The Three Papers at a Glance
Before walking through each paper in detail, here they are side by side.
| | Paper 1 | Paper 2 | Paper 3 |
|---|---|---|---|
| Title | Runtime Governance for AI Agents: Policies on Paths | Cryptographic Runtime Governance (Aegis) | Harnessing Embodied Agents |
| Authors | Kaptein, Khan, Podstavnychy | Mazzocchetti | Qin, Luan, See, Yang, Li |
| Affiliation | Eindhoven University of Technology + Kyvvu B.V. | SPQR Technologies Inc. | Harbin Institute of Technology + Heriot-Watt Malaysia + Soochow University |
| Date | March 17, 2026 | March 15, 2026 | April 9, 2026 |
| Framing | Formal — path-dependent policy functions | Cryptographic — execution conditions, not advisory principles | Empirical — validated in 1,000 simulated trials |
| Shared thesis | Runtime governance must live outside the agent; the agent cannot govern itself (all three papers) | | |
Why This Post Exists
When a new product category is forming, one of the hardest things to demonstrate is that the category is real — that the problem has a shape the whole industry will eventually recognize, rather than a framing only the founder believes in. Markets are full of products that looked sharp in a pitch deck and turned out to be solving a problem nobody else was ready to name.
One of the clearer signals that a category is real is when independent thinkers, with no connection to each other or to your product, arrive at the same architectural conclusion. Not a similar conclusion. The same conclusion. From different domains, different literatures, different motivations.
That is what happened around Surfit in the last six weeks: three independent research groups published papers on runtime governance for AI agents.
Each effort, written in ignorance of the others and of Surfit, converges on the same structural answer: governance for AI agents has to live outside the agent, at the execution boundary, and the agent cannot be trusted to govern itself.
This post walks through each paper, what it argues, where Surfit agrees, and where the frameworks diverge — because the convergence is real and worth sitting with, but only if the similarities and differences are described honestly.
Paper 1: Policies on Paths
The paper from Kaptein and colleagues is the formal version of the argument. They start from the EU AI Act and the observation that agents produce path-dependent behavior — the same agent on the same task can take different sequences of actions on different runs, each action having its own compliance implications.
Their central claim is that static policies — the kind encoded in permission systems, OAuth scopes, or rule engines — are a strict subset of a more general framework. The paper shows that prompt-level instructions and static access control are special cases of runtime path evaluation: one shapes the distribution over paths without evaluating them, the other evaluates deterministic policies that ignore the path entirely.
They argue that runtime evaluation is the general case, and it is necessary for any policy that depends on what the agent has already done, what system state it encounters, or what the combined effect of its action sequence will be.
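The subset relationship is easy to see in code. Here is a minimal sketch, not from the paper: `Action`, `path_policy`, and `static_policy` are illustrative names, and the rule itself is invented for the example. The point is that a static allowlist is a policy function that happens to ignore its `history` argument, while a path-dependent policy can forbid combinations of actions that are each individually allowed.

```python
from dataclasses import dataclass

@dataclass
class Action:
    """A single step an agent proposes to take (hypothetical model)."""
    name: str
    target: str

def path_policy(history: list[Action], proposed: Action) -> bool:
    """Deny any export once the agent has touched customer records
    earlier in this run -- a rule no static permission list can express."""
    touched_customers = any(a.target == "customers" for a in history)
    return not (proposed.name == "export" and touched_customers)

# A static policy is the degenerate case that ignores the path entirely.
ALLOWED = {("read", "customers"), ("export", "reports")}

def static_policy(history: list[Action], proposed: Action) -> bool:
    return (proposed.name, proposed.target) in ALLOWED

history = [Action("read", "customers")]
export = Action("export", "reports")

print(static_policy(history, export))  # True: the pair is allowlisted
print(path_policy(history, export))    # False: the path makes it an exfiltration risk
```

Both actions pass the static check in isolation; only the path-aware policy sees that reading customer data and then exporting is a different situation than either step alone.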
That is Surfit's thesis as a product. The Wave engine evaluates actions in the context of the agent's history (trust scoring), the organizational state (business context), and the proposed next action (risk classification). Kaptein et al. are arguing, in formal terms and from a different starting point — EU regulatory compliance rather than enterprise operations — that this is the only class of approach that can handle the actual problem.
This is the paper of the three that lines up most precisely with how Surfit thinks about governance. The framing is formal; the conclusion is identical.
Paper 2: Aegis
The Aegis paper shares one very specific thesis with Surfit, and it is worth isolating that thesis precisely.
Mazzocchetti's framing of governance as "execution conditions rather than advisory principles" is the same distinction Surfit makes between advisory governance (which the agent can ignore) and architectural governance (which the agent cannot bypass). The surface language is different — Aegis talks about cryptographic sealing, Surfit talks about credential separation — but the underlying argument is the same: governance that depends on the agent cooperating is not really governance. Enforcement must be architectural, external, and non-bypassable.
The implementations diverge significantly after that shared thesis. Aegis is built around cryptographic attestation of every emission, an Immutable Ethics Policy Layer sealed at system genesis, a quorum-of-validators design (the "Senatus" of five autonomous Auctor agents) for policy amendments, and OS-level syscall interposition for emissions that don't go through the signed publish API. It is constitutional-governance-as-code, focused on long-running autonomous systems where the enforcement target is ethical and legal drift.
Surfit is built around a deterministic business-context scoring engine (the Wave engine, 1–5), credential separation at the API level, per-action receipts, and cross-system correlation for multi-step threat patterns. It is operational-governance-as-code, focused on enterprise agent actions where the enforcement target is "does this specific action make sense for the business right now."
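The shared thesis, governance as an execution condition, can be sketched in a few lines. This is an illustration of the pattern, not Surfit's or Aegis's implementation: `GovernanceGateway`, its toy 1-to-5 `score` heuristic, and the `approve_below` threshold are all invented for the example. What the sketch shows is the structural property both systems rely on: the agent submits intents, but the credential and the execute/deny decision live in a process the agent cannot reach.

```python
import os

class GovernanceGateway:
    """Hypothetical sketch of credential separation: the agent submits
    intents; only the gateway holds the API credential and decides
    whether execution happens."""

    def __init__(self, approve_below: int = 4):
        # The real credential never reaches the agent process.
        self._api_key = os.environ.get("CRM_API_KEY", "demo-key")
        self.approve_below = approve_below
        self.receipts: list[dict] = []

    def score(self, intent: dict) -> int:
        """Toy deterministic 1-5 risk score (stand-in for a real engine)."""
        risk = 1
        if intent.get("writes"):
            risk += 2
        if intent.get("external"):
            risk += 2
        return min(risk, 5)

    def execute(self, intent: dict) -> bool:
        risk = self.score(intent)
        approved = risk < self.approve_below
        # Per-action receipt, recorded whether or not execution happens.
        self.receipts.append({"intent": intent, "risk": risk, "approved": approved})
        if approved:
            pass  # downstream API call would go here, using self._api_key
        return approved

gw = GovernanceGateway()
print(gw.execute({"op": "read_report"}))                  # True  (risk 1)
print(gw.execute({"op": "bulk_email", "writes": True,
                  "external": True}))                     # False (risk 5)
```

Because the agent never holds `_api_key`, a denied intent is not a suggestion the agent can route around; it is simply an action that never acquires the authority to run.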
So the convergence is real but specific. Two people, working independently in the same month, both concluded that agent governance has to be architecturally enforceable rather than advisory — the same structural insight. Their engineering answers are different because they are solving adjacent problems, not identical ones. But the shared thesis — governance as execution condition, not as advisory principle — is the core of what Surfit argues.
Paper 3: Harnessing Embodied Agents
The third paper, from Qin and colleagues, is the empirical version of the argument. They apply runtime governance to embodied agent systems — robots, not cloud APIs — but the architectural claim is identical, and they back it with experimental data.
Their framework separates agent cognition from execution oversight into a dedicated runtime governance layer. Every capability invocation passes through admission control, policy checking, and execution monitoring. If the framework sounds familiar, that is because it is the same architecture Surfit describes in its landscape post: the agent proposes, the governance layer evaluates, and execution is conditional.
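The three-stage shape of that layer, admission control, policy checking, execution monitoring, can be sketched as follows. This is a minimal illustration of the architecture, not the paper's implementation; `RuntimeGovernor` and every name in it are invented for the example.

```python
class RuntimeGovernor:
    """Minimal sketch of a runtime governance layer with three stages:
    admission control, policy checking, and execution monitoring."""

    def __init__(self, capabilities: set[str], policy):
        self.capabilities = capabilities   # what the agent may even request
        self.policy = policy               # per-invocation policy check
        self.log: list[str] = []

    def invoke(self, capability: str, args: dict, run) -> str:
        # 1. Admission control: is this capability registered at all?
        if capability not in self.capabilities:
            self.log.append(f"ADMISSION_DENIED {capability}")
            return "denied"
        # 2. Policy check: is this specific invocation allowed right now?
        if not self.policy(capability, args):
            self.log.append(f"POLICY_DENIED {capability}")
            return "denied"
        # 3. Execution monitoring: run, but record the outcome either way.
        try:
            run(capability, args)
            self.log.append(f"OK {capability}")
            return "ok"
        except Exception as exc:
            self.log.append(f"FAILED {capability}: {exc}")
            return "failed"

gov = RuntimeGovernor(
    capabilities={"move", "grasp"},
    policy=lambda cap, args: args.get("speed", 0) <= 1.0,
)
print(gov.invoke("move", {"speed": 0.5}, lambda c, a: None))   # ok
print(gov.invoke("move", {"speed": 9.0}, lambda c, a: None))   # denied
print(gov.invoke("ignite", {}, lambda c, a: None))             # denied
```

Note that the agent's cognition never appears in this class: it only supplies proposals. That separation is exactly what the paper's experiments stress-test.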
The contribution of this paper is that it provides empirical validation that the architecture works. Across 1,000 randomized trials, their runtime governance layer intercepted 96.2% of unauthorized actions, reduced unsafe behavior under drift from 100% to 22.2%, and achieved 91.4% recovery success with full policy compliance. They baseline this against alternatives with embedded safety logic and show statistically significant outperformance.
This is important because it answers one of the early questions any external governance architecture has to handle: does adding a runtime layer between the agent and the action surface actually work, or does it just add latency while missing most violations? Qin et al. show that, at least in simulation within the embodied agent domain, it works decisively — and that systems without this separation fail catastrophically under realistic adversarial conditions. The embodied agent setting is different from enterprise API governance, but the architectural principle being validated is the same one Surfit implements.
Where They Converge and Where They Diverge
The three papers do not describe identical systems. They describe three engineering answers (formal path policies, cryptographic attestation, capability admission control) that share one core thesis: execution authority belongs outside the agent.
What This Means
When three independent research efforts, working in different domains on different problems, converge on the same core architectural answer in the same six-week window, that is not coincidence. It is the signature of a real structural insight that the field is ready to name.
Put these three papers together with the already-visible competitive movement — Microsoft shipping the Agent Governance Toolkit in April, 1Password introducing unified access for agent credentials in March, IBM and Auth0 and Yubico announcing human-in-the-loop authorization partnerships at RSAC — and the pattern is unmistakable. The industry is recognizing the same problem Surfit is built to solve, and converging on the same class of answer.
What every serious 2026 analysis of agent governance is now saying:
→ Static permissions are not enough — runtime path evaluation is needed
→ Governance embedded in the agent is structurally advisory, not enforceable
→ Execution authority must sit outside the agent, architecturally enforceable
→ The external governance layer is where business policy actually becomes enforceable
Surfit did not wait for the research literature to catch up. The architecture was built first, because the problem was visible to us first — from shipping AI agents in real operational contexts, where the gap between "the agent has permission" and "the action makes sense right now" made itself painfully obvious. The research community is now arriving, independently, at overlapping conclusions.
The convergence matters for a second reason. Surfit is a product that occupies a category — Layer 3, the execution decision layer — that has very few other entrants. One reasonable objection to occupying a nearly-empty category is that the category might not be real. These three papers, written by people who have no knowledge of Surfit and no incentive to validate our framing, argue the opposite. The category is real. Externalized runtime governance is the right architectural class. The specific engineering details — scoring engines vs cryptographic attestation vs capability admission — will be debated. The structure will not.
What Comes Next
If the last month is any indication, the literature on runtime agent governance is about to compound. Kaptein et al. identify open problems including risk calibration and the limits of enforced compliance. Mazzocchetti's Aegis focuses on cryptographic attestation and immutable policy layers. Qin et al. have already published follow-on work on governed capability evolution and contract-based capability interfaces for embodied agents. Each paper opens the door to follow-on work — on how organizations calibrate their risk thresholds, how governance layers handle adversarial drift, how policy violations are proven after the fact.
Surfit's product roadmap is adjacent to all of these. Predictive risk scoring based on approval patterns. Real-time policy simulation before deployment. Execution replay for forensic analysis. These are not academic exercises for us — they are the next capabilities customers are asking for as they move agents from advisory to operational authority.
The research framing and the operational framing are converging. Which is what happens when a category becomes real.
Surfit is the production implementation of runtime agent governance — shipping today, customer zero, and operating at the exact architectural layer the research community has started to name.
None of these three papers is a peer-reviewed journal publication. They are preprints on arXiv. What they are is independent arrival — three research efforts reaching overlapping structural conclusions in parallel, with no knowledge of each other or of Surfit. That is a different kind of signal than a single peer-reviewed paper would be. Peer review certifies rigor within an established framing. Independent convergence certifies that the framing itself is ready to be named.