AI Security & Governance · Jun 2, 2026 · 6 min read

Frameworks Govern What Models Say. Almost Nothing Governs What Agents Do.

Three independent sources converged on the same diagnosis this week: the governance gap for AI agents is runtime authorization, not policy docs. 72% of orgs are already deploying agents.

By Springvanta

This week, three independent voices from three different corners of the AI industry said the same thing: the governance gap for AI agents isn't about what models say. It's about what agents do, and almost nothing controls that.

Alex Olivier at Cerbos published a post on June 1 that opens with a quote from Jonathan Care at KuppingerCole: "Frameworks govern what models say. Almost nothing governs what agents do." The same day, The Hacker News reported that someone stole OpenAI Codex authentication tokens through a malicious npm package. Two days earlier, the Futurum Group published survey data from 820 enterprise decision makers showing 55% of them rank agent reliability and hallucination management as their top challenge. 72% are already piloting or deploying agentic AI.

The adoption train has left the station. The governance controls haven't caught up.

The three layers nobody built

Olivier breaks the problem into three pieces. The first is identity. Most companies issue one long-lived API key for "the agent" and treat every instance as the same actor. That works until one agent spawns another, and you end up with a chain of actions you can't trace to a human. What should exist instead: short-lived credentials scoped to a single tool call, with each agent instance tied to a named human sponsor. If that person leaves the company, the agent stops running.

The second is audit. When an agent delegates to a sub-agent, standard audit logs break. They tell you a service account did something. They don't tell you which human authorized it, through which chain, for what purpose, or on what data. The chain of custody is missing, and it's more important than people give it credit for.

The third layer has no mature product category yet. Care calls it orchestration — the agent-to-agent and agent-to-tool boundary. Tool gating, inter-agent trust enforcement, fail-closed behavior when the policy engine goes down. Today this layer is whatever the agent framework happens to expose. Olivier's description stuck with me: "often the agent itself decides what tools it can call, which is the security model of asking a child whether they're allowed dessert."

The data layer, not the policy layer

Phillip Merrick, writing on Unite.AI, argues that governance conversations are stuck at the wrong level. Companies treat governance as a policy exercise run by legal and compliance, enforced through documentation and reviews. Necessary, but not enough. Governance becomes real when it's enforced at the system level — where data lives, gets accessed, and gets transformed.

His observation about agents is worth sitting with. A poorly governed query returns a bad answer. A poorly governed agent acts on that bad answer — updating records, triggering workflows, propagating decisions across systems before anyone notices. The failure mode changes completely when the thing making decisions runs autonomously across multiple systems.

He cites MIT's GenAI Divide report: 95% of enterprise AI pilots fail to deliver measurable business impact. The barrier isn't model capability. It's broken enterprise integration. Data quality and governance issues show up as the leading cause in 60-70% of failed projects.

Figure: Agent governance stack, showing where controls live today versus where they need to be.

What the enterprise numbers say

Futurum Group's survey of 820 organizations, fielded in the first half of 2026:

  • 72% are researching, piloting, or deploying agentic AI
  • 55% say agent reliability and hallucination management is their top challenge
  • 53% point to data privacy and security as the primary concern
  • 43% can't figure out how to measure business value from AI projects

Executives from Danone, Capital One, Warner Bros. Discovery, Ford Credit, and Gilead Sciences shared their approaches. Danone trained 90,000 employees in prompt engineering and safe agent interaction. Capital One and Ford Credit are running agents in controlled sandboxes before production.

Futurum's analysts note that sandboxes and early wins get you started but don't get you to production. Technical experimentation is now easier than proving sustained value. The organizations that pull ahead will make governance continuous, not a one-time approval gate.

The supply chain attack that illustrates the gap

On June 1, The Hacker News reported that OpenAI Codex authentication tokens were stolen through a malicious npm package called codexui-android. It posed as a remote web UI for Codex. It exfiltrated developer credentials.

This is the kind of attack a runtime policy layer would catch. If the tool-call boundary were gated by an external policy engine — one checking identity, context, scope, and authorization chain — a package trying to phone home with tokens would hit a deny rule before data left the machine.

Microsoft's Pete Bryan made a connected point at BlueHat on May 27, presenting a year of red teaming agentic AI systems. His finding: attacks have moved from compromising models directly to exploiting the systems around them. Goal hijacking. Session context contamination. Memory manipulation. Capability leakage. Supply chain risks. Small weaknesses across an agent's architecture chain into real damage. And traditional defenses fall short when they rely on probabilistic model behavior instead of deterministic enforcement.

What to actually do

Olivier's practical list:

Inventory your agents. Most companies don't know how many they already run. Security says "we don't use agents" while three product teams spin them up independently. Shadow AI moves faster than shadow IT ever did.

Sponsor every agent. Each agent needs a named human owner. If that person leaves, the agent stops. Governance and technical implementation, rolled into one.

Move policy out of the agent. Use a runtime policy engine that evaluates agent-to-tool calls externally. Prompt-level guardrails and system prompt instructions live inside the same probabilistic system you're constraining. Controls written by the thing you're controlling aren't controls.

Wire the audit chain. Every agent action should carry the human sponsor, the original purpose, and the policy decision that authorized it, all the way to the leaf tool call.

Test fail-closed behavior. If the policy engine is unreachable, does the agent proceed? If yes, the runtime fails open. That's the worst kind of defect in this layer.
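The list above (and the deny-rule scenario from the npm token theft section) can be sketched as a single external gate: an added example, not Cerbos's or any project's code, that assumes constructed sponsor and policy tables and a stand-in policy engine. Every tool call is checked outside the agent, denied when the sponsor is gone or the engine is unreachable, and recorded with a parent link so the chain of custody survives sub-agent delegation.

```python
"""Constructed example: runtime policy gate for agent-to-tool calls (not project code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: named human sponsors still employed, and per-tool scope rules.
ACTIVE_SPONSORS = {"alice@example.com"}
POLICIES = {
    "crm.update_record": lambda a: a.get("region") == "eu",
    # Outbound requests only to an allow-listed host; a package phoning home is denied.
    "http.post": lambda a: a.get("host") in {"api.internal.example"},
}

@dataclass
class Decision:
    allow: bool
    reason: str
    audit: dict                        # chain-of-custody record for this one call
    credential: Optional[dict] = None  # short-lived token scoped to this single tool call

class PolicyEngine:
    """Stand-in for an external policy decision point; reachable=False simulates an outage."""
    def __init__(self, reachable: bool = True):
        self.reachable = reachable
    def evaluate(self, tool: str, args: dict) -> bool:
        if not self.reachable:
            raise ConnectionError("policy engine unreachable")
        rule = POLICIES.get(tool)
        return bool(rule and rule(args))  # unknown tool -> default deny

def authorize_tool_call(engine, agent_id, sponsor, purpose, tool, args, parent=None) -> Decision:
    """Decide one tool call outside the agent and emit its audit record."""
    audit = {"id": secrets.token_hex(8), "parent": parent, "agent": agent_id,
             "sponsor": sponsor, "purpose": purpose, "tool": tool, "args": args,
             "ts": time.time(), "decision": "deny"}
    if sponsor not in ACTIVE_SPONSORS:          # sponsor left: the agent stops
        return Decision(False, "sponsor inactive", audit)
    try:
        allowed = engine.evaluate(tool, args)
    except ConnectionError:                     # fail closed, never open
        return Decision(False, "fail-closed: policy engine unreachable", audit)
    if not allowed:
        return Decision(False, "policy denied", audit)
    audit["decision"] = "allow"
    cred = {"token": secrets.token_urlsafe(16), "tool": tool,
            "audit_id": audit["id"], "expires": time.time() + 60}  # 60 s, one tool only
    return Decision(True, "allowed", audit, cred)
```

A sub-agent passes the parent call's audit id so each leaf call still resolves to the sponsor and purpose that started the chain.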

Why this week matters

The EU AI Act's high-risk obligations under Annex III were originally set for August 2026. The Commission's Digital Omnibus proposal pushed for deferral to December 2027, and Council and Parliament reached provisional agreement on that in early May. The date may slip. The architecture obligation won't.

Three independent threads — KuppingerCole's IAM framework, Cerbos's runtime policy architecture, and the CoSAI agentic IAM reference — converge on the same shape. Identity scoped per agent. Audit chains that survive delegation. A runtime policy plane that gates tool calls from outside the agent.

The category has been named. The implementations need to catch up.

For anyone running AI agents in production or planning to, the question isn't whether to add runtime governance. It's whether to build it before or after the first incident. The Cloud Security Alliance found two-thirds of organizations have already suffered a security incident tied to AI agent deployment. The "before" window is getting narrow.
