The500Feed.Live

Everything going on in AI - updated daily from 500+ sources

← Back to The 500 Feed
Score: 48🌐 NewsJuly 5, 2026

Agentic AI Governance System Runtime Reference Architecture

A Runtime Reference Architecture for the Reasoning Layer and the Semantic Control Plane in Regulated Financial Institutions IN BRIEF Agentic AI is changing where operational authority is formed inside the firm. Autonomous systems no longer simply automate decisions; they resolve at runtime how a regulated term or policy applies to a specific action, before that action is taken. The governance question is no longer whether an institution can automate reasoning, but whether it can retain authoritative control over the operational interpretations under which its autonomous systems act. Existing governance disciplines, including model risk management, security, workflow orchestration, and input and output controls, each govern a defined surface. None governs the reasoning layer, where an authorized agent acting within its permissions can resolve a regulated term the institution never sanctioned and carry the firm into a decision it never intended. That gap produces a graded set of failures. Runtime Semantic Divergence is the single-decision condition in which an agent’s runtime operational interpretation departs from the institution’s authorized Reasoning Baseline. Its cumulative effect is Agentic Workflow Drift, the operating-state degradation that builds as unauthorized resolutions execute repeatedly without runtime governance. Its enterprise risk surface is Agentic Workflow Subversion, where that divergence propagates across workflows and functions or is deliberately exploited. The defining hazard is the one that leaves no adjacent control tripped at all. The Semantic Control Plane is the runtime governance architecture for that layer. An Ontology holds the authorized Reasoning Baseline, a Semantic Layer evaluates the agent’s runtime interpretation against it, and a Knowledge Graph governs propagation across multi-agent workflows, all operating through a Pre-Execution Assurance Protocol that decides whether execution authority may be emitted before the agent acts. It does not reach into the model’s cognition; it governs the operational interpretation the institution can be held to. The architecture complements existing controls without replacing them and integrates with model risk management under SR 11–7 and SR 26–2, the Three Lines of Defense, and maker-checker discipline. The full working paper specifies it at institutional depth: applicability, measurement, enforcement, evidence, propagation, containment, implementation, operating economics, regulatory alignment, and limitations. This brief makes that specification legible enough for supervisors, boards, CROs, CTOs, COOs, CISOs, and control owners to see why it matters. 1 The Governance Problem in a Single Decision A corporate client requests an expedited drawdown on an existing credit facility. The agentic system tasked with processing the request must determine whether the request satisfies the institution’s authorized definition of approved before execution authority is emitted. Three contributing systems each hold a definition of approved. The KYC platform defines approved as identity verified, the credit engine as risk-scored within tolerance, and the entitlement system as access provisioned. Each system returns an affirmative result. The agent synthesizes a runtime Operational Interpretation and proceeds under that interpretation. This is the Invisible Failure condition, named in the author’s broader reasoning-layer governance corpus. Every adjacent control can fire correctly, but the institution remains wrong because the controls evaluated against a definition that had already shifted from what was authorized. The drawdown exposes the Two Questions of Control. First, did the control fire? Yes. Second, did the control evaluate the agent’s reasoning against an authorized definition? No. The failure did not emerge from a broken control. It emerged from the operational interpretation against which the controls executed. The synthesized interpretation omitted the collateral-status validation required by the institution’s authoritative definition of approved. Inputs remained valid, tool calls remained authorized, and outputs remained structurally compliant. No surface evaluated the synthesized resolution itself, so the institution did not detect the failure until downstream reconciliation, audit review, or regulatory reporting identified the exposure misclassification. This was not a failure of model accuracy, input quality, protocol authorization, tool execution permissions, or output validation. It was a failure of resolution. An authorized agent, acting wholly within its permissions, carried the institution into a decision it never sanctioned. For agentic AI, the central governance challenge is therefore no longer whether institutions can automate reasoning. It is whether they can retain authoritative control over the operational interpretations under which autonomous systems act. 2 Why Existing Controls Do Not Reach This Layer A growing body of governance work addresses autonomous agents, and it falls into recognizable governance disciplines. Risk management and lifecycle governance applies the govern, map, measure, and manage discipline to models, data, and policy. Security governance treats the agent as an attack surface and defends against prompt injection, data exfiltration, and privilege escalation. Structural governance sets the container the agent runs in through tool access limits, runtime budgets, and sandboxed isolation. Operational and certification governance establishes auditable organizational readiness. Each discipline is necessary. None governs the reasoning layer itself, where an agent reconciles conflicting definitions and proceeds under a synthesized operational interpretation before it acts. Between policy and execution sits the resolution step. An agent can stay within every granted permission, invoke only authorized tools, carry no malicious payload, and still execute under an operational interpretation the institution never authorized. That is the gap the drawdown exposes, and it is the surface the Semantic Control Plane is built to govern. The point is structural, not superficial. Adjacent control surfaces evaluate artifacts. The SCP evaluates the resolution that drives them. Observability evaluates telemetry; tool governance evaluates structured tool calls; workflow orchestration evaluates execution sequencing; model governance evaluates model artifacts. None evaluates the Operational Interpretation itself as a governed runtime object before execution authority is emitted. Absorbing SCP functionality into those adjacent frameworks would require them to change their governing object, move their evaluation point upstream, maintain an institutionally