We published a position paper today: Runtime Governance for AI Agents: Policies on Paths, co-authored with Javed and Andriy.

The paper tries to make precise something we keep running into in conversations with CISOs, compliance officers, and enterprise architects: the governance tools available today don’t actually work for agents.

The core argument

A database read is fine. A database read followed by an external email is a potential exfiltration event. No inspection of either step alone tells you that.

Agents behave as sequences of decisions. The violation is often invisible until you look at two steps together. This means the right object for governance is the execution path — not the individual action.

We formalize this as a policy function that maps (agent identity, partial execution path, proposed next action, shared organizational state) → a violation probability. We then show that:

  • Prompt-level instructions aren’t even an instance of this — they shift the distribution over paths but don’t evaluate them
  • Access control is a degenerate special case — it ignores path entirely
  • Runtime path evaluation is the general case
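To make the distinction concrete, here is a small added illustration (not code from the paper) of the policy function's signature: an access-control policy that scores each action on its own, beside a path-aware policy that scores the same action given the partial path. The agent name, ACL, domains, tables and the 0.9 risk score are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence

@dataclass(frozen=True)
class Action:
    kind: str    # e.g. "db.read", "email.send"
    target: str  # table name for reads, recipient address for sends

@dataclass(frozen=True)
class OrgState:
    internal_domains: frozenset  # shared organizational state
    sensitive_tables: frozenset

# Constructed sample state and ACL; all names here are assumptions.
STATE = OrgState(frozenset({"corp.example"}), frozenset({"customers"}))
ACL = {"sales-agent": frozenset({"db.read", "email.send"})}
SAMPLE_PATH = [Action("db.read", "customers"),
               Action("email.send", "someone@outside.example")]

Policy = Callable[[str, Sequence[Action], Action, OrgState], float]

def access_control(agent: str, path: Sequence[Action], action: Action, state: OrgState) -> float:
    """Degenerate case: only (agent, action) matters; the path is ignored entirely."""
    return 0.0 if action.kind in ACL.get(agent, frozenset()) else 1.0

def is_external(recipient: str, state: OrgState) -> bool:
    return recipient.rsplit("@", 1)[-1].lower() not in state.internal_domains

def path_policy(agent: str, path: Sequence[Action], action: Action, state: OrgState) -> float:
    """General case: violation probability for the proposed action given the path so far."""
    p = access_control(agent, path, action, state)
    if action.kind == "email.send" and is_external(action.target, state):
        read_sensitive = any(a.kind == "db.read" and a.target in state.sensitive_tables
                             for a in path)
        if read_sensitive:
            p = max(p, 0.9)  # assumed score for the read-then-external-send pattern
    return p

def first_blocked_step(policy: Policy, agent: str, steps: Sequence[Action],
                       state: OrgState, threshold: float = 0.5) -> Optional[int]:
    """Replay `steps` through `policy`; return the index of the first step that would be
    blocked at `threshold`, or None if the whole path is allowed."""
    path: list[Action] = []
    for i, step in enumerate(steps):
        if policy(agent, path, step, state) >= threshold:
            return i
        path.append(step)
    return None
```

Run against SAMPLE_PATH, access_control allows both steps while path_policy blocks the external send at step 1; an internal send after the same read, or an external send with no prior sensitive read, passes.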

What’s in the paper

From there: a fleet-level governance objective (maximize task utility, subject to a risk budget), a reference architecture, concrete policy examples drawn from the EU AI Act, and a list of open problems we don’t pretend to have solved — risk calibration, strategic circumvention, behavioral drift across multi-agent systems.

This is a position paper, not a product pitch. We wrote it because the field needs a shared vocabulary for what “governing an agent” actually means. August 2026 — when EU AI Act enforcement begins for high-risk systems — is closer than it looks.

If you’re working on agent deployment, compliance infrastructure, or AI governance research, we’d genuinely appreciate your reaction. It’s a starting point for conversation, not a final word.

Read the paper on arXiv →