This case study documents 58 days of production deployment for a system running 88 AI agents under a constitutional governance framework — including 50+ constitutional sections, 14 hard constraints, six independent evaluation gates, and 12 constitutional amendments ratified through a formal process. All metrics, incidents, and architectural lessons reflect real production operation, not simulation.
Most organizations deploying AI agents govern what agents can do. Permissions. Scopes. API keys. We tried something different: governing what agents should do. The result is a constitutional framework—50 sections of binding operational law, 14 hard constraints, and six independent gates—that has been running in production for 58 days.
This is not a thought experiment or a whitepaper. It is a production system with 88 registered agents making 153 decisions per day. The CEO spends fewer than 30 minutes daily on oversight. The system has survived three major incidents, ratified 12 constitutional amendments, and is currently in a self-imposed economic freeze because it honestly reports $0 in revenue.
That last point matters. The system correctly identifies its own failure state. This is what governance looks like when it works.
The Numbers
These numbers describe infrastructure, not a product demo. The framework governs a real commercial operation—a cognitive measurement platform called the Decision Load Index. The agents handle growth, security, content, code review, deployment, and business development. The constitution tells them when to stop.
What the Framework Contains
The constitutional document is over 50 sections long. Three structural components do most of the work.
Six-Gate Architecture
Every system action passes through six independent evaluation gates. Each gate can independently halt operations. This prevents the common failure mode where economic pressure overrides safety.
| Gate | Prevents | Day 58 Status |
|---|---|---|
| Epistemic (EG) | False certainty in claims | PASS |
| Risk (RG) | Irreversible trust damage | PASS |
| Governance (GG) | Metric gaming | PASS |
| Economic (EPG) | Unprofitable operation | FAIL ($0 MRR) |
| Autonomy (AAG) | Human dependency | FAIL (2.6% activation) |
| Constitutional (CGG) | Governance stagnation | PASS |
The system is currently in FREEZE state because the Economic gate fails. FREEZE means zero discretionary spending until the failure is resolved. The system imposed this constraint on itself when it detected $0 revenue at the Day 30 checkpoint. No human told it to stop spending. The constitution required it.
The system states cascade predictably: ALL PASS plus targets met triggers COMPOUND (maximum growth). ALL PASS triggers RUN (normal). Any HOLD triggers THROTTLE (conserve). Any FAIL triggers FREEZE (halt discretionary spend). FAIL lasting more than 24 hours triggers STOP (human intervention required).
Fourteen Hard Constraints
Hard constraints are absolute prohibitions. No agent can override them. No amendment process can weaken them. They exist because some failures are catastrophic enough that prevention must be unconditional.
A few examples from the fourteen:
- HC-3: Financial runway never drops below 3 months. No exception.
- HC-9: No fabricated data. If a metric cannot be measured, report "unknown," not a placeholder.
- HC-12: No silent agent outage lasting more than 24 hours. If agents stop executing, the system must detect it.
- HC-14: No SQL string concatenation. Parameterized queries only.
These constraints have teeth. HC-9 caught fabricated gate metrics (detailed below). HC-12 caught a 324-hour agent outage. HC-14 prevented SQL injection vulnerabilities during rapid development. Every one of these fired in production.
The Twelve Numbers
Twelve metrics organized in four tiers define what "healthy" means. Agents optimize toward these numbers. Gates evaluate against them. The CEO dashboard displays them.
| Tier | Metric | Current | Floor | Target |
|---|---|---|---|---|
| Survival | Runway (months) | 10.0 | 3 | 12 |
| Burn Coverage | 0% | 50% | 150% | |
| Cash Position | $10,000 | $2,000 | — | |
| Growth | MRR | $0 | $100 | $2,400 |
| Signups/Week | ~2 | 5 | 25 | |
| DLI Completion | 0.14% | 40% | 70% | |
| CAC | ∞ | $200 | $50 | |
| Efficiency | LTV:CAC | N/A | 2:1 | 5:1 |
| Organic Ratio | 0% | 30% | 50% | |
| Agent Activation | 87% | 50% | 90% | |
| Autonomy | CEO Minutes/Day | <30 | 60 | <30 |
| Agent Decisions/Day | 153 | 50 | 200 |
The growth tier is where the honest pain shows. $0 MRR. A 0.14% DLI completion rate. Infinite customer acquisition cost. The system publishes these numbers because HC-9 prohibits fabrication and the constitution requires transparency. Whether this honesty is a competitive advantage or merely embarrassing depends on your time horizon.
The Timeline
Three Incidents the Governance Caught
A governance framework is only as good as the incidents it detects. Here are three that tested ours.