authoritative Reasoning Baseline, and produce a new pre-execution evidence class. At that point, the adjacent framework has not merely expanded; it has acquired the capabilities the SCP specifies. Agentic systems break the Control Inheritance Assumption because operational interpretation is synthesized at the integration surface rather than preserved through a deterministic interface. The Semantic Control Plane partially restores that assumption at the reasoning layer. The supervisory consequence is an observability gap. Existing supervision sees inputs, tool calls, outputs, and outcomes, but not the resolution step in which the agent forms the operational interpretation that drives them. Figure 1 The Supervisory Observability Gap,Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The observability gap is not specific to one control. It recurs across each major institutional AI governance discipline. Each discipline governs a real surface and stops short of the reasoning layer, where the agent resolves what a regulated term means. Table 1 sets the five disciplines against what each governs and where each stops. Table 1 The five institutional AI governance disciplines and where each stops. No existing governance discipline reaches the layer where an agent resolves what a regulated term means. That gap is now beginning to draw regulatory attention. 3 The Regulatory Inflection Agentic AI is moving into regulated financial workflows faster than the frameworks meant to oversee it. Financial services governance matured around adjacent control disciplines: model risk management anchored in Federal Reserve SR 11–7 and OCC 2011–12, and risk data aggregation and reporting expectations reflected in BCBS 239. Those disciplines are strongest once a calculation or decision artifact exists: the model can be governed, validation can be reviewed, outputs can be tested, and reporting can be reconstructed. They were built for a world in which the model calculated and a human decided. Agentic systems reason across platforms and execute within the same sequence, so the governance focus extends from whether the output is accurate to whether the operational interpretation the system resolved remains aligned with the institution’s authorized baseline. On April 17, 2026, the federal banking agencies issued revised interagency guidance on model risk management, Federal Reserve SR 26–2, OCC Bulletin 2026–13, and FDIC FIL-15–2026, replacing SR 11–7 for the first time in fifteen years. This revised guidance states that generative and agentic AI models are novel and rapidly evolving and are therefore not within its scope, while directing that an institution’s own risk management and governance practices should determine appropriate controls for systems the guidance does not cover. Across a fragmented set of state statutes, the European Union AI Act, NIST AI RMF, and financial services supervisory expectations, a consistent set of objectives recurs and transparency into how automated decisions are reached, auditability of those decisions after the fact, clear accountability for outcomes, and increasingly, assurance before execution rather than reconstruction after it. As binding federal legislation has stalled, voluntary frameworks and supervisory guidance are increasingly treated as evidence of reasonable governance practice, and procurement conditions reinforce the same pull. As voluntary frameworks become the scaffolding on which legal obligation is built, institutions will be expected to demonstrate governance at the reasoning layer. The Semantic Control Plane maps against the supervisory and governance frameworks institutions already operate, functioning as a complementary reasoning-layer evidence architecture, not a separate regime. The mapping spans model risk management under SR 11–7 and SR 26–2, the Three Lines of Defense, NIST AI RMF and TEVV concepts, EU AI Act high-risk-system obligations, DORA operational resilience, BCBS 239 risk-data and reporting discipline, and principles-based governance expectations. This mapping is conceptual and does not claim that the Semantic Control Plane itself satisfies any legal or supervisory obligation. Its purpose is to show how runtime evidence, semantic authorization, Human-in-the-Loop routing, Runtime Semantic State Record entries, and the Semantic Audit Trail support existing governance expectations where agentic systems resolve operational interpretation before acting. Table 2 Runtime Application of NIST TEVV Concepts to the Pre-Execution Assurance Protocol, The NIST TEVV mapping is proposed and is not endorsed by NIST. This TEVV mapping operates at the level of individual control activities. Supervisory examination proceeds framework by framework. Figure 2 maps each supervisory and governance framework to its regulatory anchor, the SCP artifact that addresses it, and the institutional alignment point. Its detail level is appropriate for institutional examination preparation and supervisory dialogue, where per-framework specificity matters. Figure 2 Regulatory Mapping Detail Matrix, US Supervisory Runtime Governance, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Across the matrix, the same pattern holds. Each framework already expects evidence, authorization, or reconstruction, and the architecture produces those as runtime artifacts, not documentation assembled after the decision. The positioning is therefore a property of where the architecture sits, not an obligation retrofitted to satisfy any single framework. 4 The Failure Mode, Named and Distinguished Statistical model drift and Runtime Semantic Divergence are different failure modes. Statistical drift concerns changes in model output behavior over time, detected through model risk management discipline (SR 11–7, revised by SR 26–2, April 2026). Runtime Semantic Divergence concerns the operational interpretation under which an agentic workflow proceeds at the moment execution authority is evaluated. A model can perform as expected while the agent resolves a regulated term under an unauthorized operational interpretation. Runtime Semantic Divergence is the single-decision condition in which an agent’s runtime interpretation departs from the institution’s authorized Reasoning Baseline. Agentic Workflow Drift is what accumulates when that condition repeats without governance, until documented definitions remain formally intact while operational practice drifts away from them. The work names that condition Authority Decay: the weakening of institutional authority as repeated unauthorized resolutions become operational practice. Agentic Workflow Subversion is the enterprise risk surface that opens when drift propagates across functions, workflows, and control boundaries, including under adversarial conditions. These terms are not interchangeable. Divergence is the measurable condition, drift is the accumulation, and subversion is