Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Runtime Governance

Pattern

A reusable solution you can apply to your work.

Move every policy decision onto the action path itself, where each tool call, model call, and state change is intercepted at machine speed and ruled allow, throttle, sandbox, escalate, or block before it reaches the world.

Understand This First

  • Approval Policy — the menu of what an agent may attempt at all; runtime governance enforces that menu in the moment.
  • Bounded Autonomy — the consequence tiers; runtime governance is how the tiers are enforced in production.
  • Agent Gateway — the architectural surface where most on-path enforcement lives.
  • Permission Classifier — one specific mechanism the discipline uses for its decisions.

Context

You have agents in production. You did the responsible work up front: an approval policy was written, bounded-autonomy tiers were chosen, the security team signed off, and a quarterly governance review is on the calendar. Then an incident happens at 2 a.m. on a Tuesday. An agent does something every reviewer would have blocked if asked. The credential check passed. The policy existed on a wiki page. The reviewer who would have caught it was asleep. By the time the morning standup hears about it, the action has already happened a hundred times.

This is not a story about a missing rule. It’s a story about where the rule lives. The policy was real, and it would have caught the call. It just wasn’t anywhere on the path the agent took to reach the world.

This pattern is the architectural answer to that gap. It belongs to teams whose agents are past prototyping: fleets of one-to-many agents with credentials, tool access, and the latitude to act between human reviews.

Problem

Traditional governance assumes humans operate the controls. Design reviews, pre-deployment risk assessments, periodic audits, role-based access policies set at provisioning time, alert thresholds tuned to a SOC analyst’s reading speed: all of it was built for a world where decisions arrive in minutes and humans can deliberate. Agents don’t ship at that tempo. A capable agent fires hundreds of tool calls per minute. By the time an alert reaches a human reviewer, the decision was made dozens of times and the side effects are already on disk, in the database, on the network.

The two timescales don’t coexist. A governance regime that operates at human speed cannot inspect, decide on, or block an action that has already happened a hundred times before a reviewer reads the first alert. Worse, it produces a confidence illusion: the team feels governed because the policy exists, but no enforcement actually runs on the action path. The policy is performance art; the agent is doing what it likes.

Patching credentials doesn’t close the gap. A credential is a static grant: you have it or you don’t, all the time. Runtime context is not static. The same payment authority that’s correct on a Tuesday morning is wrong when triggered by an injected instruction in a vendor invoice on a Friday night. Governance has to make decisions where the action happens, not in front of it and not behind it.

Forces

  • Speed of decision vs. depth of evaluation. Faster classifiers are simpler; deeper checks add latency on a path that’s already slow.
  • Where the policy lives. Inside the agent, beside it as a sidecar, in a centralized gateway, or at the tool boundary. Each location trades coverage against blast radius.
  • Static rules vs. learned classifiers. Code is auditable and predictable; classifiers handle the long tail of context. Most teams need both.
  • Default-deny vs. default-allow. Default-deny breaks new flows the moment they ship; default-allow leaks until someone notices.
  • Inspectability of decisions. Every block, throttle, or escalation must be debuggable, or the team will quietly turn enforcement off.

Solution

Move the policy decision onto the action path itself. Every tool call, model call, network request, and state mutation the agent attempts is intercepted at sub-millisecond latency by a governance layer that returns one of five verdicts:

  1. Allow. The action proceeds as requested. The decision is logged with its identity, scope, and reason.
  2. Throttle. The action is rate-limited per agent, per tool, per agent-times-tool, or per time window. Excess attempts wait or fail with a deferred-retry signal.
  3. Sandbox. The action runs inside a constrained execution environment: read-only database replica, ephemeral filesystem, network egress denied, query budget capped.
  4. Escalate. The action is paused and queued for a human (or a higher-trust agent) to confirm before it proceeds.
  5. Block. The action is denied, the agent is told why, and the attempt is logged as a security event.

The decision is made at the moment of action, not before deployment and not after the fact. The policy lives outside the agent (in the Agent Gateway, in a sidecar, in a service mesh, or in the harness), so the agent decides what to attempt but does not decide what it is allowed to do. That decision belongs to a layer the agent does not control.

The discipline is framework-agnostic. It works whether the agent runs on a hosted platform, a custom harness, an open-source framework, or a one-off Python script, because it intercepts outputs, not internals. The interception point is the boundary between the agent’s process and everything else.

