Why You Need a AI Governance Control Stack (and Where a Pre-Execution Authority Gate Fits)

Patrick McFadden • February 26, 2026

Most of what’s being sold today as “AI governance” is a category error.


  • Vendors pitch one product as the governance solution.
  • Buyers hope for “one throat to choke.”
  • Regulators and boards ask, “Do we have AI governance?” like it’s a yes/no checkbox.


Reality: AI governance is not a product. It’s a control stack.


If you try to buy it from one box, you usually end up with false confidence and gaps in exactly the places that matter most.


This is the framing I’ve found most useful when evaluating serious AI governance claims.

The One Line to Remember

“Authorized” is not the same as “executed correctly.”
“Executed correctly” is not the same as “governed.”

Most confusion comes from mixing those three jobs.


Let’s unbundle them.

The AI Governance Control Stack (Five Layers)


In any serious environment — law, finance, healthcare, critical infrastructure — you need at least five layers of control:


  1. Data / Formation Governance – what the system is allowed to see and learn from.
  2. Model / Agent Behavior Controls – what the system is allowed to say and attempt.
  3. Pre-Execution Authority Gate (Commit Layer) – who is allowed to let an action start at all.
  4. In-Execution Constraints – how far the action is allowed to go while it’s running.
  5. Post-Execution Monitoring & Reconciliation – what actually happened, and whether it matched your intent.


If someone tells you they “do AI governance” and can’t tell you which of these they cover, you don’t have a governance solution.


You have a feature.


Note: policy ownership sits above this stack: boards, GRC, risk committees, and business leadership decide the rules. These five layers are the operational control stack that enforces and evidences them.

Layer 1 – Data / Formation Governance


“What do we let this system know?”


This is the part most organizations already recognize:


  • Data classification (public / internal / confidential / restricted).
  • “No customer data in public LLMs” rules.
  • DLP, access controls, and encryption.
  • Decisions about which datasets can train which models.


Risk it controls:

  • Data leakage
  • Privacy violations
  • Illegitimate training / use of sensitive data


What it does not control:

  • Whether the system’s decisions are authorized.
  • Whether a specific action may run under your name.


You can have perfect data governance and still wire a system that moves money, files court documents, or changes records under the wrong authority.

Layer 2 – Model / Agent Behavior Controls


“How is this system allowed to behave?”


This is the “AI safety” layer people talk about:


  • Guardrails and safety filters.
  • Red teaming and jailbreak resistance.
  • Prompt / response filtering.
  • Agent policies (“don’t call this tool”, “stay within this scope”).


Risk it controls:

  • Harmful content
  • Obvious misuse of tools by the model
  • Some classes of biased or non-compliant behavior


What it does not control:

  • Whether the resulting action is allowed to execute.
  • Whether the decision is under the right license, consent, or authority.


A model can be beautifully “safe” and still send something to the wrong regulator, move the wrong funds, or file under the wrong attorney — simply because no one ever asked “may this run at all?”

Layer 3 – Pre-Execution Authority Gate (Commit Layer)


“For this actor, this action, right now — may it run at all?”


This is the layer that’s been missing in most stacks, and the one we specialize in.


A pre-execution authority gate sits in front of high-risk actions:


  • file / send / serve
  • sign / approve / commit
  • move money / change limits / alter critical records


For each attempted action, it evaluates a small, structured payload:


  • Who is acting?
  • Where are they acting?
  • What are they trying to do?
  • How fast / how exposed is it?
  • Under which authority / consent?


Then it returns exactly one of three outcomes:


  • Approve – the action may proceed.
  • Refuse – the action is blocked; nothing executes.
  • ⚖️ Supervised override – the action may proceed only with a named human decision-maker attached.


And for each verdict, it produces a sealed, tenant-owned artifact:


  • Who tried to do what.
  • Under which identity / role / matter / venue.
  • Which policy / rule set was applied.
  • What the verdict was (approve / refuse / supervised).
  • Reason codes and timestamps.
The gate’s job is not correctness.
Its job is authority and accountability.

It answers:


“Was this action allowed to start under our rules, and who owned that call?”


It does not guarantee:


  • that the model’s reasoning inside the action was correct,
  • that every downstream system behaved, or
  • that the overall outcome was “good.”