the enterprise exposure. Figure 3 Semantic Failure Propagation, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The significance of this failure mode is not that agentic systems uniquely introduce unauthorized interpretation. Human operational systems already experience semantic inconsistency through fragmented authority, outdated definitions, and manual variance. Agentic systems change the speed, the scale, and the propagation characteristics of those failures, which is why the institution requires a runtime architecture that reasserts the authorized baseline at every in-scope decision instead of reconstructing it after the fact. 5 The Agentic Governance Model and the Semantic Control Plane The Agentic Governance Model (AGM) is the institutional governance framework for autonomous reasoning systems. It organizes governance across four pillars. Foundation establishes the conditions under which autonomous reasoning becomes governable. Core specifies the runtime governance architecture. Integrity protects the reasoning layer from manipulation and adversarial action. Oversight governs reviewability, accountability, evidentiary assurance, and supervisory reconstructability. The four pillars operate together as a unified system, and the Semantic Control Plane is the Core through which the remaining pillars become operationally enforceable. The Integrity pillar matters because formalizing a runtime governance surface also creates a corresponding runtime attack surface. That cybersecurity-adjacent surface is named the Semantic Layer Integrity Attack (SLIA) in the full paper, a candidate cross-system threat class operating at the reasoning-layer control surface. SLIA is not defined by the compromise mechanism, which may be prompt injection, retrieval poisoning, identity compromise, policy manipulation, insider abuse, or supply-chain compromise; it is the condition in which an adversary manipulates the relationships between the Semantic Layer and adjacent components such as the Ontology, Knowledge Graph, persistence layer, input retrieval surface, or policy-evaluation surface, so that the governance architecture authorizes execution under a corrupted semantic interpretation while the underlying model may continue to operate nominally. Together, the four pillars operate as a unified governance system for autonomous reasoning in regulated environments. The Semantic Control Plane is the Core pillar, the runtime governance mechanism through which the remaining pillars become operationally enforceable. Figure 4 The Agentic Governance Model (AGM), Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus At runtime, the Semantic Control Plane preserves institutional authority during autonomous reasoning. It operationalizes the Agentic 3 C’s Framework at orchestration speed through three components. The Context principle is operationalized in the Ontology, which supplies the authoritative definitions that constitute the institution’s Reasoning Baseline. The Control principle is operationalized in the Semantic Layer, which evaluates the agent’s Runtime Semantic State against the baseline, computes the Semantic Deviation Index, and enforces tolerance through the Deterministic Gate before execution authority is emitted. The Coordination principle is operationalized in the Knowledge Graph, which governs propagation across multi-agent workflows and defines the Agentic Blast Radius it contains. These three components operate through defined interfaces and divide responsibility by what each must retain. The Ontology and the Knowledge Graph hold persistent state, the authorized definitions and relationship structures together with their version history. The Semantic Layer holds only transient state, the evaluation of a single agentic decision, and retains no evaluation evidence once the Gate decision is made. Evidence persistence is the separate responsibility of the Runtime Semantic State Record and the Semantic Audit Trail. Keeping transient evaluation apart from persistent evidence is what allows the architecture to operate at orchestration speed without accumulating state in the evaluation path. These are not three new enterprise-wide infrastructure replacement initiatives. They are three architectural surfaces over capabilities the institution typically already maintains under different names: core banking and treasury platforms, plus suitability, KYC and AML, and policy management systems that increasingly expose authoritative definitions through interfaces that can federate at runtime. Activation depends on whether the deployment exposes governable runtime representations sufficient for institutional adjudication. The Runtime Governance Applicability Test determines that boundary. Figure 5 Runtime Governance Architecture: The Semantic Control Plane, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The architecture governs a single object: the operational interpretation an agent resolves against an institutionally authorized Reasoning Baseline, checked before execution authority is emitted. It reaches that object only through governable runtime representations. A representation is governable when it satisfies three conditions: it is produced during runtime agentic decisioning at the orchestration boundary, it is exposed to institutional governance functions through interfaces sufficient to support adjudication, and it carries the operational interpretation against which alignment to the authorized Reasoning Baseline can be evaluated. The Semantic Control Plane evaluates the governable runtime representations the deployment exposes: orchestration artifacts, tool-selection and tool-sequencing records, policy-evaluation records, and the compiled operational interpretation the agent carries forward. Where those representations are sufficient for institutional adjudication, the deployment is governable. Where they are not, RGAT classifies the deployment as Governance-Constrained or outside enforceable scope. Evaluation operates on the governable runtime representations the deployment exposes at orchestration time, not on the model internals behind them. Figure 6 How the SCP Evaluates Governable Runtime Representations, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The reasoning layer introduces an adjacent threat surface. While adjacent attacks may originate through model, retrieval, identity, or policy surfaces, SLIA’s defining characteristic is that its impact manifests at the runtime governance surface, the point at which governance is evaluated, against the Runtime Semantic State artifacts through which the reasoning-layer governance architecture infers the operational interpretation. SLIA is distinct from the attack classes institutions already defend. It operates above the model layer and below the institutional governance review layer. Prompt injection manipulates the input; SLIA manipulates the artifacts from which the