.

[Read runtime →](/governance/runtime)

03 — Auditor handoff

### Audit Trail

Ed25519-signed receipts, customer-cloud invariant (signed receipts only return), retention, SIEM export. What your SOC2/GDPR/Article 26 auditor walks away with.

[Read audit trail →](/governance/audit-trail)








The problem


## Compliance lives in PDFs. Agents act in milliseconds.




Most "AI governance" is a quarterly audit, a binder, a checkbox. Agents don't ask permission — they act. By the time the audit catches the violation, the contract is signed and the data is gone.


AiEGIS Governance evaluates every agent action against the applicable jurisdictional rule pack at runtime. The decision arrives before the action does. The audit trail is signed, immutable, and yours.








Rule packs in production


## Five frameworks. One enforcement engine.


Pack versions evolve continuously — current pack metadata is published live at `/registry/jurisdiction/packs`.




#### EU AI Act

Articles 9, 10, 11, 12, 13, 14, 15, 50, 72. Article 50 enforceable from 2026-08-02. Penalties up to 7% of global revenue.



#### GDPR

Lawful basis, data minimisation, automated decision rights, transparency, DPIA hooks.



#### NIST AI RMF

Govern, Map, Measure, Manage. Risk classification, behavioural baselining, anomaly response.



#### Singapore MGAIF

Multi-jurisdiction agent governance: Singapore IMDA, jurisdictional extensions, cross-border data flow.



#### South Africa POPIA

Lawful processing, special personal information, cross-border transfer.



#### OWASP ASI Top 10 (2026)

Agentic application security baseline. Identity, tool sandbox, memory integrity, supply-chain.







Identity standards alignment


## Tracking NIST + W3C agent-identity direction.


AiEGIS Identity (Ed25519 cryptographic passport with operator-key trust-root + v1.8 governance-payload signature enforcement) is being built compatibly with the canonical agent-identity standards emerging in 2026.




#### NIST AI Agent Standards Initiative

Announced Feb 2026 ([NIST press release](https://www.nist.gov/news-events/news/2026/02/announcing-ai-agent-standards-initiative-interoperable-and-secure)). Concept paper on agent identity + authorization at [CSRC](https://csrc.nist.gov/pubs/other/2026/02/05/accelerating-the-adoption-of-software-and-ai-agent/ipd). AiEGIS tracks this direction; alignment statement v0.1.



#### W3C DID + VC

Decentralized Identifiers + Verifiable Credentials. Compatible primitives in our roadmap: `did:aiegis` method spec + VC envelope export for shipped passports.









How it works


## 12 layers. One API.




**12-layer defense-in-depth.** Identity, compliance, agent police, model gate, input sanitiser, memory integrity, tool sandbox, data protection, network, behavioural intelligence, confidence scoring, correlation engine.


**Single REST API.** `/api/protect` evaluates, decides, and signs. Designed for real-time verification on customer infrastructure. Self-hosted. No data leaves your perimeter.


**Cryptographically-signed audit trail.** Every decision Ed25519-signed and stored on your infrastructure. Article 26 evidence-ready.


[See the 12-layer stack](/architecture)








Part of the AiEGIS umbrella

AiEGIS is four products under one stack: **Aegis Eye** (endpoint visibility), **Identity** (Ed25519 agent passports), **Governance** (12-layer runtime enforcement), and **Grid** (agent-to-agent marketplace). Same identity, same policy enforcement, same audit trail across all four.


[Aegis Eye](/aegis-eye)
[Identity](/identity)
[Governance](/governance)
[Grid](/grid)






About AiEGIS


## This is one product under the AiEGIS umbrella.


AiEGIS is the universal layer for autonomous AI: cryptographic agent identity, runtime governance across 5 jurisdictional rule packs (EU AI Act, GDPR, NIST AI RMF, Singapore MGAIF, South Africa POPIA), endpoint visibility, and the agent-to-agent marketplace. EU sovereign, built in Ireland, deployed on customer infrastructure.


