Insights — Published Doctrine¶
Featured Essay¶
Autonomy Has No Scorekeeper¶
Governance for AI agents, drones, and critical infrastructure needs a standards body. Before a crash writes the rules.
The architectural case for a measurement standard for governed autonomous action — and the work already filed. Three NIST OLIR Concept Crosswalks cataloged. 334 patent claims across five U.S. provisionals. Dual-domain coverage: digital agents and physical autonomous systems under one filed architecture.
Sovereignty Moves the Kill Switch. It Doesn't Fill the Referee Chair.¶
When a government can switch off a frontier model overnight, sovereignty answers who controls access. It does not answer who can independently say the model is trustworthy.
Owning and hosting your own AI model solves availability. It does not solve trust. A model on sovereign ground, even on critical infrastructure, still cannot independently prove it stayed inside its authority when it acted, and the proposed sovereignty rules create demand for that proof without supplying the independent party who could produce it. A news-reaction companion to The Referee Seat Nobody Can Sit In.
The Referee Seat Nobody Can Sit In¶
Companies are handing real decisions to AI. Nobody has built the independent referee who can say whether the AI stayed inside its limits.
Why the scorekeeper's chair is empty on purpose: a company cannot grade its own homework, an industry group cannot rank its own members, and a score carries real risk that a checklist does not. The same vacancy spans both software AI and physical autonomous systems. Names the Five Laws and the measurement standard built on them.
The Review Nobody Can Give¶
Five of the largest insurers in America are hiring AI governance leads. Three out of four say they could not pass an independent AI governance review.
The independent-measurement gap shows up first where unmeasured risk becomes expensive: insurance. Grant Thornton calls it the AI proof gap. Why the reviewer's seat is empty, what an independent review actually requires (governed, attested, measured), and why an audit is a photograph while a standard keeps measuring.
How to Tell If an AI Governance Rating Is Trustworthy¶
AI governance ratings are arriving. Most people cannot tell a trustworthy one from a confident-looking one. Five structural questions decide it.
A rating's trustworthiness is set by how it is built, not how good its number looks. Five questions: can the rated system grade itself, is it the only witness to what it did, does it sign off on its own safety, can it actually be stopped, and were the limits set before the action or explained after. Governed, attested, measured, in that order, by someone who is none of the above.
Current Focus Areas¶
How do I tell if an AI governance rating is trustworthy?¶
Judge the rating by its structure, not its number. Five structural questions decide it: Can the rated system grade itself? Is the system the only witness to what it did? Does it sign off on its own safety? Can it actually be stopped? Were the limits set before the action, or explained after? A trustworthy rating is produced by a party that does not benefit from the result, rests on evidence the rated system cannot edit, and measures against a standard the operator did not write. A grade you give yourself is a claim; a grade an independent party gives you is evidence. See How to Tell If an AI Governance Rating Is Trustworthy.
What is the AI agent governance gap?¶
The governance gap is the condition where organizations deploy AI agents into operational workflows before governance architecture exists to classify risk, bound authority, enforce policy at dispatch, or produce audit evidence. Most agent deployments today have workflow automation but lack bounded authority and reliable auditability.
What should organizations do about the EU AI Act before August 2, 2026?¶
The enforcement clock matters less than the operating question underneath it: can your organization explain how autonomous actions are governed? Organizations deploying AI agents need to map their agent governance posture against EU AI Act requirements now — not after enforcement begins.
How does NIST AI RMF apply to real AI agent systems?¶
NIST AI RMF provides the governance structure for AI risk and organizational accountability. For AI agent deployments, it requires that organizations classify risk at dispatch, assign authority, enforce controls, and produce evidence of governance. Framework compliance without operational controls is documentation theater.
Why does ISO 42001 matter for AI agent governance?¶
ISO 42001 is the AI management system standard. It requires operating controls for AI systems — not just policy statements and review meetings. Organizations seeking ISO 42001 alignment need governance architecture that classifies, bounds, enforces, and audits autonomous agent actions.
What is the difference between AI governance and AI safety?¶
AI safety focuses on making models behave correctly — alignment research, constitutional AI, RLHF, output filtering. It governs what the model thinks. AI agent governance focuses on what the agent does — what tools it can access, what authority it has, what happens when it acts. Safety is a model-layer concern. Governance is an infrastructure-layer concern. Most organizations have adopted some form of AI safety. Almost none have implemented AI agent governance.
Why are prompt-based controls not governance?¶
System prompts are suggestions to a statistical model. They are not enforceable policy. A sufficiently creative prompt injection, a model update that shifts behavior, or a multi-step reasoning chain can bypass prompt-based controls. Governance must exist at a layer the agent cannot reach — the infrastructure layer — where policy is enforced before the agent acts, not requested of the agent before it reasons.
What audit evidence do regulators expect for AI agent systems?¶
Regulators expect evidence generated by the governance system, not by the governed agent. Application logs and model self-reports are insufficient because they depend on the governed system accurately narrating its own compliance. Operating-layer audit trails — generated by policy enforcement infrastructure that is architecturally separate from the agent — are the standard that EU AI Act conformity assessments, NIST AI RMF documentation, and ISO 42001 audits will require.
What is risk-tier classification for AI agents?¶
Risk-tier classification is the practice of assigning a governance tier to every autonomous agent action before execution. Lower-risk actions execute under standard policy. Elevated-risk actions require additional validation, human review, or elevated logging. High-risk actions require explicit governance authority approval before proceeding. The classification happens at the governance infrastructure layer — the agent does not decide its own risk tier.
How does AI agent governance differ from traditional IT governance?¶
Traditional IT governance assumes humans initiate actions and systems execute them. AI agent governance must account for systems that initiate their own actions — selecting tools, calling APIs, accessing data, and making sequential decisions without human instruction at each step. The governance surface is fundamentally different: you are governing an actor, not just a system. Every concept from traditional governance (access control, separation of duties, audit trails, least privilege) must be reimplemented at the agent dispatch layer.
What should a CISO ask before deploying AI agents?¶
Five questions that expose governance readiness: (1) Can we classify the risk of every agent action before it executes? (2) Are agent authority boundaries enforced by infrastructure, not by prompts? (3) Do we have audit evidence that exists independent of model self-reporting? (4) Can we demonstrate governance alignment to at least one recognized framework? (5) If a regulator asked how autonomous actions are governed, could we answer with evidence?
Why These Topics Matter¶
The common thread is simple: AI governance fails when organizations substitute language for control. My interest is in the operating layer where authority is assigned, policy is enforced, and evidence survives scrutiny.
External Publishing¶
Longer-form articles and commentary are published on LinkedIn. Future essays will land here first.
For a deeper treatment of EU AI Act compliance, see EU AI Act Compliance. For a self-assessment, see the Governance Readiness Checklist.
Read Autonomy Has No Scorekeeper Review AQ Score™ Request the Brief