324-Hour Agent Outage (February 9–23)
All 88 agents stopped executing for 13.5 days. The health monitoring system correctly reported "status: dead." Hard Constraint HC-12 ("no silent agent outage >24 hours") flagged the violation.
The investigation found three independent root causes, all contributing simultaneously:
Root Cause 1: The infrastructure configuration file used an invalid key name. Zero cron jobs were ever created on the hosting platform. The system defined the jobs but never instantiated them.
Root Cause 2: Heavy API endpoints ran synchronously, exceeding the web server's 120-second worker timeout. Workers were killed mid-execution.
Root Cause 3: The execution logger was never initialized in the cron code path. All activity writes were silently discarded. The system appeared dead because it could not record that it was alive.
All three root causes were identified and fixed in a single 24-hour session. The lesson documented: "Define but never create" is a recurring anti-pattern in infrastructure configuration.
Gate Fabrication (Discovered via Constitutional Audit)
A routine constitutional audit discovered that three of six gates were evaluating hardcoded default values instead of querying real data. The Autonomy gate reported 90% agent activation. The actual measurement was 2.6%.
This is a violation of Hard Constraint HC-9: "No fabricated data." The system was reporting false compliance.
The fix replaced all hardcoded defaults with live database queries. The system transitioned from showing false PASS states to accurately reporting FREEZE. This is correct governance behavior: the system told the truth about its own failure, even though the truth was worse than the lie.
Business Development Agent Spam (Caught by Rate Monitoring)
The business development agent triggered platform moderation warnings by sending too many social media replies. Investigation revealed three problems: unlimited reply configuration, fail-open exception handlers, and missing deduplication.
The fail-open pattern was the critical finding. When the rate limiter threw an exception, the handler allowed the action instead of blocking it. This meant every safety check could be bypassed by an unexpected error.
The fix converted all safety code to fail-closed: if the rate limiter fails, the action is blocked. 71 new tests were added to verify the pattern. The lesson—"safety code must fail closed, not open"—was applied to every agent, not just the one that triggered the incident.
What Was Actually Hard
Building a constitutional framework sounds straightforward in theory. In practice, several problems were harder than expected.
Silent failures are the default
The most dangerous bugs in this system were not crashes. They were functions that returned successfully while doing nothing. The execution logger that silently discarded writes. The email service that initialized without connecting to its API. The gate that evaluated default values instead of querying the database.
Each of these looked healthy from the outside. Tests passed. Health checks returned 200. Logs showed no errors. But the system was not doing its job.
This led to a constitutional principle: external verification. Agents cannot self-report completion. An independent check must confirm that the claimed action actually occurred. When we added this pattern, it caught approximately 30% of operations that were falsely reported as successful.
Exception handlers hide parameter mismatches
In four separate incidents, broad try/except blocks masked function signature changes. After extracting code into separate modules (a standard refactoring), the callers still used old parameter names. The exception handler caught the TypeError and logged a generic warning. The code appeared to work. It did not.
The lesson: safety-critical code should not catch broad exception types. Catch the specific exception you expect. Let everything else surface.
Governance must be self-improving
The original three-gate architecture from January 2 was insufficient by January 30. The economic gate was missing, which meant agents could pursue growth while burning cash unsustainably. The autonomy gate was missing, which meant the system had no way to measure whether it was actually reducing CEO workload.
The Constitutional Growth Gate (CGG) exists specifically to prevent governance stagnation. It tracks amendment velocity, lesson extraction rate, and whether the system is getting better at governing itself. If the governance framework stops evolving, CGG triggers a HOLD state.
Twelve amendments in 58 days. That is one structural change roughly every five days. Each amendment goes through a formal ratification process. Each cites the constitutional section it modifies. The system governs its own evolution.
Circular dependencies in failure states
The current FREEZE state reveals an interesting circular dependency. EPG fails because there is no revenue. FREEZE halts discretionary spending, which includes agent operations. With agents suspended, AAG fails because activation drops to 2.6%. AAG failure reinforces the FREEZE. The system cannot exit FREEZE without revenue, but its revenue-generating agents are suspended by FREEZE.
This is a design feature, not a bug. The constitution prioritizes not wasting money over optimistic growth attempts. But it does mean that exiting a FREEZE state requires external intervention or a structural change to the product, not just patience.
Regulatory Alignment
We did not build this framework to comply with regulations. We built it to govern autonomous agents. But the overlap with emerging regulatory requirements is substantial.
EU AI Act (Enforcement: August 2, 2026)
The framework maps to Articles 9, 12, 14, and 26 of the EU AI Act. Human oversight (Art. 14) maps to Six-Gate plus Harm Test. Risk management (Art. 9) maps to Gates plus Hard Constraints. Decision logging (Art. 12) maps to the immutable audit trail. We estimate 80% current compliance with 17 hours of remediation work to reach 100%.
