A widely-cited LangChain post on agentic architecture gives this advice: outsource your agentic infrastructure, own your cognitive architecture. It's good advice. It's also incomplete — and the gap it leaves is where most production governance failures originate.
The post describes two layers: infrastructure (execution, queues, persistence — outsource it) and cognitive architecture (how your agent reasons, what tools it has, how it plans — own it). What it doesn't describe is the third layer — because the governance plane wasn't a serious engineering problem when that piece was written. It is now.
This month, Microsoft released the Agent Governance Toolkit — an open-source framework that sits outside agent code entirely and enforces runtime policies against all ten OWASP Agentic AI Top 10 risks. It doesn't live in your agent's prompt. It doesn't live in your infrastructure. It's a third architectural layer. Does your system have one?
The governance plane is the architectural layer responsible for enforcing policies on agent behavior at runtime — controlling what tools agents can access, what data they can touch, what outputs they can produce, and what cost they can incur — without living inside the agent itself. Unlike observability infrastructure (which records what happened) or cognitive architecture (which determines what the agent tries to do), the governance plane determines what the agent is allowed to do, independent of its own reasoning. The defining architectural property: governance updates don't require agent code changes. Policies are infrastructure. Agents are tenants.
What the two-layer framing gets right
LangChain's framing correctly identifies a trap most teams fall into early: rebuilding infrastructure primitives from scratch. Persistent state management, fault-tolerant task queues, horizontal scaling — these are solved problems that don't differentiate your product. Outsourcing them lets your team focus on the hard part: reasoning architecture, tool selection logic, and workflow design. The two-layer model is a genuine improvement over the zero-layer model, where most teams start: one undifferentiated pile of code that handles reasoning, execution, and attempts at governance all at once.
The problem isn't that the framing is wrong. It stops one layer short.
Why governance built into the agent fails
The instinct, once teams recognize the governance gap, is to add it to the cognitive architecture layer — guardrails in the system prompt, conditional logic in tool calls, compliance checks in the agent's planning step. This is where the architecture breaks. Governance embedded in cognitive architecture has three structural problems.
It's brittle under policy change. When a data handling policy updates, or a compliance requirement changes, or you need to add a new tool restriction — all of that requires touching agent code. In teams running multiple agents across multiple frameworks, "update the governance policy" becomes "open a ticket for five separate PRs." Policy that lives in code deploys on code timelines.
It produces no audit evidence. Governance embedded in system prompts doesn't produce enforcement records. It produces outputs — and you have to infer from the output that the policy ran. When an auditor asks "show me that your agent evaluated whether this action was permitted before it ran," a system prompt can't produce that evidence. A governance plane can.
It's not actually enforced deterministically. An agent instructed not to access certain data can still access it if the LLM doesn't follow the instruction. This is a first-principles problem with prompt-based governance: instructions are inputs to a probabilistic reasoner. Policies at the enforcement layer aren't instructions — they're interceptors. The Stanford 2026 AI Index found that 62% of organizations name security and risk as the primary blocker for scaling agentic AI — a governance architecture problem, not a model capability problem.
What a separate governance plane looks like in practice
The control plane / data plane separation has a long history in infrastructure engineering — networking, Kubernetes, service meshes. The same principle applies to agentic systems. The governance plane doesn't execute agent logic. It intercepts it.
Specifically: the governance plane evaluates every action the agent intends to take — a tool call, an API request, an output about to be delivered — against a defined policy set before that action executes. If the action is permitted, it proceeds. If not, the plane blocks, routes for human review, or terminates the session. The agent's cognitive architecture is unchanged. The enforcement mechanism is external to it.
This separation has a concrete implication for policy updates. Because governance policies live outside agent code, you can update which tools a specific agent class is allowed to call, add a new PII handling rule, or tighten cost limits across your entire agent fleet — without a deployment. For organizations running dozens of agents, this is the difference between governance that scales and governance that stalls.
The Signal and Domain pattern takes the separation further by defining controlled interface points between agents and the production systems they interact with. Agents don't get direct access to databases, APIs, or file systems — they go through a governed interface. An agent with CRM access can be restricted to querying only the current user's account records; outbound emails can require human review for unapproved domains. Neither constraint lives in the agent. Both enforce reliably at the interface layer.
The architecture question to ask before you ship
Microsoft's toolkit, the EU AI Act's high-risk system requirements (deadline: August 2026), and organizations that have moved from prototype to governed production at scale are converging on the same model: governance is a third layer, not a feature of the other two.
Your cognitive architecture is the differentiating layer — which is precisely why governance shouldn't live there. Its value is the ability to iterate quickly on reasoning, tooling, and task design. Governance rules baked into it slow that iteration, create deployment dependencies, and make audit records impossible to produce cleanly. They belong in a layer purpose-built to enforce them.
