Runtime Agent Controls Tested

An artificial intelligence agent is a model that can take actions, not just answer questions, and that has pushed developers toward controls that can stop or confine it while it runs. A new line of testing argues those controls can be added without shutting agents down entirely. (arxiv.org) Researchers at the University of Southern California wrote in April 2026 that deployed agent systems often cannot answer basic post-incident questions because logs are partial, approvals are missing, and records can be altered. Their paper reported 617 security findings across six prominent open-source agent projects and measured 8.3 milliseconds of median overhead for pre-execution mediation with tamper-evident records. (arxiv.org) That mediation works like a checkpoint before an agent acts: a policy layer inspects the request, decides whether it is allowed, and records what happened in a way that is hard to rewrite later. Microsoft said on April 2, 2026 that its open-source Agent Governance Toolkit intercepts agent actions before execution with sub-millisecond policy enforcement and is designed to address all 10 risks in the OWASP Top 10 for Agentic Applications for 2026. (opensource.microsoft.com, genai.owasp.org) The push for runtime controls comes as agents move from chat windows into systems that can book travel, execute trades, write code, and manage infrastructure. Microsoft compared the problem to older computing layers such as operating-system kernels, process isolation, service-mesh identity, and circuit breakers in site reliability engineering. (opensource.microsoft.com) The compliance calendar is also getting closer. Microsoft said the European Union Artificial Intelligence Act’s high-risk obligations take effect in August 2026, and Colorado’s artificial intelligence law is scheduled to become enforceable on June 30, 2026 after a delay from February. (opensource.microsoft.com, natlawreview.com) Vendors and open-source teams are converging on the same architecture: one control plane for many agents, one telemetry stream for their actions, and one place to change policy without redeploying every workflow. Agent Control, an open-source project, describes its product as a centralized agent control plane that applies runtime guardrails across agents and can block prompt injection and personal-data leakage through configurable rules. (github.com) Another branch of the field is trying to turn ordinary logs into evidence that outside auditors can verify. ProvnAI says it converts agent actions and state transitions into cryptographically verifiable artifacts, with Merkle-hashed records, hardware-rooted signatures, and audit trails meant to survive disputes over what an agent actually did. (provnai.com) The argument running through these systems is narrower than a promise to make agents “safe.” It is that if an agent can send messages, delete files, or cross permission boundaries, then the operator needs a kill switch, isolation boundaries, and records that can show who approved what and when. (arxiv.org, opensource.microsoft.com) That has shifted the debate from model behavior alone to runtime evidence. The next test for agent deployments is no longer only whether they can complete tasks, but whether a company can stop them mid-run and prove, afterward, exactly what happened. (arxiv.org, github.com, provnai.com)