The Cloud Security Alliance’s research note, The AI Agent Governance Gap: What CISOs Need Now, gets the diagnosis right. Legacy IAM has no coherent representation for non-human principals; agent reasoning is opaque to conventional logging; and existing frameworks assume a stability that autonomous agents, in the note’s phrase, “invalidate by design.” Surveying the standards landscape—NIST’s forthcoming deliverables among them—it concludes that established standards still provide “no enforceable, agent-specific security controls.” That gap is the one I want to answer.

The note’s most concrete technical treatment centers on identity, authorization, and auditability: who the agent is, what it may access, and whether its actions can be reconstructed. Those controls are necessary, but they leave another problem underdeveloped. An agent can be correctly identified, properly authenticated, and fully within its permissions—and still take an action that is authorized but unsound, a pattern visible in production telemetry showing authenticated agents being refused at decision gates (Authorized but Refused). That is not an IAM failure; identity and access are necessary but not sufficient at the decision layer (Beyond Identity Governance). It is a distinct control category the note gestures toward through “real-time policy enforcement” but does not develop fully: decision governance—evaluating whether an authorized action is sound in context, and whether individually compliant actions compose into unacceptable cumulative risk, at the moment of execution.

This is not theoretical. On a live agent-payment preview (July 2026), I measured a per-session spend cap that enforced correctly on every individual session—yet five concurrent sessions each remained below their own cap while producing signing-layer authorization evidence for an aggregate amount no single control represented. The cap worked locally. The risk budget did not compose across sessions. (Evidence is bounded to the signing layer; no settlement was tested; this is not a vulnerability claim.) Locally-compliant actions composed into an aggregate risk state the per-session control could not see. Identity governance alone would not have caught it. Access governance alone would not have caught it. That state requires decision governance: cumulative, cross-session evaluation at execution time. (Method and per-test detail: The spend cap worked. The risk budget didn’t compose.)

An executable implementation of this layer now exists, and it is vendor-neutral by construction. constitutional-agent (MIT-licensed package on PyPI) provides a pre-commit evaluation interface: given an authorized action and its context, it determines whether the action satisfies a defined set of constitutional constraints—sitting above any single agent platform or control plane, including Microsoft Agent 365, Amazon Bedrock AgentCore, and Google’s Gemini Enterprise ecosystem, rather than inside one of them. What it ships today (v0.6.0; source): six constitutional gates returning pass/hold/fail on a decision; execution states (COMPOUND / RUN / THROTTLE / FREEZE / STOP); twelve hard constraints designed to be non-overridable when deployed behind a non-bypassable execution boundary; decision-evidence generation, including artifacts intended to support an EU AI Act Article 27 fundamental-rights impact assessment (the six-gate model is documented from a 77-day production study in Constitutional Self-Governance); and—new in v0.6.0, released the day this was written—a composition module (ComposedEvaluator) that accumulates risk across decisions and sessions over a rolling window, optionally with time decay, in durable state. That composition capability is modeled directly on the payment-preview gap measured above; it is unit-tested but new, and has not yet accumulated the production history of the core gates. The library is explicitly complementary—it does not replace identity (WHO—Entra, Okta) or execution-policy controls (HOW—OPA, Cedar, Microsoft Agent Governance Toolkit); it adds the decision-soundness layer (WHY) above them.

I’d welcome scrutiny from the CSA AI Safety Initiative and would value contributing this into the standards process. The gap the note names is real. A vendor-neutral decision layer can preserve constitutional portability and generate comparable governance evidence across multiple agent platforms—properties that must be designed explicitly when governance is embedded inside a single platform. The supporting research is public and cited inline.

The public research preprints

The argument is grounded in two public research preprints: the Constitutional Self-Governance six-gate model (with NIST / EU AI Act mapping) and Beyond Identity Governance (protocol-level testing of decision-layer governance under adversarial conditions).

Constitutional Self-Governance · 10.5281/zenodo.19162104    Beyond Identity Governance · 10.5281/zenodo.19343034

Frequently Asked Questions

What is decision governance for AI agents?

Decision governance evaluates whether an authorized agent action is sound—consistent with intent, context, policy, and cumulative risk—at the moment of execution. It sits above identity (who the agent is) and access and execution policy (what it may do), and addresses a distinct failure: an agent that is authenticated and within its permissions can still act unsoundly, or produce individually compliant actions that compose into unacceptable aggregate risk.

How is decision governance different from identity and policy controls?

Identity controls establish who the agent is; access and execution-policy controls constrain what it may touch and which actions are permitted. Neither evaluates whether a permitted action is the right one, or whether individually compliant actions accumulate into unacceptable risk across a session. Decision governance adds that evaluation—above identity and policy, not replacing them.

What is constitutional governance for AI agents?

Constitutional governance means agents operate under an executable constitution—hard constraints and evaluation gates—whose constraints are evaluated independently of the agent’s own reasoning, rather than relying on the agent to police itself.

Related Articles

The reference model — and where your stack stands

Decision governance is one layer of the Enterprise Agent Architecture: a vendor-neutral reference model for governing the agent workforce across Microsoft, AWS, and Google runtimes. Score your own stack against its six governance layers with the Governance Stress Test—the design-partner program is free.

Explore the framework →    Take the Governance Stress Test