The industry spent two years governing what AI systems say. That problem is not solved, but it is at least understood. The frontier has moved: AI systems now act. They plan, choose tools, call APIs, write to databases, send messages, and chain dozens of steps toward a goal — with a human checking in occasionally, if at all. Governing an agent with an output filter is like securing a warehouse by proofreading the shipping labels. This article lays out a working model for governing agentic AI: five layers, each answering a question that output-level controls cannot.
Why agents break answer-era governance
Three properties make agentic systems categorically harder to govern than chat systems:
- Actions, not tokens. The unit of risk is no longer a paragraph a human reads before acting. It is a tool call that executes immediately — a transfer, a deletion, a disclosure. There is no human between the model and the consequence.
- Composition. Each step can look harmless while the sequence is not. Reading a customer record is fine; reading ten thousand of them into a summarization tool that posts externally is an exfiltration pipeline built from individually reasonable steps.
- Self-direction. Agents generate their own next steps. The plan you reviewed at step one is not the plan executing at step forty. Any control applied only at task start governs a plan that no longer exists.
An agent's risk is not in its final answer. It is in every step it took while you were not looking.
The five-layer model
A governance model for agents has to wrap the agent loop itself — perceive, plan, act, observe — not just its endpoints. Five layers, from the outside in:
Layer 1 — Authority: what this agent may ever do
Before an agent runs, it needs an explicit, machine-readable grant of authority: which tools it may invoke, which data domains it may touch, which spend or blast-radius limits apply, and which actions are categorically off the table. Authority must be assigned to the agent's identity, not inferred from its prompt — a prompt is a suggestion, and authority is not a prompt. If you cannot enumerate what an agent is allowed to do, you cannot detect when it exceeds it.
Layer 2 — Intent gate: is this task acceptable at all?
When a task enters the system, the stated goal is evaluated once against policy: is this category of work permitted for this agent, this requester, this data classification, this jurisdiction? This is the cheapest place to say no. A blocked task costs nothing; a blocked step forty costs a partially completed run and a cleanup problem.
Layer 3 — Per-step action gate: is this step allowed now?
The heart of the model. Every proposed action — each tool call, each API request, each state change — is submitted to a decision engine before it executes and receives a verdict: allow, modify, block, or escalate to a human. The gate evaluates the step in context: what the agent has already done this run, cumulative effects (five $9,000 transfers are a $45,000 decision), and the policy pack for the domain it is touching. Critically, the evaluation must be deterministic — the same step in the same context gets the same verdict every time. A governance layer that is itself a probabilistic model just moves the unpredictability one level up.
Layer 4 — Tool-call governance: constraining the hands
Tools are where agents touch the world, and tools deserve their own controls: allowlists per agent identity, argument-level constraints (this agent may call send_email, but only to internal domains), rate and volume budgets, and escalation rules for when a permitted tool becomes dangerous in combination. Tool governance is enforced at the boundary — in the gateway the tool call passes through — not by asking the model to behave.
Layer 5 — Evidence chain: proving what happened
Every verdict from layers 2–4 produces a signed, tamper-evident record: what was proposed, what policy said, what executed, in what order. Chained together, these records make the run replayable — an auditor can walk the agent's entire decision path and verify each gate fired, offline, without trusting the operator. This is the layer that turns "our agent is well-behaved" from a claim into evidence a regulator can check.
The test for an agentic governance model: pick any single step from any past run and answer three questions from records alone — was it authorized, who authorized it, and can a third party verify both? If any answer requires trusting a log the agent's operator could edit, the model fails.
What this looks like at runtime
Concretely, a governed agent loop inserts one call per step: the agent proposes an action, the decision engine evaluates it against the policy pack and returns a disposition with a signed record, and only an allowed (or modified) action reaches the tool. Blocked steps return to the planner with the reason; escalated steps pause for human approval. The agent framework does not need to be rewritten — the gate sits between the framework and its tools, which is why the same model governs LangChain agents, custom loops, and everything in between.
Where EVE AI Core fits in
EVE AI Core implements this model as infrastructure. EVE CoreGuard is the per-step decision engine: agent frameworks submit each proposed action to a single evaluation endpoint and receive a deterministic ALLOWED / BLOCKED / MODIFIED disposition evaluated against versioned policy packs — before the action executes. EVE Agent Infrastructure provides the authority and tool-governance layers, so an agent's permissions are declared, not prompted. And every verdict emits a cryptographically signed decision record through EVE Proof, so the full run is independently verifiable after the fact.
Because the gate is framework-agnostic — a governed HTTP call between the agent and its tools — teams keep their existing agent stack and add the governance model around it.
The bottom line
Agentic AI collapses the distance between model output and real-world consequence to zero. Governance has to move to where the consequences are: authority declared before the run, every step gated before it executes, tools constrained at the boundary, and a signed evidence chain that makes the whole run provable. Teams that adopt a per-step governance model can hand agents real work. Teams that govern agents like chatbots are trusting a planner they did not review, running actions nobody approved.