Governance as a Service.
What the term means, the four things people use it for, why the AI-agent era finally made it real — and how the version built for agents works.
Governance, following the "-aaS" pattern.
Software became SaaS when you stopped installing it and started subscribing to it. Infrastructure became IaaS when you stopped racking servers. Payments, identity, and communications all made the same move: a hard, specialized capability turned into a service with an API, and everyone stopped building their own.
Governance as a Service applies that pattern to governance itself. Governance is the machinery that keeps an organization's actions inside its policies: the approval flows, the spending thresholds, the compliance checks, the audit trail that proves what happened and why. Historically that machinery was people — committees, review boards, sign-off chains — or brittle internal tooling that had to be rebuilt for every new system that could act.
Delivered as a service, governance becomes something you wire in: actions are declared to the service, evaluated against your rules in real time, and either allowed, held for a human, or blocked — with every verdict written to an immutable, hash-chained audit record. You author the rules; the service enforces them.
One term, four meanings.
"Governance as a Service" gets used in four distinct markets. If you searched the term, you were probably looking for one of these:
AI agent governance as a service
A runtime enforcement layer for autonomous AI agents: every consequential action — send, post, order, pay — is checked against policy before it executes, and every verdict is recorded. This is what GaaS (this site) does, and what this page is about.
Data governance as a service
A managed program for cataloging, classifying, and controlling access to data: quality rules, lineage, stewardship, access policies. It governs what you store and who can see it — not what your software does.
Compliance & GRC as a service
Outsourced governance, risk, and compliance programs — often delivered by MSPs or consultancies: policy libraries, control frameworks, assessments, and audit preparation for standards like SOC 2 or ISO 27001.
Cloud governance as a service
Guardrails for cloud accounts: cost controls, configuration policy, identity and access management across AWS, Azure, or GCP estates. It governs infrastructure settings, not autonomous actors.
The first three govern records and paperwork. When the actor is an autonomous AI agent, governance has to happen at the moment of action — in the execution path, in milliseconds — or it isn't governance, it's archaeology.
Agents made governance a runtime problem.
For decades, governance could afford to be slow, because the actors it governed were people, and people were already slow. A quarterly review board worked fine when the riskiest thing in the building was a purchase order.
AI agents broke that assumption. They act — send the email, place the order, publish the post, move the money — hundreds of times an hour, unattended. The only check most operators have is the prompt the agent was given: a paragraph of instructions the agent is trusted to follow, living inside the very system it's supposed to constrain. Hope is not a control.
That's the gap Governance as a Service closes. Every other consequential actor in the economy — an employee, a contractor, a bank transfer — passes through checks that exist outside the actor. GaaS gives AI agents the same thing: an external gate, fast enough to sit in the execution path, mapped to 12 regulatory frameworks including the EU AI Act, GDPR, HIPAA, PCI DSS, and SOC 2.
The research caught up to the runtime definition.
In August 2025, researchers Suyash Gaurav, Jukka Heikkonen, and Jatin Chaudhary published "Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement" (arXiv:2508.18765) — and independently arrived at the same definition this page opened with. The paper defines GaaS as "a modular, policy-driven enforcement layer that regulates agent outputs at runtime" that doesn't require retraining the model or the agent's cooperation.
That's the academic literature converging on the runtime-enforcement meaning of the term — not the data-governance or GRC meanings covered above. The paper formalizes the framework; GaaS is a production implementation of it, running that same policy-driven, runtime-enforcement pattern on real agent traffic today.
Declare, check, decide — in milliseconds.
The agent declares its intent; the service enriches it with real-world context, evaluates it against your policies and 12 regulatory frameworks, and returns one of three verdicts — in under 100 milliseconds for routine actions:
Lets it through
Clearly fine actions clear in well under a tenth of a second — fast enough that the agent never notices governance happened.
Holds it for a human
Actions that need judgment wait for a yes from the person who owns the risk — on their schedule, with the context in front of them.
Stops it cold
Actions that cross a line never execute. And because the rule lives outside the model, the agent can't argue its way past it.
Every verdict is written to an immutable, hash-chained audit record — a receipt you can show a client, an auditor, or a regulator.
The step-by-step lives at How It Works; the full architecture at Technical Specifications; the audit spec at Trust & Audit.
As-a-service vs. the two ways teams do it now.
| Prompt guardrails | Build it in-house | Governance as a Service | |
|---|---|---|---|
| Where the rules live | Inside the model's context | Custom middleware you maintain | External service, outside the agent |
| Can the agent bypass it? | Yes — instructions can be argued away | Depends on what you built | No — verdicts are enforced, not suggested |
| Token cost per governance cycle | 23,000–65,000 | Varies | 200–500 |
| Audit trail | None | If you built one | Immutable, hash-chained, every decision |
| Regulatory framework coverage | None | Your legal team's problem | 12 frameworks, 60+ policies built in |
| Time to deploy | Minutes (and it shows) | Months | An afternoon, starting in Shadow Mode |
Token figures from The Context Dividend — the white paper on what prompt-based governance actually costs.
Twelve frameworks, named.
"12 regulatory frameworks" is a claim explainers make and rarely back up. Here's the actual list GaaS ships built-in coverage for:
Full control-by-control mapping — what's enforced vs. mapped for each framework — lives at Technical Specifications.
