Why a new governance protocol?
Agentic AI changes the nature of risk. With a chatbot, the worst drift is a bad answer. With an agent, the worst drift is an action: a wire transfer sent, a contract signed, an HR decision made. Traditional governance frameworks, designed for passive tools, cannot handle this transition.
BCG notes that 69% of executives acknowledge having no formal framework for governing AI agents. Yet ISO 42001, the EU AI Act, and the NIST AI RMF now impose concrete obligations: traceability, supervision, documentation, reversibility. LOOP™ was designed to meet these requirements without sacrificing execution speed.
LOOP™ is not a brake on AI. It's the accelerator that allows you to delegate with confidence.
The 4 trust zones
Each deployed agent is classified in a zone, based on its risk level, the impact of an error, and the reversibility of its actions.
Green zone — supervised autonomy
The agent acts alone; its decisions are logged and reviewed by sampling. Typical: document sorting, email categorization, ticket routing. Limited risk, reversible actions.
Orange zone — active supervision
The agent proposes, but a human validates within a defined period (e.g. 24h). Typical: drafting a customer response, pre-qualifying a candidate, generating a legal summary. The error can be caught before it leaves the organization.
Red zone — mandatory human validation
Every decision goes through a human before taking effect. Typical: financial decisions, contracts, HR decisions, legal recommendations. The agent is a co-pilot, never the pilot.
Black zone — prohibited
Some use cases must not be entrusted to an agent. Examples: medical diagnosis, dismissal decisions, disciplinary sanction calculations. The black zone is reviewed quarterly.
The 3 escalation levels
LOOP™ defines three types of escalation that the agent must be able to trigger autonomously:
- Information — the agent notifies the human but acts. Used for routine low-risk cases.
- Validation — the agent pauses its action and awaits the human decision. Used in orange and red zones.
- Blocking — the agent refuses the action, logs the event, and raises an alert. Used when a request crosses a critical threshold (amount, sensitive data, black zone).
The living registry
LOOP™ requires a single registry of all agents deployed in the organization. For each agent: business owner, IT sponsor, zone, use case, volume, incidents, review date. The registry is accessible to the CAIO, DPO, CISO, and audit. It is the single source of truth.
Regulatory alignment
LOOP™ is aligned with ISO 42001 (AI management system), the EU AI Act (risk-level classification), and the NIST AI RMF (traceability and monitoring). Organizations that adopt it save time on regulatory audits.
Practical implementation
Deploying LOOP™ in an organization typically takes 4 to 6 weeks:
- Week 1: audit of existing use cases, initial classification in the 4 zones
- Week 2: sponsor designation, SLA definition, escalation rule writing
- Week 3: registry setup, monitoring tooling
- Week 4: team training, first dry run of the quarterly review
- Weeks 5-6: adjustments and production deployment
Koneetiv supports implementation via the Claude Cockpit service, or directly with CIOs via CIO Acceleration. The protocol is publicly documented, but its application requires expertise in regulatory frameworks and business specifics.
LOOP™ in practice: a customer collections agent example
To make the protocol concrete, let's take the example of a customer collections agent in finance. Here's how LOOP™ governs it end-to-end.
Step 1: Initial classification
The agent identifies overdue invoices, generates a personalized follow-up email, and sends it automatically. First analysis: sending a commercial email commits the company to its client. Medium reversibility (you can apologize), medium impact (customer relationship). Classification: orange zone, active supervision.
Step 2: Defining escalation rules
The rules are as follows: below €5,000, the email is sent automatically. Between €5,000 and €50,000, the email is held for 4 hours for the accountant's validation. Above €50,000, mandatory CFO validation. If the client has less than 6 months' history or if a commercial dispute is open, automatic blocking.
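The Step 2 rules written as code, as an added example (not Koneetiv's or LOOP™'s own implementation). The invoice field names, the mapping of the automatic send to the Information level, the inclusive treatment of the €5,000 and €50,000 boundaries, and failing closed on malformed input are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from enum import Enum
from typing import Optional


class Escalation(Enum):
    INFORMATION = "information"  # agent acts and notifies the human
    VALIDATION = "validation"    # agent pauses and awaits a human decision
    BLOCKING = "blocking"        # agent refuses, logs the event, raises an alert


@dataclass(frozen=True)
class Decision:
    level: Escalation
    approver: Optional[str]    # role that must validate, if any
    hold_hours: Optional[int]  # hold period stated on the page, if any
    reason: str                # goes into the audit log


def decide(invoice: dict) -> Decision:
    """Apply the Step 2 rules to one overdue invoice (hypothetical schema)."""
    try:
        amount = Decimal(str(invoice["amount_eur"]))
        history = int(invoice["client_history_months"])
        dispute = invoice["open_dispute"]
        if not amount.is_finite() or amount <= 0 or history < 0:
            raise ValueError("out-of-range field")
        if not isinstance(dispute, bool):
            raise ValueError("open_dispute must be a boolean")
    except (KeyError, TypeError, ValueError, InvalidOperation) as exc:
        # Assumption: missing or malformed input fails closed.
        return Decision(Escalation.BLOCKING, None, None, f"invalid input: {exc!r}")

    # Blocking conditions come first so that no amount tier can bypass them.
    if dispute:
        return Decision(Escalation.BLOCKING, None, None, "open commercial dispute")
    if history < 6:
        return Decision(Escalation.BLOCKING, None, None, "client history under 6 months")
    if amount > Decimal("50000"):
        return Decision(Escalation.VALIDATION, "cfo", None, "above EUR 50,000")
    if amount >= Decimal("5000"):
        return Decision(Escalation.VALIDATION, "accountant", 4, "EUR 5,000 to 50,000")
    return Decision(Escalation.INFORMATION, None, None, "below EUR 5,000")
```

Keeping the rule table in one reviewed function means a threshold change shows up as a tracked diff rather than as a silent change in agent behaviour.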
Step 3: Progressive deployment
For the first two weeks, the agent runs in "shadow" mode: it generates emails but doesn't send them. Accountants compare the generated emails to what they would have written. After 10 days of validation, the agent moves to real production on a limited scope.
Step 4: Monitoring and evolution
After 3 months of stable operation without incident, the agent can be re-evaluated. If it handled 98% of cases correctly without drift, the review committee may decide to move it to the green zone for certain categories (e.g. follow-ups under €5,000 for clients with over 2 years' tenure).
LOOP™ and the organization
A governance protocol only has value if it is carried by clear roles. LOOP™ defines three essential roles:
The business sponsor
Carries the ROI and operational responsibility for the agent. They validate thresholds, handle exceptions, and arbitrate in case of incidents.
The CAIO (Chief AI Officer)
Ensures the coherence of the agent portfolio, alignment with the regulatory framework, and evolution of the registry. The CAIO can be internalized or outsourced via Claude Cockpit.
The IT lead
Carries technical integration, security, and monitoring. The guardian of production.
10 pitfalls that LOOP™ avoids
Drawing on more than a hundred deployments, we have identified 10 recurring pitfalls that LOOP™ helps avoid:
- An agent deployed without a clear business sponsor
- Classification that changes based on committee mood
- Escalation rules not documented in code
- An agent registry that is not kept up to date
- Monitoring that only looks at technical metrics, not business ones
- No quarterly review
- Agent updates not tracked
- Dependence on a single model provider
- Misalignment between IT, business, and compliance
- No disconnection strategy in case of incident
LOOP™ versus other market frameworks
Several frameworks coexist in the AI governance market. Each has its own logic and scope. Here's how LOOP™ positions itself.
ISO 42001 — the management system
ISO 42001 defines an AI Management System. It's a certifiable standard, focused on organization, roles, and processes. It doesn't impose specific operational mechanisms. LOOP™ fits within it as an execution protocol.
EU AI Act — the regulation
The EU AI Act classifies AI systems by risk level (unacceptable, high, limited, minimal). LOOP™ addresses this classification requirement with its 4 zones, operationalizing them. LOOP™'s black zone corresponds to the AI Act's unacceptable risk.
NIST AI RMF — the risk management framework
The NIST AI Risk Management Framework proposes a four-function risk management approach: govern, map, measure, manage. LOOP™ operationalizes all four functions with concrete mechanisms.
Consulting firm frameworks
BCG, McKinsey, and Accenture each have their own framework. These are useful but rarely public and rarely testable by buyers. LOOP™ is publicly documented and backed by more than a hundred deployments.
How to start with LOOP™
Three paths exist for adopting the protocol:
- Read and self-apply: download the public documentation, classify your own agents
- Claude Cockpit guidance: guided deployment in 4 to 6 weeks with a Koneetiv expert
- Full integration via Ignite AI Act: tooling + protocol + real-time monitoring
Most organizations start with option 2 and switch to option 3 once their agent portfolio is consolidated.
What LOOP™ changes for executives
For a leadership team, LOOP™ brings four tangible changes. First, a common vocabulary across all stakeholders (IT, business, compliance). Second, continuous visibility over the entire agent portfolio via the living registry. Third, the ability to make rapid decisions on new use cases because the framework is pre-established. Fourth, a credible posture vis-à-vis regulators, auditors, and clients.
This last point is often underestimated. In enterprise RFPs, clients increasingly ask vendors for proof of AI governance. Being able to present a structured protocol becomes a commercial advantage, not just a regulatory obligation.