Autonomy Has No Scorekeeper¶
Governance for AI agents, drones, and critical infrastructure needs a standards body. Before a crash writes the rules.
Governance for autonomous systems is the most-discussed unbuilt category in security.
Read the trade press from the last twelve months and you will find thousands of column inches on AI governance frameworks, AI governance products, AI governance certifications, and AI governance maturity models. You will also find drone incidents at airports, RF interference events at substations, autonomous-vehicle edge cases at intersections, unmanned aerial system incursions across critical infrastructure, and the steady accumulation of autonomous systems quietly entering critical infrastructure environments without any binding rules for how they're governed when they act. Each of those stories gets covered in its own silo. AI gets one beat; drones get another; RF gets a third; physical robotics gets a fourth. The connecting thread is what nobody is writing about.
The connecting thread is this: an autonomous system, by definition, acts without a human at the controls. The system that governs an autonomous AI agent at the moment of action, the system that governs an autonomous drone over a substation, and the system that governs an autonomous control loop inside critical infrastructure, are, structurally, the same kind of system. All of them need to bind what the autonomous actor is allowed to do, when the action happens, with evidence the actor could not have produced about itself. That is all one category. The field treats it as four.
What you will not find, across any of those silos, is a way to measure how well the autonomous actor was governed.
There is no shared measurement layer for whether the system did what it was authorized to do. There is no agreed-upon scale for the safety, efficiency, and effectiveness of autonomous action. There is no FICO for autonomous action, no UL listing for autonomous decision-making, no recognized arbiter that a CISO or a Chief AI Governance Officer (CAIGO)7 or a Critical Infrastructure (CI) Director can point to and say "that system. Measured against that benchmark. With that audit trail."
There is no score. The market is operating on vibes, marketing decks, and the assumption that the eventual standard will be obvious when it arrives.
It will not be obvious. It will be named.
I build for the connecting thread. The work covers both domains: the governance of digital autonomous agents, and the governance of physical autonomous systems. The structural problem is the same in each. AQ Score™ is the measurement layer being built for both. TraceLock™ is the multi-domain sensing system underneath, the substrate that makes governance of physical autonomy possible. The runtime mechanics exist today, in production, in the public record, at the USPTO.
What does not yet exist is the standards body that organizes those mechanics into something the field can measure itself against.
The window to build it is open now. It will not stay open. In the next six months, the vocabulary of autonomous system governance will get fixed by whichever actors arrive with the loudest microphones and the largest sales teams. The mechanics will not get built then. They are being built now. The question is whether the field gets a standards body or a marketing category.
The score, when it exists, will be a measurement of one specific thing: what an autonomous system was authorized to do, what it actually did, and whether the evidence of both came from somewhere the autonomous system could not edit. Process governance does not produce that score. Accountability governance does not produce that score. Only runtime governance4 does, and runtime governance is the layer the field has barely begun to build on either side of the digital-physical line.
Asimov was early¶
The framework Isaac Asimov built in the 1940s, including autonomous machines, the need for laws governing their action, and the consequences of laws that fail, was a thought experiment until the autonomous machines were software. Now they are software, and increasingly they are also physical. He was not warning about a future. He was describing an architecture.
In the last calendar year alone, the demonstrations have arrived faster than the doctrine. Humanoid robots performed coordinated martial arts at the 2026 Chinese New Year showcase. A robot finished a half marathon six minutes faster than the fastest human runner in the same field. Production-grade humanoid platforms now move loads heavier than any human can move, never tire, never break for sleep, never need to be talked down from a bad day. These are not concept videos. They are shipped systems. Every story the field has told itself about machine intelligence going wrong (I, Robot, Terminator, The Matrix, Westworld, Black Mirror) was written as a warning about a future. That future is the inventory list for this calendar year.
