Decision Governance vs. Model Governance

The industry is optimizing the wrong layer. Model governance asks whether a model is safe to run. Decision governance asks whether a specific decision was authorized. Almost the entire field is focused on the first question.

Model governance asks: is the model safe? Decision governance asks: was this action authorized? The planning and execution divide.

Two different questions. Model governance evaluates the model; decision governance evaluates the authorization behind a specific action.

Anthropic published a study last month covering 400,000 Claude Code sessions across 235,000 users. The finding that got the most coverage was that domain expertise predicts success better than coding background — lawyers and managers succeeding nearly as often as software engineers.

The finding that didn’t get enough coverage was this one:

In a typical session, users make most of the planning decisions. Claude makes most of the execution decisions.

Read that again. The human decides what to do. The model decides how to do it. That division of labor is now the default operating model for agentic AI across hundreds of thousands of real sessions.

Which means the governance question has already shifted — even if the governance frameworks haven’t noticed.

***

What Model Governance Answers

Model governance is the dominant approach in the industry today. It encompasses:

  • Alignment training and RLHF
  • Constitutional AI and preference learning
  • System prompt guardrails and behavioral constraints
  • Hardware attestation of the runtime environment
  • Model cards, safety evaluations, capability benchmarks

These are all answers to the same question: Is this model safe to run?

That is a legitimate question. It is not the wrong question. A model with dangerous capabilities or unreliable behavior needs to be identified before it touches production systems.

But notice what model governance does not answer.

It does not tell you whether the decision the model executed was authorized. It does not tell you what consequence tier that decision was classified at. It does not tell you what constraints were active when the execution happened. It does not tell you who granted the model authority to act. And it does not produce a record of any of this that someone outside your organization can independently verify.

Model governance answers: is the model safe?
Decision governance answers: was this decision authorized?

Those are different questions. The industry is almost entirely focused on the first one.

***

Why the Second Question Is Harder

Model governance is tractable because models are a bounded artifact. You can evaluate a model. You can benchmark it. You can attest to its runtime configuration. You can measure its performance against defined tasks. The model is a thing you can point at.

Decisions are not bounded in the same way. A single model can execute millions of decisions across thousands of deployments under different authority configurations, different consequence tier classifications, different governance policies, different operator contexts. The model is the same. The governance context is different every time.

This is why hardware attestation — TEE-sealed signing keys, policy hashes measured before code runs — is a necessary but insufficient answer. It tells you what binary ran under what policy. It does not tell you whether the decision that binary executed was authorized under the policy that governed this specific operator, this specific task, this specific consequence tier, at this specific moment. Those are properties of the decision, not the model.

The Kiro incident at AWS illustrates the gap precisely. The model behaved consistently with its configuration. The configuration was wrong. The decision to delete a production environment was not authorized — but nothing in the model governance stack prevented it, because the authorization question lived at the decision layer, and the decision layer had no governance.

***

What Decision Governance Requires

Decision governance operates at a different point in the execution chain. Not at model evaluation time. Not at deployment time. At dispatch time — the moment a specific task is assigned to a specific agent — and at execution time, when a specific action is taken.

At dispatch, decision governance asks: what authority is this agent actually granted for this specific task? Not what authority the operator holds. Not what authority the agent could inherit. What authority is explicitly granted, bounded to this task, and expires when the task ends?

At execution, decision governance asks: was this action authorized under the active policy? What consequence tier was it classified at? Did the classification match the actual impact? Is there an external record of this decision that cannot be modified after the fact?

These questions require a governance layer that is external to the model — because the model cannot reliably answer them about itself. The model can be instructed to report its own authorization status, but that report is generated by the same system whose behavior is under question. It is the defendant’s testimony about their own compliance.

Decision governance requires external recording at decision time. Not post-hoc explanation. Not self-reporting. A record made before the action executes, by a system the model cannot modify, in a format that an independent party can verify.

That is not what any current model governance framework produces.

***

The Admissibility Gap

Here is the practical consequence of confusing these two layers.

Your organization deploys an AI agent into a production workflow. The model has been evaluated, benchmarked, and attested. The hardware configuration is verified. The system prompt is thoughtfully constructed. The agent performs well in nominal conditions.

Then something goes wrong. A regulator asks what governance was in place. An auditor asks who authorized the action. A court asks for the decision record. An acquirer doing due diligence asks whether the agent’s actions are reconstructable.

You point to your model governance artifacts. The benchmark scores. The safety evaluation. The hardware attestation certificate. The system prompt.

None of these answer the questions being asked. They answer “was the model safe?” They do not answer “was this decision authorized, under what constraints, with what evidence?”

The decision record — if it exists at all — is a self-report generated by the model after the fact. It is the model explaining what it did and why. As discussed in prior work, post-hoc model explanation is a new inference, not a retrieval. The attention weights that produced the original output are not preserved. The explanation is generated, not recovered.

You have governance artifacts that are inadmissible to the actual questions being asked.

This is the admissibility gap. It is structural. It cannot be closed by better model evaluation or stronger hardware attestation. It can only be closed by building the decision governance layer.

***

The Two Questions Are Not Competing

I want to be precise about this, because the argument is sometimes misread as an attack on model governance.

Model governance and decision governance are not competing approaches. They address different threat surfaces at different layers.

Model governance addresses: is this model’s behavior reliable and safe across its general capability range?

Decision governance addresses: was this specific decision, taken by this specific agent, under this specific authority configuration, governed correctly?

You need both. A model that fails basic safety evaluations should not be deployed regardless of how good your decision governance is. And a safely evaluated model deployed without decision governance is a model where consequential actions can be taken without authorization records — which is where most enterprise AI deployments are today.

The industry has invested heavily in the first layer. The second layer is largely unaddressed.

***

The Question Regulators Are Starting to Ask

The White House’s GOLD EAGLE initiative — a federal clearinghouse for cybersecurity vulnerability coordination announced this month — explicitly involves AI to accelerate vulnerability detection across critical infrastructure. A federal clearinghouse that coordinates scanning verifications across Treasury, DHS, and the Department of War is an external reviewer consuming evidence at national scale.

That reviewer will not ask whether the models were safely evaluated. They will ask whether the decisions those models executed were authorized, governed, and reconstructable. That is a decision governance question.

The Agentic AI Foundation — now with 190 member organizations — is actively standardizing the evidence formats for agentic AI. The format question is the decision governance question: what does a valid, independently verifiable record of an authorized AI decision look like?

Those formats will be defined. The question is whether they are defined by the entities that produce the AI decisions — with the structural conflict that implies — or by independent frameworks with no stake in the outcome.

The governance vocabulary for that second path has been published. It predates both initiatives.

***

Conclusion

The industry is spending the majority of its governance energy on model evaluation, alignment, and runtime attestation. These are necessary. They are not sufficient.

The gap is the decision layer. The layer where specific actions are authorized, bounded, and recorded. The layer where governance is external to the model it governs. The layer that produces evidence admissible to someone who does not trust the vendor.

Model governance asks: is this model safe?
Decision governance asks: was this decision authorized?

Enterprises that can answer only the first question are not governed. They are attested.

The distinction will matter the next time something goes wrong — and the reviewer asking questions is not an employee.

James Ford is Chief Architect at GAIN Credit and founder of Equilateral AI. The Equilateral Agent Governance Scorecard (CC BY 4.0) and the Raknor Agent Governance Standard v1.0 (CC BY 4.0, extended from the Equilateral scorecard) are published openly at equilateral.ai/scorecard.html and raknor.ai/standard.html.