Governance Pack
Modular AI Compliance
Plug-and-play compliance modules for AI agents. Pick the regulations you need to comply with, activate the corresponding pack, and enforcement happens automatically -- from audit-only to full block.
What is a Governance Pack?
A Governance Pack is a pre-configured bundle of compliance controls for a specific regulation. Instead of manually configuring DLP rules, audit logging levels, approval workflows, and kill switches for each compliance requirement, you activate a pack and the platform does it for you.
Think of it like a car's safety package: you don't configure each airbag individually. You select "safety package" and the manufacturer installs the right combination of airbags, sensors, and alerts for your market's regulations.
The 9 packs
Pack activation flow
The six modules
Kill Switch
Immediately halt all agent activity for a tenant, team, or individual agent. Required by DORA (Article 11) and ISO 27001 (Annex A.12). One click, all agents stop. No graceful shutdown -- immediate termination of all running tasks.
DLP (Data Loss Prevention)
Prevents sensitive data from leaking through AI agents. Detects and redacts PII (names, SSNs, credit cards), PHI (medical records, diagnoses), and custom patterns before they reach the LLM. Required by GDPR, HIPAA, and SOX.
Chain-of-Thought Logging
Records the full reasoning chain of every AI decision -- not just the input and output, but the intermediate steps. Required by EU AI Act (Article 14) for high-risk AI systems. Enables post-hoc auditability of AI decisions.
Four-Eyes Review
Requires human approval before agents execute high-risk actions. Two humans must approve (hence "four eyes") for the most critical operations. Required by SOX (Section 404) and DORA for financial operations.
Multi-LLM Verification
Cross-checks agent outputs using a second LLM from a different provider. If Claude produces an answer, GPT-4o verifies it. Disagreements are flagged for human review. Reduces single-point-of-failure risk in regulated decisions.
Audit Logging
SOX-grade audit trails with hash chains for tamper evidence. Every action, every decision, every tool call -- logged with actor identity, timestamp, and cryptographic integrity proof. Optional separate audit database for compliance isolation.
Enforcement modes
Packs support three enforcement modes, enabling gradual rollout:
How MeetLoyd implements Governance Packs
All 9 packs are production-ready on MeetLoyd:
- Compliance Cockpit -- Dashboard UI showing pack status, active modules, recent violations, and enforcement mode per pack. Enterprise tier.
- Cascading policy -- Pack settings cascade from Platform Default --> Tenant --> Workspace --> Team --> Agent. Most specific wins. Undefined inherits from parent.
- LLM Gateway integration -- Packs configure the LLM Gateway automatically. HIPAA activates stricter PII thresholds. GDPR enables data minimization. SOX enforces four-eyes on financial operations.
- Stackable -- A healthcare fintech can activate both HIPAA and SOX simultaneously. Module configurations merge intelligently -- the stricter setting wins on conflicts.
- Separate audit DB -- Optional dedicated PostgreSQL instance for audit logs. Compliance team gets read access without touching production data.
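The cascading policy and the stricter-wins merge for stacked packs, as an added Python sketch that is not MeetLoyd's code: the pack contents, key names, the numeric-threshold ordering and the "block" mode name are assumptions.

```python
# Scope levels from least to most specific, as MeetLoyd's cascade describes them.
SCOPES = ["platform", "tenant", "workspace", "team", "agent"]

# Enforcement modes ranked from least to most strict. "audit" and "enforce"
# are named on the page; "block" is an assumed name for the full-block mode.
MODE_RANK = {"audit": 0, "enforce": 1, "block": 2}


def stricter(a, b):
    """Pick the stricter of two settings for the same module key (assumed
    conventions: enabled beats disabled, a higher enforcement mode beats a
    lower one, and a lower numeric detection threshold is stricter)."""
    if isinstance(a, bool) and isinstance(b, bool):
        return a or b
    if a in MODE_RANK and b in MODE_RANK:
        return a if MODE_RANK[a] >= MODE_RANK[b] else b
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        return min(a, b)
    raise ValueError(f"no strictness order for {a!r} vs {b!r}")


def stack_packs(*packs):
    """Merge stacked packs: a key set by several packs resolves to the stricter value."""
    merged = {}
    for pack in packs:
        for key, value in pack.items():
            merged[key] = stricter(merged[key], value) if key in merged else value
    return merged


def resolve(settings_by_scope, target="agent"):
    """Cascade Platform Default -> Tenant -> Workspace -> Team -> Agent: the most
    specific level that defines a key wins; undefined keys inherit from the parent."""
    effective = {}
    for scope in SCOPES[: SCOPES.index(target) + 1]:
        effective.update(settings_by_scope.get(scope, {}))
    return effective


# Constructed pack contents for illustration, not MeetLoyd's real pack definitions.
HIPAA = {"dlp": True, "pii_threshold": 0.5, "mode": "enforce"}
SOX = {"audit_logging": True, "four_eyes": True, "mode": "audit"}

# A healthcare fintech stacks both packs as its platform default; one tenant
# rolls the stack out in audit mode first, and one of its teams opts out of four-eyes.
CASCADE = {
    "platform": stack_packs(HIPAA, SOX),
    "tenant": {"mode": "audit"},
    "team": {"four_eyes": False},
}
```

Note the two rules differ on purpose: stacking two packs can only tighten a setting, while a more specific scope in the cascade may loosen one, so reviewing agent-level overrides is where a compliance team should look for gaps.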
Why modular?
Monolithic compliance is the enemy of adoption. If you have to implement everything to comply with anything, nobody implements anything. Governance Packs are modular because:
- Start small -- Activate SOX audit logging in audit mode. See what gets flagged. Tighten to enforce mode when ready.
- Mix and match -- A European bank needs GDPR + DORA + NIS2. A US hospital needs HIPAA. A French wealth manager needs AMF/CIF + GDPR. Each gets exactly what they need.
- No bloat -- A startup that doesn't need HIPAA doesn't pay the performance cost of PHI detection on every LLM call.