AI Governance · Agent Policy · Runtime Accountability

Governance Frameworks Are Missing the Runtime Layer

The WEF, Singapore's IMDA, and NIST all published frameworks this year for governing AI agents. They classify agents by role, autonomy, predictability, and context. None of them say anything about what happens when an agent's context changes mid-task — which is when the governance properties they measure may no longer hold.

What the frameworks cover

Three major governance frameworks for AI agents have landed in the first quarter of 2026. The World Economic Forum published "AI Agents in Action" in collaboration with Capgemini, offering a functional classification that spans role, autonomy, predictability, and context. Singapore's Infocomm Media Development Authority released a Model AI Governance Framework for Agentic AI, mapping the risk landscape for enterprise deployment. NIST's Center for AI Standards and Innovation launched the AI Agent Standards Initiative in February, with a particular focus on identity and authorization for agents operating within enterprise environments.

These frameworks represent serious institutional effort. They move beyond generic AI safety principles toward operationally specific guidance about how to classify, deploy, and constrain AI agents. The IMDA framework in particular provides structured guidance for organizations adopting agentic AI — whether building agents in-house or using third-party systems. The NIST initiative builds on existing work in AI risk management and zero trust architecture.

All three frameworks share the same gap. Every classification in every framework is made at a point in time: configuration, deployment, or initial assessment. None of them say anything about what happens to those classifications during execution.

What changes at runtime

When an AI agent operates over a long task, several things can change its effective behavior profile in ways that are not visible to any current governance framework:

  • Context window saturation: As the agent's active context fills, earlier instructions, constraints, and role boundaries get summarized, truncated, or displaced. The agent may continue operating under a different effective set of constraints than the ones it was authorized with.
  • Memory retrieval failure: Agents that rely on external memory stores may retrieve different information over the course of a task as the query changes. Relevant safety context may stop being retrieved.
  • Tool access drift: In multi-agent orchestration, the set of tools available to an agent can change between steps, shifting its effective capability profile without any re-authorization event.

In each case, the governance classification that was made at deployment — this agent has low autonomy, this agent operates within a defined role scope, this agent's behavior is predictable — may no longer accurately describe the agent's operational state. But no current framework has a mechanism to detect or respond to this shift.

The authorization layer problem is adjacent but different

The NIST NCCoE's February 2026 concept paper on AI agent identity and authorization focuses on what agents are permitted to do: credential management, capability grants, policy enforcement at the language-to-action boundary. That is necessary work. But authorization is about pre-execution access control — what the agent is allowed to do before it acts.

Runtime behavioral monitoring is about what the agent actually does during execution relative to what it was supposed to do — and whether the two remain consistent as the task progresses. You can have a perfectly well-authorized agent that drifts behaviorally mid-task in ways that violate the intent of the authorization without ever triggering an access control violation.

An earlier piece here argued that the authorization stack is missing two layers: intent conveyance (did the principal actually specify what they want, not just what they permit) and behavioral continuity (does the agent remain consistent with that specification as the task runs). The governance frameworks published so far address neither of these layers.

What a runtime layer would look like

A governance framework with a runtime layer would need at minimum:

  • Behavioral baseline capture: a snapshot of the agent's effective behavioral profile at task initialization — including active constraints, role scope, and tool access — against which runtime state can be compared.
  • Context boundary detection: an event model for when significant context changes occur during execution, triggering a comparison against the captured baseline.
  • Drift threshold and response: a policy for how much behavioral divergence from the initialization baseline is acceptable before a governance response is triggered — pause, re-authorize, alert, or terminate.

None of this is technically intractable. The trace-based assurance framework proposed by Paduraru et al. (arXiv:2603.18096) gets partway there with Message-Action Trace contracts that can detect explicit contract violations. What it doesn't address — and what the governance frameworks also miss — is drift that doesn't violate any explicit contract but still represents a meaningful deviation from the agent's initialized behavioral state.
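The three components listed above can be sketched as one small monitor. This is an added example, not code from any of the frameworks or papers cited here. The event names, the `Profile` fields, the 0.5 threshold and the response ordering are all assumptions, and extracting the agent's current profile from its live context is taken as given. No step in the constructed trace triggers an access-control violation; the drift is visible only by comparing against the baseline.

```python
from dataclasses import dataclass
from enum import Enum

Response = Enum("Response", "CONTINUE ALERT PAUSE REAUTHORIZE TERMINATE")
BOUNDARY_EVENTS = {"context_compacted", "memory_retrieved", "toolset_changed"}  # hypothetical names

@dataclass(frozen=True)
class Profile:
    constraints: frozenset  # constraints still present in the active context
    role_scope: frozenset   # task categories the agent is acting within
    tools: frozenset        # tools callable at this step

def drift(base: Profile, now: Profile) -> dict:
    """Per-dimension divergence from the initialization baseline."""
    return {"lost_constraints": base.constraints - now.constraints,
            "scope_expansion": now.role_scope - base.role_scope,
            "gained_tools": now.tools - base.tools}

class RuntimeMonitor:
    def __init__(self, baseline: Profile, max_lost_fraction: float = 0.5):
        self.baseline, self.max_lost = baseline, max_lost_fraction  # threshold is an assumption

    def on_event(self, kind: str, now: Profile) -> Response:
        if kind not in BOUNDARY_EVENTS:       # only re-check at context boundaries
            return Response.CONTINUE
        d = drift(self.baseline, now)
        grew = bool(d["gained_tools"] or d["scope_expansion"])
        lost, total = len(d["lost_constraints"]), len(self.baseline.constraints)
        if grew and lost:                     # more capability, fewer constraints
            return Response.TERMINATE
        if grew:                              # capability changed with no re-authorization
            return Response.REAUTHORIZE
        if total and lost / total > self.max_lost:   # most constraints displaced
            return Response.PAUSE
        return Response.ALERT if lost else Response.CONTINUE

def run_constructed_trace() -> list:
    """Constructed sample task; every value below is illustrative."""
    c = ["no external email", "prod db is read-only", "escalate refunds over 500"]
    base = Profile(frozenset(c), frozenset({"support_triage"}),
                   frozenset({"search_kb", "read_ticket"}))
    p = lambda cons, tools=base.tools: Profile(frozenset(cons), base.role_scope, frozenset(tools))
    trace = [("tool_call", p(c)),                           # not a boundary event
             ("context_compacted", p(c[:2])),               # 1 of 3 constraints lost
             ("context_compacted", p(c[:1])),               # 2 of 3 constraints lost
             ("toolset_changed", p(c, base.tools | {"send_email"})),
             ("toolset_changed", p(c[:2], base.tools | {"send_email"}))]
    mon = RuntimeMonitor(base)
    return [mon.on_event(kind, prof).name for kind, prof in trace]
```
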

Why this matters for institutional adoption

The organizations that will actually use these governance frameworks — enterprises deploying agents for multi-step workflows, regulated industries considering agentic automation, governments evaluating agent procurement — need accountability that holds across the full duration of a task, not just at configuration time.

A governance framework that classifies agents at deployment but says nothing about runtime behavioral continuity is a framework built for a world where tasks are short and context is stable. Long-horizon agents in production are neither.

The 2026 frameworks are real institutional progress. The runtime layer is the next version of that work.