That’s not a flaw — it’s separation of concerns.


In our work in legal environments, SEAL Legal Runtime is built as this layer: a sealed pre-execution authority gate in front of high-risk legal actions, returning approve, refuse, or supervised override and emitting sealed artifacts per governed action.

Layer 4 – In-Execution Constraints


“Given that it’s allowed to start, how far may it go?”


Once an action is authorized to start, you still need controls while it’s running:


  • Transaction limits and exposure caps.
  • Dual control / four-eyes for large or unusual actions.
  • Step-up authentication when risk spikes.
  • Escrow / staged commits (plan, preview, then apply).
  • Circuit breakers and anomaly detection mid-flight.
  • Bounded tool permissions for agents (“this tool only on these accounts”).
  • Idempotency / rollback guards.


Risk it controls:

  • “Approved but dangerous” actions.
  • Partial failures and cascading problems while the system is mid-flight.


What it does not control:

  • Whether the action should have been allowed to start in the first place.
  • Whether the action was under the right authority or consent.


This is the layer many “AI ops” / “agentic” frameworks talk about (and where people like Drew / Vadym are focusing on invariants and state).

Layer 5 – Post-Execution Monitoring & Reconciliation


“What actually happened, and did it match our intent?”


After the action is done, you still need:


  • Reconciliation against books and records.
  • Exception reports and flags.
  • Supervisory sampling and QA.
  • Incident detection and response.
  • Forensic reconstruction when something goes wrong.
  • Model / policy updates based on what you learn.


Risk it controls:

  • Drift over time (models, policies, behavior).
  • Hidden failure modes that only show up in aggregate.
  • Regulatory and litigation exposure when you need to show your work.


What it does not control:

  • Whether the action was authorized in the first place.
  • Whether the action was bounded while it ran.


This layer is where a lot of “AI audit” and “AI observability” lives today.

Why One Vendor Can’t (and Shouldn’t) Own All Five


Think about security:


  • IAM
  • Endpoint protection
  • Network / zero trust
  • SIEM
  • SOAR / incident response


No one serious buys all of that from one product.
You expect multiple layers, multiple vendors, with clear interfaces.


AI will go the same way.


If a vendor claims to be your data layer, model safety layer, pre-execution authority gate, runtime constraint system, and audit platform all at once, you should scrutinize that claim very carefully. Serious governance usually depends on separation of duties, clear interfaces, and independent lines of defense.

How to Use This Control Stack in Practice


Here’s a way to turn this into action inside your org.


Step 0 — Find the execution paths 


Before assessing the five layers, inventory where high-risk actions actually execute today. In many environments, important workflows sit outside formal governance paths. If an action never reaches the execution gate, it cannot be refused before it runs.


Step 1 — Pick one high-risk class of actions:


  • filing with a regulator or court,
  • moving funds above a threshold,
  • changing prices/limits in production,
  • issuing orders / prescriptions / commands.


Step 2 —Then ask, in plain language:


1. Data / Formation

  • What data is this action allowed to see and learn from?
  • Who owns those classifications and access rules?


2. Model / Agent Behavior

  • What are models/agents allowed to say or try?
  • What’s explicitly out of scope?


3. Pre-Execution Authority Gate

  • Who (human or system) is allowed to say “yes, this action may start under our name”?
  • Where does that decision live — in a policy PDF, or in a gate in front of the “execute” button?
  • Can we prove that decision six months from now?


4. In-Execution Constraints

  • Once started, what caps / limits / circuit breakers apply?
  • What happens if the action goes out of bounds while it’s running?


5. Monitoring & Reconciliation

  • How do we spot and investigate odd patterns after the fact?
  • What record would we show a regulator or insurer?


If any layer is answered with “we don’t really have that” or “we’re hoping the vendor’s magic takes care of it,” that’s your gap.

Where We Focus


In our own work, we have deliberately not tried to be a single, all-in-one “AI governance platform.”


We chose to specialize in the pre-execution authority layer:

Pre-execution authority gates for high-risk legal actions,
with sealed, client-owned artifacts for every approve / refuse / supervised override.
  • I don’t do DLP.
  • I don’t tune models.
  • I don’t manage every runtime limit or observability feed.


