Editorial illustration: a procurement folder labeled "Protect Plus" with a transparent governance shield in front; underneath, a stack of three baseline policy pages partially hidden behind a paywall icon at the lower right.

A procurement editor's read on the May 2026 governance tier — the controls that genuinely move the audit posture forward, and the baseline features that quietly migrated into the new paid tier.

Disclosure. This article is published by ASCENDING, an AWS Advanced Consulting Partner (founded 2018, Fairfax VA) that builds the Jarvis AI platform (product page) — including the MCP Gateway and Jarvis Registry referenced in the closing section. We compete with Glean in some accounts. The procurement read below sticks to the public collateral and the conversations we ran with customers and partners during May 2026; the comparison appears only at the end and is flagged.


The Protect Plus announcement landed alongside Glean's broader May 2026 platform launch, with the early third-party pricing reads — GoSearch's Glean pricing explainer and the AI Business coverage of Glean's model — landing within the week. The framing in the press release was "enterprise-grade governance for AI agents." The framing in the procurement calls I sat in on that week was sharper: "is this the SKU we have to buy to keep our existing audit posture, or is this net-new capability we're choosing to add?"

Honest answer, after a week of reading the SKU sheets and comparing them against last year's contract language: it's both. Some of Protect Plus is a real governance investment from Glean — controls that didn't exist in any tier six months ago. Some of it is repackaging, where baseline features moved up the SKU ladder so the existing tier looks thinner. Telling those two categories apart is the job this article tries to do.

What Protect Plus actually includes

The published Protect Plus surface, as of late May 2026, breaks down to seven control families that procurement teams need to read against their existing controls before signing. Expanded audit trails with per-Skill and per-Adaptive-Reasoning execution records, replacing the per-session connector-level logs that shipped in the 2025 base tier. PII redaction at the retrieval boundary, configurable by data class and connector, with the policy decision logged in the audit event. Data residency elections at the tenant level for inference, embedding, and storage paths, addressing the multi-state healthcare and EU data-locality concerns that stalled procurement reviews through 2025. BAA scope that covers the LLM inference and embedding path under a single Glean agreement (where the base tier left sub-processors uneven). Customer-managed encryption keys for the index and the audit store. Identity-aware policy that binds Skill execution to the requesting user's role and the data class of the source. Retention and legal hold controls with a documented seven-year retention option for audit records.

Each of those is a real feature. Taken together, they close most of the procurement gaps that surfaced in Glean evaluations through 2025. The question — the one this article exists to ask — is which of them are net-new and which ones used to be in the base tier.

What's net-new versus repackaged

I read the 2024 and 2025 versions of the Glean security collateral side by side with the May 2026 Protect Plus SKU sheet. Three categories of change emerged.

Genuinely net-new. Per-Skill audit, per-Adaptive-Reasoning execution records, customer-managed encryption keys for the audit store, and identity-aware policy bound to Skill execution. None of these existed in any form in the 2025 product. Building them required real engineering, and shipping them as a paid tier — at premium-tier pricing — is a defensible commercial choice.

Repackaged from base tier. Connector-level audit logs, basic data residency election, and the standard BAA template were available in the 2025 base offering. In May 2026 they remain in the base tier nominally, but the useful versions — the per-call detail, the multi-region residency for inference specifically, the BAA scope that includes the embedding path — moved into Protect Plus. A 2025 customer who relied on those controls for their compliance posture is now in a position where the base tier "still has" the feature, but the feature as actually used by procurement has migrated upmarket.

Genuinely paywall-trick. Two specific items. The seven-year audit retention option used to be configurable in the base tier for an additional storage fee; in May 2026 it's a Protect Plus inclusion only. And the data-export commitment for audit logs in a structured format — important for any customer running their own SIEM — is now part of Protect Plus where it was previously available on request in the base tier without a SKU change.

That's a procurement story, not a security story. The capability didn't get worse. The price of access to the same capability went up. Worth naming.

The audit-trail question: per-call versus per-session

This is the question that decides whether Protect Plus is the SKU your CISO needs.

Glean's pre-2026 audit story was per-session at the connector boundary. You knew which user asked a question, which connectors served documents, and what the synthesized answer was. You did not know — not in a structured, queryable, machine-readable way — which retrieval tool fired at what moment, which policy version was attached, or what the Skill execution chain looked like inside Adaptive Reasoning.

Protect Plus moves the audit closer to per-call. The new event schema, per the SKU sheet and the partner training session I sat in on May 22, captures Skill identifier, Adaptive Reasoning step, retrieval tool invoked, policy version in force at the moment of invocation, and PII redactions applied with the data class that triggered them. That's most of what an ISO/IEC 42001 auditor or an FFIEC examiner will ask for in a routine review, and noticeably more than the per-session story that shipped in 2025. The two pieces it doesn't yet capture, as far as I can tell from the published collateral and three customer conversations, are the rejected planner options (what the planner considered and didn't pick during Adaptive Reasoning) and the moment-in-time tool catalog snapshot (what was actually available to be picked at the instant of the call). For a routine SOC 2 or HITRUST review, the gap is unlikely to matter. For an SR 11-7 model-risk review or an EU AI Act Annex IV documentation request, it might.

Both omissions matter for different audiences. The rejected planner options matter for legal discovery — "what could the agent have done that it chose not to do" is a real question in a regulated environment. The tool catalog snapshot matters for change management — proving that a deprecated tool wasn't available at the moment of the call requires the catalog state, not just the call record.

So: Protect Plus is materially better than the 2025 baseline. It's not yet at the per-call protocol-layer audit that an MCP gateway emits natively. Whether that gap matters depends on your audit regime.

How it stacks against ISO 42001 and NIST AI RMF requirements

The standards both got more specific through 2025 and into 2026.

ISO/IEC 42001 (published 2023) requires an AI management system with a documented inventory of AI components, a governance loop, and risk-treatment evidence. Protect Plus, with the per-Skill audit and the identity-aware policy controls, maps onto the governance-loop and risk-treatment clauses well. It maps less cleanly onto the inventory clause — Glean does not currently expose Skills as inventory entries with ownership, lifecycle state, risk class, and change history in the way the standard contemplates. You can build that inventory in a spreadsheet that points to Glean Skills. You cannot get it as a platform output.

NIST AI 600-1 (the Generative AI Profile of the AI RMF) emphasizes per-call provenance and the ability to reconstruct decisions. Protect Plus closes most of the per-call gap with the new event schema. The decision-reconstruction story depends on whether you treat the Adaptive Reasoning plan as the decision artifact — Glean does, and the audit captures it.

HIPAA and the BAA scope. Glean's standard BAA, in the base tier, covers data at rest and a defined set of sub-processors, with the inference and embedding paths handled through addendums that vary by deal and by sub-processor. The Protect Plus BAA, per the collateral and the partner training session I sat in on May 22, expands the scope to cover the LLM inference path, the embedding model, and the third-party reranker as a single contractual surface, with the sub-processor list named explicitly in the agreement rather than incorporated by reference. For healthcare buyers — particularly hospital systems on Epic in states with their own health-data localization rules layered on top of HIPAA — this is the change that moves Glean from "we'll get the BAA negotiated, give it ten weeks" to "the BAA scope works as written, we can sign on the standard form." That's a real procurement-cycle compression and worth the SKU upgrade on its own for healthcare buyers under timeline pressure.

FFIEC and SR 11-7. For financial-services buyers under the FFIEC IT Examination Handbook and SR 11-7 model-risk-management guidance, the relevant artifact is the per-call evidence that proves which underlying tool was invoked and what was returned. Protect Plus produces most of that artifact. The piece it doesn't yet produce in a clean form is the model-risk classification — what tier of model risk was attached to the specific call. Banks I've talked to are reading this as "good enough to clear the third-party governance committee, still requires a custom mapping for SR 11-7 documentation."

Editorial alignment grid: Glean Protect Plus controls plotted against ISO/IEC 42001 and NIST AI RMF requirement categories — eight rows covering audit trails, data residency, PII redaction, model output review, access provisioning, BAA scope, incident response, change management, with green/ochre/red status per cell.

Three procurement questions to ask before signing

For procurement teams running a Protect Plus evaluation right now, three questions surface the gaps before the contract closes.

One. "Show me the full audit event schema, in writing, including which fields are guaranteed populated and which are best-effort." The base SKU sheet leans on summary language. The actual schema is what your SIEM team will ingest. Get it in the order form annexes, not the marketing one-pager.

Two. "Walk me through the BAA scope clause-by-clause, and name the sub-processors that fall inside and outside the expanded scope." Protect Plus expands the BAA, but expansion is not the same as comprehensive coverage. There are still third-party services in the Glean stack — content extractors, OCR providers, specific model endpoints — that may or may not be inside the new scope. Read the redlines, not the headline.

Three. "If we leave Glean, what do we get for the audit history and the configured policies, in what format, on what timeline?" Protect Plus pricing makes the egress question more expensive to get wrong. A seven-year audit retention that you cannot export in a structured form at exit is a seven-year audit retention that lives at Glean, not at you. Get the export commitment in writing, with a defined SLA and a structured-format guarantee.

The three questions also work as a quick test of whether you're talking to a Glean rep who's seen real procurement reviews or one who's working from the marketing kit. The good ones will answer all three on the call. The others will need a week.

How a Jarvis-class governed layer compares

Disclosure stands. Read this section knowing the bias is in the byline.

Jarvis Registry, ASCENDING's governed-AI platform, ships its governance surface as the base architecture rather than as a paid tier. The per-call audit emitted by the MCP Gateway carries the policy snapshot, the resource indicator (RFC 8707, mandatory in MCP since March 15, 2026), the tool version, the requesting agent identity, and the redaction trace as a single structured event. Customer-managed keys for the audit store are standard, not premium. The BAA scope covers the gateway, the agent, and the embedding path under one ASCENDING agreement.

Where Glean's Protect Plus is genuinely competitive: the connector breadth. Glean's connector catalog is one of the broadest in the segment, and Protect Plus does extend governance evenly across that catalog. If your stack is mostly the SaaS sources Glean has spent years indexing — Confluence, SharePoint, Slack, Salesforce, Jira, Google Drive — Protect Plus on Glean is a smaller integration project than building from a registry-and-gateway base.

Where the comparison turns on architecture: the inventory clause of ISO/IEC 42001 maps onto Jarvis Registry directly — every registered agent and MCP server has an owner, lifecycle state, risk class, and change history as platform-emitted artifacts. Protect Plus does not yet produce that artifact, regardless of tier. For a buyer whose compliance program treats the inventory clause as load-bearing, that's a structural difference, not a feature gap.

The honest pitch is procedural, not absolute. If your governance program treats per-call protocol-layer audit and platform-emitted inventory as the table stakes, evaluate a registry-and-gateway architecture. If your program treats per-Skill application-layer audit and a strong BAA as sufficient, Protect Plus closes most of the gap for you. Both can be the right answer; the one that's wrong is buying Protect Plus expecting protocol-layer audit and finding application-layer audit when the auditor arrives.

For the broader governance pillar (what an enterprise AI governance program actually looks like end to end) see the AI governance field guide. For the regulated-industries shortlist that compares Glean, Microsoft 365 Copilot in GCC High, and Jarvis Registry on FedRAMP, HIPAA, and FFIEC axes, see Glean alternatives for regulated industries. For the pricing math on Protect Plus inside the broader Glean total cost of ownership picture, including base seat around $45-50, agentic add-on around $15, Protect Plus layered on top, and three-year TCO landing around $350K-480K for a 500-seat deployment, see Glean pricing alternatives.

FAQ

Is Protect Plus required for HIPAA-covered workloads? Practically, yes. The base BAA covers data at rest and a defined sub-processor set. The Protect Plus BAA covers the inference and embedding path under a single contractual surface, which is the version most hospital systems will require. You can run base-tier Glean with a heavily-negotiated BAA addendum, but the negotiation typically lands you in Protect Plus territory on price anyway.

Does Protect Plus enforce RFC 8707 resource indicators? Not at the protocol layer, as of the May 2026 collateral. The audit captures retrieval-tool invocations with policy version, but the token-resource binding that RFC 8707 mandates in MCP since March 15, 2026 is not enforced as a gateway-layer control in Glean's architecture. For buyers whose audit regime treats spec compliance as load-bearing, this is a gap to size.

Can the per-Skill audit be exported in a structured format for our SIEM? The collateral says yes; ask for the schema in writing and confirm the export cadence. We've seen "structured export" interpreted as nightly CSV in one Glean account and as a streaming JSON event source in another. Both are useful; they are not the same artifact.
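The check a SIEM team would run on the export is the same one question one above asks the vendor to answer in writing: which per-call fields are populated in every event, which only sometimes, and which not at all. The script below is an added example, not Glean's or ASCENDING's code. It ingests two constructed export shapes of the kind described here (a nightly CSV drop and a streaming JSON-lines feed), normalizes them, and reports coverage for the fields the article says the Protect Plus schema captures (Skill, reasoning step, tool invoked, policy version, redactions) alongside the two it says are missing (rejected planner options, tool catalog snapshot). The field names and sample records are assumptions for illustration; the real schema has to come from the order form annex.

```python
"""Coverage check for a per-call audit export (added example; field names assumed)."""
import csv
import io
import json

# Per-call fields the article says the Protect Plus event schema captures.
# Names are assumptions for this example, not the vendor's published schema.
CAPTURED_FIELDS = ("skill_id", "reasoning_step", "tool_invoked",
                   "policy_version", "redactions")
# Fields the article says are not yet captured; tracked so the gap shows up explicitly.
GAP_FIELDS = ("rejected_planner_options", "tool_catalog_snapshot")
ALL_FIELDS = CAPTURED_FIELDS + GAP_FIELDS

# Constructed sample: a streaming JSON-lines export. The third event has no policy_version.
SAMPLE_JSONL = """
{"ts":"2026-05-22T14:03:11Z","session_id":"s-1","skill_id":"summarize-ticket","reasoning_step":1,"tool_invoked":"jira.search","policy_version":"pol-17","redactions":["PHI"]}
{"ts":"2026-05-22T14:03:12Z","session_id":"s-1","skill_id":"summarize-ticket","reasoning_step":2,"tool_invoked":"confluence.get","policy_version":"pol-17","redactions":[]}
{"ts":"2026-05-22T14:05:40Z","session_id":"s-2","skill_id":"draft-reply","reasoning_step":1,"tool_invoked":"gmail.search","redactions":["PII"]}
"""

# Constructed sample: the same kind of records delivered as a nightly CSV drop.
SAMPLE_CSV = """ts,session_id,skill_id,reasoning_step,tool_invoked,policy_version,redactions
2026-05-22T14:03:11Z,s-1,summarize-ticket,1,jira.search,pol-17,PHI
2026-05-22T14:03:12Z,s-1,summarize-ticket,2,confluence.get,pol-17,
"""


def parse_jsonl(text):
    """One JSON object per line. A key that is present, even with an empty list,
    counts as recorded: 'no redactions applied' is itself evidence."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def parse_csv(text):
    """A flat CSV cannot distinguish 'field not recorded' from 'recorded as empty',
    so an empty cell is read as absent (the conservative reading for an auditor).
    Values stay as strings; presence is what this check measures, not type."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ev = {k: (v if v not in ("", None) else None) for k, v in row.items()}
        if ev.get("redactions") is not None:
            ev["redactions"] = ev["redactions"].split(";")  # assumed ';'-joined data classes
        events.append(ev)
    return events


def normalize(event):
    """Project any export shape onto the audited fields; a missing key becomes None."""
    return {f: event.get(f) for f in ALL_FIELDS}


def coverage(events):
    """Fraction of events in which each audited field is recorded, keyed by field."""
    norm = [normalize(e) for e in events]
    n = len(norm)
    return {f: (sum(1 for e in norm if e[f] is not None) / n if n else 0.0)
            for f in ALL_FIELDS}


def gap_report(events):
    """Classify fields the way the procurement question asks the vendor to:
    guaranteed (every event), best-effort (some events), absent (no events)."""
    report = {"guaranteed": [], "best_effort": [], "absent": []}
    for field, frac in coverage(events).items():
        if frac == 1.0:
            report["guaranteed"].append(field)
        elif frac > 0.0:
            report["best_effort"].append(field)
        else:
            report["absent"].append(field)
    return report


if __name__ == "__main__":
    stream = parse_jsonl(SAMPLE_JSONL)
    nightly = parse_csv(SAMPLE_CSV)
    print("JSON stream coverage:", coverage(stream))
    print("CSV drop coverage:   ", coverage(nightly))
    print("Combined gap report: ", gap_report(stream + nightly))
```

Run against the two constructed samples, the JSON stream reports redactions as recorded in every event while the CSV drop reports it in only half, for the same underlying activity: that difference is the "nightly CSV versus streaming JSON" distinction in practice, and it is why the export format belongs in the contract annex rather than in a verbal assurance. The two gap fields land in the absent bucket regardless of format, which is the shape of the evidence to bring to an SR 11-7 or Annex IV conversation.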

Does Protect Plus include FedRAMP authorization? No. Glean is not FedRAMP High authorized at the time of writing, and Protect Plus does not change that status. Federal and IC workloads that require FedRAMP High should evaluate Microsoft 365 Copilot in GCC High or an AWS GovCloud-hosted alternative; Protect Plus is a commercial-tier governance SKU, not a public-sector authorization.

What's the realistic price uplift for Protect Plus on a 500-seat deployment? Per published commentary and our customer conversations in May 2026, Protect Plus lands in the range of $8-12 per seat per month on top of the base $45-50 and the $15 agentic add-on. On a 500-seat deployment, that's roughly $48K-72K annually, before the standard 10% support fee. For the full pricing breakdown including the 7-12% renewal escalator and the comparison to Jarvis Registry's marketplace tiers, see Glean pricing alternatives.


About ASCENDING

ASCENDING is an AWS Advanced Consulting Partner founded in 2018 in Fairfax, Virginia. We build Jarvis AI Agent, a governance-first, MCP-native agent platform, and we work with regulated buyers on FedRAMP, HIPAA, FFIEC, and ISO/IEC 42001 alignment. If you want to test Protect Plus against your specific audit posture, talk to us — we'll tell you when Glean is the right answer.