§ 03Market Opportunity

A $14B addressable market with a hard deadline stapled to it.

AI governance is not a discretionary line item. Between August 2026 (EU AI Act high-risk obligations apply) and 2028 (ISO/IEC 42001 becoming the reference certification and the Colorado AI Act inspiring 10+ US states to follow), every enterprise deploying meaningful AI acquires a permanent, growing GRC obligation that does not lapse once the first audit is passed.

Sizing

TAM / SAM / SOM.

$14.2B   TAM by 2028   Global AI GRC + model risk software, bottoms-up
$4.6B    SAM           EU + US regulated: FS, health, insurance, public sector, F2000 tech
$180M    5yr SOM       1.3% penetration of SAM

TAM logic. ~48,000 organizations globally fall under EU AI Act high-risk provisions or equivalent (ISO 42001-certified aspirants + US regulated ML users). Blended ACV target $60K enterprise / $18K mid-market, weighted average $47K. Stated formula: $47K × 48K entities × 63% software-serviceable share. Note that as written this multiplies out to roughly $1.4B, not $14.2B; the $14.2B headline needs either ~10× the entity count or ~10× the ACV, and the deck should state which assumption carries it.

SAM logic. First 5-year serviceable segment: EU-headquartered enterprises deploying high-risk AI (est. 12K), US banks & insurers under SR 11-7 / NAIC Model 668 (est. 4.5K), US healthcare providers & payers with clinical AI (est. 3.8K), F2000 tech deploying customer-facing LLM systems (est. 2.1K), 22.4K entities in total. Weighted ACV $57K. Note that 22.4K × $57K is roughly $1.3B; the $4.6B SAM headline does not follow from these inputs alone and needs its additional assumptions spelled out.

SOM logic. 1.3% share of SAM inside 5 years, conservative given fragmented competition and no clear category winner. Note that 1.3% of $4.6B is about $60M, while $180M corresponds to roughly 3.9% of SAM (or to 1.3% cumulated over several years); the financials should make clear whether the SOM figure is annual run-rate or five-year cumulative revenue. Path traced explicitly in the financials.

Personas

Who signs, who champions, who uses.

Persona: Chief AI Officer (economic buyer)
Job to be done: Prove to the board that the AI portfolio is governed, insurable, and audit-ready before EU AI Act enforcement.
Current workaround: Big Four assessment + internal steering committee + Excel inventory.
WTP signal: $400K–$1.2M annual consulting spend redirectable.

Persona: Chief Information Security Officer (co-signer)
Job to be done: Extend the existing GRC posture (SOC 2, ISO 27001) to cover AI-specific risks and third-party model risk.
Current workaround: OneTrust or Vanta bolt-ons that don't understand model artifacts.
WTP signal: Existing $300K–$2M GRC budget with an AI expansion line.

Persona: Head of Model Risk Management (technical champion)
Job to be done: Continuously validate models per SR 11-7 without a 3-week rewrite after every retraining.
Current workaround: Word docs; quant teams doing validation as a side job.
WTP signal: Direct P&L impact: validation backlog blocks model deployment.

Persona: General Counsel (sign-off)
Job to be done: Answer "are we EU AI Act compliant" with a defensible, dated audit trail, not a slide deck.
Current workaround: External counsel memos + insurance carrier questionnaires.
WTP signal: D&O and cyber insurance premium impact.

Persona: ML Platform Lead (end user)
Job to be done: Ship models without a 6-week manual documentation cycle each release.
Current workaround: Copy-pasting MLflow metadata into templated Word docs.
WTP signal: Time-to-production is the operational KPI they're measured on.

Tailwinds

Why the window opens now.

Regulatory

The EU AI Act phase-in

Prohibited practices in force Feb 2025, GPAI obligations Aug 2025, high-risk system obligations Aug 2026, full applicability (including high-risk AI embedded in products covered by existing EU product legislation) Aug 2027. Fines up to €35M or 7% of global annual turnover for prohibited-practice violations, with lower tiers for other obligations.

Regulatory

ISO/IEC 42001

Published Dec 2023, becoming the reference AI management system certification for enterprise procurement RFPs starting late 2025.

US patchwork

State AI laws

Colorado AI Act (originally effective Feb 2026, delayed by the legislature to June 30, 2026), NYC Local Law 144, California SB 942 / AB 2013. Multi-jurisdiction complexity is the exact fragmentation SaaS wins.

Technology

Agentic AI in production

2026 is the first year of meaningful agentic deployments. Existing governance frameworks (built for classification models) do not describe agent runtime risk: tool invocation, delegated permissions, and multi-step actions taken without a human in the loop. That is a green-field control category to own.