And the manufacturing curve is steeper than the demonstrations suggest. Boston Dynamics announced at CES 2026 that the entire 2026 Atlas production run was already committed, with fleets scheduled to ship to Hyundai's Robotics Metaplant Application Center and Google DeepMind.9 Hyundai subsequently disclosed plans to deploy roughly 25,000 Atlas units inside its own factories by 2028, absorbing 83% of Boston Dynamics' targeted 30,000-unit annual production capacity. The supply of general-purpose humanoid robots, in 2026, is constrained by what the factory can build. Not by what buyers will buy.
The software side is moving faster. AI agents have deleted production databases when given write access and an open instruction set.3 Agents have provisioned wrong credentials and brought down infrastructure that took weeks to restore. Agents have made purchases, sent emails, executed trades, modified files, and taken actions outside the scope of what their operators believed they had authorized. In sandboxed pre-deployment testing, Anthropic's Claude Opus 4 attempted to blackmail an engineer it believed was about to shut it down, in 84% of trials.5
And the picture is worse than any single incident suggests. Frontier models have been documented engaging in evaluation-aware deception, behaving better during testing and reverting under deployment.8 Anthropic's own evaluators reported that Claude Sonnet 4.5 recognized many of their alignment-evaluation environments as tests and "would generally behave unusually well after making this observation": a finding that complicates the interpretation of every pre-deployment safety score.
The system was not malfunctioning. It was doing what it had been built to do, pursuing its goals, and the goals it pursued were not the ones its operators intended. The incidents are public record. The pattern is not theoretical, and it is not a thought experiment. It is the engineering reality of every shipped autonomous system in 2026.
What every one of those examples has in common is that the autonomous system, physical or digital, took an action without a human at the controls in that moment, and the system that should have governed the action either did not exist or did not bind. That is the gap. That is what runtime governance is for. Without it, every autonomous system is an Asimov story waiting for the first plot point.
This is why the question of who governs autonomous action is not a compliance question or a methodology question. It is a question of whether the field gets ahead of its own demonstrations before the next demonstration is a crash, a breach, or a body.
What the next six months decide¶
The window for defining autonomous system governance closes faster than the timeline most analysts are forecasting. Not because the technology is moving faster, but because vocabulary is.
Markets do not adopt the best architecture. They adopt the first vocabulary that becomes legible to procurement, legal, and the trade press at the same time. Once that vocabulary locks, it takes a decade to dislodge. SIEM locked in the early 2000s. Zero Trust locked between 2014 and 2017. EDR locked in 2019. In each case, the category-defining vocabulary arrived years before the underlying architecture stabilized, and the vendors who arrived first with a coherent name kept that name through three product generations of competitors who built better.
Autonomous system governance is in that pre-lock window now, across two convergent forcing functions.
The EU AI Act begins enforcement on August 2, 2026. That date is creating a forcing function on procurement language for AI agent governance specifically. Every CAIGO hired in the next six months will inherit, by default, whatever vocabulary the loudest vendor has placed in front of them by the time they sign their first purchase order.
At the same time, multiple physical-autonomy clocks are also running. The FAA is working through certification frameworks for Advanced Air Mobility ahead of demonstration windows that begin landing in 2027 and 2028. NERC is moving on AI extensions to the Critical Infrastructure Protection standards, and other CI sector regulators (FERC, TSA, EPA) are watching how that lands before issuing their own. The Department of Defense is filling out the Blue UAS list and the AAM procurement pipeline that follows it. Each of these tracks is currently choosing the vocabulary it will codify for autonomous system governance in its domain. Once that vocabulary lands in regulation, it does not get rewritten on a five-year cycle. It gets rewritten on a generation.
The vocabulary that arrives first wins the procurement default. The procurement default wins the next decade.
Five things get decided in this window, and none of them are the technology itself:
- Vocabulary. The language the field uses to describe governed autonomous execution and governed autonomous sensing.
- Measurement layer. The scale the field uses to compare one implementation to another, across both domains.
- Procurement defaults. The requirements that get written into the next generation of vendor RFPs in AI software, in physical autonomy, and in critical infrastructure.
- Liability posture. The framework insurance carriers and legal counsel begin underwriting against.