Agents reason. Infrastructure executes. The governance plane enforces. Conflating any two of those doesn't simplify the system — it just makes governance invisible until something goes wrong.
How Waxell handles this: Waxell's governance plane is the third architectural layer — separate from agent code and separate from execution infrastructure. It intercepts every tool call and output before execution, evaluates it against a defined policy set, and enforces the result without agent code changes. Cost limits, tool access controls, content restrictions, and human-escalation triggers are defined once, deployed independently, and enforced across every governed agent. What the governance plane covers is explicit by design: agents reason, infrastructure executes, Waxell enforces. Get early access.
Frequently Asked Questions
What is the governance plane in agentic architecture?
The governance plane is an architectural layer that sits outside agent code and enforces runtime policies on agent behavior — what tools agents can access, what data they can touch, what they can output, and what they can spend — before those actions execute. It's distinct from observability infrastructure (which records what happened) and from cognitive architecture (which determines what the agent tries to do). The defining property: governance policies update independently of agent code, with a separate deployment lifecycle from either infrastructure or the agent itself.
What's the difference between agentic infrastructure and a governance plane?
Agentic infrastructure handles execution: task queues, persistent state, horizontal scaling, fault tolerance. A governance plane handles enforcement: policy evaluation, action interception, human escalation routing, audit trail generation. Infrastructure makes agents reliable; a governance plane makes them compliant. Both sit outside agent code, which is why they're often conflated — but they serve completely different functions with different update cadences and different owners.
Why shouldn't I build governance into my agent's system prompt?
System prompt governance has three structural problems: policy updates require code deployments; it produces no enforcement records (making audit evidence impossible to generate); and it's not deterministically enforced because LLMs can deviate from instructions under adversarial inputs, context drift, or edge cases. Governance built into a prompt is a best-effort instruction. Governance at the enforcement layer is a deterministic interceptor. For anything with compliance or security consequences, the distinction is not academic.
What is the Signal and Domain pattern?
Signal and Domain is a controlled interface design for agentic systems. Rather than giving agents direct access to production data systems, the pattern routes agent interactions through a defined interface layer that the governance plane controls. Agents request what they need; what they receive is governed by policy. This is the architectural equivalent of a network DMZ: the agent's reasoning is unconstrained, but what it can affect in production is bounded by the interface. You can expand or restrict agent access without changing agent code.
How does Microsoft's Agent Governance Toolkit relate to the governance plane concept?
The Agent Governance Toolkit (April 2026) is an open-source implementation of the governance plane pattern. It sits outside agent code as a framework-agnostic layer, intercepts actions before execution at sub-millisecond latency, and enforces policies against the OWASP Agentic AI Top 10 risk categories. Its architecture explicitly lives outside both cognitive architecture and execution infrastructure — validating the three-layer model. When Microsoft — creator of AutoGen and Azure AI Foundry, with deep integrations across the major agent framework ecosystem — builds governance as an external enforcement layer, it's the clearest industry signal that this is where production agentic architecture is heading.
Sources
- LangChain, Why you should outsource your agentic infrastructure, but own your cognitive architecture (2024) — https://blog.langchain.com/why-you-should-outsource-your-agentic-infrastructure-but-own-your-cognitive-architecture/
- Microsoft Open Source Blog, Introducing the Agent Governance Toolkit: Open-source runtime security for AI agents (April 2, 2026) — https://opensource.microsoft.com/blog/2026/04/02/introducing-the-agent-governance-toolkit-open-source-runtime-security-for-ai-agents/
- Microsoft GitHub, agent-governance-toolkit — https://github.com/microsoft/agent-governance-toolkit
- Microsoft Community Hub, Agent Governance Toolkit: Architecture Deep Dive (2026) — https://techcommunity.microsoft.com/blog/linuxandopensourceblog/agent-governance-toolkit-architecture-deep-dive-policy-engines-trust-and-sre-for/4510105
- Kiteworks, Stanford AI Index 2026: Why 62% Say Security Blocks Agentic AI Scaling — https://www.kiteworks.com/cybersecurity-risk-management/stanford-ai-index-2026-agentic-ai-security-governance/
- Stanford HAI, The 2026 AI Index Report — https://hai.stanford.edu/ai-index/2026-ai-index-report
- Cloud Security Alliance, Securing the Agentic Control Plane in 2026 (March 2026) — https://cloudsecurityalliance.org/blog/2026/03/20/2026-securing-the-agentic-control-plane
- OWASP, OWASP Top 10 for LLM Applications — Agentic AI 2025 — https://owasp.org/www-project-top-10-for-large-language-model-applications/
- European Commission, EU AI Act Implementation Timeline — https://ai-act-service-desk.ec.europa.eu/en/ai-act/timeline/timeline-implementation-eu-ai-act
Top comments (0)