The architectural lineage is older than agentic computing. Operating systems solved untrusted-process governance decades ago with privilege rings and process isolation. The service-mesh era extended the same idea to microservice traffic via mTLS, identity propagation, and per-call authorization on the wire. Site reliability engineering brought SLOs and circuit breakers, runtime guardrails for distributed systems that were drifting too fast for after-the-fact review. Runtime governance is the same shape applied to a new participant. What’s new isn’t the architecture. What’s new is that the participant inside the boundary is a probabilistic reasoner that can be talked into trying things its developer never anticipated.

A useful way to remember the discipline: credentials describe potential; runtime governance describes permission.

How It Plays Out

A finance-domain agent has credentials to call the payments tool because its job requires it. A prompt-injection attack in a vendor invoice convinces the agent to issue a $48,000 payment to a previously unseen counterparty. Pre-deployment governance had cleared the agent’s credentials. The quarterly audit would have surfaced the anomaly six weeks later. Runtime governance catches it in 0.4 milliseconds: the policy engine sees a payment to an off-allowlist counterparty, returns Block, and pages the on-call security engineer. The agent is told why and continues with the rest of its work. The credential was never wrong. The runtime check asked the right question at the right moment.

A research agent kicks off a parallel-search loop that, due to a prompt regression, calls the search tool 4,800 times in three minutes against a budget of 600 per hour. Without runtime throttling, the team learns about the overage from the next day’s bill. With runtime throttling, the 601st call returns Throttle; the agent receives a deferred-retry signal; the budget stays flat; the agent’s logs read “search throttled” instead of “search succeeded 4,800 times.” Throttling doesn’t repair the prompt regression. It just makes a quiet bug noisy at the exact moment the bug starts costing money, which is enough to get someone looking at it before the bill arrives.

A platform team migrates from after-the-fact audit to on-path enforcement. Their previous incident reports show a 14-hour mean time to detect agent misbehavior and a 38-hour mean time to remediate, slow enough that one bad day takes the team out of feature work for a sprint. They deploy a policy engine alongside their existing Agent Gateway, accept the sub-millisecond latency tax on every call, and watch detection drop to seconds and remediation drop to minutes. The system gained operational complexity, no question — a new component with its own failure modes, its own debugging story, its own paging schedule. What it bought is the only thing that mattered: enforcement that runs on the same clock as the agent.

Tip

Treat policy as code. It needs version control, code review, CI, and the same staged-rollout pipeline you use for application code. New policy lands in shadow mode first (logged but not enforced) for long enough that the team can see what it would have blocked. Only then is it flipped to enforce. Skipping shadow mode is the most common way runtime governance breaks production.

Where It Breaks

  • Latency tax. Every action takes the policy hop. Mitigate by keeping the policy engine local to the agent (sidecar or in-process), caching stable authorization decisions for the duration of a session, and separating fast-path policy from slow-path deep inspection.
  • Policy lag. Reality moves faster than the policy code. Mitigate by treating policy as code with CI, by shipping policy through a staged rollout, and by running new policy in shadow mode before flipping to enforce.
  • Single point of failure. If the policy engine is down, no agent can act. Mitigate with a highly available deployment, an explicit fallback policy chosen per environment, and health-checked failover.
  • Black-box decisions. If the policy engine denies an action without a reason the agent and the human can read, debugging becomes impossible and the team will quietly turn enforcement off. Every decision must carry a reason code, and reason codes must be first-class observability events.
  • Coverage gaps. If the agent has any path to the world that doesn’t traverse the policy layer, the discipline fails silently. Mitigate by enforcing that all outbound traffic goes through the gateway and denying direct egress at the network layer.
  • Defense replaced by it. “The policy will catch it” is the failure mode that kills Least Privilege discipline. Runtime governance is defense in depth, not the only defense. Credentials still grant the smallest set of authorities. The classifier still pre-filters obvious bad calls. The policy engine is the layer above those, not their replacement.
  • Policy as theater. A policy engine deployed but never enforced is worse than no engine at all because it gives the team a confidence illusion. The cure is a regular drill: every quarter, pick a known-bad action, attempt it from an agent, and confirm the engine returns Block. If it doesn’t, the discipline isn’t real.

Consequences

The wins are concrete. The speed gap closes. Incidents that would have taken hours to detect are blocked or escalated in milliseconds. Audit logs become continuous and machine-queryable. The five enforcement actions give the whole team a small, learnable vocabulary for reasoning about agent behavior in production.

