%20copy.png){kind=small}
Mainframes gave us serialisation. Distributed systems gave us consensus. Cloud microservices gave us observability. Each was a coordination invention — not a compute invention. The value was never the raw capability. It was the architecture that made capability trustworthy at scale.
Agentic AI ecosystems are at that same inflection point. The agents exist. The intelligence exists. What does not yet exist — in any platform, from any vendor — is the layer that governs what happens when an agent acts across a boundary. Not within a system. Across one.
Governance is not a compliance checkbox. It is a structural advantage. The organisations that establish a governed AI infrastructure before their first enforcement action — before their first cross-boundary transaction fails, before their first audit reconstruction exercise — will operate in a fundamentally different position from those that discover the gap the hard way.
This is what that position looks like.
A governed decision is made inside your organisation. The counterparty, regulator, or auditor cannot act on it directly. They ask again. Their team reconstructs your reasoning from logs you were never designed to produce. Days pass. Costs accumulate.
The governed decision arrives with its own proof — cryptographically sealed, verifiable by the receiving party on their own infrastructure, without calling back to your systems. The counterparty does not re-review. They verify and act. Time to decision: minutes, not days.
AI-assisted processes that cross institutional boundaries at the speed of the underlying technology — not at the speed of manual reconstruction.
A regulator or auditor requests evidence of how a decision was made. Your team begins reconstruction — pulling logs, tracing tool calls, reassembling reasoning from systems that were never designed to tell this story. The process takes weeks. The result is often incomplete.
The audit trail was created at the moment of decision. Tamper-evident. Exportable. Every agent action, every authorisation event, every confidence score — recorded as it happened, in a form that satisfies ICO, FCA, and EU AI Act requirements. Audit preparation time: hours, not weeks.
Regulatory inspections become a retrieval exercise, not a reconstruction exercise. The evidence already exists. It always has.
Your AI agents operate well within your own systems. At every external boundary — a counterparty system, a regulatory submission, a partner API, a legacy estate from a different technology era — governance breaks down. Each crossing requires manual intervention, a new approval process, a fresh verification. The boundary is where AI stops working at scale.
Every system in your estate — from a 1990s mainframe to a 2024 SaaS API — has its consistency model and failure behaviour documented in a machine-readable registry. Your agents know what each system can and cannot reverse before they act. The boundary is no longer where AI stops. It is where governed AI starts.
AI agents that operate across your full enterprise estate — including the heterogeneous legacy infrastructure that makes up most of it — with the same governance confidence as within a single modern platform.
A single ICO enforcement action under the DUAA can reach 4% of global annual turnover. For a major regulated institution, that is a nine-figure number. The EU AI Act carries equivalent penalties. Neither framework makes allowances for organisations that were planning to address this next quarter.
The organisations that deploy governed AI infrastructure first will also accumulate something their competitors cannot buy: a decision record that compounds. Every governed agent action, every purpose compatibility assessment, every audit trail — these build an institutional compliance asset that takes years to replicate. Early movers do not just avoid the fine. They build a structural lead.
"Most of them are governing the trajectory. None of them are fixing the crossing."
Household names such as ServiceNow, Salesforce, AWS, Microsoft, and Oracle have all invested heavily in agentic AI governance. Agent orchestrators, control towers, identity layers, observability dashboards. The capability is real.
The gap is structural — and it is the same gap in every case. Every vendor governs within its own platform. Nobody governs what happens at the boundary between platforms — when an agent crosses from one institution, one system, one era of technology, to another.
The academic consensus is converging. The April 2026 framework reviewed by Chief Model Risk Officers at eight major financial institutions solves the internal trajectory governance problem with rigour. In doing so, it exposes the crossing problem with equal clarity: governed telemetry supports reconstruction. It does not automatically create external reliance.
LGT.io — The Agentic Governance Layer provides the crossing.
Each connected system's consistency model, failure modes, and rollback capability — machine-readable, consulted at runtime before any action executes.
The confidence threshold required to authorise an action scales with its irreversibility. High-reversibility actions run autonomously. Low-reversibility actions escalate.
A trace explains what happened. A governed artifact gives the next independent system something it can verify and act on directly — without reconstruction.
The LGT.io Agentic Governance Layer is an open specification and commercial implementation that addresses all three missing primitives simultaneously. The specification is published under Apache 2.0 — technology-agnostic and vendor-neutral by design.
The commercial implementation is built on a purpose-built graph database substrate: sub-millisecond query performance at governance decision time, single binary deployment, no cloud dependency, fully sovereign. One file. One process. On your hardware.
The governance layer builds a lineage graph overlay without replacing your existing systems. Data origin, collection purpose, transformation history — all mapped, none moved.
