Runtime governance rising

Observability for agentic AI is moving from passive logs to live enforcement—platforms now aim to stop bad actions in realtime rather than merely record them. Microsoft released an Agent Governance Toolkit mapping agent risks to OWASP-style controls, security vendors are extending behaviour-detection to AI interactions, and vendor-neutral orchestration tools are baking observability into multi-agent stacks to watch who invoked which tool and what data was touched (infoworld.com) (itwire.com) (geeky-gadgets.com).

A few months ago, “observability” for artificial intelligence agents mostly meant a replay button. You could inspect logs after an agent booked the wrong flight, exposed the wrong file, or called the wrong tool, but the damage had already happened. (opensource.microsoft.com) That is starting to change into something closer to a live referee. The new goal is not just to record what an agent did, but to intercept the action before it executes and decide whether it should be allowed at all. (infoworld.com) (opensource.microsoft.com)

The shift is happening because agents are no longer confined to chat windows. Microsoft’s own description says they are now booking flights, executing trades, writing code, and managing infrastructure, which turns a bad answer into a bad action. (opensource.microsoft.com) That difference matters because ordinary software usually follows a fixed script, while an agent chooses its path as it goes. It can read a prompt, decide which tool to call, pass data to another system, and keep looping through steps that were not individually hard-coded by a developer. (genai.owasp.org) (developers.redhat.com) Once software behaves that way, the old security model starts to look thin. A log file can tell you that an agent touched payroll data at 2:14 p.m., but it cannot stop the next tool call that sends the same data somewhere it does not belong. (infoworld.com) (opensource.microsoft.com)

The industry now has a clearer vocabulary for these failures. The Open Web Application Security Project published its Top 10 for Agentic Applications for 2026 in December 2025, describing risks such as goal hijacking, tool misuse, identity abuse, memory poisoning, cascading failures, and rogue agents. (genai.owasp.org) (opensource.microsoft.com)

Microsoft’s Agent Governance Toolkit is one of the clearest signs that vendors think this has become an infrastructure problem. The company released the toolkit on April 2, 2026, as an open-source project under the Massachusetts Institute of Technology license, and says it maps to all 10 of those Open Web Application Security Project agent risks. (opensource.microsoft.com) (github.com) Microsoft is framing the product less like a dashboard and more like an operating system layer. In its launch post, it describes “Agent OS” as a stateless policy engine that intercepts every agent action before execution with sub-millisecond latency, using policy languages such as YAML, Open Policy Agent Rego, and Cedar. (opensource.microsoft.com)

The company also pairs enforcement with identity. Its “Agent Mesh” component uses decentralized identifiers with Ed25519 cryptography, an Inter-Agent Trust Protocol for agent-to-agent communication, and a dynamic trust score on a 0-to-1000 scale with five behavioral tiers. (opensource.microsoft.com) That design tells you where the market is heading. If agents are becoming digital workers that can authenticate, access systems, and trigger workflows, then companies want the same controls they already expect for employees, servers, and application traffic: identity, least privilege, isolation, and a kill switch. (opensource.microsoft.com) (helpnetsecurity.com)

Security vendors are moving in the same direction from the opposite side of the stack. Exabeam said on April 1, 2026 that it expanded Agent Behavior Analytics to detect behavior in OpenAI ChatGPT and Microsoft Copilot, adding those systems to its existing visibility into Google Gemini. (itwire.com) (financialcontent.com) Exabeam’s pitch is that artificial intelligence services should now be treated as telemetry sources, not just productivity tools. Its announcement says usage data from ChatGPT, Copilot, and Gemini can feed directly into threat detection, investigation, and response workflows so a security team can see how users and agents interact across the enterprise. (financialcontent.com) (itwire.com)

That matters because insider risk changes shape when the “insider” might be partly automated. A suspicious pattern is no longer only a human employee downloading too many records; it can also be an agent repeatedly invoking tools, touching unusual data stores, or acting outside its normal role. (securityinfowatch.com) (itwire.com)

A third piece of the story is appearing in orchestration software, where observability is being built into the way multi-agent systems are assembled. Paperclip, an open-source platform for running teams of agents, advertises “full tool-call tracing and audit log,” says every conversation is traced and every decision explained, and lets operators pause or terminate any agent at any time. (paperclipai.net) (github.com) Paperclip also ties observability to budgets and hierarchy, which is a clue to how governance is broadening beyond classic security. Its product pages say each agent can have a monthly budget, hard spending limits, a boss, a title, and a reporting line, so the system can track who did what and stop runaway costs automatically. (paperclipai.net) (geeky-gadgets.com)
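The three mechanisms the article describes, a policy gate that decides on every tool call before it executes, an operator kill switch, and behaviour analytics that read the resulting audit trail for repeated denials or bursts of tool calls, fit together in one small pipeline. The following is an added Python illustration written for this page; it is not code from Microsoft's Agent Governance Toolkit, Exabeam, or Paperclip, and it does not use their APIs. The policy is a plain Python dict standing in for a YAML, Rego, or Cedar policy document, and the agent ids, roles, tool names, datasets, amounts, and timestamps are constructed sample values.

```python
"""Constructed example: pre-execution policy gate + kill switch + behaviour analytics.
Not the Agent OS, Agent Mesh, Exabeam, or Paperclip implementation; all names are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed policy document. In a real deployment this would be YAML/Rego/Cedar loaded from disk.
POLICY = {
    "default": "deny",
    "rules": [
        {"role": "travel-booker", "tool": "flights.search", "effect": "allow"},
        {"role": "travel-booker", "tool": "flights.book", "effect": "allow", "max_amount": 2000},
        {"role": "payroll-analyst", "tool": "db.read", "effect": "allow", "datasets": ["payroll"]},
        {"role": "payroll-analyst", "tool": "http.post", "effect": "deny"},
    ],
}


@dataclass
class ToolCall:
    ts: float                # constructed timestamp, seconds
    agent_id: str
    role: str
    tool: str
    args: dict = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str


class PolicyGate:
    """Intercepts every tool call and decides before anything executes; records every decision."""

    def __init__(self, policy: dict):
        self.policy = policy
        self.audit: list[dict] = []         # one record per intercepted call, allowed or denied
        self.terminated: set[str] = set()   # operator kill switch: agent ids that may do nothing

    def terminate(self, agent_id: str) -> None:
        self.terminated.add(agent_id)

    def evaluate(self, call: ToolCall) -> Decision:
        if call.agent_id in self.terminated:
            return Decision(False, "agent terminated by operator")
        for rule in self.policy["rules"]:
            if rule["role"] != call.role or rule["tool"] != call.tool:
                continue
            if rule["effect"] == "deny":
                return Decision(False, f"explicit deny for {call.tool}")
            limit = rule.get("max_amount")
            if limit is not None and call.args.get("amount", 0) > limit:
                return Decision(False, f"amount exceeds limit {limit}")
            allowed_sets = rule.get("datasets")
            if allowed_sets is not None and call.args.get("dataset") not in allowed_sets:
                return Decision(False, "dataset not permitted for role")
            return Decision(True, "matched allow rule")
        # No rule matched: apply the policy default (deny unless the document says otherwise).
        return Decision(self.policy.get("default") == "allow", "no matching rule; policy default applied")

    def intercept(self, call: ToolCall, execute: Callable[[ToolCall], object]) -> Optional[object]:
        decision = self.evaluate(call)
        self.audit.append({"ts": call.ts, "agent_id": call.agent_id, "role": call.role,
                           "tool": call.tool, "args": call.args,
                           "allowed": decision.allowed, "reason": decision.reason})
        return execute(call) if decision.allowed else None


def flag_anomalous_agents(audit: list[dict], denied_threshold: int = 3,
                          burst_limit: int = 5, window_s: float = 10.0) -> dict[str, list[str]]:
    """Behaviour analytics over the audit trail: flag repeated denials and tool-call bursts."""
    flags: dict[str, list[str]] = defaultdict(list)
    denied: dict[str, int] = defaultdict(int)
    recent: dict[str, deque] = defaultdict(deque)   # sliding window of timestamps per agent
    burst_seen: set[str] = set()
    for rec in sorted(audit, key=lambda r: r["ts"]):
        agent = rec["agent_id"]
        if not rec["allowed"]:
            denied[agent] += 1
        window = recent[agent]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > window_s:
            window.popleft()
        if len(window) > burst_limit:
            burst_seen.add(agent)
    for agent, n in denied.items():
        if n >= denied_threshold:
            flags[agent].append(f"{n} denied tool calls")
    for agent in burst_seen:
        flags[agent].append(f"more than {burst_limit} tool calls within {window_s:.0f}s")
    return dict(flags)


def run_demo() -> tuple[list[dict], dict[str, list[str]], Decision]:
    """Drive the gate with constructed calls, run analytics, then apply the kill switch."""
    gate = PolicyGate(POLICY)
    execute = lambda call: f"executed {call.tool}"   # stand-in for the real tool runtime
    calls = [
        ToolCall(0.0, "agent-A", "travel-booker", "flights.search", {"route": "SEA-JFK"}),
        ToolCall(1.0, "agent-A", "travel-booker", "flights.book", {"amount": 850}),
        ToolCall(2.0, "agent-A", "travel-booker", "flights.book", {"amount": 9000}),   # over limit
        ToolCall(3.0, "agent-B", "payroll-analyst", "db.read", {"dataset": "payroll"}),
        ToolCall(3.5, "agent-B", "payroll-analyst", "http.post", {"url": "https://example.invalid"}),
        ToolCall(4.0, "agent-B", "payroll-analyst", "db.read", {"dataset": "customers"}),
        ToolCall(4.5, "agent-B", "payroll-analyst", "db.read", {"dataset": "customers"}),
        ToolCall(5.0, "agent-B", "payroll-analyst", "db.read", {"dataset": "customers"}),
        ToolCall(5.5, "agent-B", "payroll-analyst", "db.read", {"dataset": "customers"}),
    ]
    for call in calls:
        gate.intercept(call, execute)
    flags = flag_anomalous_agents(gate.audit)
    for agent in flags:                     # operator response: terminate flagged agents
        gate.terminate(agent)
    post_kill = gate.evaluate(ToolCall(6.0, "agent-B", "payroll-analyst", "db.read", {"dataset": "payroll"}))
    gate.intercept(ToolCall(6.0, "agent-B", "payroll-analyst", "db.read", {"dataset": "payroll"}), execute)
    return gate.audit, flags, post_kill


if __name__ == "__main__":
    audit, flags, post_kill = run_demo()
    for rec in audit:
        print(rec["ts"], rec["agent_id"], rec["tool"], "ALLOW" if rec["allowed"] else "DENY", rec["reason"])
    print("flags:", flags)
    print("after kill switch:", post_kill)
```

The gate sees every call, so the audit trail is complete even for calls that never ran, which is what gives the analytics something to work with: agent-B is flagged both for five denials and for a burst of six calls in ten seconds, and once terminated its otherwise-permitted payroll read is refused too. Real deployments would persist the audit records to the SIEM rather than a list and would load the policy from a versioned document, but the decision point sits in the same place: before execution, not after.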

Shared from Scout - Be the smartest in the room.