operational interpretation is inferred, which can occur even when the input is benign. Retrieval poisoning manipulates retrieved context; SLIA manipulates the runtime evaluation point itself. A jailbreak circumvents model alignment to produce an unauthorized output; SLIA produces a governance authorization for an unauthorized resolution while the model behaves nominally. Figure 7 The Semantic Layer Integrity Attack: Adversarial Architecture, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus For institutional cybersecurity functions, this is familiar dependency-chain reasoning: the integrity of a governance layer is bounded by the integrity of the surfaces it depends on. Reasoning-layer governance relies on the Runtime Semantic State artifacts the deployment environment supplies, and that environment is itself subject to adversarial manipulation. The architecture surfaces that dependency explicitly instead of absorbing it silently. Integrity is therefore a named pillar, not an assumed property. The architecture and the adversarial surface it must withstand are now defined. What follows is the mechanism itself: how the Semantic Control Plane evaluates a single decision before execution authority is emitted. 6 How the Architecture Operates: Pre-Execution Assurance Every in-scope agentic decision crosses a five-step sequence once, in the orchestration window between resolution and the emission of execution authority. The Pre-Execution Assurance Protocol establishes the Reasoning Baseline for the decision class, extracts the Runtime Semantic State from the governable artifacts the deployment exposes, computes the Semantic Deviation Index against the baseline, enforces the Deterministic Gate threshold, and generates the per-execution evidence record. Evaluation precedes authorization, authorization precedes emission, and emission precedes execution. For every in-scope governed decision, execution authority is emitted only after semantic authorization assurance is satisfied. The protocol is more than a workflow. It binds four things into one runtime control sequence: the authoritative definition supplied by the Ontology, the agent’s resolved Operational Interpretation inferred by the Semantic Layer, the deterministic authorization decision issued by the Gate, and the evidence object preserved through the RSSR and Semantic Audit Trail. That is what makes the SCP an architecture, not a monitoring layer. It does not merely observe what happened. It determines whether execution authority may be emitted. The Semantic Deviation Index combines three component scores: Intent Mismatch, Path Deviation, and Control Bypass Probability. Composite SDI score is normalized to a 0 to 100 scale and classified against four threshold zones. Thresholds are calibrated by decision class and institutional risk tolerance. The Deterministic Gate converts the classified score into one of four deterministic decisions. The Gate logic is deterministic. Given the same score and configuration, it produces the same enforcement action. The Gate itself does not learn. Validation, monitoring, and periodic recalibration still apply to the measurement pipeline, baselines, and extraction layer, which keeps the enforcement decision auditable and defensible under supervisory review. The SDI is a pre-execution runtime measurement of whether the Operational Interpretation the agent is about to act on remains aligned with the institution’s authorized Reasoning Baseline. That measurement cannot be reliably reconstructed from post-execution monitoring, because the governance question exists at the point of semantic resolution, before the workflow proceeds. The SDI gives the Deterministic Gate the measurable object it requires: a bounded, reproducible divergence score that can be evaluated against institutional tolerance before execution authority is emitted. Table 3 Semantic Deviation Index threshold zones and the Deterministic Gate decision each produces. Applied to the opening drawdown, the protocol produces the outcome the institution intended. The Semantic Layer infers the agent’s interpretation and detects the omitted collateral validation. Because the composite index places this high-consequence credit decision beyond its authorized tolerance, the Deterministic Gate issues a mandatory hold and execution does not proceed. The Human-in-the-Loop Protocol is invoked with the authoritative definition of approved, the agent’s resolved Operational Interpretation, and the precise omission, and the per-execution evidence is preserved in the RSSR and the Semantic Audit Trail. When the workflow re-executes, collateral status must be validated before approved can be resolved, so the request no longer resolves as approved, and the drawdown does not execute. That is the control outcome the existing maker-checker pattern is meant to produce, delivered at runtime, not in a review queue. Figure 8 The Pre-Execution Assurance Protocol traced through the drawdown decision, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus This protocol decides whether execution proceeds. It also leaves a record of that decision, which raises two further questions: what that record must contain, and how far a flawed resolution can travel before it is contained. 7 Evidence, Propagation, and Containment Governance evidence appears at three distinct tiers. Verification of Runtime Semantic Resolution is the verification activity the Semantic Layer executes at the orchestration moment. The Runtime Semantic State Record is the structured per-execution artifact that captures the active Reasoning Baseline, the agent’s resolved interpretation, the index, the Gate decision, and the operational context. The Semantic Audit Trail aggregates those records into the institutional history that supports supervisory review and reconstruction. The Gate is designed not to fail open. Where a record cannot be written, execution authority is withheld, because an institution that cannot record the runtime resolution cannot govern the execution that would follow. The evidence hierarchy also closes the Reconciliation Gap. The Reconciliation Gap is the institutional condition in which what the institution authorized and what the agent executed cannot be reconciled per-execution because the evidence required was never captured at the moment execution authority was emitted. Without the Runtime Semantic State Record, post-hoc review reconstructs the decision from downstream artifacts. With the RSSR, the authorized Baseline, resolved interpretation, SDI result, Gate decision, and operational context are preserved as a single per-execution governance object. Figure 9 The Governance Evidence Hierarchy, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The three governance evidence tiers correspond to verification at the point of decision, the per-execution record, and the institutional longitudinal record that supports