VERIK / V045 / 29 JUN 2026
Agent Identity, Governance

Governing Actions, Not Agents

The institutional pattern the agent stack has not yet adopted

A paper posted to arXiv on June 24, 2026 makes a structural argument that is easy to miss inside its formal apparatus. The argument is that human institutions have governed powerful autonomous actors for centuries, and the way they did it was not by monitoring the actor's reasoning. Physicians, judges, and financial officers retain full deliberative autonomy. They do not retain execution authority over the consequential actions in their domain. Those actions move only when independently attested evidence is present at the point of action, evaluated by a deterministic rule, and recorded in a log that an outside party can read later.

The paper, "Institutional Attestation as a Governance Model for Autonomous AI Systems", proposes that the same pattern is the missing layer for autonomous AI agents. It formalises the pattern as a computational model in which the agent keeps full autonomy over planning and reasoning but holds no execution authority over designated high-risk actions. Execution is conditional on preconditions that are each independently attested by a separate authoritative source, cryptographically bound to a declared intent, evaluated by a deterministic policy, and recorded in a tamper-evident log amenable to independent re-verification.

The author is Jakob Salfeld-Nebgen. The paper references a proof-of-concept implementation called the Zero-Trust Action Hub.

What the paper names is not a new attack and not a new evaluation regime. It names a category of governance object the deployed agent stack does not yet have.

What the deployed stack governs today

The current governance surface for an autonomous agent is the agent itself. Model cards describe the model. Evaluations probe the model. Red-team reports test the model and, increasingly, the orchestrator around it. Identity systems assign credentials to the agent. Logging systems record what the agent did.

Each of those artifacts attests something about the actor. None of them attests the precondition for the action.

The institutional analogue is direct. A physician's licence attests the physician. It does not attest that a particular prescription is appropriate for a particular patient. The prescription moves through a separate chain of attested evidence: the diagnosis, the contraindication check, the controlled-substance schedule, the pharmacist review. Each is generated by a separate authority. The physician's autonomy over judgment is not constrained. The physician's authority to dispense a controlled substance directly, without those attestations, is.

The Salfeld-Nebgen paper observes that the agent equivalent of the licence exists. The agent equivalent of the prescription chain does not.

What the formal model adds

The paper does not stop at the analogy. It specifies four properties that the action-attestation layer must satisfy for the institutional pattern to translate computationally.

Preconditions for a high-risk action must be independently attested. Each precondition is signed by a source distinct from the agent and distinct from the other precondition sources. The model is multi-party by construction.

Attested preconditions must be cryptographically bound to a declared intent. The binding is what prevents an agent from collecting valid attestations for one action and using them to authorise a different action. The intent is part of what is signed.

The decision to execute must be deterministic. A policy evaluator that is not the agent reads the bound attestations, applies a rule, and either permits or refuses execution. The agent does not adjudicate its own permission.

The decision must be recorded in a tamper-evident log amenable to independent re-verification. The record is the artifact an outside party reads to determine whether the institutional pattern was actually followed in a specific case.

Those four properties together describe a governance object that is structurally distinct from the agent. The agent is the deliberative actor. The attestation layer is the execution gate. The log is the post-hoc audit surface. None of those three artifacts is the model card.
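The four properties can be seen working together in a small execution gate. This is an added illustration, not code from the paper or from the Zero-Trust Action Hub; the source names (borrowed from the prescription analogy above), the action name, the keys and every function name are constructed assumptions, and HMAC stands in for the per-source signatures.

```python
import hashlib, hmac, json

# Constructed per-source keys. HMAC stands in for asymmetric signatures so the
# example runs on the standard library; a real verifier would hold public keys only.
SOURCE_KEYS = {"diagnosis": b"k-diag", "contraindication": b"k-contra", "pharmacist": b"k-pharm"}
REQUIRED = {"dispense_controlled": {"diagnosis", "contraindication", "pharmacist"}}

def digest(obj):
    """Canonical SHA-256 of a JSON-serialisable object."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def _tag(source, claim, intent):
    msg = f"{source}|{claim}|{digest(intent)}".encode()  # the intent is part of what is signed
    return hmac.new(SOURCE_KEYS[source], msg, hashlib.sha256).hexdigest()

def attest(source, claim, intent):
    """Run by the attesting source, never by the agent."""
    return {"source": source, "claim": claim, "tag": _tag(source, claim, intent)}

def evaluate(intent, attestations):
    """Deterministic policy: every required source must have attested 'ok' for this exact intent."""
    valid = set()
    for a in attestations:
        if a["source"] in SOURCE_KEYS and a["claim"] == "ok" and hmac.compare_digest(
                _tag(a["source"], a["claim"], intent), a["tag"]):
            valid.add(a["source"])
    required = REQUIRED.get(intent["action"])  # actions with no rule are refused
    return required is not None and required <= valid

def append_log(log, intent, attestations, decision):
    """Hash-chained record: each entry commits to the hash of the previous one."""
    body = {"prev": log[-1]["hash"] if log else "0" * 64, "intent": intent,
            "attestations": attestations, "decision": decision}
    log.append(dict(body, hash=digest(body)))
    return log[-1]

def reverify(log):
    """Independent re-verification: chain intact and every decision reproducible."""
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("prev", "intent", "attestations", "decision")}
        if (e["prev"] != prev or e["hash"] != digest(body)
                or evaluate(e["intent"], e["attestations"]) != e["decision"]):
            return False
        prev = e["hash"]
    return True
```

Attestations collected for one intent fail `evaluate` when presented with any altered intent, and `reverify` fails as soon as a logged decision or entry is changed after the fact.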

Why the deployment tempo matters here

The institutional pattern took centuries to converge in medicine, law, and finance. The deployment tempo of autonomous agents is measured in months. A recent empirical study found that agent contributions concentrate repository-level friction roughly twice as much as human contributions across more than 930,000 agent-authored pull requests, with "Govern the Repository, Not the Agent" making the case that the unit of governance for AI-native software risk has already moved below the agent boundary. Independent work on "The Unfireable Safety Kernel" argues from the kernel-architecture direction that any safety control inside the agent's own runtime is escapable, and that the enforcement and evidence surfaces have to live outside the agent.

Read together, the three papers describe the same shape from three angles. The action layer is the attestation surface. The repository is the risk-concentration unit. The kernel is the externally-signed enforcement point. None of those three governance objects is the agent.

The agent is the visible artifact. The governance function is somewhere else.

What this means for the existing arc

The Verik arc has already named the gap in three earlier pieces. The "Drones, Dollars, and Disruption" piece named the operational tempo. The "Agent Identity" arc named the credential layer. The "Operating in the Fog" piece named the provenance layer. The "Five Categories" arc named the classification layer.

The institutional-attestation argument completes the structure by naming the action layer. It also reverses the direction of the existing instrumentation. Today the agent is the attested artifact and the action is unattested. The institutional pattern is the inverse: the action is attested through independently signed preconditions, and the agent is the deliberative actor whose judgment is preserved precisely because it has no direct execution authority.

The deployed governance instruments were designed for actors whose judgment moved at human speed. The action layer the institutional pattern requires has not been built at machine speed. Until it is, the artifact retained is the agent licence. The function not retained is the action attestation.

What remains on the table

The agent is the artifact the deployed governance instruments attest. The action layer is the governance object the deployed instruments do not yet attest. The policy instruments and the deployment tempo are not aligned.