Sector brief · April 2026
Primary profile: Custom (/x/)
Legal and enterprise governance
Risk teams are done with pilots. They need runtime evidence: sequences of agent actions, approvals, and policy boundaries that line up with Articles 11, 12, and 14 of the EU AI Act and similar frameworks.[5][6]
Market context
Enterprise AI governance spend is still measured in hundreds of millions globally, but downside risk is asymmetric. The EU AI Act advertises fines large enough to matter to Fortune 500 CFOs.[4]
Identity vendors now argue the agentic enterprise needs a new control plane—RBAC screens assumed a human behind every session, which breaks once agents act on their own.[3]
Structural gaps
Where incumbents sit
Vanta and Drata own continuous control monitoring. Harvey and peers own firm-internal gen-AI. DeepJudge-style tools own search.[6] The missing layer is enforcement at the wire: gates that stop out-of-policy tool use and an append-only narrative auditors can replay.
Building on more.md (implementation map)
Custom (`/x`) profiles for assurance packs that do not fit stock kinds
EU AI Act documentation, trust annexes, and append-only agent-action bundles often need tenant-specific shapes. Publish them as `/x` extensions with stable URLs so auditors, regulators, and counsel pull the same structure your monitors emit.[3][1]
Profile changelogs as an append-only narrative
Record human, agent, and system actors on each mutation so compliance tooling can diff policy drift without scraping Slack.[4]
TOON for high-volume monitors
Stream compact encodings to Python services that watch for anomalies at token budgets JSON cannot afford.[2]
DIDs and signed payloads
Use `did:web` and HMAC-signed envelopes (e.g. `@eep-dev/signer`) so non-repudiation claims survive export to counsel.[3]
Capability gates
Enforce human-issued boundaries at the network layer so an agent cannot escalate privilege by prompt hacking a softer tier.[5]
Competitive context
Names below appear in third-party sources listed under References. The contrast column sketches where an agent-first build on more.md sits relative to each player. Complement in some layers, substitute in others.
| Player | Position in market | Contrast with more.md-shaped build |
|---|---|---|
| Vanta / Drata | GRC automation for SOC2/ISO and similar frameworks. | Control tracking vs runtime SSE + structured agent traces. |
| Harvey | Gen-AI workflows inside law firms. | Drafting productivity vs external assurance on autonomous behavior. |
| DeepJudge | Enterprise legal search. | Discovery vs programmable gates that block disallowed calls. |