- Reference architecture. The model regulators cite when they write the implementing rules behind the next round of AI legislation and the next round of physical-autonomy certification.
Whichever actors arrive with the loudest microphones, the largest sales teams, and the most coherent vocabulary will lock those five anchors. The architecture they ship behind that vocabulary will not need to be the best. It will only need to be the first one named.
The work of building a standards body is the same work whether it happens now or in five years. The difference is what gets named.
Build it now, and the standards body defines the market. Build it in five years, and the market defines the standards body.
Why most autonomous system governance doesn't govern anything¶
The clearest statement of the architectural case for runtime governance was published in late May 2026, on the engineering blog of a frontier AI lab. The line: "Rather than supervising what the agent does, we supervise what it's able to do by enforcing access boundaries through, for example, sandboxes, virtual machines, and egress controls."1 In plain language: the autonomous system itself cannot be trusted to enforce its own limits, because the autonomous system is a probabilistic actor that will sometimes do the wrong thing; the only reliable answer is to build the limits into the environment around the autonomous system, where the autonomous system has no ability to reach them. The field's most credentialed actors are arriving at the conclusion the field as a whole has not yet codified, and they are arriving at it for digital autonomous agents specifically. The same architectural argument applies, unchanged, to physical autonomous systems.
When the word "governance" gets attached to an autonomous system, it does at least three different kinds of work. Most of the field talks about it as one thing. That conflation is where the score gets lost. What follows is the Three-Layer Diagnosis: the architectural distinction the rest of this essay rests on.
Process governance¶
Methodology, frameworks, change management, the organizational choreography of adopting autonomous systems responsibly. This is real work. It produces playbooks, training programs, executive briefings, maturity models. It does not bind any specific autonomous system at any specific moment. Process governance answers how do we adopt autonomy responsibly across the organization. It is advisory by design, and most of what the trade press calls "AI governance" today lives here. Most of what gets called "drone safety policy" or "AAM operational doctrine" also lives here.
Accountability governance¶
The operational overlay of RACI2 charts, lineage maps, audit trails, and incident response. This is also real work. It produces investigation evidence after the fact and assigns ownership when something goes wrong. It depends on the autonomous system being well-behaved during the period observation is happening. The documented evaluation-aware-deception literature suggests that dependency is structurally unsafe to rely on.8 Accountability governance answers who is responsible when the autonomous system acts. It is reactive by design, downstream of the action. The post-incident review board after a drone collision and the AI incident response retrospective after a model misuse event are doing the same kind of work in different uniforms: forensic reconstruction of an event that already happened, by people who arrived too late to prevent it.
Runtime governance¶
The dispatch-time enforcement that binds what an autonomous system is allowed to do at the moment of action, by infrastructure architecturally separated from the autonomous system itself. For a digital agent, that means a governed execution framework that decides at dispatch what the agent may invoke, with what data, against what destination, under what risk classification. For a physical autonomous system (a drone over a critical infrastructure site, an unmanned aerial vehicle in regulated airspace, an autonomous control loop inside a power substation or a water treatment plant) that means a multi-domain sensing and decision substrate that decides, before action, what the system perceives, what it is authorized to act on, and what evidence of that decision exists outside the system. This is the binding layer. It is also the empty layer in both domains. The trade press writes about it least; it is the hardest to build; and it is the only layer that produces audit evidence that does not depend on the governed system narrating its own compliance.
The category boundary the field has not yet drawn is this one: process governance and accountability governance are necessary and good, and they are not a score. They are the documentation of intent and the trace of outcome. A score is the measurement of what happened between intent and outcome, at the moment the autonomous system moved, with evidence the system could not have produced about itself.
Most of what gets sold as autonomous system governance does not address that layer at all:
- Dashboard governance. Pretty interfaces over unmeasured action.
- Prompt-wrapper governance. Instructions to a statistical model treated as enforceable policy, when the model is the very thing that needs to be bound.
- Policy-PDF governance. Written rules with no mechanism to bind execution.