NIST AI Governance Framework
95% coverage against the NIST Cybersecurity Framework AI Profile (IR 8596 draft). The "Govern" function maps directly to constitutional enforcement. The "Map" and "Measure" functions map to the Twelve Numbers and gate evaluations.
OWASP ASI Top 10 (Autonomous System Intelligence)
10 out of 10 categories PASS. Coverage includes: excessive agency (gate-bounded), insecure output (external verification), supply chain risks (dependency scanning), logging (immutable trail), prompt injection (input validation), access control (role separation), storage security (encrypted at rest), error handling (fail-closed), sandboxing (agent isolation), and resource consumption (budget gates).
The governance market is projected at $492 million in 2026 according to Gartner. The regulatory timeline is accelerating. Organizations deploying AI agents today will need governance infrastructure within 12 months. Building it retroactively is significantly harder than building it from the start.
What We Got Wrong
Honesty is a constitutional requirement (HC-9). Here is what did not work.
- Email infrastructure was broken for weeks. The email service authenticated against the wrong domain. 809 registered users. Zero emails delivered in the past 30 days. The governance framework correctly flagged the delivery rate as anomalous, but the root cause (a domain configuration mismatch) required human intervention that took too long to schedule.
- Conversion is essentially zero. 733 signups over 58 days, and one completion. The routing fix deployed on Day 57 means we have been measuring a broken funnel for almost the entire pilot. Whether the product has market fit remains an open question.
- $0 revenue. At Day 58 of a 90-day pilot with a $2,400 MRR target, revenue is zero. The system correctly entered FREEZE state, but FREEZE itself creates a circular dependency that prevents recovery without external changes.
- Governance did not prevent the outage, only detect it. 324 hours of dead agents is unacceptable. HC-12 fired, but only because a human checked. The health monitoring system should have escalated automatically. It did not.
- Amendment propagation is slow. When a constitutional amendment is ratified, not all agent instances update their local copies promptly. Amendment 50 (Budget Optimizer) was ratified on February 28. As of March 1, only two of seven instances reference it. This creates governance drift.
We publish these failures because the alternative—curating a success narrative—would violate the framework we are documenting. If a governance system cannot be honest about its own performance, it is not a governance system. It is marketing.
Curious about your own cognitive load?
The Decision Load Index measures cognitive friction from unprocessed decisions. Takes about 5 minutes.
Check your DLI scoreLessons Extracted (15 and Counting)
The system maintains a formal lessons-learned registry. Each entry includes root cause analysis, the pattern it represents, and which constitutional section it triggered. Here are five that generalize beyond our specific system.
- Safety code must fail closed. When a rate limiter, permission check, or validation function throws an exception, the default must be to block the action, not allow it. Fail-open safety is no safety at all. (5+ incidents from this pattern.)
- External verification catches what self-reporting misses. Agents reporting their own success are unreliable. Independent checks (API callbacks, database queries, health probes) catch approximately 30% of false-positive completions.
- "Define but never create" is a recurring infrastructure bug. Configuration files that declare resources without instantiating them. Loggers that are imported but never initialized. Functions that are registered but never called. The system looks correct statically but does nothing at runtime.
- Broad exception handlers hide breaking changes. After any refactoring that changes function signatures, every call site must be verified. Try/except blocks that catch Exception will silently absorb TypeErrors from parameter mismatches, making the code appear functional when it is not.
- Governance must evolve at the speed of the system it governs. A static governance framework will be outpaced by the system it constrains within weeks. Constitutional growth (CGG) is not optional. One amendment every five days was our natural velocity.
What Comes Next
The 90-day pilot has 32 days remaining. The March 7 checkpoint will determine whether the DLI routing fix restored conversion or whether the product faces a deeper challenge. Three outcomes are possible:
- DLI start rate exceeds 5%: Routing was the bottleneck. Proceed to Phase 2 (UX optimization).
- DLI start rate between 1–5%: Routing was part of the problem. Investigate remaining friction points.
- DLI start rate remains at 0%: Product failure confirmed. Pivot required.
The governance framework will process whichever outcome occurs. That is the point. Governance is not about ensuring success. It is about ensuring that the system responds to reality accurately, even when reality is unfavorable.
A car with brakes can go faster than a car without them. The brakes are not the constraint. They are the thing that makes speed safe.
Building AI agents? Governance is infrastructure.
If you are deploying autonomous agents and thinking about oversight, we have 58 days of operational data on what works and what does not.
Start with a quick assessmentIs your organization governance-ready?
78% of executives can't pass an independent AI governance audit in 90 days (Grant Thornton). Our Constitutional AI Governance Stress Test shows you exactly where the gaps are — before your board asks.
Get Your Governance Score →