All posts
6 min readAaron Lamb
Why We Wrote Our Own AI Governance Framework
Most AI vendors will not tell you what their agents can and cannot do. We wrote it down: authorization, behavior, and change control. Here is what is in it and why we built it instead of buying one off the shelf.
Ask most AI vendors what their agents are allowed to do, and you get a marketing answer. They will tell you what the agent does well. They will not tell you what it is allowed to do at all, how it is supposed to behave while it does it, or what happens when it changes.
We wrote that down. Three frameworks, before we shipped a single agent into a client's business. This is what is in them, and why building our own beat buying one off the shelf.
The problem with off-the-shelf AI safety
There is no shortage of AI safety frameworks on the public internet. Most of them are non-operational. They describe principles. They tell you to be transparent, to keep a human in the loop, to respect privacy. All true. None of it tells your agent what to do at three in the morning when something is going sideways.
A principle is not a control. "Keep a human in the loop" is a value. "This action requires human confirmation above this confidence threshold, and here is the escalation path when confidence is below it" is a control. The first one sounds good in a deck. The second one is what actually stops an agent from doing something it should not.
We needed controls, not values. So we built three frameworks that are executable rather than aspirational. Every rule in them earns its place by killing a specific failure we have seen in production AI systems.
AGF: what agents can and cannot do
The Agent Governance Framework is the constitution. It defines the limits of agent action across six domains:
- Authorization. Who can deploy which agent, what scope it operates in, how permissions are granted and revoked, and the rules for cross-agent communication.
- Safety. Prohibited actions, confidence thresholds before anything runs automatically, human-in-the-loop gates, and the circuit breakers that stop an agent doing something it was never meant to.
- Audit. Every action logged, every decision carrying its reasoning, structured incident documentation, explicit responsibility chains.
- Compliance. Ethics standards, regulatory posture, client rights, data handling, and the places where the agent stops because the law says so.
- Lifecycle. Versioning, deploying, rolling back, deprecating. The boring operational discipline that keeps the system stable.
- Escalation. What happens when the agent hits something it cannot handle, where it goes, and the post-incident review that actually changes something.
The thing prompt injection exploits is the absence of authorization. If an agent has no defined scope, a clever input can talk it into anything. AGF closes that door before the agent ever reads untrusted text.
APF: how agents behave
The Agentic Protocol Framework is the operational reliability layer between a foundation model and a production deployment. It is ten protocols, each one addressing a documented failure mode that ungoverned agents reliably hit:
- Temporal grounding, so the agent knows what day it is and does not reason from a stale sense of time.
- Session context, so it does not start every conversation with amnesia.
- Epistemic honesty, so it separates what it verified from what it assumed.
- Self-fix, so errors get caught and corrected instead of compounding.
- Persistent task tracking, permission discipline, subagent delegation, and more.
These are not nice-to-haves. Each one exists because we watched an ungoverned agent fail in exactly that way. Date drift, retrieval misuse, confidently wrong claims, silently dropped skills. APF makes the behavior unable to leave the protocols without surfacing.
ASIP: how agents change, without drift
The third failure mode is the slow one. Agents that improve over time also drift over time, and drift is what happens when changes accumulate without anyone reviewing them.
The Agent Self-Improvement Protocol is the amendment process. The agent notices friction during normal work and writes a structured proposal: the observation, the current behavior, the proposed change, the expected impact, and a category. A human reviews it on their own clock. Approved changes land in the right surface, a memory file, a skill, a behavioral rule, a code change. Rejected ones get a reason. Every evolution leaves a trail.
The agent is explicitly told not to push for immediate approval. Drift is what happens when that review step gets skipped. ASIP makes skipping it impossible by design.
Constitution, institution, amendment
The three fit together cleanly. AGF and APF are the constitution: what is allowed and how the system behaves. The agents running against them every day are the institution. ASIP is the amendment process that lets the constitution change deliberately, under human review, without anyone quietly rewriting it overnight.
Three frameworks, one boardroom, no silent updates.
Why they stay proprietary
We keep the frameworks internal because the substance is the intellectual property. We invested in writing them, refining them against real engagements, and keeping them sharp. That work is the value.
Internal does not mean hidden from the people who need them. Clients who engage with us see the actual documents during onboarding, cite them in their own security and compliance posture, and inspect any specific policy that matters to their team. The substance is real even when it is not posted on the open internet.
Why this beats buying one
You could buy a governance framework. Most of what you would buy is a policy template: a document that describes good intentions and leaves the operational work to you. The hard part is not writing down that agents should be safe. The hard part is wiring safety into a numbered, enforceable path that an agent follows at runtime when no human is watching.
A policy without a numbered enforcement path is a wish. A protocol without a failure mode it prevents is decoration. We built the frameworks because we needed both layers to be executable, and we needed them to be ours so we could change them as fast as the technology changes.
This is the substrate behind Hextant and behind every engagement we run. It is the reason we can put autonomous agents into a business and tell the people running that business, in writing, exactly what those agents are allowed to do.
Operators first. The governance is not the product. It is the integrity of how the product operates.
ai-governanceai-agentsagfapfasip
Written by Aaron Lamb
Co-founder of Hexaxia. Builds the AI products this practice ships and runs the Fractional CAIO engagements. Operator first, AI second.
Hexaxia AI · v2 · 2026Blog / Applied AI thinkingBuilt by operators