
Governance Packs

Governance Packs provide modular compliance controls that map directly to regulatory requirements. Enable the packs your organization needs, configure them to your policies, and generate audit-ready reports.

Compliance Cockpit Integration

Enterprise customers can monitor governance packs in the Compliance Cockpit, which provides real-time compliance scoring, evidence collection, and audit support for all enabled packs.

Overview

MeetLoyd's governance system has two layers:

  1. Compliance Packs -- 32 pre-configured bundles covering major regulatory frameworks worldwide
  2. Governance Modules -- 25 individual controls that can be enabled, disabled, or configured

When you enable a pack, it automatically enables and configures all required modules. You can then override individual settings as needed.

Pack Categories

Region         Packs
EU             GDPR, EU AI Act, DORA, NIS2
US             HIPAA, SOX, SOC 2, CCPA, NIST CSF, NIST AI RMF
ISO            ISO 27001, ISO 42001
Financial      AMF/CIF, PCI DSS, MAS TRM, ISAE 3402
Americas       PIPEDA, Quebec Law 25, LGPD
Asia-Pacific   PIPL, APPI, PDPA, DPDPA, AU Privacy Act, CPS 234, PIPA
Middle East    UAE PDPL, DIFC DP, ADGM DP, Saudi PDPL, Qatar AI
UK             UK GDPR

Available Packs

GDPR Pack

EU General Data Protection Regulation

Enables: Data Loss Prevention (DLP) with EU-specific patterns, BYOK Memory Architecture for data sovereignty, comprehensive Audit Logs (7-year retention), Data Residency Controls, Breach Notification workflows, and Right to Erasure support.

HIPAA Pack

US Health Insurance Portability and Accountability Act

Enables: DLP with PHI (Protected Health Information) detection, BYOK Memory Architecture, Audit Logs with tamper-evident storage, Enterprise SSO (SAML/OIDC), Encryption at rest and in transit, and Access controls with minimum necessary principle.

EU AI Act Pack

European Union Artificial Intelligence Act

Enables: Kill Switch Hierarchy (human oversight), Chain of Thought Logging (AI transparency), Prompt Versioning with approval workflows, 4-Eyes Principle for sensitive changes, Multi-LLM Verification (accuracy and robustness), and complete reasoning audit trail.

SOX Pack

Sarbanes-Oxley Act

Enables: Chain of Thought Logging (corporate responsibility), Prompt Versioning (internal controls), 4-Eyes Approval workflows, 7-year audit retention, Incident workflows for real-time disclosures, and tamper-evident logging.

DORA Pack

Digital Operational Resilience Act

Enables: Kill Switch for incident response, DLP and Multi-LLM Verification, BYOK for third-party risk management, Anomaly Detection, Incident workflows with regulatory reporting, and Budget controls for ICT risk management.

ISO 27001 Pack

Information Security Management System

Enables: Kill Switch (incident management), Chain of Thought Logging, Prompt Versioning (change management), RBAC with minimum privilege enforcement, Anomaly Detection, and Data Classification.

NIS2 Pack

Network and Information Security Directive 2

Enables: Kill Switch (cybersecurity risk management), comprehensive Audit Logs, SIEM Integration, Anomaly Detection, Incident workflows with authority notification, and breach notification (24/72 hour requirements).

ISO 42001 Pack

AI Management System (ISO/IEC 42001:2023)

The world's first international standard specifically for AI management systems. Essential for organizations developing or deploying agentic AI.

Enables: Kill Switch Hierarchy (human oversight - 6.1.4), Chain of Thought Logging (AI explainability - 8.4), Prompt Versioning (AI lifecycle management - 8.2), 4-Eyes Principle (human oversight for high-risk decisions), Multi-LLM Verification (AI performance evaluation - 9.2), Anomaly Detection (drift monitoring, bias detection - 9.1), Approval Workflows (risk management - 6.1), Incident Workflows (corrective action - 10.2), Data Classification (data quality for AI - 7.4), and RBAC (roles and responsibilities - 5.3).

AI-Specific Features: Model drift detection and alerts, AI decision audit trail with hash chain, root cause analysis for AI incidents, autonomy boundary change approvals, and 3-year retention for AI audit logs.

AMF/CIF Pack

French Wealth Management Compliance

For French CGP, CIF, and MFO firms. Enables: comprehensive Audit Logs (conseil duty traceability), DLP (client data protection), RBAC (access controls), Retention Policy (5-10 year legal retention), Data Classification, 4-Eyes Principle (material recommendation approval), and Approval Workflows (KYC/AML workflows).

Specific Thresholds:

Threshold                           Amount
Material recommendation             EUR 10,000
AML vigilance (Art. L561-15 CMF)    EUR 10,000
Tracfin declaration                 EUR 50,000
KYC renewal                         Annual

Governance Modules

Each pack is composed of individual modules (25 total) that can be configured independently.

Safety Modules

  • Kill Switch Hierarchy -- Emergency shutdown at agent, team, or tenant level with cascade controls. Configure cascade behavior, notification channels, and auto-restart rules.
  • Chain of Thought Logging -- Captures complete AI reasoning with cryptographic verification. Configure full reasoning capture vs. summary only, hash chain for tamper detection, retention period, and SIEM streaming.
  • Multi-LLM Verification -- 4-tier AI verification system for hallucination prevention. Configure which tiers are active, human review threshold, verification model selection, and confidence requirements.
  • Anomaly Detection -- Behavioral pattern monitoring for fraud prevention. Configure baseline period, alert threshold (standard deviations), pattern types to monitor, and response actions.
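The hash chain that Chain of Thought Logging and the ISO 42001 pack's AI decision audit trail rely on works as below. This is an added illustration, not MeetLoyd's own code: each record's hash covers its own content and the previous record's hash, so an edited, deleted or reordered record is detected at verification time. Record fields and sample entries are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # stand-in for "no previous record" on the first entry

def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the same record always hashes the same way
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

@dataclass
class AuditChain:
    entries: List[dict] = field(default_factory=list)

    def append(self, actor: str, action: str, detail: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "detail": detail, "prev_hash": prev}
        entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        # Returns None when the chain is intact, else the seq of the first bad record
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry.get("seq") != i or entry.get("prev_hash") != prev:
                return i  # record removed, reordered or inserted
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return i  # record contents edited after the fact
            prev = entry["hash"]
        return None

def demo() -> dict:
    # Constructed sample records, then two tampering attempts against the stored log
    chain = AuditChain()
    chain.append("agent-7", "prompt.promote", {"prompt_id": "p-12", "version": 3})
    chain.append("alice", "approval.grant", {"prompt_id": "p-12", "version": 3})
    chain.append("agent-7", "decision", {"confidence": 0.91, "tier": 2})
    intact = chain.verify()
    chain.entries[2]["detail"]["confidence"] = 0.99   # edit a decision in place
    edited = chain.verify()
    chain.entries[2]["detail"]["confidence"] = 0.91   # restore before next test
    del chain.entries[1]                              # drop the approval record
    deleted = chain.verify()
    return {"intact": intact, "edited": edited, "deleted": deleted}
```

The chain only proves consistency with its own head: whoever can rewrite the whole store can recompute every hash, which is why the latest hash should be streamed to the SIEM or otherwise stored outside the writer's control.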

Security Modules

  • Data Loss Prevention (DLP) -- Pattern detection and automatic handling of sensitive data. Configure detection patterns (SSN, credit cards, PHI, custom), action on detection (alert, redact, block), severity thresholds, and notification rules.
  • Encryption -- Envelope encryption (AES-256-GCM) for data at rest with KMS provider support.
  • BYOK Memory Architecture -- Customer-controlled data storage with pointer separation. Configure storage provider, encryption key management, data residency region, and hash verification.
  • Data Residency -- Controls where business data is stored geographically.
  • Third-Party Risk Gate -- Assess and gate third-party integrations before activation.

Compliance Modules

  • Prompt Versioning -- Git-like version control for AI prompts with approval workflows. Configure approval requirements by role, staging environment support, rollback policies, and diff notifications.
  • 4-Eyes Principle -- Dual authorization for sensitive changes. A different user must approve prompt promotions and agent configuration changes.
  • Retention Policy -- Configurable data retention periods per regulation (e.g., 5-10 years for AMF/CIF, 7 years for SOX).
  • Data Classification -- Classify and label data by sensitivity level.
  • Breach Notification -- Automated breach notification workflows (24/72 hour requirements for NIS2, 72 hours for GDPR).
  • Consent Management -- Track and manage data subject consent.
  • DSAR (Data Subject Access Requests) -- Handle right-of-access and right-to-erasure requests.
  • Automated Decision Opt-Out -- Allow data subjects to opt out of automated decision-making.
  • Budget Controls -- Spending limits at tenant, app, team, or agent level.
  • DR Testing -- Disaster recovery testing and documentation.

Audit Modules

  • Audit Logs -- Comprehensive logging of all platform actions. Configure retention period (30 days to unlimited), log detail level, SIEM streaming target, and export format.
  • SIEM Integration -- Real-time log streaming to security platforms. Configure target endpoint (Splunk, Datadog, etc.), event filtering, format (CEF, JSON, LEEF), and batching settings.
  • Incident Workflow -- Incident tracking, regulatory reporting, and resolution workflows.
  • Approval Workflows -- Configurable human-in-the-loop approval for sensitive operations.

Access Modules

  • RBAC -- Role-based access control with minimum privilege enforcement.
  • SSO -- Enterprise Single Sign-On (SAML/OIDC) enforcement.

Enforcement Modes

Mode      Behavior
Audit     Log violations but don't block actions
Warn      Show warnings to users, log violations
Enforce   Block non-compliant actions

New modules start in Audit mode with a configurable grace period before enforcement begins.
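How the DLP module's configured action (alert, redact, block) interacts with the three enforcement modes and the grace period, as an added example that is not MeetLoyd's code: the detector runs identically in every mode, and only the resulting action changes. The patterns, the Luhn check for card numbers, the sample text and the date handling are all constructed for this illustration.

```python
import re
from datetime import date, timedelta

# Detection patterns (constructed for this example; real deployments add custom ones)
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    # Luhn checksum: drops digit runs (order numbers, ids) that are not card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def detect(text: str) -> list:
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                continue
            hits.append({"type": name, "span": m.span()})
    return hits

def effective_mode(mode: str, enabled_on: date, grace_days: int, today: date) -> str:
    # Enforce only takes effect after the grace period; until then the module audits
    if mode == "enforce" and today < enabled_on + timedelta(days=grace_days):
        return "audit"
    return mode

def apply_policy(text: str, mode: str, on_detect: str,
                 enabled_on: date, grace_days: int, today: date) -> dict:
    # on_detect is the module's configured action on detection: alert, redact or block
    hits = detect(text)
    eff = effective_mode(mode, enabled_on, grace_days, today)
    if not hits:
        return {"action": "allow", "mode": eff, "hits": hits, "text": text}
    if eff in ("audit", "warn"):  # log (and in Warn, show a warning); never block
        return {"action": "log" if eff == "audit" else "warn", "mode": eff, "hits": hits, "text": text}
    if on_detect == "block":      # Enforce: the configured action is actually applied
        return {"action": "block", "mode": eff, "hits": hits, "text": None}
    if on_detect == "redact":
        for h in sorted(hits, key=lambda h: h["span"][0], reverse=True):
            s, e = h["span"]
            text = text[:s] + f"[{h['type'].upper()} REDACTED]" + text[e:]
        return {"action": "redact", "mode": eff, "hits": hits, "text": text}
    return {"action": "alert", "mode": eff, "hits": hits, "text": text}
```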

Availability

Plan         Included Packs
Starter      --
Growth       1 pack included, additional packs available
Enterprise   All packs included

Best Practices

  1. Start with Audit mode -- Understand your baseline before enforcing
  2. Enable packs incrementally -- Add one pack at a time
  3. Review violations weekly -- Address issues before they accumulate
  4. Use custom patterns -- Add industry-specific sensitive data patterns
  5. Generate monthly reports -- Keep compliance documentation current