
Key facts.
- Greshake's indirect prompt injection shows an agent obeys instructions hidden in data it reads, an exposure every new tool or source can reopen.source
- ISO/IEC 42001:2023 builds continual improvement and periodic review into the AI management system. That makes evolving governance standing requirement.source
- The Cloud Security Alliance updates its agentic AI threat and identity guidance as the attack surface shifts, treating agent governance as something that has to be revised, not fixed at deployment.source
Why does governance written once go stale?
Governance written once stops describing the system it governs and the gap hides the next failure; a model upgrade widens it as the agent stays exposed. (arXiv:2302.12173)
Three things keep moving underneath fixed governance. The agent gains capabilities: a new tool, a new data source, a new permission. Each changes what it can do and what it needs to be governed against. The model updates: new behavior, sometimes in ways the old boundaries didn't anticipate. The rules shift: a regulation tightens, a new obligation lands. Last year's governance doesn't satisfy this year's bar. The gap is silent. Nothing announces that the policy and the system have diverged. You find out at the incident.
Greshake is the clearest example. An agent reading documents can be hijacked by instructions hidden inside them. The moment you add a new inbox, a new knowledge base, a new partner feed, you reopen that exposure on a surface the original governance never covered. A better model doesn't close it. The exposure is about what the agent reads, not how well it reasons. ISO/IEC 42001 builds periodic review into the AI management system. The Cloud Security Alliance keeps revising its agentic threat guidance. Both for the same reason: the system evolves and governance has to evolve with it.

What triggers a governance review?
Three events plus a clock. Capability change: new tool, source, or permission, review the boundaries and exposures it introduces. Model update: re-check that existing controls still hold against the new behavior. Regulatory change: verify governance still meets the current bar. Scheduled cycle: catches slow drift that no single event flags. The agents whose governance stays useful are the ones where these reviews are routine, owned, and acted on. The policy keeps describing the live system, not the one that launched.
| Trigger | What the review checks |
|---|---|
| New tool, source or permission | New boundaries and exposures introduced |
| Model update | Existing controls still hold against new behavior |
| Regulatory change | Governance still meets the current bar |
| Scheduled cycle | Slow drift no single event flagged |
The Pattern Intelligence Layer is where governance evolves with the agent. Each new tool, model update or rule change is reflected in the controls at the pattern level rather than leaving a frozen policy behind. Boundaries, oversight and audit requirements are revisited where the agent's behavior is governed. Is what keeps the policy matched to the system. Reliability at the pattern level is maintained as the agent grows, not assumed from the version that launched.
Frequently asked questions
Why revisit governance if nothing broke?
Because the agent, the model and the rules keep changing silently. The gap between frozen governance and an evolved agent does not announce itself; it surfaces at the next incident.
What's the most common drift?
A new data source or tool. It reopens exposures like indirect injection against a surface the original governance never covered, no matter how strong the model is.
How often should we review?
On every capability, model or regulatory change, plus a scheduled cycle to catch the slow drift that no single event flags. Standards like ISO 42001 build this in.