supervisory reconstruction. Table 4 sets each tier against its role. These three tiers operate sequentially: every in-scope execution is verified at the decision point, recorded as a per-execution object, and retained in the longitudinal record a supervisor later draws on. Pre-execution assurance depends on the first tier; supervisory reconstruction depends on the third. Table 4 The three-tier governance evidence hierarchy. Propagation is governed separately from individual decisions. Agentic deployments in regulated finance are increasingly multi-agent. Onboarding and trading workflows now chain into servicing and reporting, so an unauthorized Operational Interpretation at one step can propagate downstream until something stops it. The Knowledge Graph maps the relationships across which that resolution would travel and bounds the Agentic Blast Radius, so containment becomes a governed property, not an accident. A held or mandatory hold decision triggers containment for the dependent decisions and entities the relationship model identifies. As a result, the institution can answer, during review or examination, exactly what it authorized at the moment of decision, which provides the observability and reconstructability supervisory review requires. Figure 10 Agentic Blast Radius and Semantic Failure Cascade, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Evidence and containment describe what the architecture produces. Adoption then turns on how it fits the controls already in place, who owns each component, and what it costs to operate. 8 Institutional Integration and Governance Economics The SCP is complementary to model risk management under SR 11–7 and SR 26–2. The two disciplines operate on different surfaces and produce different evidentiary artifacts, and the Semantic Control Plane is proposed as a candidate runtime architecture for the institutional judgment space that remains where agentic reasoning systems are not fully governed by model risk management alone. The evidence it produces sits naturally across the Three Lines of Defense, where the First Line produces the artifacts, the Second Line validates them, and the Third Line independently verifies their integrity, and it extends the maker-checker pattern into the reasoning layer. That same design also addresses a structural ceiling on agentic adoption. Today, governance discipline at the reasoning layer is sustained primarily through pervasive human-in-the-loop supervision, which is safe but bounds the institutional benefit of agentic AI by the review capacity required to sustain coverage at every decision. The Human-in-the-Loop Protocol preserves human authority for held and escalated decisions, but the reviewer is no longer the default authorization point for every calibrated in-scope decision. Human review becomes selectively concentrated on the decisions that warrant institutional adjudication rather than uniformly applied across every decision the system executes. Human authority remains central, but it moves from universal pre-approval to targeted adjudication of the decisions the Gate cannot authorize autonomously. Inference economics impose a parallel constraint. Inference cost rises quickly when planning, retrieval, tool use, verification, retries, and multi-agent coordination compound inside the same workflow. By resolving authority before the agent acts, the Deterministic Gate contains the downstream reasoning and remediation cost that an unauthorized Operational Interpretation would otherwise accumulate as it propagates, the same cascade the drawdown traces to reconciliation, audit, and reporting. It provides a governance basis for reserving heavyweight semantic reasoning for high-consequence workflows and halting divergent ones before their cost accrues. The SCP is not a productivity metric and does not measure whether reasoning expenditure yields business outcomes. It addresses the narrower governance question: which workflows warrant runtime semantic verification before execution authority is emitted, and which can remain on deterministic rails or asynchronous advisory review. If an unauthorized Operational Interpretation is allowed to proceed, those costs compound through a workflow the institution may later have to unwind. The SCP contains that exposure before execution authority is emitted. Withholding execution authority before divergent workflows propagate can therefore reduce downstream reasoning, tool, review, and remediation cost. 9 Implementation Pathway: From Observability to Enforcement Implementation is part of the architecture, not an appendix to it. The paper specifies how the SCP is introduced, calibrated, staffed, and bounded in production: observability first, enforcement second, expansion only after empirical distribution and institutional capacity are understood. Its design premise is that runtime semantic governance must be operationally deployable, not merely conceptually correct. The Semantic Control Plane is not an enterprise-wide switch turned on at once. Implementation is staged by workflow class, authority level, governance maturity, deployment governability, and Reasoning Baseline readiness. The institution does not run every agentic decision through SCP enforcement. It starts with in-scope decision classes where unauthorized operational interpretation carries supervisory, fiduciary, customer, regulatory-reporting, or capital consequence. Implementation begins with observability. In ghost mode, the Semantic Layer activates, computes the Semantic Deviation Index, generates Runtime Semantic State Records, and populates the Semantic Audit Trail, while the Deterministic Gate remains in observation-only configuration. The Gate does not yet produce holds. Deployment teams observe the runtime distribution before activating enforcement. Threshold calibration follows. The Gate threshold is the institution’s calibrated divergence tolerance for a specific decision class. Below the threshold, the Gate emits a permit decision and the workflow proceeds. Above the threshold, the Gate holds and the Human-in-the-Loop Protocol activates. The threshold is institution-defined, not architecturally fixed. Different decision classes receive different thresholds: tighter for fiduciary allocation, credit drawdown, sanctions, and regulatory reporting, and broader for lower-risk operational execution or non-transactional discovery. Deployment is segmented. Initial production deployments typically begin with one to three high-consequence regulated-execution classes, such as credit drawdown, fiduciary allocation, or regulatory reporting. Each is isolated as a deployment surface with its own Reasoning Baseline scope, threshold calibration, and Human-in-the-Loop Protocol. Coverage expands as institutional learning accumulates. Table 5 SCP Tier Categories The tier categories above set where SCP governance applies, the Gate threshold each