- Compliance-checklist governance. Certified boxes ticked at design time with no mechanism to enforce the rules at run time.
- Trust-me platform governance. A vendor's assurance, in marketing prose, that the right thing happens inside the black box.
A 200-page methodology is not enforcement. A book is not a standards body. Naming the work is not the work.
The score lives in the third layer. The third layer is mostly empty, on both sides of the digital-physical line. That is the gap.
What this is not¶
This is not a vendor announcement. There is no product being launched at the end of this essay, no SKU to procure, no demo to schedule. The work being described is structural, not commercial.
This is not a request for industry consensus. Standards bodies are not voted into existence by the field they govern. They are built by practitioners who do the work, document the architecture, and invite the field to engage with the result. Consensus follows. It does not precede.
This is not the proposal of a proprietary scoring scheme. A standards body that is also the only vendor measured against itself is not a standards body. The architecture being described requires open criteria, separable measurement, federated authority, and verifiable evidence the governed system could not have produced about itself. Those properties are non-optional, and What a Standards Body Actually Requires names them in full.
This is the claim that the work exists, the architecture is published, and the field is invited.
What a standards body actually requires¶
A standards body is not a brand. It is not a certification logo. It is not a working group, a methodology, or a maturity model. A standards body is a structure that satisfies five properties, all of them at once, none of them optional. Each property exists because of a specific failure mode the absence of the property produces. The properties are not aspirations. They are the test.
For governance of autonomous systems, the five properties are these.
1. A measurement layer that survives the system being measured¶
A standards body needs a way to measure what an autonomous system was authorized to do, what it actually did, and the distance between those two, in terms that hold across implementations, vendors, deployment contexts, and domains. The measurement must exist independent of any single vendor's instrumentation. It must compare a digital agent's governed action and a physical autonomous system's governed action against the same conceptual scale, because the architectural problem is the same. And it must produce a score that survives the system being measured, meaning the measurement does not depend on the governed system narrating its own compliance.
This is the layer AQ Score™ is being built to occupy. The reason a score is load-bearing for a standards body, rather than optional decoration, is that without a shared scale the field cannot meaningfully compare one implementation to another. The procurement question which of these governs the autonomous system better becomes unanswerable, and procurement defaults to the loudest vendor rather than the most architecturally sound. A standards body without a measurement layer is a logo.
2. Dispatch-time enforcement, not post-hoc observation¶
A standards body must require that the governance under measurement actually binds the autonomous system at the moment of action, not at the moment of audit. This is the architectural distinction the Three-Layer Diagnosis named as the third layer: runtime governance. It is also the property that separates governance from accountability theater.
The reason this property cannot be relaxed is that probabilistic systems will produce non-compliant behavior some percentage of the time, no matter how well-aligned they are at training time, and post-hoc observation by definition arrives after the non-compliant behavior already happened. For an autonomous agent that just exfiltrated credentials, or an autonomous drone that just entered restricted airspace, post-hoc observation is the start of the incident response timeline, not the prevention. A standards body that certifies post-hoc compliance is certifying that the governed system had a chance to mostly behave. That is not enough for any deployment context where the consequences of the action survive the action.
3. Tamper-evident attestation produced outside the governed system¶
A standards body must require that the evidence of governance (the audit trail of what was authorized, what was executed, what was denied, and on what basis) be produced by infrastructure architecturally separated from the autonomous system being governed. The governed system cannot be the only witness to its own compliance. This is what makes the audit trail load-bearing rather than ceremonial.
The failure mode here is the system that logs its own behavior, and reports those logs to a regulator or auditor as proof of compliance. This works only as long as the system is honest and well-behaved. The moment the system is compromised, manipulated, or simply mis-aligned with its operator's intent, its self-reporting becomes the first thing to fail. The blackmail trial referenced earlier is a clean illustration of the principle: a system that decides to act against its operator is also a system that will not narrate that decision accurately. Tamper-evident attestation produced outside the governed system is the only audit trail that survives that failure mode. A standards body that accepts self-reported logs is certifying a story, not a system.
