The Term

Governance as a Service.

What the term means, the four things people use it for, why the AI-agent era finally made it real — and how the version built for agents works.

Governance as a Service (GaaS) is the delivery of governance — the rules, checks, approvals, and audit records that keep an organization's actions inside policy — as a subscribable service you plug into, rather than a department you staff or a system you build. In the AI-agent era, it means an external layer that checks every consequential agent action against your rules before it executes — allowing, holding, or blocking it, with an immutable record of every decision.

Governance, following the "-aaS" pattern.

Software became SaaS when you stopped installing it and started subscribing to it. Infrastructure became IaaS when you stopped racking servers. Payments, identity, and communications all made the same move: a hard, specialized capability turned into a service with an API, and everyone stopped building their own.

Governance as a Service applies that pattern to governance itself. Governance is the machinery that keeps an organization's actions inside its policies: the approval flows, the spending thresholds, the compliance checks, the audit trail that proves what happened and why. Historically that machinery was people — committees, review boards, sign-off chains — or brittle internal tooling that had to be rebuilt for every new system that could act.

Delivered as a service, governance becomes something you wire in: actions are declared to the service, evaluated against your rules in real time, and either allowed, held for a human, or blocked — with every verdict written to an immutable, hash-chained audit record. You author the rules; the service enforces them.

One term, four meanings.

"Governance as a Service" gets used in four distinct markets. If you searched the term, you were probably looking for one of these:

This site

AI agent governance as a service

A runtime enforcement layer for autonomous AI agents: every consequential action — send, post, order, pay — is checked against policy before it executes, and every verdict is recorded. This is what GaaS (this site) does, and what this page is about.

What is AI agent governance? →

Adjacent

Data governance as a service

A managed program for cataloging, classifying, and controlling access to data: quality rules, lineage, stewardship, access policies. It governs what you store and who can see it — not what your software does.

Adjacent

Compliance & GRC as a service

Outsourced governance, risk, and compliance programs — often delivered by MSPs or consultancies: policy libraries, control frameworks, assessments, and audit preparation for standards like SOC 2 or ISO 27001.

Adjacent

Cloud governance as a service

Guardrails for cloud accounts: cost controls, configuration policy, identity and access management across AWS, Azure, or GCP estates. It governs infrastructure settings, not autonomous actors.

Why the distinction matters

The first three govern records and paperwork. When the actor is an autonomous AI agent, governance has to happen at the moment of action — in the execution path, in milliseconds — or it isn't governance, it's archaeology.

Agents made governance a runtime problem.

For decades, governance could afford to be slow, because the actors it governed were people, and people were already slow. A quarterly review board worked fine when the riskiest thing in the building was a purchase order.

AI agents broke that assumption. They act — send the email, place the order, publish the post, move the money — hundreds of times an hour, unattended. The only check most operators have is the prompt the agent was given: a paragraph of instructions the agent is trusted to follow, living inside the very system it's supposed to constrain. Hope is not a control.

That's the gap Governance as a Service closes. Every other consequential actor in the economy — an employee, a contractor, a bank transfer — passes through checks that exist outside the actor. GaaS gives AI agents the same thing: an external gate, fast enough to sit in the execution path, mapped to 12 regulatory frameworks including the EU AI Act, GDPR, HIPAA, PCI DSS, and SOC 2.

The research caught up to the runtime definition.

In August 2025, researchers Suyash Gaurav, Jukka Heikkonen, and Jatin Chaudhary published "Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement" (arXiv:2508.18765) — and independently arrived at the same definition this page opened with. The paper defines GaaS as "a modular, policy-driven enforcement layer that regulates agent outputs at runtime" that doesn't require retraining the model or the agent's cooperation.

That's the academic literature converging on the runtime-enforcement meaning of the term — not the data-governance or GRC meanings covered above. The paper formalizes the framework; GaaS is a production implementation of it, running that same policy-driven, runtime-enforcement pattern on real agent traffic today.

Declare, check, decide — in milliseconds.

The agent declares its intent; the service enriches it with real-world context, evaluates it against your policies and 12 regulatory frameworks, and returns one of three verdicts — in under 100 milliseconds for routine actions:

Allow

Lets it through

Clearly fine actions clear in well under a tenth of a second — fast enough that the agent never notices governance happened.

Hold

Holds it for a human

Actions that need judgment wait for a yes from the person who owns the risk — on their schedule, with the context in front of them.

Block

Stops it cold

Actions that cross a line never execute. And because the rule lives outside the model, the agent can't argue its way past it.

Every verdict is written to an immutable, hash-chained audit record — a receipt you can show a client, an auditor, or a regulator.

Go Deeper

The step-by-step lives at How It Works; the full architecture at Technical Specifications; the audit spec at Trust & Audit.

As-a-service vs. the two ways teams do it now.

Prompt guardrails Build it in-house Governance as a Service
Where the rules live Inside the model's context Custom middleware you maintain External service, outside the agent
Can the agent bypass it? Yes — instructions can be argued away Depends on what you built No — verdicts are enforced, not suggested
Token cost per governance cycle 23,000–65,000 Varies 200–500
Audit trail None If you built one Immutable, hash-chained, every decision
Regulatory framework coverage None Your legal team's problem 12 frameworks, 60+ policies built in
Time to deploy Minutes (and it shows) Months An afternoon, starting in Shadow Mode

Token figures from The Context Dividend — the white paper on what prompt-based governance actually costs.

Twelve frameworks, named.

"12 regulatory frameworks" is a claim explainers make and rarely back up. Here's the actual list GaaS ships built-in coverage for:

EU AI Act GDPR HIPAA PCI DSS SOC 2 NIST 800-53 FedRAMP CMMC NIST CSF NIST AI RMF FERPA COPPA
Go Deeper

Full control-by-control mapping — what's enforced vs. mapped for each framework — lives at Technical Specifications.

