ADG defines what controls. KYE™ proves which actions met them.
EC-Council ADG (Adopt · Defend · Govern, 2026) names three pillars, nine governance surfaces, twelve minimum controls (MC-1..MC-12), and three autonomy tiers (HITL / HOTL / HOOTL). It is an operating-model framework — it tells an organisation what controls to operate. KYE Protocol™ is the runtime authority layer beneath it — it proves a specific action was authorised, admissible, evidenced, and final. The two stacks are complementary, not competing. This page is the analyst-grade crosswalk: every ADG surface and every MC-1..MC-12 control mapped to the KYE™ Minimum Authority Control™ (KAC™) and canonical evidence schema that materially discharges it at runtime.
Complementary stacks — distinct accountability layers.
| Stack | Layer | Unit of accountability | Buyer-facing artefact |
|---|---|---|---|
| EC-Council ADG | Operating model | Control declaration | Framework adoption attestation |
| KYE Protocol™ | Runtime authority | Action admissibility + evidence | Per-action Replay-Proof™ envelope |
A regulator-grade deployment runs both: ADG as the operating frame, KYE™ as the per-action runtime proof. ADG without KYE™ relies on after-the-fact log scraping to prove the control held. KYE™ without ADG ships a runtime authority layer without the operating-model frame that puts it in the board pack.
Surface → KYE™ primitive.
| ADG surface | KYE™ primitive | KAC™ | Canonical schema |
|---|---|---|---|
| Identity surface | Verified Entity | KAC™-1 | entity.json + kye.governedui.entity_passport.v1 |
| Tools & MCP Register | KYE Tool & MCP Authority Register™ | KAC™-4 | kye.tool_mcp_register.v1 |
| Agentic orchestration | Chain of Authority™ | KAC™-3 | kye.federation.cross_org_delegation.v1 |
| Runtime monitoring | Evidence Pack™ + drift signal | KAC™-7 | kye.evidence.pack.v1 + kye.signal.drift.detected.v1 |
| Incident response / forensic replay | Replay Proof™ | KAC™-8 | kye.evidence.trace_replay_spec.v1 |
| Decision rights / authority | Authority Finality™ | KAC™-9 | kye.estate.authority_finality.v1 |
| Lifecycle / revocation | Revocation + expiry control | KAC™-10 | kye.purpose.grant.v1 + kye.purpose.admissibility.v1 |
| Human oversight | GovernedUI™ critical-point review | KAC™-11 | kye.governedui.critical_point_review.v1 |
| Assurance / certification | KYE Seal™ | KAC™-12 | kye.compliance.attestation.v1 |
Same twelve. KYE™ materially enforces them.
| ADG MC | Title | KAC™ | Coverage on KYE™ |
|---|---|---|---|
| MC-1 | Verified entity / identity register | KAC™-1 Entity Registry | enforced |
| MC-2 | Delegation envelope | KAC™-2 Delegation Envelope™ | enforced |
| MC-3 | Chain of authority across organisations | KAC™-3 Chain of Authority Map | enforced |
| MC-4 | Action-class declaration / scope | KAC™-2 + KAC™-5 (admissibility scope) | enforced |
| MC-5 | Admissibility floor | KAC™-5 Action Admissibility™ Gate | enforced |
| MC-6 | Runtime policy resolution | KAC™-6 Runtime Policy Resolution | enforced |
| MC-7 | Tools & MCP register | KAC™-4 Tool & MCP Authority Register | enforced — pilot SKU live |
| MC-8 | Revocation + expiry control | KAC™-10 Revocation and Expiry Control | enforced |
| MC-9 | Evidence capture per action | KAC™-7 Evidence Capture at T=0 | enforced |
| MC-10 | Forensic replay capability | KAC™-8 Replay Proof | enforced |
| MC-11 | Decision rights / authority terminality | KAC™-9 Authority Finality™ Record | enforced |
| MC-12 | Human oversight + critical-point review | KAC™-11 Human Oversight and Escalation | enforced |
HITL / HOTL / HOOTL ↔ A0 / A1 / A2 / A3.
ADG names three autonomy tiers. KYE Autonomy Tiers™ compresses to four so that the runtime-controls floor is unambiguous. See /autonomy-tiers.html for the per-tier control matrix.
| ADG tier | KYE™ tier | KYE™ required | KAC™ floor |
|---|---|---|---|
| (n/a) | A0 Human-only | no | none |
| HITL | A1 Assist | optional | KAC™-1 |
| HITL / HOTL | A2 Scoped delegation | yes | KAC™-1, 2, 4, 5, 6, 7, 8, 10, 11, 12 |
| HOOTL | A3 Autonomous with Authority Finality™ | yes | KAC™-1..KAC™-12 (all twelve) |
35 ADG requirements → KYE™ canonical artefacts — bijection enforced.
The full requirement-by-requirement deep mapping lives at /compliance/ec-council-adg.html, generated from internal on every build. Every cited kye.<ns>.*.v1 schema MUST resolve to a canonical declaration on disk; the framework-coverage-bijection gate fails the merge if anything drifts. Honest coverage breakdown: 22 enforced / 11 designed / 2 advisory / 0 out-of-scope (63% enforced; the runtime-authority surface where KYE™'s wheelhouse sits is enforced wall-to-wall, with deployer-side operating-model concerns honestly marked advisory).
Same twelve controls. ADG declares them. KYE™ proves them.
A regulator-grade deployment runs both stacks. The crosswalk is the analyst-grade artefact that lets a CISO, regulator, or auditor see which KYE™ primitive discharges which ADG control without translation.