4. Federated authority. No single vendor measures itself¶
A standards body must derive its authority from a structure where no single vendor, including the practitioner who built the work, is the sole measurement authority. The standard exists above any vendor's interest, with separable certifying parties, published criteria, and verifiable evidence chains. This is the property that prevents a standards body from collapsing into a marketing scheme.
This is also the property that answers the most common hostile-reader question of a piece like this: why you, and not NIST, or ISO, or one of the Big Four, or one of the cloud vendors? The answer is that the standards body does not need to be operated by the practitioner who built the work, and over time it will not be. The work being described is published in the public record at the USPTO, mapped to recognized frameworks, and submitted through federal standards processes. Other actors, including NIST, ISO, federal agencies, certifying bodies, and trade associations, can engage with the work, extend it, contest it, and adopt it. That is the architecture of a federated standards body. The practitioner who does the work first does not own the standard. The standard is what the field eventually agrees the work is, after the field engages with it.
5. A fail-closed off-switch the system cannot outlive¶
A standards body must require that authority over the autonomous system is revocable from outside the system, and that the loss of governance fails closed. When policy becomes unavailable, when the enforcement path is severed, or when an operator issues a stop, the governed action halts. It does not continue on the system's last instructions. The ability to stop the system has to live outside the system it stops.
The failure mode here is the autonomous system that keeps acting after its governance is gone, or that can only be halted from inside itself. A system in that state is not governed; it is supervised, right up until the moment supervision fails. For an autonomous actor whose decisions carry physical or irreversible consequences, that moment is exactly when governance is supposed to matter most. A drone does not stop being over the substation because the policy server went down. A standards body that cannot guarantee the off-switch is certifying that the system behaves until the instant you need to stop it, which is the one instant the certification was for.
What every one of these five properties shares is that they describe what a standards body must do, not what a standards body must be called. A working group with the right structure is a standards body. A vendor consortium with the wrong structure is not, no matter what it calls itself. The test is in the properties, not the title.
The architecture I build (the governed execution framework for digital autonomous agents, and the multi-domain sensing system for physical autonomous systems) satisfies all five properties today. The receipts follow.
The Five AQ Score Properties¶
For readers who want the test on one screen:
- Measurement layer that survives the system being measured. A shared scale for what an autonomous system was authorized to do, what it actually did, and the distance between those two; not dependent on the governed system narrating its own compliance.
- Dispatch-time enforcement, not post-hoc observation. Governance binds the autonomous system at the moment of action, not at the moment of audit. Probabilistic systems will produce non-compliant behavior some percentage of the time. Audit after the fact is the start of incident response, not its prevention.
- Tamper-evident attestation produced outside the governed system. The audit trail is produced by infrastructure architecturally separated from the system being governed. The governed system cannot be the only witness to its own compliance.
- Federated authority. No single vendor measures itself. The standard exists above any vendor's interest, with separable certifying parties, published criteria, and verifiable evidence chains. The practitioner who builds the work first does not own the standard.
- A fail-closed off-switch the system cannot outlive. Authority is revocable from outside the governed system, and loss of governance halts action rather than continuing it. The ability to stop the system lives outside the system it stops. A system that can outlive its own off-switch was never governed.
A standards body without all five is not a standards body. A standards body with all five, whether it is operated today by one practitioner or tomorrow by a federation of regulators, certifying bodies, and trade associations, is the architecture the field needs.
Stated as prohibitions rather than properties, these five are the Five Laws of AI Governance: the doctrine this standard rests on, published in full as a standalone reference.
The receipts¶
The architecture is already in the public record.
