A $14B addressable market with a hard deadline stapled to it.
AI governance is not a discretionary line item. Between August 2026 (when the EU AI Act's high-risk obligations take effect) and 2028 (when ISO/IEC 42001 becomes the reference certification and the Colorado AI Act is expected to have inspired laws in 10+ US states), every enterprise deploying meaningful AI acquires a permanent, growing GRC obligation.
Sizing
TAM / SAM / SOM.
| Tier | Figure | Scope |
|---|---|---|
| TAM (by 2028) | $14.2B | Global AI GRC and model-risk software, built bottom-up |
| SAM | $4.6B | EU and US regulated sectors: financial services, health, insurance, public sector, F2000 tech |
| 5-year SOM | $180M | 1.3% of TAM (about 3.9% of SAM) |
TAM logic. ~48,000 organizations globally fall under the EU AI Act's high-risk provisions or an equivalent regime (ISO 42001 certification aspirants plus US regulated ML users). Blended ACV targets are $60K enterprise and $18K mid-market, a weighted average of $47K. As written the inputs do not reconcile with the headline: $47K × 48K entities × 63% software-serviceable share multiplies to about $1.42B, and reaching $14.2B at this ACV implies roughly 480K in-scope entities.
SAM logic. First five-year serviceable segments: EU-headquartered enterprises deploying high-risk AI (est. 12K), US banks and insurers under SR 11-7 / NAIC Model 668 (est. 4.5K), US healthcare providers and payers with clinical AI (est. 3.8K), and F2000 tech companies deploying customer-facing LLM systems (est. 2.1K), 22.4K entities in total. At the $57K weighted ACV these multiply to about $1.28B; the $4.6B SAM headline implies roughly 81K serviceable entities at that ACV.
SOM logic. $180M within five years, which is 1.3% of the $14.2B TAM (about 3.9% of the $4.6B SAM), conservative given fragmented competition and no clear category winner. The path is traced explicitly in the financials.
Personas
Who signs, who champions, who uses.
| Persona (role) | Job-to-be-done | Current workaround | Willingness-to-pay signal |
|---|---|---|---|
| Chief AI Officer (economic buyer) | Prove to the board that the AI portfolio is governed, insurable, and audit-ready before EU AI Act enforcement. | Big Four assessment + internal steering committee + Excel inventory. | $400K–$1.2M annual consulting spend that can be redirected. |
| Chief Information Security Officer (co-signer) | Extend the existing GRC posture (SOC 2, ISO 27001) to cover AI-specific risks and third-party model risk. | OneTrust or Vanta bolt-ons that do not understand model artifacts. | Existing $300K–$2M GRC budget with an AI expansion line. |
| Head of Model Risk Management (technical champion) | Continuously validate models per SR 11-7 without a 3-week rewrite after every retraining. | Word documents; quant teams doing validation as a side job. | Direct P&L impact: the validation backlog blocks model deployment. |
| General Counsel (sign-off) | Answer "are we EU AI Act compliant?" with a defensible, dated audit trail rather than a slide deck. | External counsel memos + insurance carrier questionnaires. | D&O and cyber insurance premium impact. |
| ML Platform Lead (end user) | Ship models without a 6-week manual documentation cycle each release. | Copy-pasting MLflow metadata into templated Word documents. | Time-to-production is the operational KPI they are measured on. |
Tailwinds
Why the window opens now.
The EU AI Act phase-in
The Act (Regulation (EU) 2024/1689) entered into force in August 2024. Prohibited practices apply from 2 February 2025, general-purpose AI (GPAI) obligations from 2 August 2025, high-risk system obligations from 2 August 2026, and the remaining provisions (high-risk systems embedded in Annex I regulated products) from 2 August 2027. Fines reach €35M or 7% of global annual turnover, whichever is higher, for prohibited-practice violations, with lower tiers for other obligations.
ISO/IEC 42001
Published December 2023, it specifies the requirements for an AI management system (AIMS) and is becoming the reference certification named in enterprise procurement RFPs from late 2025.
State AI laws
Colorado AI Act (SB 24-205; its effective date was pushed from February 2026 to 30 June 2026 in the 2025 special session), NYC Local Law 144 (bias audits for automated employment decision tools, enforced since July 2023), California SB 942 (AI Transparency Act) and AB 2013 (generative AI training-data transparency). Multi-jurisdiction fragmentation is exactly the complexity SaaS wins on.
Agentic AI in production
2026 is the first year of meaningful agentic deployments. Existing governance frameworks were built for classification models and static predictions; they do not describe agent runtime risk: tool and API calls made under delegated credentials, multi-step actions with real side effects, and instructions arriving through untrusted tool outputs. That is a green-field control category to own.