Why Everyone Is Trying to Govern Behaviour Instead of Actions

Several conversations over the last few weeks have followed the same arc and it is worth naming. One started with process assurance, another with data provenance, another with output scoring, another with the epistemology of model decisions. The starting points differed and the participants were serious; each had a real problem in view. Each conversation, almost without anyone noticing, drifted away from the only place governance of autonomous AI action can actually be enforced.

The drift was not toward nonsense. It was toward useful work that sits near governance: better workflows, cleaner state, safer outputs, stronger reasoning. But every proposal I heard landed in the same structural position: a sophisticated way to evaluate something other than the action at the point of execution.

The pattern is not a coincidence. It is a common architectural default, and it becomes much easier to see once the stack is separated. Upstream of the action boundary, there is work that informs decisions: process alignment, state validation, output scoring, epistemic review. At the action boundary, governance evaluates a proposed action against explicit policy and delegated authority. Downstream, the action executes and its consequences land in the world. Everything upstream may improve the quality of what reaches the boundary. None of it controls whether an unauthorised action executes once it arrives.

Different Starting Points Drift Upstream

The starting points differ — process, state, output, reasoning — but the move that follows is consistent. In every case the proposal pulls governance away from the action boundary and lands it somewhere upstream.

One common position is process alignment. The argument is clean: governance should ensure that the agent follows the right process. Not just that individual actions are permitted, but that the sequence of actions over time conforms to an expected workflow. Behaviour governance does useful work here. It evaluates the agent’s trajectory: did it follow the right process, did it take the expected path, did it consult the sources the organisation required? The drift is subtle because process alignment evaluates how the agent behaves rather than whether a specific action at a specific moment is authorised to execute. An agent can follow the correct process perfectly and still produce an unauthorised action at step seven. It can also deviate from the expected process and still produce only authorised actions. The process and the action are correlated, not coupled.

Another recurring position is state validity. The argument is equally coherent: governance should ensure the integrity and provenance of the data the system operates on. Before an action executes, the system should verify that its inputs are valid, that the data has not been tampered with, that the state of the world the action depends on is trustworthy. Data governance answers those questions; it evaluates the environment the action operates in, not the action itself. A system operating on perfectly valid, provenance-verified data can still execute an unauthorised action against that data. The data’s integrity does not determine the action’s authority. Validating the input does not govern the operation.

A third position is output scoring. The argument is pragmatic: governance should evaluate the quality and safety of what the system produces. Score the output, classify it, run it through a safety evaluator. If the output is acceptable, the system is governed. Content evaluation belongs in this family; it evaluates results, asking whether the system produced something harmful, inaccurate or outside a policy constraint. The timing problem is obvious. Output scoring evaluates what the system has already done. The action has executed and the consequence has been produced. A system that scores outputs is doing quality assurance, not governance. The temporal difference matters because governance prevents while scoring reviews.

The subtlest position is epistemic soundness. The argument is the most intellectually sophisticated of the four: governance should ensure that the reasoning behind a decision is admissible. The evidence should be sound, the inference should be valid, the chain of reasoning from inputs to decision should withstand scrutiny. This is the version of the move I find hardest to catch in conversation because it feels the most like governance. If the reasoning is sound, surely the action is justified. But epistemic soundness evaluates whether an action should be taken, not whether it may be taken. Justification and authorisation are not the same thing. A perfectly reasoned action outside delegation scope is still unauthorised. The quality of the reasoning does not expand the scope of the delegation.

Different positions, different disciplines, each evaluating something real. None of them stands at the point where the action is about to produce a consequence and determines whether it may proceed. Everything upstream can improve the decision. Only the boundary controls the outcome.

Why The Drift Happens

I have come to think the action boundary is uncomfortable to spend professional attention on because it is narrow and binary. It asks a single question: is this specific action, by this actor, under this delegation, at this time, permitted by this policy? It then answers with one of three outcomes: allow, deny or escalate. It does not care whether the action is wise, well-reasoned or part of a good process. It asks only whether the action is authorised.