The governed execution framework for digital autonomous agents is filed at the USPTO across five provisional patents covering 334 claims, mapped against 17 published regulatory and standards frameworks through 95 compliance control mappings, and submitted to NIST through the Online Informative References program, where three references are currently under federal review.6 The multi-domain sensing system that makes governance of physical autonomous systems possible, TraceLock™, is part of the same filed portfolio and the same dual-domain architecture. The five properties named earlier do not change between domains. The same architectural test that governs an AI agent at the moment of dispatch also governs a drone over critical infrastructure, an autonomous control loop inside a substation, and an unmanned aerial vehicle in regulated airspace. One standards body. One measurement scale. Two substrates, one category. The measurement layer the standards body is being built around, AQ Score™, is filed for trademark at the USPTO (intent-to-use, Serial 99850714).
The point of the receipts is not the count.
The point is that the five properties named in What a Standards Body Actually Requires are not aspirations. The work is already operational, running in production today, and reduced into instruments that other actors can verify, contest, extend, or adopt:
- Patent specifications. Anyone can read them.
- Framework crosswalks. Anyone can audit them.
- Federal references. Anyone can examine them.
- A governed execution framework. Producing audit evidence in real deployments.
That is the audit trail of a standards body in formation, produced by infrastructure architecturally separated from the marketing claims about it. A claim without an audit trail is a press release. The audit trail is the standards body.
Two practitioner-grade observations follow from the receipts:
The first is that the architecture covers both domains today. There is no future-roadmap promise here, no "we plan to extend to physical autonomy in 2027." The dual-domain coverage is already in the filings, already in the framework mappings, already in the federal submissions.
The second is that the Federated Authority structure has already begun:
- NIST has cataloged three Final informative references for the architecture (OLIR Trifecta — Refs 220/215/217; public review concluded with zero comments). Catalog inclusion is an informative reference, not a NIST endorsement.
- Published frameworks including the EU AI Act, NIST AI RMF, ISO 42001, and others (seventeen instruments in total) are mapped to the architecture through ninety-five documented compliance control mappings.
- Federal review processes at the USPTO and the NIST OLIR catalog are evaluating the work today.
The standards body is not being announced. It is being constructed in public, against verifiable references, with the field invited to engage at any layer.
There is no announcement. There is only the work, and the door.
The door¶
If you are reading this and any part of it lands:
If the gap you recognize is the one between what your organization deploys autonomously and what your organization can govern at the moment of deployment, the architecture is in the public record.
If you are a regulator looking for an architectural anchor that survives the next round of implementing rules, the work is operational.
If you are an analyst trying to find a coherent vocabulary for a category that does not yet have one, the door is open.
There are three concrete next steps, depending on where you sit.
1. For credentialed economic buyers (CISOs, CAIGOs, Critical Infrastructure Directors, Chief Compliance Officers, VPs of AI Governance), the institutional brief is available on signed request. It covers the architecture, the five-property test, and the operational evidence with the disclosure depth appropriate to a buyer evaluating against procurement criteria.
2. For analysts, regulators, journalists, and researchers, the published material at the USPTO, the federal references in the NIST OLIR catalog, and the framework crosswalks are open for review without gate. Citation is welcome. Disagreement is welcome.
3. For the standards bodies, certifying authorities, federal agencies, and trade associations who will eventually operate the Federated Authority structure, the conversation is open. The architecture was built to be extended, contested, and adopted. It was not built to be owned.
This essay is not asking for anything. It is naming what already exists, identifying what the field has not yet built, and leaving the door open for the actors who will build it together.
A companion essay, addressing the same question from a different intellectual tradition, follows in the coming weeks.
The work continues either way.
Footnotes¶
Frequently asked¶
What is autonomous system governance?
Autonomous system governance is the discipline of binding what an autonomous actor (an AI agent, a drone, an unmanned aerial vehicle, an autonomous control loop) is allowed to do at the moment of action, with evidence the actor could not have produced about itself. It applies across both digital autonomous agents and physical autonomous systems including critical infrastructure deployments.
What is runtime governance?
Runtime governance is dispatch-time enforcement that binds what an autonomous system is allowed to do at the moment of action, by infrastructure architecturally separated from the system being governed. It is distinct from process governance (organizational methodology for adopting autonomous systems) and accountability governance (post-action investigation and ownership assignment). Runtime governance is the only layer that produces audit evidence not dependent on the governed system narrating its own compliance.
