What "AI agent governance" actually means (when the agent can act on its own)
"AI governance" used to mean model policy: which models are allowed, what data they train on, bias and transparency reviews. That's still real. But once an agent can take actions in the world — spend money, call a production API, move data, message a customer — a second, more operational question shows up that model-level governance doesn't answer:
For each action this agent is about to take: is it allowed, who says so, and can we prove what was decided?
That's agent governance in the operational sense — and it's the layer most teams building with agents right now don't have yet.
The four questions agent governance has to answer
- Authority — what is this agent even allowed to do? Not "what can the model output," but what actions are in scope: which tools, which vendors, which spend, which data. This is the agent's mandate. Without it, "governance" is just logging.
- Decision — is this specific action allowed, right now? Evaluated before it happens, against the mandate, org policies, budgets, and risk signals — resolving to allow, hold for a human, or deny.
- Enforcement — can the agent actually be stopped? A decision that the agent can ignore isn't governance. Enforcement means the no holds — which, for an untrusted agent, means it shouldn't hold the credential needed to act without asking.
- Evidence — can you show a trustworthy record of what was decided and what outcome came back? After an incident or for an auditor, "trust our logs" is circular. You need a record whose chain can be checked independently — with external anchors to expose a rewrite of committed history (and note what such a record does not prove — see the limits below).
A tool or process that only does #1–2 is a policy engine. Only #4 is an audit log. Governance is all four as one loop: authority → decision → enforcement → evidence.
Governance vs. the things it's confused with
- ≠ Observability. Tracing tells you what the agent did, afterward. Governance decides what it may do, before. Complementary — see enforcement vs. observability.
- ≠ Guardrails / prompt filtering. Content guardrails shape what the model says. Agent governance constrains what an action is allowed to do — a well-behaved prompt can still trigger a payment you never authorized.
- ≠ Model governance. Model cards, eval suites, and approval boards govern which model and how it's built. Agent governance governs what the deployed agent is allowed to do at runtime. You need both; they're different layers.
- ≠ IAM, exactly — but the closest analogy. It's IAM-shaped (identity, scope, least privilege) plus agent-oriented controls conventional IAM doesn't usually combine: spend budgets with holds, per-action human approval, a behavioral risk gate, and a tamper-evident record of every decision on the actions routed through it.
An honest note on limits
Governance is a system property, not a product you install. No single layer makes an agent "safe":
- It governs the actions routed through it. An agent that can act by a path you didn't put under governance is ungoverned on that path — coverage is an architecture decision, not a checkbox.
- Enforcement depends on the agent not holding the keys. If the agent has the credential, a policy it can skip isn't enforcement. That's the difference between cooperative (trust-based) and enforcing (credential-held-for-you) modes.
- Evidence proves integrity, not omniscience. A good audit trail lets you detect alteration of its entries — not that every action was captured or executed. Coverage improves when the enforcing layer exclusively controls the relevant credential/path, and external anchors constrain rewrites of committed history; the record still doesn't prove every action was captured.
Anyone selling agent governance as a magic box is selling the checkbox, not the property. The real thing is a set of controls you compose and can reason about.
Where Provenant fits
Provenant is a control plane and tamper-evident audit ledger built for exactly this loop: it holds each agent's mandate, decides each action routed through it against your policies and budgets (allow / hold for a human / deny), enforces the decision — in enforcing mode by holding the downstream credential so the agent can't make the controlled call without an allow — and records each decision to a hash-chained ledger whose chain you re-derive yourself, offline. Authority, decision, enforcement, evidence, as one system. Free tier, self-hostable, Apache-2.0 SDKs.
See it deny something in about a minute: app.provenant.identiqube.com · or start with the documentation.