Co-authored by Josh Woodruff (MassiveScale.AI, CSAI) and Imran Siddique (Opaque Systems)
Key takeaways:
Governing AI agents takes composable layers: a framework that defines what to govern, a runtime that enforces it, and protocols that connect agents.
The Agent Governance Toolkit (AGT) published the first formal conformance assessment against the Agentic Trust Framework (ATF): 25 of 25 requirements addressed, 18 fully met, assessed at the Senior maturity level.
Inline policy enforcement is effectively free: 0.011 ms per evaluation against a 500 ms LLM call, about 0.006% of the latency budget.
AGT and ATF independently arrived at the same delegation principle: authority can only decrease as it flows down a chain.
MCP is a founding project of the Agentic AI Foundation (AAIF); A2A is hosted directly by the Linux Foundation.
1. The 20 questions weren't the point
This article caps a five-part series that asked 20 hard questions about running AI agents in production. Behavioral observability. Multi-agent delegation. Financial governance. Supply chain integrity. Digital sovereignty. The questions are real, and most teams can't answer them.
But the questions were the diagnostic. The architecture is the prescription.
None of these problems gets solved by a single layer. They get solved by layers that compose: a framework that says what to govern, a runtime that enforces it, and protocols that let agents prove who they are to each other. This is that architecture.
2. The architecture, named
Three fundamental layers. Each answers a different question. None replaces the others.
Framework: the operating model. What gets governed, who owns the decision, what good looks like at every maturity level. CSAI's Agentic Trust Framework lives here.
Runtime: the enforcement plane. Every agent action is intercepted and evaluated against declarative policy before execution. The agent never touches a tool, sends a message, or delegates authority without a policy verdict. Agent Governance Toolkit lives here.
Protocol: the interoperability surface. How agents communicate, delegate, and prove identity to each other. MCP and A2A are the open standards here. MCP is a founding project of the Agentic AI Foundation (AAIF), a directed fund under the Linux Foundation; A2A is hosted directly by the Linux Foundation. Implementations like AGT's IATP show what inter-agent trust looks like in practice.
The healthy split: standards bodies write the framework, foundations host the protocols, runtimes implement against both.
3. What's working today
What the runtime layer looks like in production
The runtime layer isn't a proposal. It's shipping.
AGT evaluates policy at the application layer, in-process and synchronous, before every action. No sidecar, no network hop, no proxy in the critical path. Single-rule evaluation runs at 0.011 ms p50, 84K ops/sec. With 100 rules, 0.030 ms p50. At 1,000 concurrent agents, 47K ops/sec with near-linear scaling. The governance layer is 1,000x to 10,000x faster than the LLM call it's protecting. These numbers are published and reproducible in the AGT benchmarks.
The lowest-friction entry point is two lines:
from agentmesh.governance import govern
safe_tool = govern(my_tool, policy="policy.yaml")
That wraps any callable with policy enforcement, audit logging, and GovernanceDenied exceptions. No agent rewrite required. For teams that need more control, the PolicyEvaluator API supports programmatic policy construction, OPA/Rego and Cedar backends, and custom condition operators.
What's deployed: 24 framework integration packages, covering the agent frameworks teams actually use. Adapter overhead is 0.005 to 0.007 ms per action, which means governance is invisible in the latency profile of any real workload. AGT maps controls to all 10 categories of the OWASP Agentic Security Initiative 2026 Top 10, verified by agt verify, which produces machine-readable compliance evidence.
The conformance story is the part that matters for this post. AGT ships 10 formal specifications written in RFC 2119 style, with 992 conformance tests that run in CI on every commit. The specs cover policy evaluation semantics, identity and trust scoring, execution control, trust coordination, SRE governance, MCP security, audit compliance, framework adapter contracts, wire protocol, and RL training governance. These specs function as a behavioral contract, enforced in CI: any implementation that passes the suite implements AGT correctly.
What the framework underneath it defines
A runtime needs something to enforce. That's the framework layer, and it's where ATF lives.
ATF answers five questions, one per element. Identity: who are you? Behavior: what are you doing? Data governance: what are you consuming, and what are you producing? Segmentation: where can you go? Incident response: what happens if you go rogue? Each question maps to a set of normative requirements, 25 in total, expressed in RFC 2119 language. Each requirement is leveled across a four-stage maturity model, Intern through Principal, so an organization knows not just what to govern but what "good" looks like at its current stage of agent autonomy.
A framework only counts when implementations conform to it. ATF ships a conformance specification: 25 requirements with formal IDs, a maturity matrix, and a MUST/SHOULD/MAY rubric for each. An implementation can assess itself against that rubric and produce an auditable result.
That's not theory. AGT did it. AGT, originally developed at Microsoft, published a formal conformance assessment in its compliance directory: 25 of 25 requirements addressed, 18 fully met, 7 partially met with documented gaps, assessed at the Senior maturity level. The assessment uses ATF's requirement IDs and maturity matrix and cites the ATF specification as the normative source. It sits alongside the EU AI Act and OWASP mappings.
This is what the framework-runtime relationship is supposed to look like. The framework defines the requirements. The runtime conforms to them. The conformance is a document anyone can check, not a logo on a slide. AGT is the first runtime to produce one against ATF. It won't be the last.
4. The worked example: governance at the MCP boundary
Every layer in this architecture meets at one place an agent actually does something: the tool call. The MCP tool-call boundary is where governance gets real, and it's where the framework and runtime layers do different jobs on the same traffic.
Framework-layer enforcement. A lightweight interceptor sits at the MCP tool-call boundary, reads a policy derived from ATF requirements, and gates the call against the agent's maturity level and declared scope. Out-of-scope calls are blocked, in-scope calls pass, and every decision logs the ATF requirement ID that triggered it. It's a working prototype with production-grade policy patterns.
What sets it apart from a gateway: the policy comes from a governance spec and a maturity model, not a threat-signature list. The same interceptor reading an Intern policy blocks most of a workflow; reading a Senior policy it lets more through. Enforcement tracks earned autonomy. That's the maturity model made executable.
Runtime-layer detection at the same boundary. AGT ships an MCP Security Gateway with 127 conformance tests. It catches the adversarial side: tool poisoning, schema drift, typosquatting, hidden instructions, rug pulls in tool definitions. It has also been through fuzzing that the prototype hasn't: 7 fuzz targets via ClusterFuzzLite.
Same boundary, two threat models, both necessary. The interceptor answers "is this agent allowed to do this?" The gateway answers "is this tool what it claims to be?" Neither covers the other, and a governed deployment wants both.
And both feed one audit trail. The receipt the interceptor produces becomes a signal source for AGT's Decision BOM, which reconstructs a bill of materials from observability signals: the policy evaluated, the identity verified, the trust score, the verdict, and the reasoning. Enforcement at the boundary, audit downstream, closed loop between them.
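The framework-layer interceptor and the receipt it emits, as an added example written for this article (not AGT's or ATF's own code): the policy shape, the ATF-* requirement IDs, the "Junior" rung and the receipt fields are assumptions; the default-deny ordering (unknown tool, then declared scope, then maturity) is the point.

```python
from dataclasses import dataclass
# Maturity ladder, lowest autonomy first. The article names Intern, Senior
# and Principal; "Junior" as the second rung is an assumption.
MATURITY = ["Intern", "Junior", "Senior", "Principal"]
# Constructed policy (not AGT's or ATF's): per tool, the minimum maturity
# allowed to call it and a placeholder ATF requirement ID to log against.
POLICY = {
    "read_file":  {"min_maturity": "Intern", "requirement": "ATF-SEG-01"},
    "send_email": {"min_maturity": "Senior", "requirement": "ATF-BEH-02"},
}

@dataclass
class Agent:
    agent_id: str
    maturity: str
    scope: set          # tools the agent declared when it registered

@dataclass
class Receipt:
    agent_id: str
    tool: str
    allowed: bool
    requirement: str    # requirement ID that decided the call
    reason: str

AUDIT: list = []        # every verdict, allow or deny, lands here

def evaluate(agent: Agent, tool: str) -> Receipt:
    """Default-deny gate: unknown tool, then declared scope, then maturity."""
    rule = POLICY.get(tool, {"min_maturity": "Principal", "requirement": "ATF-SEG-00"})
    if tool not in POLICY:
        allowed, why = False, "tool not in policy"
    elif tool not in agent.scope:
        allowed, why = False, "outside declared scope"
    elif MATURITY.index(agent.maturity) < MATURITY.index(rule["min_maturity"]):
        allowed, why = False, f"needs {rule['min_maturity']}, agent is {agent.maturity}"
    else:
        allowed, why = True, "in scope, maturity sufficient"
    receipt = Receipt(agent.agent_id, tool, allowed, rule["requirement"], why)
    AUDIT.append(receipt)
    return receipt

def govern(agent: Agent, tool_name: str, fn):
    """Wrap a callable so it runs only after an allow verdict."""
    def wrapped(*args, **kwargs):
        receipt = evaluate(agent, tool_name)
        if not receipt.allowed:
            raise PermissionError(f"{receipt.requirement}: {receipt.reason}")
        return fn(*args, **kwargs)
    return wrapped
```

The same interceptor denies an Intern the email tool and allows a Senior, and every verdict carries the requirement ID a downstream audit can key on.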
5. What's next
The runtime roadmap is public, tracked in issues and tutorials:
Decision BOM, made automatic.
Today it reconstructs from explicit instrumentation. Next it reconstructs from OpenTelemetry signals with no manual setup.
Cost and token governance through delegation.
Budget enforcement exists; the next step is budget inheritance across delegation chains, so a parent agent's limits constrain everything it spawns.
Human-in-the-loop approval chains.
Adding LLM-judge and human-approver nodes to the policy pipeline.
Wire-protocol-aware policy.
Extending evaluation beyond HTTP to SQL, gRPC, and Kubernetes API semantics.
On the framework side, the near-term work is delegation chain governance, and it's worth showing where the two layers landed independently.
Both AGT and ATF arrived at the same core principle for multi-agent delegation: authority can only decrease as it flows down a chain. A parent can't grant a child more than it holds. AGT implements this as trust ceiling propagation in its runtime. ATF specifies it as a governance requirement: the supervisory plane MUST retain full visibility of the delegation chain (originator, every intermediary, the scope at each hop, timestamps), while an executing agent sees only its immediate delegator by default. Exposing more of the chain to the agent itself is a MAY, not a MUST, because leaking the full topology to every participant is a security cost, not a feature.
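The delegation rule above, as an added example that is neither AGT's trust-ceiling implementation nor ATF's normative text: a numeric trust ceiling, the hop fields and the two views (supervisory plane sees the whole chain, an executing agent sees only its delegator) are assumptions chosen to make the MUST and the default visible in code.

```python
from dataclasses import dataclass
import time

@dataclass(frozen=True)
class Hop:
    delegator: str       # who granted this hop
    delegate: str        # who received it
    scope: frozenset     # actions the delegate may take
    ceiling: float       # trust ceiling, 0..1 (numeric form is an assumption)
    ts: float

class DelegationChain:
    """Linear chain: each hop is granted by the current holder, never widens
    scope, and inherits min(requested, parent) as its trust ceiling."""

    def __init__(self, originator: str, scope, ceiling: float):
        self.hops = [Hop("supervisory-plane", originator, frozenset(scope), ceiling, time.time())]

    def delegate(self, parent: str, child: str, scope, ceiling: float) -> Hop:
        last = self.hops[-1]
        if parent != last.delegate:
            raise ValueError(f"{parent} is not the current holder ({last.delegate})")
        scope = frozenset(scope)
        if not scope <= last.scope:
            raise PermissionError(f"scope widening attempted: {sorted(scope - last.scope)}")
        # Authority only decreases: the child's ceiling is capped by the parent's.
        hop = Hop(parent, child, scope, min(ceiling, last.ceiling), time.time())
        self.hops.append(hop)
        return hop

    def supervisory_view(self):
        """The MUST: originator, every intermediary, scope at each hop, timestamps."""
        return [(h.delegator, h.delegate, sorted(h.scope), h.ceiling, h.ts) for h in self.hops]

    def agent_view(self, agent: str):
        """The default for an executing agent: only its immediate delegator."""
        for h in self.hops:
            if h.delegate == agent:
                return {"delegator": h.delegator, "scope": sorted(h.scope), "ceiling": h.ceiling}
        raise KeyError(f"{agent} is not in the chain")
```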
Two teams, different layers, same architecture. That convergence is the signal worth naming. The next piece of work is making the AGT runtime model and the ATF governance requirement reference each other explicitly, so an implementer can read one and satisfy both. We'll take that up as a focused follow-up rather than fold it into this post.
6. What enterprises should do this year
Four moves.
Start with a two-line integration, not a six-month platform build. The fastest path to governed agents is wrapping your existing tools with policy enforcement and audit logging on day one. Add identity, trust scoring, and compliance mapping as your deployment matures. The "we just need this to work" instinct is right; the mistake is assuming "working" requires a platform program. It requires a wrapper and a policy file.
Pick a framework and assess against it. You can't enforce what you haven't defined. Choose a governance framework, run a maturity assessment, and find out where you actually stand before an auditor tells you. ATF's five elements and maturity model exist for exactly this, and the assessment is free.
Put enforcement in the action path. Detection that runs after the fact tells you what went wrong. Enforcement that runs inline stops it. For agents, the difference is the gap between an incident report and a blocked action.
Treat governance as infrastructure. The math: if your governance layer adds 0.030 ms per action and your LLM call takes 500 ms, governance is 0.006% of your latency budget. The cost of not governing is an incident. The cost of governing is a rounding error. That settles the "can we afford this" question.
Frequently asked questions
Do I need both a governance framework and a runtime, or does one replace the other?
Both, because they do different jobs. The Agentic Trust Framework defines what must be governed: 25 normative requirements across identity, behavior, data governance, segmentation, and incident response. The Agent Governance Toolkit enforces policy at runtime, in the agent's action path. A framework without a runtime is a document. A runtime without a framework enforces whatever someone happened to write down.
What does it mean that AGT is conformant with ATF?
AGT published a formal self-assessment against ATF's conformance specification: 25 of 25 requirements addressed, 18 fully met, 7 partially met with documented gaps, at the Senior maturity level. The assessment uses ATF's requirement IDs and cites the ATF spec as its normative source. It lives in AGT's public compliance directory, so anyone can check the claim rather than take it on faith.
How is this different from MAESTRO or the OWASP Agentic Top 10?
They answer different questions. MAESTRO is a threat modeling framework: it tells you what could go wrong. The OWASP Top 10 for Agentic Applications catalogs the most common threats. ATF answers the question that comes after both: how do you maintain control? The three are complements, and AGT maps its controls to all 10 OWASP categories alongside its ATF conformance.
Does adding a governance layer slow my agents down?
No, and the numbers are public. AGT's single-rule policy evaluation runs at 0.011 ms at the median. Against a typical 500 ms LLM call, that's 0.006% of the latency budget. The enforcement layer is 1,000x to 10,000x faster than the model call it protects, which means governance is invisible in any real workload's latency profile.
Where do I find out where my organization stands?
Start with a maturity assessment before an auditor starts it for you. The free ATF self-assessment at verifiedagents.ai takes about 10 minutes and scores your agent deployment across all five elements, showing exactly where your gaps are. The full ATF specification, maturity model, and conformance rubric are open at agentictrustframework.ai under CC BY 4.0.
Closing
The work isn't finished. But we're past the point of asking whether agent governance matters. The question now is how fast organizations build it into their stack.
The constants hold: observability that never turns off, trust that adjusts to behavior, human authority over the loop, and an audit record you can hand to a regulator. The framework defines them, the runtime enforces them, the protocols carry them between agents. Layers that compose.
Josh Woodruff is founder and CEO of MassiveScale.AI, a CSA Research Fellow, and Founding Chair of the Agentic Trust Framework at CSAI. Imran Siddique is Chief Platform Officer at Opaque Systems and creator and project lead of the Agent Governance Toolkit.