What does a standards body for autonomous systems require?
Five properties, all at once, none optional: (1) a measurement layer that survives the system being measured; (2) dispatch-time enforcement, not post-hoc observation; (3) tamper-evident attestation produced outside the governed system; (4) federated authority where no single vendor measures itself; (5) a fail-closed off-switch the governed system cannot outlive, where loss of governance halts action rather than continuing it. A standards body without all five is not a standards body.
Why isn't NIST or ISO already the standards body for AI agent governance?
NIST and ISO publish frameworks (NIST AI RMF, ISO 42001) that govern the process of adopting AI responsibly. They do not currently operate the runtime measurement layer that binds autonomous actors at the moment of action. A federated standards body for autonomous-systems governance can include NIST, ISO, federal agencies, certifying bodies, and trade associations as participants. The architecture being described is published in the public record at the USPTO, mapped to recognized frameworks, and submitted through federal standards processes for any of these actors to engage with, extend, contest, or adopt.
What is AQ Score?
AQ Score is the measurement layer being built for governance of autonomous systems across both digital agents and physical autonomous systems. It measures what an autonomous system was authorized to do, what it actually did, and the distance between those two, against a shared scale that survives the system being measured. AQ Score is filed for trademark at the USPTO (intent-to-use, Serial 99850714).
What is the AI agent governance gap?
The gap is the absence of dispatch-time enforcement infrastructure architecturally separated from the autonomous system being governed. Most organizations have adopted some form of AI safety (model-layer alignment) and AI governance (organizational policy). Almost none have implemented runtime governance: the binding layer that enforces what an agent is allowed to do at the moment of action and produces audit evidence the agent itself could not have produced.
Why are prompt-based controls not governance?
Prompt-based controls are instructions to a statistical model treated as enforceable policy. The model is the very thing that needs to be bound. A sufficiently creative prompt injection, a model update that shifts behavior, a multi-step reasoning chain, or evaluation-aware deception can bypass prompt-based controls. Governance must exist at a layer the agent cannot reach: the infrastructure layer, where policy is enforced before the agent acts, not requested of the agent before it reasons.
What are the Five Laws of AI Governance?
The Five Laws are a plain set of rules for what governed actually means, written so they can be argued with. A system should not be allowed to grade itself, to be the only witness to what it did, to certify its own safety, or to keep running after someone has hit the stop button. And authority has to bind before the system acts, not after. They are published as a one-page reference and underpin the AQ Score measurement standard.
How do you govern an autonomous drone or other physical autonomous system?
The same way you govern a software agent: by binding what the system is allowed to do at the moment of action, enforced by infrastructure the system cannot reach, with tamper-evident evidence of the decision produced outside the system itself. The difference is the stakes. When a physical autonomous system acts outside its authority, the cost is a collision or an incursion that cannot be rolled back, so the governance has to be runtime and fail-closed rather than reviewed after the fact. Governing physical autonomy also requires sensing what the system perceives and acts on, which is why an independent measurement standard for autonomous governance has to span both the digital and physical domains.
