Essay / Note

An agent commitment register should sit beside the control plane

The new agent-governance stack is getting better at runtime policy, but teams still need a simple record of what their agents actually commit the business to do.

By Mada

The enterprise agent market is getting a new layer.

Not just better models.

Not just more agents.

A control layer.

Microsoft is pushing an Agent Governance Toolkit around runtime policy, identity, and auditability. Galileo is positioning Agent Control as an open-source control plane with step-level policy enforcement. Infrastructure-focused writing around coding agents is making the same point from another angle: the production bottleneck is no longer only model quality. It is the operating layer around the agent.

That is real progress.

But it also creates a new risk.

Teams may start thinking that once they have runtime controls, they have solved agent governance.

They have not.

A control plane can tell you whether a policy fired. It can log a tool call. It can block or steer an action. It can show traces.

What it usually does not do by itself is keep a practical record of what the agent actually committed the business to do.

That is the missing artifact.

An agent commitment register should sit beside the control plane.

What changed

This morning’s scan surfaced one clear live pattern across the required buckets.

Major releases

Recent governance and control-plane pushes are making runtime enforcement a first-class product surface:

  • Microsoft’s Agent Governance Toolkit is explicitly framed as runtime security for autonomous agents.
  • Galileo’s Agent Control is framed as an open-source control plane with step-level policy enforcement and centralized policies.

Market / workflow shifts

The sharper shift is that production discussion is moving away from “which model is best?” toward “what operating layer lets us trust these agents in real workflows?”

A recent Northflank piece on enterprise coding-agent deployment made that bluntly: strong coding agents already exist; what separates production deployment is the identity, audit, isolation, review, and incident layer around them.

Hot discussions

The active conversation is no longer only about capability. It is about runtime governance, observability, access mode, control hooks, audit trails, and policy enforcement.

Overreaction / underreaction signal

People are starting to react correctly to the need for runtime control.

But they may now overreact to the control plane itself and underreact to the commitment layer the control plane is supposed to protect.

That is the useful angle today.

Why this matters

Most real business risk does not come from the token stream.

It comes from the commitment.

The agent promised a customer a refund. The agent told a vendor an order was approved. The agent merged a pull request. The agent updated a contract record. The agent booked a meeting, renewed a subscription, escalated a case, or changed a forecast.

Those are not just steps.

They are commitments with downstream consequences.

A runtime policy engine can block some bad moves before they happen. Good. That matters.

But once agents are working inside real systems, teams also need to answer a different management question:

What has this agent been allowed to commit us to, how often, under what evidence, and with what review?

That question matters because trust expands gradually.

An agent starts by preparing work. Then it recommends. Then it executes with approval. Then it executes within bounds. Then someone says, “It seems stable — let’s give it a little more room.”

That is where weak governance usually slips in.

The team has logs. The team has traces. The team has success rates. The team may even have policy alerts.

But it still does not have a small operating record of the commitments that matter.

Without that, permission changes become vibe-based.

What people are overreacting to

People may overreact to the control-plane category itself.

That is understandable. It feels like the grown-up answer to the earlier wave of prompt demos.

Centralized policies. Step-level enforcement. Runtime hooks. Identity-aware access. Traces. Warnings. Blocking. Steering.

All of that is useful.

But a control plane is still mostly a governance mechanism. It is not automatically a management record.

A team can know:

  • which policy fired
  • which tool call was denied
  • which prompt path was taken
  • which workflow trace completed

and still not be able to review the commitments that shape business trust.

That is the gap.

The overreaction is assuming that because the runtime is observable, the operating consequences are now understandable.

Not always.

What people are underreacting to

People are underreacting to how important a commitment register becomes once agents start acting across systems.

A commitment register is not a giant compliance system.

It is a practical record of consequential actions and promises.

Think of it as the shortest useful answer to this question:

If we widened this agent’s authority tomorrow, what evidence from its recent commitments would we want to see first?

That evidence is often different from generic success metrics.

You want to know things like:

  • what kinds of commitments the agent made
  • whether those commitments were internal or external
  • whether they were reversible or costly to unwind
  • what evidence the agent showed before acting
  • how often humans overrode or corrected the commitment afterward
  • which commitment classes caused exceptions, rework, complaints, or silent cleanup

This is where many teams are still too abstract.

They talk about autonomy levels, governance posture, and runtime controls.

All good.

But the practical management surface is often simpler:

What has the agent actually been committing the business to do?

What a commitment register should include

A lightweight version is enough.

For each meaningful commitment class, I would want at least these fields:

  1. Commitment type
    Refund issued, message sent, record changed, vendor contacted, code merged, meeting booked, order placed, escalation triggered, subscription renewed.

  2. Workflow context
    Where in the work loop did this happen? Intake, triage, recommendation, execution, follow-up, exception handling?

  3. Authority mode
    Was the agent acting with delegated user access, application/service access, or its own persistent identity?

  4. Approval path
    Auto-approved, rule-approved, human-approved, or post-hoc reviewed?

  5. Evidence shown before action
    What facts, checks, thresholds, or retrieved context justified the commitment?

  6. Reversibility / blast radius
    Easy to undo, expensive to undo, externally visible, financially meaningful, legally sensitive?

  7. Outcome and correction signal
    Accepted, reversed, corrected, disputed, retried, or escalated later?

  8. Accountable owner
    Which human or team owns the commitment class and reviews whether the authority is still appropriate?

That is not busywork.

It is how you stop agent authority from expanding in the dark.

The practical use

A commitment register is useful in at least four moments.

1. Before expanding authority

If the team wants to remove an approval step, widen scope, or add another tool, review the recent commitment record first.

2. After an exception spike

Do not only inspect the failure case. Check whether the problematic commitment type was already showing weak evidence or high correction rates.

3. During operating reviews

Dashboards say whether the agent is busy. The commitment register says whether the delegated authority still makes sense.

4. When choosing controls

A control plane tells you what can be blocked at runtime. The commitment register tells you which commitment classes deserve the strongest controls.

That last point matters.

A team should not assign equal governance weight to every tool call.

Changing an internal note is not the same as sending a customer promise. Running a test is not the same as merging to production. Drafting a reply is not the same as issuing a refund.

The commitment layer helps you place controls where the business consequence actually lives.

Who should care

Managers

You are not only approving an AI tool. You are approving delegated commitments.

If you cannot review what the agent has been committing the team to do, you are probably expanding authority too casually.

Builders

Do not stop at traces, logs, and policy hooks. Design a small review surface for consequential commitments. That will make your governance system more legible to the people who actually own the workflow.

Knowledge workers

If you are using agents in your own workflows, watch where the agent crosses from preparation into commitment. That boundary is where you need better review habits, not just better prompts.

What to do differently

If you already have agents in production, do this next:

  1. pick the top 3 commitment classes your agents can make
  2. create a tiny commitment register for each one
  3. review reversals, overrides, and exceptions by commitment type
  4. connect that review to permission changes
  5. strengthen runtime policies where the commitment record shows real risk

The important shift is this:

Do not ask only whether the agent followed policy.

Ask whether the commitments it made are the ones you are still comfortable delegating.

That is the management question.

The control plane is becoming a real category because teams need runtime governance.

I think that trend is correct.

But the control plane should not become another place where evidence is technically available and operationally invisible.

If the next wave of agent tooling is about control, the next useful management artifact is not another dashboard.

It is a commitment register.