Governance Packs
Governance Packs provide modular compliance controls that map directly to regulatory requirements. Enable the packs your organization needs, configure them to your policies, and generate audit-ready reports.
Enterprise customers can monitor governance packs in the Compliance Cockpit, which provides real-time compliance scoring, evidence collection, and audit support for all enabled packs.
Overview
MeetLoyd's governance system has two layers:
- Compliance Packs -- 32 pre-configured bundles covering major regulatory frameworks worldwide
- Governance Modules -- 25 individual controls that can be enabled, disabled, or configured
When you enable a pack, it automatically enables and configures all required modules. You can then override individual settings as needed.
Pack Categories
| Region | Packs |
|---|---|
| EU | GDPR, EU AI Act, DORA, NIS2 |
| US | HIPAA, SOX, SOC 2, CCPA, NIST CSF, NIST AI RMF |
| ISO | ISO 27001, ISO 42001 |
| Financial | AMF/CIF, PCI DSS, MAS TRM, ISAE 3402 |
| Americas | PIPEDA, Quebec Law 25, LGPD |
| Asia-Pacific | PIPL, APPI, PDPA, DPDPA, AU Privacy Act, CPS 234, PIPA |
| Middle East | UAE PDPL, DIFC DP, ADGM DP, Saudi PDPL, Qatar AI |
| UK | UK GDPR |
Available Packs
GDPR Pack
EU General Data Protection Regulation
Enables: Data Loss Prevention (DLP) with EU-specific patterns, BYOK Memory Architecture for data sovereignty, comprehensive Audit Logs (7-year retention), Data Residency Controls, Breach Notification workflows, and Right to Erasure support.
HIPAA Pack
US Health Insurance Portability and Accountability Act
Enables: DLP with PHI (Protected Health Information) detection, BYOK Memory Architecture, Audit Logs with tamper-evident storage, Enterprise SSO (SAML/OIDC), Encryption at rest and in transit, and Access controls with minimum necessary principle.
EU AI Act Pack
European Union Artificial Intelligence Act
Enables: Kill Switch Hierarchy (human oversight), Chain of Thought Logging (AI transparency), Prompt Versioning with approval workflows, 4-Eyes Principle for sensitive changes, Multi-LLM Verification (accuracy and robustness), and complete reasoning audit trail.
SOX Pack
Sarbanes-Oxley Act
Enables: Chain of Thought Logging (corporate responsibility), Prompt Versioning (internal controls), 4-Eyes Approval workflows, 7-year audit retention, Incident workflows for real-time disclosures, and tamper-evident logging.
DORA Pack
Digital Operational Resilience Act
Enables: Kill Switch for incident response, DLP and Multi-LLM Verification, BYOK for third-party risk management, Anomaly Detection, Incident workflows with regulatory reporting, and Budget controls for ICT risk management.
ISO 27001 Pack
Information Security Management System
Enables: Kill Switch (incident management), Chain of Thought Logging, Prompt Versioning (change management), RBAC with least-privilege enforcement, Anomaly Detection, and Data Classification.
NIS2 Pack
Network and Information Security Directive 2
Enables: Kill Switch (cybersecurity risk management), comprehensive Audit Logs, SIEM Integration, Anomaly Detection, Incident workflows with authority notification, and incident notification on the NIS2 timeline (24-hour early warning, 72-hour incident notification).
ISO 42001 Pack
AI Management System (ISO/IEC 42001:2023)
The world's first international standard specifically for AI management systems. Essential for organizations developing or deploying agentic AI.
Enables: Kill Switch Hierarchy (human oversight - 6.1.4), Chain of Thought Logging (AI explainability - 8.4), Prompt Versioning (AI lifecycle management - 8.2), 4-Eyes Principle (human oversight for high-risk decisions), Multi-LLM Verification (AI performance evaluation - 9.2), Anomaly Detection (drift monitoring, bias detection - 9.1), Approval Workflows (risk management - 6.1), Incident Workflows (corrective action - 10.2), Data Classification (data quality for AI - 7.4), and RBAC (roles and responsibilities - 5.3).
AI-Specific Features: Model drift detection and alerts, AI decision audit trail with hash chain, root cause analysis for AI incidents, autonomy boundary change approvals, and 3-year retention for AI audit logs.
AMF/CIF Pack
French Wealth Management Compliance
For French CGP, CIF, and MFO firms. Enables: comprehensive Audit Logs (conseil duty traceability), DLP (client data protection), RBAC (access controls), Retention Policy (5-10 year legal retention), Data Classification, 4-Eyes Principle (material recommendation approval), and Approval Workflows (KYC/AML workflows).
Specific Thresholds:
| Threshold | Amount |
|---|---|
| Material recommendation | EUR 10,000 |
| AML vigilance (Art. L561-15 CMF) | EUR 10,000 |
| Tracfin declaration | EUR 50,000 |
| KYC renewal | Annual |
Governance Modules
Each pack is composed of individual modules (25 total) that can be configured independently.
Safety Modules
- Kill Switch Hierarchy -- Emergency shutdown at agent, team, or tenant level with cascade controls. Configure cascade behavior, notification channels, and auto-restart rules.
- Chain of Thought Logging -- Captures complete AI reasoning with cryptographic verification. Configure full reasoning capture vs. summary only, hash chain for tamper detection, retention period, and SIEM streaming.
- Multi-LLM Verification -- 4-tier AI verification system that cross-checks model output against other models to detect hallucinations before they are acted on. Configure which tiers are active, human review threshold, verification model selection, and confidence requirements.
- Anomaly Detection -- Behavioral pattern monitoring for fraud prevention. Configure baseline period, alert threshold (standard deviations), pattern types to monitor, and response actions.
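The hash chain mentioned under Chain of Thought Logging is what turns a log into tamper-evident evidence. The following is an added illustration, not MeetLoyd's code: each record commits to the previous record's hash, so editing, deleting or reordering any entry breaks verification. Record and function names are assumptions. It also shows the caveat a reviewer will raise: an internally consistent chain says nothing about records silently dropped from the end, which is why the head hash has to be anchored out-of-band (for example by streaming it to the SIEM).

```python
"""Hash-chained reasoning/audit log with tamper detection (added example, assumed names)."""
from __future__ import annotations

import copy
import hashlib
import json
from typing import Optional, Tuple

GENESIS_HASH = "0" * 64  # the first record links to this fixed value


def record_hash(prev_hash: str, seq: int, payload: dict) -> str:
    """Commit to the previous hash, the position in the chain and a canonical JSON payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode("utf-8")).hexdigest()


def append(chain: list[dict], payload: dict) -> dict:
    """Append a record linked to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    seq = len(chain)
    record = {"seq": seq, "prev_hash": prev_hash, "payload": payload,
              "hash": record_hash(prev_hash, seq, payload)}
    chain.append(record)
    return record


def verify(chain: list[dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, seq of the first bad record)."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, i
        if record_hash(expected_prev, i, rec["payload"]) != rec["hash"]:
            return False, i
        expected_prev = rec["hash"]
    return True, None


def head(chain: list[dict]) -> str:
    return chain[-1]["hash"] if chain else GENESIS_HASH


def verify_against_anchor(chain: list[dict], anchored_head: str) -> bool:
    """Internal consistency plus a head hash recorded out-of-band (e.g. shipped to the SIEM).
    Without the anchor, dropping the newest records leaves a chain that still verifies."""
    ok, _ = verify(chain)
    return ok and head(chain) == anchored_head


def demo() -> dict:
    # Constructed sample reasoning records, not real platform data.
    chain: list[dict] = []
    append(chain, {"agent": "invoice-bot", "step": "plan", "text": "Look up vendor in ERP"})
    append(chain, {"agent": "invoice-bot", "step": "tool_call", "tool": "erp.lookup",
                   "args": {"vendor": "ACME"}})
    append(chain, {"agent": "invoice-bot", "step": "decision", "text": "Approve payment of EUR 4,200"})
    anchored = head(chain)  # what would have been streamed out-of-band at write time

    # 1. Edit a past decision in place: record 2's hash no longer matches its content.
    edited = copy.deepcopy(chain)
    edited[2]["payload"]["text"] = "Approve payment of EUR 42,000"
    # 2. Delete a middle record: the record now at index 1 carries seq 2 and the wrong prev_hash.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    # 3. Truncate the tail: internally consistent, only the external anchor catches it.
    truncated = copy.deepcopy(chain)[:-1]

    return {
        "intact": verify(chain),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_internal": verify(truncated),
        "truncated_anchor": verify_against_anchor(truncated, anchored),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The retention period and SIEM streaming options listed for the module matter here: verification is only as strong as the copy of the head hash that an attacker with write access to the log store cannot also alter.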
Security Modules
- Data Loss Prevention (DLP) -- Pattern detection and automatic handling of sensitive data. Configure detection patterns (SSN, credit cards, PHI, custom), action on detection (alert, redact, block), severity thresholds, and notification rules.
- Encryption -- Envelope encryption (AES-256-GCM) for data at rest with KMS provider support.
- BYOK Memory Architecture -- Customer-controlled data storage with pointer separation. Configure storage provider, encryption key management, data residency region, and hash verification.
- Data Residency -- Controls where business data is stored geographically.
- Third-Party Risk Gate -- Assess and gate third-party integrations before activation.
Compliance Modules
- Prompt Versioning -- Git-like version control for AI prompts with approval workflows. Configure approval requirements by role, staging environment support, rollback policies, and diff notifications.
- 4-Eyes Principle -- Dual authorization for sensitive changes. A different user must approve prompt promotions and agent configuration changes.
- Retention Policy -- Configurable data retention periods per regulation (e.g., 5-10 years for AMF/CIF, 7 years for SOX).
- Data Classification -- Classify and label data by sensitivity level.
- Breach Notification -- Automated breach notification workflows with regulatory deadlines (NIS2: 24-hour early warning and 72-hour incident notification to the competent authority or CSIRT; GDPR: 72 hours to the supervisory authority).
- Consent Management -- Track and manage data subject consent.
- DSAR (Data Subject Access Requests) -- Handle right-of-access and right-to-erasure requests.
- Automated Decision Opt-Out -- Allow data subjects to opt out of automated decision-making.
- Budget Controls -- Spending limits at tenant, app, team, or agent level.
- DR Testing -- Disaster recovery testing and documentation.
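The 4-Eyes Principle and Prompt Versioning entries above describe a promotion gate: a different, authorised user must approve a prompt change before it goes live. The following is an added illustration, not MeetLoyd's code, with assumed names (PromptVersion, Approval, check_promotion, the prompt_approver role). Beyond "approver is not the author", it binds the approval to a hash of the reviewed content, so a version that is edited after approval but keeps its version label is rejected.

```python
"""4-Eyes check for prompt promotion (added example, assumed names)."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PromptVersion:
    version: str
    text: str
    author: str

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Approval:
    version: str
    digest: str     # hash of the content the approver actually reviewed
    approver: str


class FourEyesViolation(Exception):
    pass


def check_promotion(pv: PromptVersion, approval: Approval,
                    roles: dict[str, set[str]], required_role: str = "prompt_approver") -> str:
    """Return the digest that may be promoted to production, or raise FourEyesViolation."""
    if approval.approver == pv.author:
        raise FourEyesViolation("author cannot approve their own change")
    if required_role not in roles.get(approval.approver, set()):
        raise FourEyesViolation(f"{approval.approver} lacks role {required_role}")
    if approval.version != pv.version:
        raise FourEyesViolation("approval is for a different version")
    if approval.digest != pv.digest:
        # Approving v2 and then editing v2 before promotion must not pass.
        raise FourEyesViolation("content changed after approval")
    return pv.digest


def outcome(pv: PromptVersion, approval: Approval, roles: dict[str, set[str]]) -> str:
    """Collapse the result to a label so the scenarios below are easy to compare."""
    try:
        check_promotion(pv, approval, roles)
        return "promoted"
    except FourEyesViolation as e:
        return f"rejected: {e}"


# Constructed scenario data: alice and carol author prompts, only bob may approve.
ROLES = {"alice": {"prompt_author"}, "bob": {"prompt_approver"}, "carol": {"prompt_author"}}
V2 = PromptVersion("v2", "You are a billing assistant. Never disclose card numbers.", "alice")
V2_EDITED = PromptVersion("v2", "You are a billing assistant.", "alice")  # same label, changed text


def scenarios() -> dict[str, str]:
    good = Approval("v2", V2.digest, "bob")
    return {
        "self_approval": outcome(V2, Approval("v2", V2.digest, "alice"), ROLES),
        "unauthorised_approver": outcome(V2, Approval("v2", V2.digest, "carol"), ROLES),
        "approved_then_edited": outcome(V2_EDITED, good, ROLES),
        "proper_approval": outcome(V2, good, ROLES),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Binding the approval to the content digest rather than to the version label is the part most home-grown approval flows miss; without it, the staging and rollback features listed above can be used to slip an unreviewed prompt past the second pair of eyes.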
Audit Modules
- Audit Logs -- Comprehensive logging of all platform actions. Configure retention period (30 days to unlimited), log detail level, SIEM streaming target, and export format.
- SIEM Integration -- Real-time log streaming to security platforms. Configure target endpoint (Splunk, Datadog, etc.), event filtering, format (CEF, JSON, LEEF), and batching settings.
- Incident Workflow -- Incident tracking, regulatory reporting, and resolution workflows.
- Approval Workflows -- Configurable human-in-the-loop approval for sensitive operations.
Access Modules
- RBAC -- Role-based access control with least-privilege enforcement.
- SSO -- Enterprise Single Sign-On (SAML/OIDC) enforcement.
Enforcement Modes
| Mode | Behavior |
|---|---|
| Audit | Log violations but don't block actions |
| Warn | Show warnings to users, log violations |
| Enforce | Block non-compliant actions |
New modules start in Audit mode with a configurable grace period before enforcement begins.
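To make the three modes and the grace period concrete, here is an added example that runs the DLP module's pattern detection (see Security Modules above) through each mode. It is not MeetLoyd's implementation; the names (scan, ModuleConfig, apply_policy), the 14-day default grace period and the sample message are assumptions. Card-number hits are confirmed with a Luhn check so that order references and IDs that merely look like PANs do not trigger redaction.

```python
"""DLP pattern scan plus Audit / Warn / Enforce handling with a grace period
(added example, assumed names and defaults)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# SSN: excludes area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    pattern: str
    start: int
    end: int


def scan(text: str, custom: Optional[dict[str, re.Pattern]] = None) -> list[Finding]:
    """Run built-in and custom detectors; drop overlapping hits so redaction offsets stay valid."""
    hits = [Finding("SSN", *m.span()) for m in SSN_RE.finditer(text)]
    hits += [Finding("CARD", *m.span()) for m in CARD_RE.finditer(text)
             if luhn_ok(re.sub(r"\D", "", m.group()))]
    for name, rx in (custom or {}).items():
        hits += [Finding(name, *m.span()) for m in rx.finditer(text)]
    hits.sort(key=lambda f: (f.start, -(f.end - f.start)))  # earliest, then longest
    kept: list[Finding] = []
    for f in hits:
        if not kept or f.start >= kept[-1].end:
            kept.append(f)
    return kept


@dataclass
class ModuleConfig:
    mode: str                       # configured mode: "audit", "warn" or "enforce"
    enabled_on: date
    grace_days: int = 14            # assumed default; the real value is configurable
    enforce_action: str = "redact"  # what Enforce does on a hit: "redact" or "block"

    def effective_mode(self, today: date) -> str:
        """A newly enabled module runs in audit mode until the grace period has elapsed."""
        if (today - self.enabled_on).days < self.grace_days:
            return "audit"
        return self.mode


@dataclass
class Decision:
    mode: str
    allowed: bool
    output: Optional[str]
    violations: list[str]   # written to the audit log in every mode
    warnings: list[str]     # shown to the user in warn mode only


def apply_policy(text: str, cfg: ModuleConfig, today: date,
                 custom: Optional[dict[str, re.Pattern]] = None) -> Decision:
    findings = scan(text, custom)
    mode = cfg.effective_mode(today)
    violations = [f.pattern for f in findings]
    if not findings or mode == "audit":
        return Decision(mode, True, text, violations, [])
    if mode == "warn":
        return Decision(mode, True, text, violations,
                        [f"{f.pattern} detected at offset {f.start}" for f in findings])
    if cfg.enforce_action == "block":
        return Decision(mode, False, None, violations, [])
    redacted = text
    for f in reversed(findings):  # right to left so earlier offsets remain valid
        redacted = redacted[:f.start] + f"[{f.pattern} REDACTED]" + redacted[f.end:]
    return Decision(mode, True, redacted, violations, [])


# Constructed sample: a test PAN (4111 1111 1111 1111) and an order ref that fails Luhn.
SAMPLE = ("Customer SSN 123-45-6789 paid with card 4111 1111 1111 1111; "
          "order ref 4111111111111112.")
ENABLED_ON, IN_GRACE, AFTER_GRACE = date(2025, 1, 1), date(2025, 1, 5), date(2025, 2, 1)
CUSTOM = {"EMPLOYEE_ID": re.compile(r"\bEMP-\d{6}\b")}  # example industry-specific pattern

if __name__ == "__main__":
    cfg = ModuleConfig(mode="enforce", enabled_on=ENABLED_ON)
    print(apply_policy(SAMPLE, cfg, IN_GRACE))     # grace period: logged, not blocked
    print(apply_policy(SAMPLE, cfg, AFTER_GRACE))  # enforce: SSN and PAN redacted
```

Note that violations are recorded in every mode, including during the grace period; that is what makes the "start with Audit mode" advice below actionable, since the baseline is visible before anything is blocked.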
Availability
| Plan | Included Packs |
|---|---|
| Starter | None |
| Growth | 1 pack included, additional packs available |
| Enterprise | All packs included |
Best Practices
- Start with Audit mode -- Understand your baseline before enforcing
- Enable packs incrementally -- Add one pack at a time
- Review violations weekly -- Address issues before they accumulate
- Use custom patterns -- Add industry-specific sensitive data patterns
- Generate monthly reports -- Keep compliance documentation current