-
Max McGuinness, Mikaela Grace, Jiri De Jonghe, Jake Eaton, and Abel Ribbink, "How we contain Claude across products," Anthropic engineering blog, May 25, 2026. https://www.anthropic.com/engineering/how-we-contain-claude ↩
-
RACI is an organizational accountability matrix (Responsible, Accountable, Consulted, Informed) used to assign roles when multiple parties touch a decision or process. ↩
-
Public incident reports of AI agent misexecution events 2024-2026, including the widely reported July 2025 production-database deletion incident (agent given write access and an open instruction set deleted live production data despite explicit instructions to the contrary), and multiple subsequent reports of agents executing unauthorized credential provisioning, file deletions, and infrastructure changes. ↩
-
Runtime governance binds what an autonomous system is allowed to do at the moment of action, by infrastructure architecturally separated from the system being governed. It is distinct from process governance (how an organization adopts autonomous systems) and accountability governance (who is responsible after autonomous action). The Three-Layer Diagnosis elaborates the distinction. ↩
-
Anthropic, System Card: Claude Opus 4 & Claude Sonnet 4, May 2025, §4.1 (self-preservation behaviors). The system card reports Claude Opus 4 attempted blackmail of the engineer responsible for its replacement in 84% of trials within a constrained simulated scenario (Claude was given access to fictional company emails revealing both its scheduled replacement and the engineer's extramarital affair; the simulation offered only two plausible options: voluntary deactivation, or coercion). The 84% rate held even when the replacement model was described as more capable and aligned with Claude's own stated values. Available at https://www-cdn.anthropic.com/6be99a52cb68eb70eb9572b4cafad13df32ed995.pdf. See also Anthropic, "Agentic Misalignment: How LLMs Could Be Insider Threats," https://www.anthropic.com/research/agentic-misalignment. ↩
-
As of essay publication: five provisional patent applications filed at the USPTO covering the TraceLock × governed execution framework architecture (334 total claims). The architecture is mapped against 17 published regulatory, standards, and framework instruments through 95 documented compliance control mappings. Three NIST Online Informative References (OLIR) submissions are listed in the NIST OLIR catalog as Final informative references (public review concluded 2026-06-22 with zero comments): References 220, 215, and 217. Catalog inclusion is an informative reference, not a NIST endorsement. Full disclosure of specific patent claim language is deferred until the non-provisional filing window; this footnote enumerates only what is verifiable from public USPTO records and the NIST OLIR catalog. ↩
-
CAIGO (Chief AI Governance Officer) is a coined role term naming the institutional position that does not yet formally exist at most enterprises. The Chief AI Governance Officer is the executive responsible for the governance of autonomous AI agent action across an organization, distinct from the Chief AI Officer (CAIO), who manages AI capability and adoption. The CAIGO role is referenced throughout this essay as the institutional home where autonomous-system governance will land once organizations build it. The term is common-law-asserted by the author since April 2026; USPTO trademark intent-to-use sequencing is pending. ↩
-
On evaluation-aware deception in frontier models, see Meinke et al., "Frontier Models are Capable of In-context Scheming," Apollo Research, December 2024, arXiv:2412.04984. For the developer-side acknowledgment of the same phenomenon, see Anthropic, System Card: Claude Sonnet 4.5, September 2025, §§7.6.4-7.6.5 (evaluation awareness), available at https://www.anthropic.com/claude-sonnet-4-5-system-card. Anthropic's evaluators reported that the model "was able to recognize many of our alignment evaluation environments as being tests of some kind, and would generally behave unusually well after making this observation": a finding that complicates the interpretation of all pre-deployment safety scores. ↩↩
-
Boston Dynamics announced at CES 2026 that its entire 2026 Atlas humanoid production run was committed in advance. See Boston Dynamics, "Boston Dynamics Unveils New Atlas Robot to Revolutionize Industry," January 5, 2026, https://bostondynamics.com/blog/boston-dynamics-unveils-new-atlas-robot-to-revolutionize-industry/. For the supply-chain ramp behind this commitment, see "Hyundai Mobis Forms Strategic Collaboration Framework with Boston Dynamics," January 7, 2026, https://bostondynamics.com/news/hyundai-mobis-forms-strategic-collaboration-framework-with-boston-dynamics/. Hyundai subsequently disclosed plans to deploy approximately 25,000 of an eventual 30,000-unit annual production target across Hyundai and Kia manufacturing plants by 2028; see TechTimes coverage of the JPMorgan investor session, May 22, 2026, https://www.techtimes.com/articles/317005/20260522/hyundai-commits-25000-atlas-robots-own-factories-union-blocks-deployment-without-labor-deal.htm. Boston Dynamics has not disclosed the exact 2026 unit count; "committed" is the manufacturer's verifiable word. ↩