Governance
Who decides what agents may do, and who owns the outcome.
The governance gap Organizations are deploying first and governing later, or not governing at all. The gap is not closing; it is widening. The governance architecture Four interlocking systems (structure, identity, oversight, runtime) that must align. The Agentic Blame Loop lives in the gaps. Agent identity Every agent as a first-class identity with its own lifecycle, scoped permissions and audit trail. Most enterprises bypassed all of it. Oversight models HITL, HOTL and governed autonomy, calibrated to reversibility and impact. Beware the rubber stamp and the blame loop. Guardrails The fences inside the wrapper: technical and organizational controls on what an agent may decide, access and execute. The regulatory context 2026 is the year enforcement begins. Internal governance done right is the most efficient path to compliance. NIST AI RMF The pragmatic US framework for AI risk. One framework done well buys multi-jurisdictional alignment largely for free. ISO/IEC 42001 The certifiable AI management system standard. What ISO 27001 is for information security, 42001 is for AI governance. AIUC-1 The first certifiable standard designed specifically for AI agents. Close to 50 threat-specific controls across six domains.