Governance you write once and never revisit is governance for an agent you no longer have

The agent gains tools, the model changes, the regulation tightens. Governance frozen at launch slowly stops matching the system it governs, and the gap between them is where the next incident lives.

B

Balagei G Nagarajan

3 MIN READ


An evolving agent gaining tools and a frozen governance document, with the gap between them widening over time
ISO/IEC 42001 builds periodic review into the AI management system.
— from “Governance you write once and never revisit is governance for an agent you no longer have”

Key facts.

  • Greshake's indirect prompt injection shows an agent obeys instructions hidden in data it reads, an exposure every new tool or source can reopen.source
  • ISO/IEC 42001:2023 builds continual improvement and periodic review into the AI management system. That makes evolving governance standing requirement.source
  • The Cloud Security Alliance updates its agentic AI threat and identity guidance as the attack surface shifts, treating agent governance as something that has to be revised, not fixed at deployment.source

Why does governance written once go stale?

Governance written once stops describing the system it governs and the gap hides the next failure; a model upgrade widens it as the agent stays exposed. (arXiv:2302.12173)

Three things keep moving underneath fixed governance. The agent gains capabilities: a new tool, a new data source, a new permission. Each changes what it can do and what it needs to be governed against. The model updates: new behavior, sometimes in ways the old boundaries didn't anticipate. The rules shift: a regulation tightens, a new obligation lands. Last year's governance doesn't satisfy this year's bar. The gap is silent. Nothing announces that the policy and the system have diverged. You find out at the incident.

Greshake is the clearest example. An agent reading documents can be hijacked by instructions hidden inside them. The moment you add a new inbox, a new knowledge base, a new partner feed, you reopen that exposure on a surface the original governance never covered. A better model doesn't close it. The exposure is about what the agent reads, not how well it reasons. ISO/IEC 42001 builds periodic review into the AI management system. The Cloud Security Alliance keeps revising its agentic threat guidance. Both for the same reason: the system evolves and governance has to evolve with it.

A timeline with review cycles, each revisiting governance as the agent gains tools, the model updates, and regulations change

What triggers a governance review?

Three events plus a clock. Capability change: new tool, source, or permission, review the boundaries and exposures it introduces. Model update: re-check that existing controls still hold against the new behavior. Regulatory change: verify governance still meets the current bar. Scheduled cycle: catches slow drift that no single event flags. The agents whose governance stays useful are the ones where these reviews are routine, owned, and acted on. The policy keeps describing the live system, not the one that launched.

TriggerWhat the review checks
New tool, source or permissionNew boundaries and exposures introduced
Model updateExisting controls still hold against new behavior
Regulatory changeGovernance still meets the current bar
Scheduled cycleSlow drift no single event flagged

The Pattern Intelligence Layer is where governance evolves with the agent. Each new tool, model update or rule change is reflected in the controls at the pattern level rather than leaving a frozen policy behind. Boundaries, oversight and audit requirements are revisited where the agent's behavior is governed. Is what keeps the policy matched to the system. Reliability at the pattern level is maintained as the agent grows, not assumed from the version that launched.

Frequently asked questions

Why revisit governance if nothing broke?
Because the agent, the model and the rules keep changing silently. The gap between frozen governance and an evolved agent does not announce itself; it surfaces at the next incident.

What's the most common drift?
A new data source or tool. It reopens exposures like indirect injection against a surface the original governance never covered, no matter how strong the model is.

How often should we review?
On every capability, model or regulatory change, plus a scheduled cycle to catch the slow drift that no single event flags. Standards like ISO 42001 build this in.


Share this post

Join the discussion

Have a take, a war story, or a question? Sign in with GitHub to comment and react. Comments are powered by GitHub Discussions, ad-free and yours to moderate.

Continue Reading

Find where your agent breaks, before you build it

Faultmap maps where your agent will fail from the goal and your data, then hands you the first test suite it has to pass.