Governance
Governance in MeetLoyd is built in, not bolted on. Instead of trusting that agents will behave, you set the rules once and the platform enforces them on every action — automatically, consistently, and with a record.
"Which governance packs apply to a French bank?" or "Turn on GDPR in audit mode for this workspace." Loyd knows the catalogue and can configure it with your approval. Meet Loyd →
Two layers of control
MeetLoyd governs agents at two levels that work together:
- Governance packs — pre-built bundles of rules for a specific regulation or standard. Switch on "GDPR" and the relevant controls apply without you wiring each one.
- Policy cascade — your own org-specific rules (budgets, tool access, approvals, data handling) that flow down a hierarchy and can be tightened anywhere.
Governance packs
MeetLoyd ships 32 regulatory packs covering the major regimes worldwide, so a multinational can run one platform and still meet local rules:
| Region | Examples |
|---|---|
| EU & UK | GDPR, UK GDPR, EU AI Act, NIS2, DORA, ISO 27001, ISO 42001, ISAE 3402, AMF/CIF |
| Americas | HIPAA, SOX, SOC 2, NIST CSF, NIST AI RMF, CCPA, PCI DSS, LGPD, PIPEDA, Quebec Law 25 |
| APAC | MAS TRM, PDPA, PIPL, APPI, Australia Privacy, CPS 234, India DPDPA, Korea PIPA |
| Middle East | UAE PDPL, DIFC, ADGM, Saudi PDPL, Qatar AI |
Each pack bundles concrete controls — data minimization and right-to-erasure for GDPR, four-eyes approval and separation of duties for SOX, PHI access logging for HIPAA, and so on.
Three enforcement modes
Every pack runs in one of three modes, so you can adopt safely:
| Mode | Behaviour | When to use |
|---|---|---|
| Audit | Log violations, change nothing | Start here — learn your baseline without disruption |
| Warn | Alert the right people on a violation | Build awareness before you block |
| Enforce | Block the violating action | Once you trust the rules |
The policy cascade
Your own policies resolve through a five-level hierarchy. The most specific level wins, so you set a sensible default once and override only where you need to:
Policies govern budgets and spend limits, which tools an agent may use, rate limits, data handling, and which actions need human approval. Set "no external email without approval" at the tenant level, then relax it for one trusted team — the rest of the org keeps the stricter rule.
What you get
- Compliance that travels — one platform, every region, no per-country rebuild.
- Safe adoption — audit → warn → enforce means you're never surprised by a hard block.
- Provable enforcement — every governance decision is recorded in the audit trail, which is exactly what regulators and your own risk team want to see.
- No black box — system prompts and policies are visible and editable. There's no hidden behaviour you can't inspect.