The first week, realistically.
Competing explainers describe governance rollouts in the abstract. Here's what actually happens, in order:
Wire in Shadow Mode
Install the SDK (three lines), declare your first intent, and Shadow Mode starts recording verdicts on real agent actions — enforcing nothing.
Author policy in plain language
Watch what Shadow Mode would have allowed, held, or blocked, and write the rules that match your actual risk tolerance — no policy DSL to learn.
Flip one flag to enforce
When the would-have-blocked list matches your instincts, turning enforcement on is a single flag change — not a migration.
The step-by-step lives at How It Works; start the afternoon at Start Free Shadow Mode.
It costs less than the prompt you're using now.
The plan ladder, and who pays nothing.
Five tiers, all metered on governed actions: Free ($0, 1,000 actions/mo) → Developer ($99/mo, 10,000 actions) → Starter ($500/mo, 50,000 actions, 3 agents) → Growth ($2,500/mo, 500,000 actions, 15 agents) → Enterprise ($10,000+/mo, 5M+ actions, unlimited agents, custom SLAs). Every plan includes deliberation inference — H2Om runs the LLM compute for multi-agent panels, no separate model bill to reconcile.
Nonprofits, NGOs, and veteran-owned businesses qualify for free governance for life — contact sales@gaas.is. Full breakdown at Pricing.
Governance as a Service, answered.
Governance as a Service (GaaS) is the delivery of governance — the rules, checks, approvals, and audit records that keep an organization's actions inside policy — as a subscribable service you plug into, rather than a department you staff or a system you build. Applied to AI agents, it is an external layer that checks every consequential agent action against your rules before it executes, allowing, holding, or blocking it, with an immutable record of every decision.
GaaS stands for Governance as a Service, following the same as-a-service pattern as SaaS (software), IaaS (infrastructure), and PaaS (platform). Instead of building governance in-house — committees, review boards, hand-rolled approval flows — you subscribe to it as a service with an API.
Data governance as a service is a managed program for cataloging, classifying, and controlling access to data. Governance as a Service for AI agents governs actions, not data: it evaluates what an agent is about to do — send, post, order, pay — against policy before it executes. One governs what you store; the other governs what your software does.
Most AI governance platforms are documentation layers: model inventories, risk assessments, compliance questionnaires. Governance as a Service is a runtime enforcement layer: it sits in the execution path and actually allows, holds, or blocks individual agent actions in real time, producing an audit record for each one. Paperwork tells you what your policy is; enforcement is what makes an agent follow it.
Anyone whose AI agents act in the world — send email, publish content, place orders, move money, touch records. Regulated teams get mappings to 12 frameworks including the EU AI Act, GDPR, HIPAA, PCI DSS, and SOC 2; every other operator gets control over what their agents do and a receipt for every decision. Start at GaaS for AI Operators.
No. Routine actions clear the full pipeline in under 100 milliseconds. Only genuinely high-stakes decisions take longer, and only because your policy asked for deliberation or a human approval.
With GaaS you start free in Shadow Mode, no card. There is a free tier, then plans from $99 a month, and under a cent per governed action at scale. It typically costs less than prompt-based governance: guardrails stuffed into prompts burn 23,000 to 65,000 tokens per cycle, while GaaS uses 200 to 500. See pricing.
Yes. Shadow Mode runs the entire governance pipeline on your real agent actions while enforcing nothing — you see exactly what would have been allowed, held, or blocked before you ever turn enforcement on. It's free and takes an afternoon to wire in. Start Shadow Mode.
Yes. arXiv:2508.18765 (Gaurav, Heikkonen, and Chaudhary, August 2025), "Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement," defines GaaS as a modular, policy-driven enforcement layer that regulates agent outputs at runtime — the same runtime-enforcement definition this page uses. GaaS, the product, is a production implementation of that pattern.
Twelve, built in: EU AI Act, GDPR, HIPAA, PCI DSS, SOC 2, NIST 800-53, FedRAMP, CMMC, NIST CSF, NIST AI RMF, FERPA, and COPPA. Full control-by-control mapping is at Technical Specifications.
SaaS (Software as a Service) delivers an application over the internet. GaaS (Governance as a Service) delivers a control layer: it doesn't do the work, it decides whether the work is allowed to happen. A SaaS product replaces software you would have installed; GaaS replaces the review board, the policy binder, and the audit spreadsheet you would have built around your AI agents — as a service that rules on every action in real time.
In AI, GaaS means Governance as a Service: a runtime layer that evaluates each AI agent action against policy before it executes and keeps a signed record of every decision. (Not to be confused with GaAs — gallium arsenide, the semiconductor material — which dominates search results for the bare acronym but has nothing to do with AI governance.)
A GaaS company operates governance infrastructure that other organizations plug their AI agents into — policy evaluation, human escalation, and immutable audit records delivered as a subscription instead of an internal build. GaaS (gaas.is, by H2Om) is the governance-as-a-service company this page belongs to; the category also includes advisory-style AI governance program providers.
See Governance as a Service on your own agents.
Start free in Shadow Mode — the full pipeline runs on your real agent actions, enforcing nothing, so you can watch governance work before you turn it on. No credit card.
Start Free Shadow ModeWant the product tour instead of the term? Read What Is GaaS? · New to the category? What Is AI Agent Governance?