The alternatives feel more substantial. Process alignment considers the whole workflow rather than a single action; state validity considers the entire data environment; output scoring considers the full consequence; epistemic soundness considers the complete reasoning chain. Each is broader, deeper and more intellectually engaging than a binary gate on a single action.

The drift happens because governance feels like it should be complex. Autonomous systems are complex, the problems they create are complex, the regulatory environment around them is complex, and it seems natural that governance should match that complexity by becoming a rich, multi-dimensional evaluation that considers process, state, outputs and reasoning together.

Enforcement itself is not complex. It is a gate: open or closed. The sophistication of a governance system sits around the gate, in the policy, the delegation model and the evidence chain that inform the decision. The gate has to remain simple. A gate that requires interpretation becomes another place to argue after the action has already moved.

What Each Position Gets Right

I am not dismissing these positions. Each identifies a real problem and proposes a real solution, and each makes governance better in a way that is worth doing.

Process alignment reduces the probability that an agent reaches a state where it attempts unauthorised actions in the first place, and it is a form of risk reduction that serious deployments need. State validity matters because a system operating on corrupted, tampered or unverified data is more dangerous than one operating on clean data; data provenance and integrity are foundational to trustworthy systems. Output scoring matters because catching harmful, inaccurate or policy-violating outputs after the fact is how organisations detect problems that pre-execution controls did not catch, and it is the feedback loop that improves the system over time. Epistemic soundness matters because decisions backed by sound reasoning and sufficient evidence are better than decisions that are not, and ensuring the admissibility of the reasoning chain is how organisations build confidence that their systems are making defensible choices.

All four are real, all can make governance better, and none of them, by itself, creates governance.

The Strongest Objection

The sharpest challenge to the framing I have just made comes from the state-validity position, and it deserves a direct answer. The challenge is this: if the data is wrong, corrupted, stale or tampered with, then even a correctly authorised action can produce a bad outcome. An agent can operate within its delegation, be evaluated against the right policy, produce a clean receipt, and still cause harm because the state it acted on was degraded. State matters.

Governance does not validate truth. It does not determine whether the world is correct, because that is an epistemological problem and it is unbounded. No system can guarantee that its inputs are true, and any system that requires truth as a precondition for action will either block indefinitely or quietly assume what it cannot verify.

What governance can do, and must do, is enforce that actions execute only when explicit, deterministic constraints are satisfied: that a required signature is present, that a freshness assertion is within its bound, that a mandatory approval has been recorded, that a data source has been attested by the system responsible for attestation. These are not claims that the world is accurate. They are bounded claims that another plane has made, expressed in a form the authority decision can require and verify.

Call this qualified state under explicit constraints. What the policy asks is whether the conditions for acting on the data have been met, not whether the data is true: was the attestation provided, is it within bounds, has the required verification been recorded? These constraints are part of the policy, deterministic and replayable. An auditor can reconstruct why the gate opened, not because the data was correct in the world, but because the conditions for action were satisfied at the time of evaluation. The decision does not depend on whether the world was right. It depends on whether the preconditions for acting in it were met.

This resolves the objection without asking authority to verify reality. State validity remains important, and in some architectures it will deserve its own plane beside authority, with its own proof obligations and its own receipts. Authority can require that plane’s assertion as an input. It should not absorb the plane’s job.

Upstream Work Cannot Replace The Boundary

These positions share a structural characteristic that is easy to miss because each one, taken on its own terms, is coherent and complete. They all operate upstream of the enforcement boundary, or downstream of it, but not at it; each improves the quality of what reaches the boundary, each reduces the probability that an unauthorised action will be attempted, and none controls whether such an action executes.

Everything upstream can improve the decision. Only the boundary controls the outcome.

A system with excellent process alignment, validated state, scored outputs and sound epistemics, but no enforcement at the action boundary, is a system that cannot prevent a single unauthorised action from executing. Every upstream improvement makes it less likely that an unauthorised action will be attempted. None makes it impossible for one to succeed.