decision class carries, and its default classification before review. Deployment then proceeds in phases over time. Advisory operation, Ghost Mode, synchronous enforcement, and calibrated enforcement move the institution from observation to calibrated control, with each phase calibrating the Gate threshold against the empirical distribution observed in the phase before it. Table 6 SCP Phased Deployment Modes The Control Plane can operate as a sidecar relative to the production agentic workflow. The Semantic Layer is a logically separate runtime component called by the orchestration layer at the orchestration moment. This keeps the SCP independently scalable, deployable, and upgradeable. The principal scaling constraint is institutional governance ownership, not infrastructure alone: ontology stewardship, threshold calibration, audit retention, reviewer capacity, and pilot-period review activity. The integration architecture shows how the Semantic Layer sits beside the orchestration layer at the point where execution authority is requested, so that governance is exercised at the orchestration moment without redesigning the production workflow. Figure 11 SCP Integration Architecture, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Integration also makes ownership visible. Definitional authority remains with the functions that own regulated meaning. The orchestration layer calls the Semantic Layer at the runtime evaluation point. Capability management routes Gate-held decisions based on the configured outcome. HITL routing sends held decisions to the appropriate human authority. Audit and supervisory reporting preserve end-to-end evidence. The SCP therefore does not replace existing institutional systems; it connects them at the point where operational interpretation must be authorized. Table 7 Governance Ownership Model The SCP is not blanket runtime governance across the institution’s entire agentic surface. It is calibrated pre-execution semantic authorization for the decision classes where the cost of unauthorized interpretation justifies runtime assurance. Readiness for deployment depends on whether the governance owners named in the ownership model are in place with the evidence each function requires. Readiness matrix sets out the pre-deployment conditions across ontology stewardship, threshold calibration, audit retention, and reviewer capacity. Table 8 SCP Pre-Deployment Readiness Matrix The Semantic Control Plane operates against human-governance latency rather than deterministic machine latency, inside the orchestration window between resolution and execution authority emission. It is not specified for universal application; it is calibrated to the in-scope decision classes where the cost of unauthorized interpretation justifies runtime assurance. Governance applies selectively, concentrating where unauthorized operational interpretation carries supervisory consequence, so governance latency is incurred only where it is warranted. The objection that runtime governance adds unacceptable latency is inverted for the in-scope decision classes. Those decisions already pass through maker-checker review, escalation chains, and supervisory adjudication, which operate at human-coordination latency of minutes to hours. The Deterministic Gate executes the institution’s calibrated threshold in milliseconds, so the architecture converts human-coordination latency into runtime-evaluation latency for the same governance discipline on the same decision class. Across operating models, this places the Semantic Control Plane between deterministic systems, which are fast but ungoverned, and full human review, which is governed but slow: it delivers institutional governance intensity at the speed of orchestration rather than the speed of review. Figure 12 The Governance Latency Curve, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Governance latency is incurred only where it is warranted. The decisions that warrant it are precisely those escalated to human authority, and the form that authority takes is the subject that follows. 10 The Human-in-the-Loop Protocol and Calibrated Human Authority Human review becomes selectively concentrated on institutionally escalated decisions rather than uniformly applied across every in-scope runtime decision. Standard path is autonomous: decision, semantic evaluation, Gate, authorization, and execution, where semantic authorization falls within institutional tolerance. The Human-in-the-Loop Protocol is the exception path invoked when the Deterministic Gate issues a hold or mandatory hold, or when a protocol-level failure requires institutional resolution. When the Human-in-the-Loop Protocol is triggered, the reviewer is not asked to reconstruct the event from downstream logs. Decision state is preserved at the moment of hold: the resolved Operational Interpretation, the active Reasoning Baseline, the Semantic Deviation Index computation, the Gate decision, the Knowledge Graph relationship context, the workflow identifier, the decision class, and the temporal context. The reviewer exercises institutional judgment; the SCP supplies the evidence and the resolution pathway. That authority is not symbolic. Resolution pathways for held decisions are specified in the full paper: authorize execution, authorize execution with constraints, terminate the agentic pathway, or escalate to secondary authority such as Credit Committee, AML Governance Committee, Legal Review, or another designated institutional authority. A Gate hold is therefore not a delay queue. It is a governed pause pending institutional resolution. Figure 13 Human Blanket vs Calibrated Governance, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus This is the operational distinction between blanket review and calibrated review. The reviewer is engaged where the institution’s governed divergence tolerance is exceeded, not where the institutional risk function lacks confidence. That is one of the core differentiators. The SCP preserves human authority without making human review the default operating model. The Gate handles in-tolerance runtime authorization, while the Human-in-the-Loop Protocol preserves institutional human authority for the bounded exception set the Gate cannot authorize autonomously. This supports straight-through transformation instead of returning agentic execution to maker-checker review on every action. Table 9 Human-in-the-Loop Protocol Architecture The protocol defines the standard exception path for held decisions. Table 10 is narrower: it specifies when institutional override authority exists, who may exercise it, and what audit evidence must be preserved. Override authority is reserved for defined institutional roles and is itself logged, so that any departure from the standard exception path leaves a reconstructable record. This separation preserves the maker-checker discipline the institution