"Governance" is quietly changing meaning in AI. Here is what's actually happening.

Governance in AI is shifting from committees and documentation toward runtime enforcement, and agentic systems are forcing it down to the moment of action.

Terry Nederveldessay
An engineer alone at a desk at night, calmly watching a live system in warm low light

In software, "governance" is quietly being stretched.

Classically, governance is the system of decision rights and accountability: who decides, who's responsible, what the policies are, and how you prove you followed them. Committees, approvals, documentation, audits. It answers who is allowed to decide what.

Increasingly, though, the word means something closer to operational controls: policy enforcement, telemetry, runtime permissions, audit logs, guardrails, and incident response. It's starting to answer what the system is actually allowed to do, right now, as it acts.

The word hasn't fully changed meaning. But the center of gravity has clearly moved.

The reason isn't that traditional governance failed. It's that traditional governance by itself is too slow and too static for agentic AI. Governance now needs teeth at runtime.

What changed

Older software governance leaned on relatively stable artifacts: architecture reviews, SDLC gates, change control, access reviews, data classification, model cards, risk assessments, audits.

With agents, the risky action often isn't known at design time. An agent decides which tool to call, what data to retrieve, which API to invoke, what to pass along, and whether to chain several actions together.

That's why recent vendor toolkits are framed as runtime governance. Microsoft's Agent Governance Toolkit evaluates tool calls, resource access, and inter-agent messages before execution, with allow/deny decisions and audit logs — described in its launch as bringing "runtime security governance" to autonomous agent systems. Google uses similar language, with Vertex AI Agent Builder touting "enhanced tool governance" over what agents can use and under what conditions.

Vendors are increasingly calling runtime enforcement a form of governance.

Why the old artifacts don't fit

Here's the deeper issue. Classical software is deterministic: same input, same output, every time. That determinism is why our governance artifacts worked. A Software Architecture Document, a C4 diagram, an SDLC gate — these capture a system whose behavior is fixed at design time. You document it once because it doesn't change when it runs.

AI breaks that assumption. Agents are non-deterministic and behavioral. The same prompt can produce different paths, different tool calls, different chains of action. The behavior emerges at runtime — it isn't fully specified anywhere in advance.

So a document describing what the system is supposed to do no longer describes what it actually does. You can't capture an agent in a C4 diagram, because the interesting part — which tools, in what order, with what data — isn't in the boxes and arrows. It's in the run.

The mistake is treating AI as just another kind of software. It isn't. It lives outside that box, and the governance built for the box doesn't stretch to fit it. That's not a tooling gap. It's a category difference — and it's the real reason governance is being forced down to runtime.

Where the standards agree

AI governance is becoming continuous, lifecycle-based, and evidence-producing — not just pre-deployment review.

NIST's AI Risk Management Framework is built around Govern, Map, Measure, and Manage, with governance applying across all stages. ISO/IEC 42001 defines an AI management system emphasizing implementation, maintenance, and continual improvement. The OECD's updated AI Principles frame AI around the full lifecycle, including operation, monitoring, and retirement.

Regulation pushes the same direction. The EU AI Act's post-market monitoring obligations require providers of high-risk systems to document monitoring proportionate to risk. That's not runtime blocking in the Microsoft sense, but it's part of the same shift — from one-time approval to ongoing operational assurance.

What the research is saying

The strongest emerging argument: agent governance must govern behavior paths, not just artifacts.

Runtime Governance for AI Agents: Policies on Paths argues the execution path is the central object for runtime governance. [1] It formalizes policies as functions over agent identity, partial execution path, proposed next action, and organizational state — because which tools get invoked, in what order, with what arguments, are runtime decisions, not fixed code paths.

"Governance-as-a-Service" proposes a policy-driven enforcement layer that governs agent outputs at runtime without modifying model logic or assuming agent cooperation. [2] MI9 argues pre-deployment governance alone can't anticipate agentic behavior, so real-time telemetry and continuous authorization monitoring are required. [3]

The point isn't that traditional governance is useless. It's subtler: static governance is necessary but insufficient.

The practical synthesis

A good mental model: governance decides what should be true. Runtime controls make it true — or at least observable — when the system acts.

Governance asks who owns this agent; runtime answers with an agent registry and owner metadata. Governance asks what it's allowed to do; runtime answers with scoped credentials and policy-as-code. Governance asks what data it can access; runtime answers with authorization and retrieval controls. Governance asks when a human must approve; runtime answers with approval gates. Governance asks how we prove compliance; runtime answers with audit logs and traces. Governance asks how we catch drift; runtime answers with monitoring and anomaly detection.

This is why "governance" now absorbs terms that used to live under security, platform engineering, SRE, compliance automation, and observability.

Is this just vendor rebranding?

Partly. "Governance" is now a market umbrella, and vendors are stuffing a lot under it. Some is sensible convergence. Some is label inflation.

A useful test:

  • Weak governance: a dashboard or policy doc with no enforcement path.
  • Strong governance: policies connected to identity, authorization, runtime enforcement, monitoring, evidence, escalation, and accountability.

The old version was institutional: committees, policies, approvals, audits. The new version is institutional plus operational: policy-as-code, runtime control, monitoring, evidence, intervention.

The best framing might be this: governance as an operating system, not a constitution alone.

The constitution still matters. But agents also need traffic lights, guardrails, black boxes, kill switches, and sometimes a very stern bouncer at the tool-call door.

Quick gut check for anyone running agents in production: if one of your agents went rogue at 2am — chained the wrong tool calls, touched data it shouldn't — would your "governance" stop it, or just document it afterward?

If the honest answer is "document it," we should ask why we still call that governance.

References

[1] Kaptein, Khan & Podstavnychy, Runtime Governance for AI Agents: Policies on Paths (2026) — https://arxiv.org/abs/2603.16586

[2] Governance-as-a-Service: A Multi-Agent Framework for AI System Compliance and Policy Enforcement (2025) — https://arxiv.org/abs/2508.18765

[3] MI9 – Agent Intelligence Protocol: Runtime Governance for Agentic AI Systems (2025) — https://arxiv.org/abs/2508.03858

  • AI Governance
  • Agentic AI
  • AI Agents
  • Runtime Security
  • Responsible AI