Risk reduction and enforcement separate at that point. Risk reduction lowers the probability of a bad outcome; enforcement prevents the bad outcome from occurring. Both are necessary and they are not interchangeable. An organisation that has invested heavily in upstream disciplines and not at all in action-boundary enforcement has built a sophisticated system for informing governance decisions with no mechanism for enforcing them. The decisions may be careful; the boundary still does not exist; the upstream evaluations float above the execution layer, advising but not constraining, and actions execute regardless of what those evaluations concluded.

This pattern is visible in many autonomous AI deployments today. Organisations have invested in content safety, behavioural monitoring, data validation and reasoning evaluation. The investment is genuine and the capability is real. The action boundary, the point where a specific action is about to produce a specific consequence, is still often undefended.

The Gravitational Pull

Why does every conversation end in the same place? Why do different people, with different backgrounds, proposing different solutions, all drift away from the action boundary?

Because the action boundary is the least intellectually interesting part of the system. It is narrow, constrained and mechanical: it does not reason, it does not analyse patterns, it does not evaluate quality. It takes a single action, evaluates it against a policy and a delegation, and produces a decision. The decision is deterministic; the evaluation is a pure function; there is no room for interpretive flourish.

The surrounding components are far more interesting. Upstream problems involve behaviour patterns, cryptographic verification, provenance chains, classifiers, safety evaluators, formal reasoning, evidence standards. That is where the intellectual challenge lives. The action boundary, by comparison, involves a lookup: is this action, by this actor, under this delegation, permitted?

Engineers, architects and researchers are drawn to the interesting problems, and many of those sit upstream: novel research, conference papers, hard design questions. The boundary is boring; the primitives are well understood, even if the deployment context is new. What is not well understood is that the boundary is the only component that matters at the moment of consequence. Everything upstream improves the probability that the right action reaches the boundary. Only the boundary determines whether the action executes. The gravitational pull is toward sophistication, and deployments often follow it.

The Practical Test Is Enforcement

The distinction is testable. Take any system that claims to govern autonomous AI action and ask a single question: can it prevent a specific action from executing, and prove that it did?

If yes, if the system evaluates a proposed action against policy and delegation before execution, produces a deterministic decision, and creates a tamper-evident record of that decision, it has enforcement. It governs at the action boundary.

If no, if the system evaluates processes, validates state, scores outputs or analyses reasoning, but cannot prevent an unauthorised action from executing at the moment it is proposed, it does not have enforcement. What it has is analysis, and analysis without a boundary is not control.

The disciplines that get labelled governance but cannot block an action go by their proper names elsewhere: process analysis that cannot block is workflow monitoring, state validation that cannot block is data quality, output scoring that cannot block is quality assurance, epistemic evaluation that cannot block is decision support. Each is a legitimate discipline producing real value. None of them governs the action. A system that cannot prevent an action is not governing it; it is advising on the action, analysing it, scoring it or monitoring it. Governance is the thing that operates a gate, closed by default, opening only on explicit authorisation, producing evidence that the decision was made. Nothing in any of those upstream disciplines is operating a gate.

The Next Move Should Preserve The Boundary

The upstream work will continue to expand, and it should. Upstream investment makes governance systems better, more informed, more precise. The issue is not whether that investment is valuable; the issue is whether it is being mistaken for enforcement. When an organisation reports that it has governance over its autonomous AI systems because it monitors processes, validates data, scores outputs and evaluates reasoning, but has no mechanism to prevent an unauthorised action from executing, it has made exactly this mistake.

The drift from actions to behaviour is a common default. It is the path of least resistance, the path of greatest intellectual interest, and the path that produces the most impressive-looking governance architectures. It also leaves the action boundary undefended.

The boundary is where consequence is produced. Governance that does not reach it may improve judgement, reduce risk and make better decisions possible. It still governs everything except the thing that acts.