A persistent graph recording every agent decision, tool call, authorisation event, and reasoning step. Sessions are disposable. The graph is durable. The LLM is stateless. The record is not.
Purpose compatibility, reversibility classification, confidence threshold, escalation routing, and circuit-breaker primitives — executed as graph operations before any governed action proceeds. Authority before execution. Not evidence after.
Consistency models, failure modes, and rollback capabilities of every connected system — from ACID mainframe to eventually-consistent SaaS API. Enables the validator mesh to reason about reversibility across era boundaries before acting.
A tamper-evident, cryptographically-sealed, single-file record of every governed decision. Post-quantum secure. Portable across institutional boundaries. Verifiable by the receiving system — without the originating engine, without reconstruction, without a vendor relationship.
The EU AI Act's December 2027 enforcement deadline is the headline. But the UK Data (Use and Access) Act 2025 is already in force. AI agents processing personal data without an auditable, purpose-compatible governance layer are already non-compliant. The deadline moved. The requirement did not.
In force now
UK Data (Use and Access) Act 2025
Requires demonstrable purpose compatibility and auditable decision trails for any system processing personal data. Multi-agent deployments create silent compounding liability under existing law today.
In force now
UK GDPR / Article 22
Automated decision-making producing legal or similarly significant effects requires human oversight and the right to explanation. AI agents without auditable decision trails are already non-compliant.
Active 2026
FCA AI Oversight
The FCA has flagged AI governance as a supervisory priority for 2026–27. Regulated firms must demonstrate that AI-assisted decisions are explainable, fair, and auditable.
Dec 2027 enforcement
EU AI Act
High-risk AI systems in financial services face mandatory technical documentation, human oversight, and conformity assessment. The Digital Omnibus package moved enforcement to December 2027. The governance architecture required is identical regardless of the deadline.
In force
PRA SS1/23
Model risk management principles for banks. Inventory, validation evidence, monitoring plans, and change control requirements remain binding when models become agentic. These obligations do not relax for AI agents.
Jan 2025
DORA (EU)
Digital Operational Resilience Act requires demonstrable auditability for financial entities' ICT systems, including AI components. Organisations with EU operations or EU customers are in scope.
Organisations that deploy the governance layer first will have a compliance asset that compounds over time. Governance decision records, purpose compatibility assessments, and audit trails cannot be replicated quickly by later adopters. The window to establish the standard is open. It will not remain open indefinitely.
Annual licence covering the full five-layer governance stack, deployed on your sovereign infrastructure. No cloud dependency. No vendor relationship at rest. Designed for banks, asset managers, insurers, and regulated enterprises with DUAA and EU AI Act compliance obligations.
Full five-layer governance architecture deployed on-premise
DUAA purpose compatibility assessment at every agent action
Governed artifact production — portable across institutional boundaries
A Model Context Protocol server deployable via MCP marketplaces and hosted on UK sovereign cloud infrastructure. Accessible by any MCP-compatible AI agent framework at runtime. Subscription or usage-based pricing. No enterprise procurement cycle required.
The LGT.io Agentic Governance Layer is an open specification — technology-agnostic in its requirements, with the commercial implementation as the reference substrate. Any organisation can implement the governance layer on their preferred infrastructure. Apache 2.0 explicitly permits this.
The specification defines five layers, maps each to DUAA and EU AI Act compliance requirements, and identifies three open problems — two with candidate technical primitives already provided by the commercial implementation.
The specification has attracted substantive contributions from practitioners across financial services, regulatory technology, and cryptographic infrastructure.
github.com/CJHodgson/Agentic-Governance-Spec
Apache 2.0 licence · Five-layer architecture · DUAA and EU AI Act compliance mappings · Open problems framework · Standards alignment documentation
How does a governed act formed in one domain become readable, verifiable, and actionable by a receiving domain without reconstruction? Candidate technical primitive exists: multi-recipient cryptographic addressability in the governed artifact format.
How does a governance artifact formed today remain verifiable under post-quantum standards in future regulatory proceedings? Addressed by post-quantum cryptographic primitives native to the artifact format.
How is purpose compatibility assessed for a decision resulting from coordination between multiple agents, none of which individually exceeds a compliance threshold? Out of scope for v1.0. A natural roadmap candidate given the mathematical properties of the substrate.
If you are deploying AI agents in a regulated environment and need to understand your DUAA exposure today — we should speak.
If you are an investor with a thesis on regulatory infrastructure or AI governance in financial services — we have a full briefing available.
If you are building on the MCP ecosystem and want early access to the MCP Governance Server — register your interest.
Email: hello@lgt.io