AI Governance

Your Agent Cannot Read the Rules

Last week, a team of researchers did something governance vendors have avoided for years: they tested whether AI agents could actually follow governance policies.

The answer is clarifying.

The Agent Behavioral Contracts paper, published February 24 on Zenodo, introduces a formal framework for encoding preconditions, invariants, and recovery logic as runtime-enforceable contracts for autonomous AI agents. The researchers embedded these contracts directly in the agent execution path and measured what happened.

The results: agents operating under formal contracts still violated governance boundaries — but the contract framework caught those violations and bounded the behavioral drift. Agents operating without contracts drifted silently. No detection. No recovery. No record.

This is the empirical version of a problem practitioners already feel. Your governance policies exist as documents. Your agents interact with those documents the way a junior developer interacts with a style guide: they read it once, pattern-match against what they remember, and improvise the rest.

We call this grep 'n guess — and it is provably insufficient.

The prose policy problem

Most enterprise AI governance programs store policies as prose. A PDF in SharePoint. A section in Confluence. A rich-text field in a Governance, Risk, and Compliance (GRC) record. The policy says something like: "AI-generated recommendations in clinical settings must be reviewed by a licensed practitioner before action."

That sentence is unambiguous to a human reader. It is meaningless to an agent at execution time.

An agent consuming this policy has no formal precondition to check, no invariant to maintain, no gate to pass through before acting. It has text. And text is not a constraint — it is a suggestion.

The ABC framework demonstrates what happens when you replace suggestions with constraints. Preconditions define what must be true before an agent acts. Invariants define what must remain true while it acts. Recovery logic defines what happens when a violation occurs. All of this evaluates at runtime, in the execution path, not in a review meeting three weeks later.

What the research actually showed

The paper is worth reading for the failure taxonomy alone. Agent violations fell into categories practitioners will recognize:

  • Precondition failures. Agents attempted actions without required context, permissions, or data quality thresholds.

  • Invariant drift. Agents began within policy bounds and gradually moved outside them across multi-step operations — with no single step triggering an obvious violation.

  • Silent deviation. Without contracts, violations produced no signal. The agent completed its task. The output looked reasonable. The governance breach was invisible.

That last category is the one keeping CISOs awake. You cannot manage risk you cannot see. And prose policies, by definition, produce no signal when an agent ignores them — because ignoring a document looks identical to never having read it.
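The three failure categories above, and the precondition/invariant/recovery split described earlier, as an added Python sketch; it is not code from the ABC paper or from any vendor. The `Contract` class, the dose figures and the 10 mg band are constructed assumptions built around the clinical-review policy quoted earlier.

```python
from dataclasses import dataclass, field
from typing import Callable

Check = Callable[[dict], bool]

@dataclass
class Contract:
    preconditions: dict[str, Check]   # must hold before the agent acts
    invariants: dict[str, Check]      # must hold after every step
    recover: Callable[[dict], None]   # runs when an invariant breaks
    log: list = field(default_factory=list)  # the record a prose policy never produces

    def run(self, state: dict, steps: list) -> str:
        for name, check in self.preconditions.items():
            if not check(state):
                self.log.append(("precondition", name, None))
                return "blocked"          # the agent never acts
        for i, step in enumerate(steps):
            snapshot = dict(state)
            step(state)
            for name, check in self.invariants.items():
                if not check(state):
                    self.log.append(("invariant", name, i))
                    state.clear()
                    state.update(snapshot)  # roll back the violating step
                    self.recover(state)
                    return "recovered"
        return "completed"

def run_unguarded(state: dict, steps: list) -> str:
    for step in steps:                # same steps, no contract: no signal at all
        step(state)
    return "completed"

def bump(state: dict) -> None:        # each step alone looks harmless (+4 mg)
    state["dose_mg"] += 4

def escalate(state: dict) -> None:    # recovery: hand back to a human
    state["escalated"] = True

def make_contract() -> Contract:      # constructed policy, not from the paper
    return Contract(
        preconditions={"reviewed_by_practitioner":
                       lambda s: s.get("reviewed_by") is not None},
        invariants={"dose_within_reviewed_band":
                    lambda s: abs(s["dose_mg"] - s["reviewed_dose_mg"]) <= 10},
        recover=escalate,
    )
```

On a reviewed state starting at 100 mg, `make_contract().run(state, [bump, bump, bump])` stops at the third step, rolls back to 108 mg, escalates and logs the violation; `run_unguarded` on the same input ends at 112 mg with no record.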

From Clinejection to contracts

The Clinejection attack last month made the same point from the opposite direction. A prompt injection exploit mass-deployed malware through the Cline AI coding assistant — not because Cline lacked governance policies, but because nothing in the runtime could enforce them. The gap between what governance said and what the execution path enforced was the entire attack surface.

The ABC paper addresses the same structural gap. Clinejection showed what happens when agents operate without runtime constraints. Agent Behavioral Contracts show what happens when you add them: violations still occur, but they are detected, bounded, and logged.

This is not a theoretical improvement. It is the difference between a governance program producing evidence and one producing comfort.

The implication for practitioners

If you are responsible for AI governance in your organization, the ABC paper hands you a useful question for your next vendor evaluation or architecture review:

When an agent violates a policy, what happens?

Not "what should happen according to the policy document." Not "what would happen if someone noticed." What actually happens, at runtime, in the execution path, at the moment of violation?

If the answer involves a human reading a log after the fact, you do not have governance. You have documentation.

What to watch

The ABC framework is academic — it is a formal specification, not a product. But the pattern it validates is already appearing in commercial offerings. VAST, Lasso Security, and AccuKnox are all building inline enforcement layers for agent interactions. Holistic AI now markets enforcement across models and agents, not just assessments. ServiceNow's Autonomous Workforce embeds governance policies in agent runtime.

The market is converging on a simple premise: if governance cannot execute, it does not exist.

Thursday, we map who is building enforcement and where the gaps remain.

