Why infrastructure-layer governance is the only durable answer.
The governance mechanism and the entity being governed cannot share the same trust boundary. This is not a product opinion. It is an architectural principle the security community has relied on for decades.
Governance and the entity being governed cannot share the same trust boundary.
“Many current agent governance approaches are implemented as middleware within the agent's own runtime. This means a sufficiently capable agent, a compromised dependency, or a malicious actor with access to the agent's process can bypass governance entirely. The governance mechanism and the entity being governed share the same trust boundary. This is analogous to relying on an application to enforce its own access controls without an external authentication service, a pattern that the security community abandoned decades ago.”
This passage is from a formal comment submitted by Panoptic Systems to the National Institute of Standards and Technology on Security Considerations for Artificial Intelligence Agents (Docket NIST-2025-0035, 91 FR 698), February 2026. It is the single clearest articulation of why in-process governance fails and why infrastructure-layer governance is the architectural answer.
Deterministic governance requires architectural separation.
AI systems cannot reliably govern themselves. Self-reporting by the entity under review is structurally insufficient. When the thing generating evidence is the same thing being evaluated, the evidence is compromised by design.
Deterministic enforcement requires an external, out-of-process control point in a separate trust boundary. This is the difference between monitoring and governance: monitoring tells you what happened; governance decides whether it should happen.
The word "deterministic" alone is no longer differentiating. Microsoft's Agent Governance Toolkit and other framework-layer approaches also describe themselves as deterministic. The conceptual moat is three properties together: deterministic enforcement at the network layer, in a separate trust boundary from the agent, producing offline-verifiable evidence.
“deterministic infrastructure-level governance that provided audit-grade evidence”
How the approaches differ.
A factual comparison. Both in-process and infrastructure-layer approaches are useful; they answer different questions.
| Dimension | Microsoft Agent Governance Toolkit | App-layer / framework approaches | Panopticore |
|---|---|---|---|
| Deployment | SDK middleware in agent framework | SDK middleware in agent framework | Network sidecar, no framework integration |
| Trust boundary | Same as agent (per their README) | Same as agent or framework | Separate from agent |
| Framework coupling | Requires adapter (LangChain, CrewAI, etc.) | Requires adapter (LangGraph, ADK, Strands) | Vendor and framework neutral |
| Audit evidence | OpenTelemetry spans in App Insights | Trajectory logs, vendor dashboards | Self-contained, offline-verifiable Evidence Binder |
| Regulator-facing artifact | Not native to toolkit | Not native | Evidence Binder |
| MCP / A2A | Integrations evolving | Varies | MCP-aware today, A2A near-term |
Microsoft Toolkit claims cite Microsoft's own GitHub README ("Known Limitations & Design Boundaries" section). Table accurate as of April 2026. Subject to quarterly review.
Microsoft Agent 365.
Microsoft Agent 365 is a separate Microsoft enterprise SKU for managing and auditing Copilot agents within M365 tenants. It is a distinct product from the open-source Agent Governance Toolkit compared above.
Agent 365 governs agents inside the Microsoft 365 trust boundary using M365's own audit log infrastructure. Panopticore governs at the network layer regardless of platform, including agents that cross M365 boundaries to external systems.
Agent 365 covers what Microsoft can see inside its own platform. Panopticore covers what crosses trust boundaries between systems. Different scope, complementary use.
What Panopticore does not govern.
Actions that remain entirely within a vendor's closed infrastructure are outside Panopticore's interception surface. An Agentforce action that executes entirely inside Salesforce, a Copilot action that stays within the M365 boundary, an agent that never makes an outbound network call: these are architecturally outside the scope of network-layer governance.
This is a deliberate architectural boundary, not a roadmap gap. Stating it clearly is more valuable than overclaiming. Infrastructure-layer governance governs the boundary. Platform vendors govern the interior.
First to combine three properties.
Panopticore is the first system to combine three properties:
Not "first agent governance." Not "first audit log." Not "first deterministic enforcement." The precision of the claim is the credibility.