Field notes from the runtime layer.
Writing on agentic AI governance, audit substrates, regulatory cadence, and the eighteen-month window between today and the next examination cycle.
Drift Detection Is Not Governance
A detector reports that behavior moved. A governor decides what the agent was allowed to do once it did.
Drift detection is shipping across the agentic-AI stack. It reports that behavior moved. It does not decide what the agent was permitted to do once it moved, and it does not leave a record an examiner can read. A detector is a sensor. A governor is a control loop that sits in the decision path, sets the authority of the action before it executes, and signs what it decided. The examiner does not ask whether you noticed the drift. The examiner asks what you did and where the record is.
If the Corpus Is Private
A claim that cannot be replayed on a public benchmark is not a claim a counterparty can use.
Vendor demos cite numbers. Hit rate, latency, detection lift. The numbers are precise. The corpus they were measured on is internal, the pipeline is opaque, and the trace is gone. A number measured on private telemetry cannot fail in public. The discipline that makes a claim usable to a counterparty is unglamorous and old. Stand the pipeline on a corpus the counterparty can download. The number either survives or it doesn't.
Field notes, week of June 7, 2026
Three standing objections to a signed runtime record. Latency, contract, identity. One week, three answers.
Three pieces this week, each answering an objection to a signed runtime record. It is too slow to sit in the decision path. No one made us produce it. A signature proves nothing. Sixty-one microseconds answers the first. The contract answers the second. A verifiable identity answers the third. The record only counts as evidence when all three hold.
Who Signs the Run
A signature on the trajectory is only evidence if a stranger can verify which agent stood behind it.
Every piece in this series ends at the same place. The record gets signed. A signature attests to an identity, and the identity is the part nobody has specified. Identity-governance for agents is shipping, but it answers whether the agent may act, not which agent did. A trajectory signed with one shared platform key proves the platform emitted bytes. It does not prove which agent, which version, under which policy. The examiner asks the agent what it asks an employee. Who were you, and prove it.
The Procurement Clause
Why the agent contract, not the audit, is where the record gets won or lost.
SR 26-2 carved agentic AI out of scope and pointed institutions back at their own risk practices. Those practices were written for a model you buy once. An agent run is a service you rent, and the record lives wherever the vendor decides. The control just moved to the contract, and the buyer has leverage exactly once. Before signature.
Sixty-One Microseconds
What it costs to put governance in the decision path, measured across thirty thousand decisions.
In-flight governance has one standing objection. A governor that fires before the next inference sits in the decision path, and every decision waits for it. We built the runtime and measured it. Sixty-one microseconds at the mean, eighty-three at the ninety-fifth percentile, across thirty thousand governed decisions. The same governor, reimplemented in a second language, signs a byte-identical record. That is what makes the audit object verifiable by a party who trusts neither build.
Field notes, week of May 31, 2026
Who owns the record, who prices it, who writes it into the contract. Three pieces, three answers.
Three pieces this week. Each names a party who needs the agent record and a moment it has to be secured. The second line decides where it lives. The carrier cannot price what it cannot replay. The buyer has leverage exactly once, before signature. The record does not arrive on its own. Someone specifies it, or no one does.
The Underwriting Surface
Why an AI E&O line cannot price what it cannot replay.
An insurance market for adaptive-AI errors is forming. The product needs an underwriting surface. The agent run does not present one today. Carriers writing AI E&O are pricing without loss triangles. Reinsurers are quoting without a forensics path. Both are positions the market will not hold.
Where Model Risk Ends
What model risk management keeps owning, and where agent assurance starts.
Model risk management was built for an artifact that does not move. An agent run is an artifact that does. The methodology that worked for the first does not extend to the second. SR 26-2 carved agentic AI out of MRM scope, and the agent run still has to live somewhere.
Field notes, week of May 24, 2026
The vendor enforcement layer shipped this week. The audit-grade record did not.
Three pieces this week. One through-line. Enforcement is shipping. Observability is shipping. A signed audit chain that survives a vendor switch is not. The NAIC examination tool is mid-pilot, and SR 26-2 still carves agentic AI out of scope pending the interagency RFI. The runway is finite.
Nothing to Freeze
Why replaying the model weights does not reconstruct an agent that learned inside the run.
Static-model audit rests on one move. Freeze the weights, replay the input, reproduce the output. An agent that learns inside a single run breaks that move. The weights never changed, but the behavior did, and there is nothing to freeze and replay against. The reconstruction window is the run itself.
Portability Is the Leverage
Why the audit record has to outlive the agent vendor that produced it.
Retention is measured in years. Vendor tenure is measured in quarters. The audit record cannot live where the vendor lives. The third procurement question from the last piece was where the record goes when the agent vendor is replaced. That question is the one with leverage attached.
The Tool-Call Boundary
Why the agent governance launches of the last thirty days enforce, but do not sign.
Thirty days. Three control planes. One missing artifact. Three governance toolkits shipped between April 2 and May 5, each enforcing tool-call policy at sub-millisecond latency. None of them produces the signed record of which calls were allowed, which were blocked, and what the agent did next.
The Multi-Step Record Format
What the trajectory has to contain, told as one loan denial.
A bank denies a credit-card application in 2.3 seconds. Three weeks later, the applicant's attorney asks how. The bank logged the input, the output, and the timestamp. The bank did not record the decision graph the agent walked between them. Five primitives are what the record has to contain.
The Accountability Gap
What the responsible party hands the examiner in 2029.
Most agency AI deployments today log the input and the output and call it a record. An agent run isn't an input and an output. It's a sequence of tool calls, branches, and intermediate state. Almost nobody is capturing it. Without that record, accountability is a position you take. Not something you can prove.
The Trajectory Is the Audit Object
What two agentic-AI governance launches in eight days did not solve.
Eight days. Two launches. One missing artifact. On May 6, IBM launched Sovereign Core. Eight days earlier, Atos launched Sovereign Agentic Studios. Two of the world's largest IT firms shipped agentic AI governance offerings inside a single week. Neither produces the evidence object an auditor is about to ask for.
New writing arrives as the work moves.
Write directly if you'd like to be added to the early-read list for forthcoming pieces.