The costs are real and ongoing. Every action takes a policy hop, with the latency, infrastructure, and operational burden that implies. Policy code is now first-class engineering work with its own lifecycle, its own bugs, and its own blast radius. An incident in the policy engine becomes an incident across every agent at once. The team has to learn to debug across the action, policy, and decision boundary, which is a different skill from debugging the agent or debugging the tool.

There’s a category of failure worth naming up front. The most expensive way to adopt runtime governance is to install a policy engine, configure it with a couple of obvious rules, declare victory, and stop. Three months later the team is convinced they’re governed because the engine is running. Nobody has actually tested whether the engine would block a real attack. That confidence illusion is more dangerous than no policy engine at all, because it eats the budget that would otherwise have gone to real defense. The cure is the same as for any other production system: tests, drills, and the assumption that if you didn’t watch it work, it didn’t work.

Note
ComplementsEvalEval measures the outcomes of governed runs; runtime governance shapes the boundary within which those runs happen.
ComplementsLeast PrivilegeLeast privilege constrains what an agent's credentials grant; runtime governance constrains what its credentials may invoke right now.
ComplementsObservabilityEvery runtime decision (allow, throttle, sandbox, escalate, block) is an observability event; the two patterns share the data plane.
ComplementsSteering LoopThe steering loop adjusts the agent's behavior over time; runtime governance bounds what each individual step is allowed to do.
Depends onAgent RegistryRuntime decisions resolve agent identity against the registry to know which policies apply to each call.
EnablesHuman in the LoopEscalation is the runtime decision that hands an action to a human; on-path enforcement is what keeps the queue sized for human attention.
EnforcesApproval PolicyApproval policy defines which actions are allowed in principle; runtime governance is the discipline of enforcing that menu on the action path itself.
EnforcesBounded AutonomyBounded autonomy names the consequence tiers; runtime governance is how the tiers are enforced in production.
EnforcesTrust BoundaryEach runtime decision happens at a trust boundary; this pattern names how the boundary is defended in real time.
Implemented byAgent GatewayThe agent gateway is the architectural surface where most runtime governance enforcement lives.
PreventsApproval FatigueRouting the long tail of safe actions on-path keeps the human queue small enough that humans actually read what reaches them.
Refined byPermission ClassifierA permission classifier is one specific mechanism the discipline uses to make the on-path decision.
UsesDelegation ChainA runtime check must walk the delegation chain to know whose authority is actually behind the call.

Sources

The discipline of moving policy onto the action path emerged across vendor and academic work during 2025 and 2026 as agent fleets started running into the speed gap in production. Multiple independent treatments converged on the same name. Oracle’s cloud architecture team published Runtime Governance for Enterprise Agentic AI, framing policy enforcement, identity binding, budget guardrails, and evidence-driven execution as one continuous control plane. Microsoft’s security blog published Authorization and Governance for AI Agents: Runtime Authorization Beyond Identity at Scale, arguing that OAuth and API permissions answer “can the agent call this?” but not “should the agent execute this under business policy?” The piece proposes a Policy Enforcement Point + Policy Decision Point pattern as the answer. Microsoft Open Source then released the Agent Governance Toolkit, an MIT-licensed reference implementation with sub-millisecond p99 enforcement latency as its design target and the OWASP Agentic Top 10 as its coverage map. Prefactor’s What is Runtime Governance for AI Agents? sits alongside these as the practitioner-facing definition. The naming is settled across vendors; the implementations are still in flux.

The architectural lineage runs through several earlier disciplines. Mark S. Miller’s Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control (2006 PhD thesis) developed the case that authority should be granted at the moment of action, not as a static property of an identity. Runtime governance carries that argument forward into agent execution: credentials describe potential, runtime policy describes permission at the call site.

The arXiv preprint Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents (Mar 2026) gives the academic framing of a pre-action authorization layer between the agent’s decision and the system’s execution, proposing the Open Agent Passport specification: synchronous interception, declarative policy evaluation, and a cryptographically signed audit record per call. The five-verdict vocabulary in this article is a synthesis from that line of work and from the practitioner literature.

OWASP’s Top 10 for Large Language Model Applications names excessive agency as one of the canonical failure modes of agent deployments. Runtime governance is the architectural answer: a checkpoint on the action path that can deny calls a credential would otherwise have permitted.

The “policy on the action path” framing has a sibling in the service-mesh literature, where mTLS, identity propagation, and per-call authorization were established a decade earlier for microservice traffic. The agent case inherits the architecture and adds the new requirement that the participant on the inside of the boundary may have been talked into something its operator never authorized.

Further Reading