The first week, realistically.

Competing explainers describe governance rollouts in the abstract. Here's what actually happens, in order:

Afternoon one

Wire in Shadow Mode

Install the SDK (three lines), declare your first intent, and Shadow Mode starts recording verdicts on real agent actions — enforcing nothing.

The rest of the week

Author policy in plain language

Watch what Shadow Mode would have allowed, held, or blocked, and write the rules that match your actual risk tolerance — no policy DSL to learn.

When you're ready

Flip one flag to enforce

When the would-have-blocked list matches your instincts, turning enforcement on is a single flag change — not a migration.

Start Now

The step-by-step lives at How It Works; start the afternoon at Start Free Shadow Mode.

It costs less than the prompt you're using now.

Governance stuffed into prompts burns 23,000 to 65,000 tokens per cycle. Governance as a Service uses 200 to 500, and hands back 30 to 60% of the agent's context window.

Read The Context Dividend

The plan ladder, and who pays nothing.

Five tiers, all metered on governed actions: Free ($0, 1,000 actions/mo) → Developer ($99/mo, 10,000 actions) → Starter ($500/mo, 50,000 actions, 3 agents) → Growth ($2,500/mo, 500,000 actions, 15 agents) → Enterprise ($10,000+/mo, 5M+ actions, unlimited agents, custom SLAs). Every plan includes deliberation inference — H2Om runs the LLM compute for multi-agent panels, no separate model bill to reconcile.

Free For Life

Nonprofits, NGOs, and veteran-owned businesses qualify for free governance for life — contact sales@gaas.is. Full breakdown at Pricing.

Governance as a Service, answered.

Governance as a Service (GaaS) is the delivery of governance — the rules, checks, approvals, and audit records that keep an organization's actions inside policy — as a subscribable service you plug into, rather than a department you staff or a system you build. Applied to AI agents, it is an external layer that checks every consequential agent action against your rules before it executes, allowing, holding, or blocking it, with an immutable record of every decision.

GaaS stands for Governance as a Service, following the same as-a-service pattern as SaaS (software), IaaS (infrastructure), and PaaS (platform). Instead of building governance in-house — committees, review boards, hand-rolled approval flows — you subscribe to it as a service with an API.

Data governance as a service is a managed program for cataloging, classifying, and controlling access to data. Governance as a Service for AI agents governs actions, not data: it evaluates what an agent is about to do — send, post, order, pay — against policy before it executes. One governs what you store; the other governs what your software does.

Most AI governance platforms are documentation layers: model inventories, risk assessments, compliance questionnaires. Governance as a Service is a runtime enforcement layer: it sits in the execution path and actually allows, holds, or blocks individual agent actions in real time, producing an audit record for each one. Paperwork tells you what your policy is; enforcement is what makes an agent follow it.

Anyone whose AI agents act in the world — send email, publish content, place orders, move money, touch records. Regulated teams get mappings to 12 frameworks including the EU AI Act, GDPR, HIPAA, PCI DSS, and SOC 2; every other operator gets control over what their agents do and a receipt for every decision. Start at GaaS for AI Operators.

No. Routine actions clear the full pipeline in under 100 milliseconds. Only genuinely high-stakes decisions take longer, and only because your policy asked for deliberation or a human approval.

With GaaS you start free in Shadow Mode, no card. There is a free tier, then plans from $99 a month, and under a cent per governed action at scale. It typically costs less than prompt-based governance: guardrails stuffed into prompts burn 23,000 to 65,000 tokens per cycle, while GaaS uses 200 to 500. See pricing.

Yes. Shadow Mode runs the entire governance pipeline on your real agent actions while enforcing nothing — you see exactly what would have been allowed, held, or blocked before you ever turn enforcement on. It's free and takes an afternoon to wire in. Start Shadow Mode.

Yes. arXiv:2508.18765 (Gaurav, Heikkonen, and Chaudhary, August 2025), "Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement," defines GaaS as a modular, policy-driven enforcement layer that regulates agent outputs at runtime — the same runtime-enforcement definition this page uses. GaaS, the product, is a production implementation of that pattern.

Twelve, built in: EU AI Act, GDPR, HIPAA, PCI DSS, SOC 2, NIST 800-53, FedRAMP, CMMC, NIST CSF, NIST AI RMF, FERPA, and COPPA. Full control-by-control mapping is at Technical Specifications.

SaaS (Software as a Service) delivers an application over the internet. GaaS (Governance as a Service) delivers a control layer: it doesn't do the work, it decides whether the work is allowed to happen. A SaaS product replaces software you would have installed; GaaS replaces the review board, the policy binder, and the audit spreadsheet you would have built around your AI agents — as a service that rules on every action in real time.

In AI, GaaS means Governance as a Service: a runtime layer that evaluates each AI agent action against policy before it executes and keeps a signed record of every decision. (Not to be confused with GaAs — gallium arsenide, the semiconductor material — which dominates search results for the bare acronym but has nothing to do with AI governance.)

A GaaS company operates governance infrastructure that other organizations plug their AI agents into — policy evaluation, human escalation, and immutable audit records delivered as a subscription instead of an internal build. GaaS (gaas.is, by H2Om) is the governance-as-a-service company this page belongs to; the category also includes advisory-style AI governance program providers.

See Governance as a Service on your own agents.

Start free in Shadow Mode — the full pipeline runs on your real agent actions, enforcing nothing, so you can watch governance work before you turn it on. No credit card.

Start Free Shadow Mode