Governance

From Observation to Enforcement: Why AI Governance Plateaued, and What Comes Next

AI governance stalled at the dashboard. The next generation of tooling has to move from watching agents to enforcing what they are allowed to do.

Walk the exhibit floor of any AI risk and governance conference today and you'll see the same product, sold under thirty different names.

The product is a dashboard. It shows you what your AI agents did. It shows when they drifted. It throws alerts when behavior falls outside expected ranges, generates compliance documentation, and produces beautiful charts.

Now walk the exhibit floor of any security conference from 2014. You'd have seen the same product, sold under two hundred different names. The product was called SIEM. It showed you what your network did. It showed when it drifted. It generated compliance documentation. It produced beautiful charts.

That category didn't stand still. The market eventually figured out that observation wasn't enough, that the value wasn't in showing the CISO yesterday's compromises but in stopping today's. What emerged in response was Endpoint Detection and Response, and later Extended Detection and Response. Both had one defining property the SIEM era lacked: they enforced policy at decision time, not after the fact. They could block.

Modern AI governance sits about where SIEM sat in 2014. The dashboards are excellent. The enforcement layer is mostly missing. And the missing piece isn't a feature gap the existing platforms can ship in their next release. It's an architectural gap, because those platforms were never designed to run inline.

The shape of the gap

The current AI governance stack has three layers, and all three operate after the fact.

Observability platforms like Arize, Galileo, and Fiddler capture what happened. They tell you which agent calls succeeded, which drifted, which produced unsafe outputs. The data is rich and the visualizations are good. But they sit downstream of the decision. By the time the dashboard updates, the agent has already done whatever it was going to do.

Governance and risk platforms like Credo AI, Robust Intelligence, and IBM watsonx.governance capture what is supposed to happen. They document policies, map them to regulatory frameworks, generate audit reports. Their output is for the auditor, the legal team, the regulator. That's necessary work. It doesn't stop a runtime decision.

Tracing and debugging tools like LangSmith and LangFuse capture what will happen during development. They're excellent for the engineer building the agent. They go quiet once the agent ships to production.

None of these layers can step in at the moment a deployed agent is about to make a decision the organization doesn't want it to make. And the cost of that gap is climbing. Agentic systems are taking on work that used to be human: writing emails to customers, modifying production database rows, deploying code. When that's the workload, an unwanted action stops being a logging problem and becomes an operational one.

What "enforcement at decision time" actually requires

The reflexive industry response is to bolt enforcement onto the existing dashboards. Some platforms have announced exactly that on their roadmaps. Most will struggle to deliver it well, because four architectural properties have to be true at once, and they aren't properties dashboards were built for.

First, the enforcement layer has to run inline. Every agent decision passes through it before any external action is taken. The dashboards run on telemetry. They receive copies of events after the fact. Inverting that data flow isn't a UI change. It's a re-architecture.

Second, the latency budget has to be sub-second. A governance check that takes two seconds is a governance check nobody turns on. Real customer-facing agents won't tolerate a budget much above 500 milliseconds at the 99th percentile. That's achievable, but it takes engineering primitives the dashboard platforms have never had to build: caches, lexical-first matching, fail-closed timeouts.

Third, the rule format has to be operational, not advisory. "Don't reveal customer PII" is a policy. To enforce it, you need that policy expressed as something an evaluator can match against an incoming task in a few hundred microseconds. The expression has to be precise enough to fire correctly and broad enough to cover the cases it should cover. Existing governance platforms describe policies in human prose. An enforcement layer needs the rules in a language, with semantics, parsers, and a versioned schema.

Fourth, the system has to fail closed. Every uncertain decision returns "no decision" rather than "default approve." Every unreachable dependency returns "no decision" rather than "we'll let it through this time." This sounds obvious until you've sat through a vendor demo where the failure mode is "the rule check timed out, so we let the action proceed because the user was waiting." For any regulated buyer, that posture kills the deal.

Together, those four properties are what separate a governance dashboard from an enforcement layer. All four are achievable. They just don't add up to the same product.

The three reasonable futures

There are three plausible ways the gap closes over the next eighteen to thirty-six months. Reasonable people will pick different ones, and the buyer should understand the tradeoffs in each.

Path one: existing dashboards add enforcement. Some vendors will pull this off. The ones who do will be the ones who treat it as an architectural rebuild rather than a roadmap feature. They'll re-platform their data plane, hire a new engineering leader to own runtime SLOs, and probably lose 12-18 months of feature velocity getting there. The reward, if they land it, is owning both halves of the category.

Path two: a new category emerges. A separate class of vendors specializes in inline enforcement and integrates with the existing dashboards through clean APIs. The dashboards stay the system of record for what happened. The enforcement layer becomes the system of decision for what's allowed. That's roughly the relationship that grew up between SIEM and EDR after 2015, and it works because each layer can be best-of-breed.

Path three: the agent platforms absorb it. LangChain, LlamaIndex, agent runtimes from the cloud providers, any platform that owns the agent's runtime can in principle insert enforcement at the call site with no separate vendor. Some will. The risk for the buyer is concentration. Now your agent platform also owns your governance layer, and the failure modes correlate.

For the next several years all three paths run at once. The buyer's job is to figure out which path the vendor across the table is actually on, then price the deal accordingly. "We'll add enforcement next year" from a dashboard vendor is a very different risk profile than "we run inline today, here are our SLOs" from an enforcement specialist, even when the slide deck looks the same.

What CISOs and Chief AI Officers should actually ask

Five questions separate the vendors who can do this from the ones who can't.

  1. What is your p99 latency for a runtime decision? If the answer is more than a second, or if the answer is "we don't measure that," they aren't running inline.

  2. What happens when your service is unreachable? If the answer is "we fall back to allow," they're unsafe in any regulated environment. The right answer is "the calling agent receives a no-decision response and applies its configured default, which we recommend should be block until investigated."

  3. How do you express a rule? If the answer is "you describe it in plain English in our UI and we figure out enforcement," they aren't yet a real enforcement product. The right answer involves a documented rule format with semantics and versioning.

  4. How do you keep tenants isolated? If the answer is "we have role-based access control in the application layer," that isn't isolation. The right answer involves database-level enforcement that no application-layer bug can bypass.

  5. What is the audit log of every decision your system has made? If they can't show you a single row keyed by decision identifier, with hashed inputs, the active rule version, and the outcome, they haven't built the artifact regulators are about to start asking for.

None of these are gotchas. They're the questions buyers should already be asking, because the answers will sort the durable players from the dashboard repaints inside roughly twenty-four months.

The category will exist; only the names are uncertain

Here's what won't happen: AI governance staying where it is today. Too many high-stakes agentic deployments are coming online too fast for the post-hoc model to hold. Some trigger will force the category to mature, whether it's a public incident, a regulatory mandate, or a procurement officer who simply demands the answer. The architectures and the engineering primitives are clear right now. The vendors who match those primitives to the procurement reality of the next eighteen months will own the next phase of this market.

Observation built the AI governance category. Enforcement will define its next chapter.

← All Posts

Bring the Data Center to the Workload.

Talk to us about deploying Atlas for your mission.

Contact Us