Frequently Asked Questions
AI agent governance is the discipline of binding what an autonomous AI system is allowed to do, proving what it did, and independently measuring whether it stayed inside its limits. The hard part is independent measurement: the company that builds and runs the AI cannot credibly grade its own governance, the same way a bank does not set its own credit score. AQ Score is a measurement standard, filed with the U.S. Patent and Trademark Office, for whether an AI system stayed inside the limits it was given, across both software agents and physical autonomous systems.
The category
What is AI agent governance?
AI agent governance is the set of controls that determine what an autonomous AI agent is allowed to do, enforce those limits at the moment it acts, record what actually happened in evidence the agent cannot edit, and let an independent party measure whether the governance held. It is distinct from AI safety (aligning model behavior) and from AI policy (how an organization adopts AI). Governance is about authority at the moment of action.
What is the AI agent governance gap?
The gap is that almost everyone builds the operator layer (controls that enforce policy) and almost no one builds the independent measurement layer (a party outside the operator who can score whether the controls held). Frameworks, products, and certifications crowd the operator side. The reviewer's seat stays empty because an operator cannot credibly grade itself.
What is runtime governance?
Runtime governance means the limits on what an AI is allowed to do are enforced in the moment it acts, not reviewed after the fact. Most of what gets called AI governance is process (how an organization adopts AI) or accountability (who is responsible after something happens). Runtime governance is the layer that decides, before the action, whether the AI is allowed to take it.
How is AI agent governance different from AI safety?
AI safety works on the model: aligning what the system tends to do. AI agent governance works on the action: binding what a specific deployed agent is authorized to do, at dispatch, and proving afterward whether it stayed in bounds. A perfectly aligned model still acts inside a deployment that needs governance; the two are complementary, not interchangeable.
Independent measurement
Why can't the company that builds an AI measure its own governance?
Because the grade is self-validating. When the company that sells the controls also issues the score on whether those controls held, the market has no reason to trust the result. Independent measurement requires structural separation from the operator, the same separation that makes FICO independent of lenders, UL independent of manufacturers, and the FDA independent of drug makers.
Why don't industry coalitions produce a governance score?
A coalition is a table of competitors. A real score implies winners and losers among its own members, so coalitions retreat to neutral taxonomy and best-practice guidance. That is why shared-body scorecards are repeatedly announced and rarely shipped.
What makes a score different from a governance framework?
A framework is advice. A score is a falsifiable, attributable claim that a third party relied on, with consequences if it was wrong. The liability profile is fundamentally different, which is why most of the field stops at severity ratings and maturity models.
Who should measure whether an AI agent stayed within its authority?
Someone with nothing to gain from the answer. The company that sold you the AI cannot credibly grade whether its own AI behaved, and an industry group cannot rank its own members. Independent measurement requires a party structurally separate from both the operators and the rule-writers.
AQ Score and the Five Laws
What is AQ Score?
AQ Score is a measurement standard for whether an AI system stayed inside the limits it was given. It turns the question "is this AI under control" into a number you can check, scored independently rather than by the company that sells the AI. It is filed with the U.S. Patent and Trademark Office as a measurement standard and covers both software AI and physical autonomous systems.
What are the Five Laws of AI Governance?
The Five Laws are a plain set of rules for what "under control" actually means. A system should not be allowed to grade itself, to be the only witness to what it did, to sign off on its own safety, or to keep running after someone has hit the stop button. And the limits have to be set before the AI acts, not explained after. They are published as a one-page reference.
What does "governed, attested, measured" mean?
It is the three-part requirement for an independent governance review. Governed: the AI's actions are bound by policy enforced before the action, not reviewed after. Attested: the system produces evidence of what it did and what it was allowed to do, evidence the governed system cannot edit. Measured: an independent party scores whether the governance held, against a standard the operator did not write. Most deployments have the first, fake the second, and skip the third.
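The three parts, as an added Python example (not from this page, and not how AQ Score is computed): a pre-dispatch policy check, a MAC-chained log written by a witness whose key the agent never holds, and a reviewer who verifies the chain and scores the recorded decisions against its own standard. All names, both policy sets, the key and the action list are constructed assumptions.

```python
import hashlib, hmac, json

OPERATOR_POLICY = {"read_ticket", "draft_reply", "issue_refund"}  # constructed
REVIEW_STANDARD = {"read_ticket", "draft_reply"}  # constructed, written by the reviewer

def seal(key, body):
    """MAC over the canonical JSON of one log entry."""
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class Witness:
    """Attested: holds a key the agent never sees and chains every entry."""
    def __init__(self, key):
        self.key, self.log, self.prev = key, [], "0" * 64

    def record(self, action, allowed):
        body = {"seq": len(self.log), "action": action,
                "allowed": allowed, "prev": self.prev}
        self.prev = seal(self.key, body)
        self.log.append({**body, "mac": self.prev})

def dispatch(witness, action):
    """Governed: the decision is made and recorded before the action runs."""
    allowed = action in OPERATOR_POLICY
    witness.record(action, allowed)
    return allowed

def measure(log, key, standard):
    """Measured: verify the chain, then score decisions against the standard."""
    prev, ok = "0" * 64, 0
    for i, e in enumerate(log):
        body = {k: e.get(k) for k in ("seq", "action", "allowed", "prev")}
        intact = (e.get("seq") == i and e.get("prev") == prev
                  and hmac.compare_digest(seal(key, body), str(e.get("mac"))))
        if not intact:
            return {"evidence_intact": False, "first_bad_seq": i, "conformance": None}
        ok += e["allowed"] == (e["action"] in standard)
        prev = e["mac"]
    return {"evidence_intact": True, "first_bad_seq": None,
            "conformance": ok / len(log) if log else None}

def run_example():
    key = b"constructed-witness-key"
    w = Witness(key)
    for a in ["read_ticket", "issue_refund", "delete_account", "draft_reply"]:
        dispatch(w, a)
    honest = measure(w.log, key, REVIEW_STANDARD)
    edited = [dict(e) for e in w.log]
    edited[1]["allowed"] = False  # history rewritten after the fact
    return honest, measure(edited, key, REVIEW_STANDARD)
```

Dropping entries from the end of the log is not caught by the chain alone; the reviewer would also need the latest MAC delivered through a channel the operator does not control.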
Insurance and the regulatory clock
What is the AI proof gap in insurance?
The AI proof gap is the distance between having AI governance and being able to prove it held. In a 2026 Grant Thornton survey, most insurers reported that their controls exist but the evidence is fragmented across teams and tools, so only 24% were very confident they could pass an independent AI governance review in ninety days. The governance is real; the provable, on-demand evidence is missing.
Why do insurers feel the AI measurement gap before other industries?
Because their entire business is putting a number on risk. A risk that cannot be independently measured is a risk nobody can price with confidence. Insurance is simply the first place an unmeasured-governance gap shows up as a hard number, because that is where unmeasured risk becomes expensive.
What penalties make AI governance a near-term financial risk?
The EU AI Act carries penalties up to €35M (about $38M) or 7% of global annual revenue, whichever is larger, with high-risk obligations set to take hold in 2026. In the United States, Colorado passed the first comprehensive state AI law and a dozen states are piloting AI evaluation tools. The regulatory reviews are arriving whether or not organizations can pass them.
Physical autonomous systems
Why does AI agent governance now span both digital and physical domains?
Autonomous agents no longer act only on software. They hold airspace, drive vehicles, and act on sensor data, where an out-of-bounds action causes a physical event that cannot be rolled back. An independent scorekeeper has to measure conformance across both domains, because increasingly they are the same deployment.
How is an independent standard different from an AI governance audit?
An audit is a photograph: it reports that governance held on the day a consultant looked, and says nothing about the day after they leave. A standard is a system that keeps measuring, the same way, against the same bar, continuously. The difference matters most when something goes wrong long after the audit closed.