A compliance-minded director books demos with two AI governance vendors in the same week. The first demo is all model dashboards, drift alerts and fairness metrics. The second is intake forms, policy mapping and regulator-ready documentation packs. Both products call themselves AI governance platforms. Neither resembles the other, and neither obviously answers the question that prompted the demos, which was whether the firm’s use of AI would hold up if a client or the ICO started asking hard questions about personal data.
The confusion is built into the category. Vendors arrived from different directions, some from model monitoring, some from privacy compliance, some from enterprise risk, and they all adopted the same label. Comparing them on their own terms is close to impossible. Comparing them on the three capabilities data protection actually depends on is straightforward, and it collapses a field of forty to a shortlist. Sometimes a shortlist of none.
What choice are you actually facing?
The choice underneath the vendor comparison is whether to buy a platform at all or extend the controls you already run. For data protection, three capabilities carry the weight, an inventory of the AI systems in use, controls on what data reaches those systems, and an audit trail you can hand to a client, a regulator or a court.
The platforms themselves cluster into recognisable groups. Credo AI, Holistic AI, Trustible and OneTrust sell enterprise-first governance, with AI registries, risk scoring and policy mapping against frameworks such as the EU AI Act. Monitaur and Fiddler come from model monitoring, tracking drift, accuracy and anomalies in production systems. Arthur focuses on runtime guardrails and discovery for agentic AI. VerifyWise is the outlier, a source-available platform that can be self-hosted and explicitly aims below enterprise scale.
Much of what these products sell sits outside the three capabilities. Bias dashboards, fairness metrics and performance monitoring matter when AI makes consequential decisions about people, in lending, hiring or case triage, and choosing that tooling is a separate purchase decision. Neither the ICO nor the NCSC prescribes any product for data protection. Both ask for proportionate controls, documented decisions and clear accountability, achieved by whatever mechanism fits your size.
When does what you already run genuinely cover it?
If your firm’s AI use is confined to productivity and marketing tools, a disciplined register in a spreadsheet, the data loss prevention controls already in Microsoft 365 or Google Workspace, and the ICO’s AI and data protection risk toolkit cover the core obligations. The demanding part is discipline, one named person accountable for keeping the records current.
That describes a large share of the market. YouGov polling of UK owner-managed businesses found around 31 per cent using AI, with task automation at 54 per cent of users and marketing at 45 per cent. Only around 19 per cent use AI for decision-making. A firm drafting emails with Copilot and generating campaign copy faces real data protection questions, but they are questions a register, sensible DLP rules and staff training can answer.
The register lists each AI tool, its purpose, the categories of personal data it touches, the legal basis and an owner. DPIAs extend to cover new AI features. DLP rules get updated when an integration arrives, and people are trained not to paste sensitive data into public tools. I’ve published a simple AI risk register template that does the inventory job at this scale. What regulators reward is demonstrable control, and a spreadsheet maintained well demonstrates more than a platform configured badly.
When is a dedicated platform worth buying?
A platform earns its place under three conditions. Your AI use has grown complex, with multiple models, autonomous agents or third-party AI wired into critical workflows. Your regulatory exposure spans frameworks, the EU AI Act, ISO 42001 or sector rules demanding continuous evidence. Or teams are procuring AI independently and shadow AI has made your register unreliable. Any one of the three shifts the sums.
Match the condition to the platform. For agentic complexity, Arthur’s runtime guardrails filter personal data before and after model calls, and its discovery tooling surfaces agents introduced through SaaS products nobody flagged. For multi-framework exposure, Trustible maps controls to the EU AI Act, NIST and ISO 42001 and generates its audit trail as the work happens, while VerifyWise claims coverage of more than twenty-four frameworks. For sprawl across teams, Holistic AI leads with shadow AI discovery across the whole estate.
Scale matters in the other direction too. Credo AI and Holistic AI are built for large enterprises and regulated sectors, and independent comparison commentary places enterprise governance contracts in the six-figure range. Trustible frames implementation as a 90-day programme. VerifyWise, free to start and self-hostable, is the one platform in this field that explicitly targets firms below enterprise scale, which makes it the natural first look for an owner-managed business that has crossed into genuine need.
What does getting it wrong cost?
Buying wrong costs more than the subscription. An enterprise platform your team cannot configure becomes shelfware, absorbing budget while the actual register goes stale. Deferring wrongly carries its own bill. A firm that cannot show which AI systems touched personal data, and under what controls, has no defensible answer when a client’s due diligence questionnaire or an ICO enquiry lands.
Over-buying is the commoner failure at this scale. Detailed EU AI Act mapping is vital to a multinational bank and peripheral to a twenty-person consultancy using Copilot. A platform that only records what you type into it adds structure to knowledge you already hold, which a spreadsheet does for nothing. And if producing audit evidence requires custom configuration or specialist interpretation, the tool will not be maintained, and unmaintained governance tooling is worse than none because it implies oversight that has stopped happening.
Under-buying shows up later. When departments adopt AI tools independently, the register stops being true within months, and each of the three capabilities degrades at once. The moment you notice is usually the moment somebody outside the firm asks.
What should you ask every vendor before you decide?
Five questions expose whether a platform fits, and they map straight onto the three capabilities. How does it discover AI systems beyond manual entry? What does it actually do to data flows? How would it answer an ICO documentation request? Which frameworks does it cover, including UK GDPR specifically? And what would a twenty-person firm need to implement and run it?
Certain answers should end the meeting. If discovery amounts to staff filling in forms, the product is a prettier spreadsheet. If the platform never touches data flows and assumes your existing DLP does the minimisation work, the workflow features alone have to justify the price, and at this scale they rarely do. If evidence for a regulator requires custom scripting, expect shelfware. If the framework list is long on global standards and short on concrete UK GDPR engagement, you are paying for someone else’s compliance problem. And if the implementation story assumes a dedicated governance team, the vendor has just told you who the product is for.
Walking away counts as a result. A director who applies the three-capability lens, concludes that a register, existing DLP and the ICO toolkit cover today’s footprint, and books a review date for when AI use grows has made a sound governance decision, and one that will read well in front of a regulator.
The comparison that seemed impossible across two demos becomes manageable once you stop letting vendors set the terms. Judge every product against the three capabilities, inventory, data-flow controls and audit trail, and judge it against the spreadsheet and controls you already run, because that incumbent is the one any platform has to beat. If you would like a second pair of eyes on the shortlist before anything is signed, Book a conversation.