We integrate with the systems that already own those pieces (IdP, GRC, matter systems, DLP), and I answer one question ruthlessly:


“For this actor, this action, in this context, under this authority — may it run at all, and where is the record that proves the decision?”


That’s the Commit job.


Your stack may choose different vendors or build some layers in-house.
But the structure doesn’t really change.

The Practical Takeaway


If you want a quotable, referenceable version of all this, it’s this:


AI governance is not one product. It’s a control stack.


  • Data governance decides what the system may know.
  • Model controls decide how it may behave.
  • The pre-execution gate decides what may start.
  • In-execution constraints decide how far it may go.
  • Monitoring and reconciliation decide what we learn and how we prove it.


And:


If your stack cannot clearly show where “may this run at all?” is decided for each high-risk action, then your governance program still has a critical gap.

What Is the Commit Layer?

By Patrick McFadden April 7, 2026
The Commit Layer is the execution-boundary control point where a system decides, before an irreversible action runs, whether that action may proceed under authority, in context. It applies to humans, agents, systems, tools, and workflows.

What Is Action Governance?

By Patrick McFadden April 7, 2026
Action Governance is the discipline of deciding whether a specific action may execute under authority, in context, before it runs. Learn how it differs from IAM, model governance, and monitoring — and why it lives at the Commit Layer.

Execution-Time Authority Control: Why IAM, Guardrails, GRC, and Monitoring Still Don’t Decide What May Execute

By Patrick McFadden April 2, 2026
Most enterprises already have more controls than they can name. They have IAM. They have model guardrails. They have GRC platforms. They have dashboards, logs, alerts, and post-incident reviews. And yet one question still goes unanswered at the exact moment it matters: May this action run at all? That is the gap. Not a visibility gap. Not a policy gap. Not a “we need one more dashboard” gap. A control gap. The problem is not that enterprises have no governance. The problem is that their existing layers stop short of the final decision that matters at the moment of action. The market has language for identity, model safety, policy management, and monitoring. What it still lacks, in most stacks, is a control that decides whether a governed high-risk action may execute under the organization’s authority before anything irreversible happens. That is what I mean by execution-time authority control . Not a new category. A clearer control-language translation for what Action Governance does at the Commit Layer .

AI Security Keeps Intruders Out. AI Governance Decides What Your Own Systems May Do.

By Patrick McFadden March 17, 2026
Most AI governance stops at models and monitoring. The missing runtime discipline is Action Governance.

Is This Really AI Governance? 7 Questions Boards Can Ask in One Meeting

By Patrick McFadden March 10, 2026
Most “AI governance” decks sound impressive but leave one blind spot: Who is actually allowed to do what, where, under which authority, before anything executes? These seven questions let a board test, in one meeting, whether the organization has real governance or just model settings and policies on paper.

AI Risk P&L: The Prevented-Loss Ledger (with Refusal Artifacts)

By Patrick McFadden March 6, 2026
Define AI Risk P&L and the prevented-loss ledger. Learn how refusals, overrides, and sealed artifacts make AI governance provable.

The Missing Layer Between Model Governance and Audit

By Patrick McFadden March 3, 2026
Why You Still Get AI Incidents Even When Both Look “Mature”

How to Govern AI Decisions at Runtime (By Governing Actions at the Execution Gate)

By Patrick McFadden March 1, 2026
Everyone’s asking how to govern AI decisions at runtime. The catch is: you can’t govern “thinking” directly – you can only govern which actions are allowed to execute . Serious runtime governance means putting a pre-execution authority gate in front of file / send / approve / move and deciding, for each attempt: may this action run at all – yes, no, or escalate?

The Missing Commit Layer in AI Governance: Why “Safety” Isn’t Enough

By Patrick McFadden February 28, 2026
The Commit Layer is the missing control point in AI governance: the execution-boundary checkpoint that can answer, before an action runs.

What Is a Pre-Execution AI Governance Runtime?

By Patrick McFadden February 23, 2026
A pre-execution AI governance runtime sits before high-risk actions and returns approve/refuse/supervised—using your rules—and emits sealed evidence you can audit and defend.