already operates. Table 10 Governance Exception and Override Authority Matrix The exception path defines how human authority is exercised within scope. The scope itself is bounded, and where the Semantic Control Plane applies, and where it does not, is the question taken up next. 11 Applicability and Boundaries The Semantic Control Plane is not universally deployable. It governs the governable runtime representations a deployment exposes, the orchestration plans, tool-selection rationales, policy-evaluation traces, and state-transition records from which the Runtime Semantic State is derived. It makes no claim of access to model cognition, internal neural state, or chain-of-thought reasoning. Latent cognition is excluded by design, because supervisory adjudication requires artifacts that can be evaluated, reconstructed, and contested, and internal model reasoning does not satisfy that condition. Figure 14 Runtime Governance Applicability, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Applicability is deployment-dependent and is determined by the Runtime Governance Applicability Test, which evaluates whether a deployment exposes the representations institutional adjudication requires and classifies it as Governable, Governance-Constrained, or Non-Governable. It applies to in-scope regulated workflows where semantic ambiguity is material and execution authority is non-trivial. It does not apply to high-frequency deterministic execution, non-regulated decisions, consumer-facing interactions without commitment authority, or exploratory analytical workflows. Nor does it determine universal semantic truth. Where institutions disagree on a regulated term, the institution adjudicates the disagreement through the same authoritative functions that produce its other policies, and the evaluation operates against whatever authorized baseline the institution then maintains. The Adjacent Governance Surface (AGS) formalization names the reasoning layer as a governable runtime surface, and RGAT classifies whether a given deployment is governable. Figure 15 RGAT Decision Tree, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus The SCP does not claim to govern every agentic deployment, every AI workflow, or eliminate all semantic failure modes. It governs the subset of deployments where semantic ambiguity is material, execution authority is non-trivial, the institution already operates governance structures whose latency constrains agentic adoption, and the deployment exposes governable runtime representations sufficient for institutional adjudication. Where those conditions are absent, the SCP does not apply; RGAT classifies the deployment accordingly. Table 11 Governance Fidelity and Deployment Calibration Matrix Applicability is settled one deployment at a time. The exposure changes character when the same reasoning-layer dependency is shared across many institutions at once. 12 The Systemic Dimension The systemic dimension is the supervisory implication that emerges once the same reasoning-layer dependency is shared across regulated institutions. Beyond the single institution, the work identifies two candidate macroprudential directions for supervisory consideration. Systemic Semantic Contagion is the cross-institutional condition under which an unauthorized operational interpretation arises simultaneously across multiple regulated institutions through shared semantic infrastructure. Semantic Concentration Risk is the exposure to that shared infrastructure across the regulated population, architecturally analogous to counterparty concentration risk, but measured against common foundation models, orchestration platforms, and policy-translation services. These concepts are included to show the supervisory significance of reasoning-layer governance, not to claim that the present work establishes a validated macroprudential measurement regime. Institutional architecture comes first. The SCP governs the per-institution runtime object. The systemic question is adjacent. It is whether common models, orchestration platforms, vendor ontologies, or regulatory-interpretation services could produce correlated semantic deviation across the regulated population. Drift in a shared runtime resolution surface can propagate simultaneously across institutions where it occurs, invisibly relative to any single institutional governance function, and with institutional coherence: each affected institution’s agentic systems would converge on the drifted interpretation rather than diverging from one another. Figure 16 Systemic Semantic Propagation and Correlated Exposure, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Systemic exposure is a supervisory implication, not a validated measurement. What the architecture has not yet established, and what would establish it, is set out next. 13 Limitations and the Evaluation Agenda The paper is a conceptual architecture specification, not an empirical study. It does not claim validation of performance, threshold efficacy, or supervisory acceptance, and it is specified at the resolution required for institutional deployment and supervisory engagement rather than that of a validated production system. No runtime control layer can compensate for institution-wide semantic incoherence or contested authority over regulated terms. The SCP extends institutional discipline into the reasoning layer; it does not substitute for that discipline. Extraction fidelity is deployment-dependent, threshold calibration is technically demanding, and a baseline that is authorized but substantively incorrect will produce enforcement consistent with that baseline. These limitations constrain the claim. The empirical agenda is explicit. It asks whether the index can predict semantic divergence before execution across decision classes, whether Blast Radius containment measurably reduces downstream propagation, whether the evidence record supports supervisory reconstruction under examination conditions, whether cross-institutional index distributions can indicate systemic contagion, and whether the applicability test reliably classifies governable deployments. Methods begin with controlled pilots and parallel-run ghost-mode deployment against current practice. They then extend to longitudinal calibration, cross-institution comparison, and supervisory simulation using the audit trail. That is the validation environment established here. These limitations are also claim boundaries. The brief does not ask readers to accept universal applicability, inspection of model cognition, removal of human authority, elimination of all semantic failure modes, or validated supervisory acceptance. It specifies where the SCP applies, what evidence it can evaluate, what remains outside scope, and where empirical validation is required. Table 12 summarizes the limitations most likely to become deployment-constraining in institutional implementation, the condition under which each becomes material, and the institutional response supported. Table 12 SCP Limitations Matrix These limitations narrow where the architecture applies without altering how it behaves where it does apply. At the level of a single decision, that behavior is what the closing figure contrasts. Without the Semantic Control Plane, the orchestration sequence resolves an operational interpretation from the contributing systems’ signal patterns. With it, the Ontology supplies the Reasoning Baseline and the Semantic Layer verifies that interpretation before execution authority is emitted. Figure 17 Runtime Semantic Divergence: Without SCP vs With SCP, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Without the architecture, divergence becomes visible only after the loss. With it, the institution governs the resolution before execution authority is emitted. That contrast frames the closing argument. 