· Amadalis Team

Governance by Architecture, Not by Policy

Why governance layers fail for AI agents — and what happens when governance is the architecture, not a layer on top of it.

governance security ai-agents architecture

Every AI governance product on the market makes the same assumption: governance is a layer you add on top of execution. A policy engine that inspects requests, a monitoring tool that reviews outputs, a dashboard that reports on costs.

This assumption is wrong. And it’s why your CISO keeps blocking deployments.

The governance layer problem

A governance layer sits between components. It can inspect what passes through it. But it can only govern the traffic it sees.

Here’s what it doesn’t see:

Direct API calls inside agent code

Your developers call openai.chat() directly inside application logic. The governance layer never intercepts it. Token costs are untracked. Model choices are uncontrolled. The audit trail has a gap the size of your entire reasoning layer.

Data flowing between co-located services

When your agent framework and your vector database run in the same process, data flows between them without hitting any governance checkpoint. Sensitive data can enter the prompt without review.

Runtime decisions inside sandboxes

An agent decides to call an external API. If egress control is a separate service, there’s a window between the decision and the enforcement. In a high-throughput system, that window is a gap.

Key insight

The governance layer pattern worked for traditional software where the interesting behavior happened at service boundaries. AI agents are different — the dangerous behavior happens inside the execution context. A governance layer outside the execution context is looking in the wrong place.

What “governance by architecture” means

Instead of adding governance around execution, you embed it in execution. The governance isn’t a separate system that inspects agent behavior. It’s the same system that enables agent behavior.

Three concrete mechanisms make this real:

1. Remove the bypass

In most platforms, agent code has access to an AI SDK. The developer can call openai.chat() or anthropic.messages.create() anywhere in their code. Governance tools then try to intercept, audit, and control these calls after the fact.

The alternative: don’t provide the function. The only path to AI reasoning is a governed delegation mechanism. The agent calls agent.delegate, which routes through centralized model management that:

  • Checks the tenant’s model allowlist
  • Applies the per-execution budget cap
  • Logs the interaction to an immutable audit ledger
  • Routes through ProviderMux for intelligent model selection

There is no openai.chat() in agent code. Not disabled. Not blocked. Not intercepted. It doesn’t exist. The bypass doesn’t exist because the capability was never provided.

2. Enforce at the runtime level

Network egress control in a governance layer means a proxy or firewall that inspects outbound requests. It works until it doesn’t — when the agent uses a different protocol, when the proxy has higher latency than the timeout, when the allowlist is stale.

The alternative: enforce egress at the sandbox level. The agent runtime controls network access as a runtime capability. The agent’s outbound call checks the egress allowlist before making the request, in the same process. There’s no proxy latency. There’s no protocol gap. If the URL isn’t on the allowlist, the call never leaves the sandbox.

3. Budget before execution

Most cost management for AI is backward-looking. You run the agent, it makes model calls, you see the costs in a dashboard, you adjust. If the agent runs away, you find out after the money is spent.

The alternative: check the budget before the model call executes. Before routing a request to a model provider, the system checks if the projected cost would exceed the cap. If it would, the call is rejected before it’s made. Not reported after. Rejected before.

Why this changes the conversation with your CISO

The CISO doesn’t care about your monitoring dashboard. They care about guarantees.

The difference in answers

“Can an agent call an unauthorized API?” — Governance layer: Maybe, under certain conditions. Governance by architecture: No, the runtime doesn’t provide the capability.

“Can an agent exceed its budget?” — Governance layer: Yes, and you’ll see it in the dashboard. Governance by architecture: No, the call is rejected before execution.

“Can you halt an agent mid-execution?” — Governance layer: You can send a signal and hope it’s received. Governance by architecture: The approval gate halts the runtime. Execution stops until a human approves.

These aren’t improvements. They’re different categories of answer. One is “we try to prevent it.” The other is “the architecture doesn’t permit it.”

1 in 5

companies have mature governance for autonomous AI agents

— Gartner/Deloitte

The enterprises deploying AI agents at scale will be the ones that can give their security teams the second type of answer. Not “we have guardrails.” Not “we have policies.” But: the architecture doesn’t permit ungoverned behavior.

Hand your CISO that answer. They’ll stop blocking.

Next in the series: Three Ways to Build an AI Agent — why there should be more than one path from idea to production agent.

Stay ahead of the curve.

Join the waitlist for Forge and get early access to enterprise AI infrastructure that's built right.

No spam. Unsubscribe anytime.
← Back to all posts