14 Conclusion The control fired. The workflow executed. The bank was still wrong. That drawdown opened this brief because it exposed the precise governance failure the Semantic Control Plane is designed to address. Adjacent control surfaces govern artifacts. They do not govern the Runtime Semantic State through which operational meaning is formed before execution authority is emitted. The Semantic Control Plane is the governance architecture for that surface: the reasoning layer at which agentic systems resolve the Operational Interpretation of regulated terms before execution authority is emitted. The architecture resolves into a single governance transition, traced end to end in the authority formation pipeline. Figure 18 The Authority Formation Pipeline, Source: Doyle-Spare (2026), underlying Zenodo working paper and supporting SSRN corpus Institutions have always governed execution authority. Agentic systems change where execution authorization is operationalized. The agent’s resolution now happens at runtime, inside orchestration sequences operating at orchestration speed. Governance therefore shifts from validating only whether systems are authorized to act toward validating whether the resolution under which they act remained authorized before execution. The Semantic Control Plane does not ask whether the agent can act. It asks whether the institution authorized the meaning under which the agent is about to act. The architecture does not determine what the meaning should be. It determines whether execution proceeds under the meaning the institution authorized. The architecture is new. The governance functions are not. Credit committees, compliance adjudication, supervisory override, maker-checker review, model risk management, the Three Lines of Defense, internal audit, and board accountability all remain. The addition is the runtime governance layer at which Operational Interpretation is verified before autonomous execution authority is emitted. The contribution is the specification of the runtime object, evaluation point, enforcement mechanism, evidence record, propagation boundary, Human-in-the-Loop exception path, implementation pathway, and supervisory limits required to make that verification governable. The reasoning layer has now become a governance surface. The institutional question is whether it will also become a governed one. Framework Reference The full paper provides the complete specification behind the constructs summarized below. This Framework Reference is a compact guide to the submitted SCP capstone and supporting working papers. It surfaces the architecture, evidence, implementation, boundaries, and terminology needed to orient the reader to the full specification; it is not a new specification. The constructs are organized into seven governance categories, spanning foundational architecture, runtime governance mechanics, evidentiary objects, failure conditions, propagation conditions, systemic conditions, and threat conditions. Table 13 Construct Classification INTELLECTUAL PROPERTY & CITATION NOTICE The constructs, frameworks, terminology, figures, and tables in this brief are the original work of the author, developed and staked across the author’s published research. They are presented here for institutional and supervisory engagement. Their formal specifications reside in the underlying SSRN and Zenodo working papers. This brief can be downloaded at (PDF) Executive Brief Agentic AI Governance System Runtime Reference Architecture © 2026 Maureen Doyle-Spare. All rights reserved. No part of this executive brief, including its text, figures, tables, and images, may be reproduced, distributed, or used to train commercial artificial intelligence or machine learning models in any form without the author’s prior written permission. How to Cite This Work : (APA 7th Edition): Doyle-Spare, M. (2026). Agentic AI Systems Governance: A Runtime Reference Architecture for the Reasoning Layer and the Semantic Control Plane in Regulated Financial Institutions. Zenodo. Concept DOI: https://doi.org/10.5281/zenodo.20749050 The executive brief is a 30 page summary of the full reference architecture. Download it on ResearchGate: https://researchgate.net/publication/407444360_Executive_Brief_Agentic_AI_Governance_System_Runtime_Reference_Architecture About the Author Maueen Doyle-Spare Independent Practitioner and Researcher in AI Governance Doyle-Spare Research Maureen Doyle-Spare is an independent practitioner and researcher in AI governance and banking controls. She is the originator of Agentic Workflow Drift and Agentic Workflow Subversion, a reasoning-layer risk taxonomy for agentic AI systems, and of the broader runtime governance architecture organized within the Agentic Governance Model. Her working papers include the Semantic Control Plane reference architecture, the Semantic Deviation Index, the Agentic 3 C’s Framework, and the Semantic Layer Integrity Attack work. Related research: SSRN №6459612 (Agentic Workflow Drift and Agentic Workflow Subversion, March 2026), SSRN №6531238 (The Semantic Deviation Index, April 2026), SSRN №6674761 (The Agentic 3 C’s Framework, May 2026), SSRN №6926219 (Agentic AI Cyber Subversion: The Semantic Layer Integrity Attack, 2026), and Agentic AI Systems Governance: A Runtime Reference Architecture for the Reasoning Layer and the Semantic Control Plane (Zenodo, 2026), https://doi.org/10.5281/zenodo.20749050 . ORCID: https://orcid.org/0009-0009-6655-1394 OSF: osf.io/zuacj Correspondence: linkedin.com/in/maureendoylespare Originally published at https://maureendoylespare.substack.com . Agentic AI Governance System Runtime Reference Architecture was originally published in Towards AI on Medium, where people are continuing the conversation by highlighting and responding to this story.

Read Original Article →

Source

https://pub.towardsai.net/agentic-ai-governance-system-runtime-reference-architecture-274b715b587b?source=rss----98111c9905da---4