Why AI governance becomes real at the action boundary

Date: Jun 08, 2025

Author: JW

For a while, AI governance could stay one layer above the system.

Teams could talk about model behavior, safety policies, evaluation results, and disclosure language. That was often enough because the system mostly produced text.

The situation changes when the system starts taking action.

Once an agent can send, buy, deploy, approve, write, route, or mutate something outside the chat window, the interesting question is no longer whether the model is generally capable or generally aligned.

The question becomes simpler and harder at the same time:

What exactly has to become explicit before the action is allowed to happen?

The old unit was the model

A great deal of AI governance language was built around the model.

That made sense for an earlier phase of the market. The center of gravity was the model itself, its training, its evaluation profile, its known limitations, and the policies around how people should use it.

That vocabulary is still useful. It is just no longer enough.

A model can be excellent at generating plausible output and still sit inside an agent system whose runtime boundary is vague, whose approval path is decorative, and whose evidence trail collapses the moment anyone asks what actually happened.

The unit is now the action

An agent system is not just a model with nicer prompting.

It is a model attached to tools, identities, connectors, permissions, memory, workflow state, and some execution boundary that may or may not be visible to the operator. At that point the thing that matters most is no longer the raw answer. It is the governed action.

That is why the action becomes the right unit of analysis.

If you treat the action as the trust-bearing object, different questions come into focus:

  • can the action be ruled admissible before side effects

  • can the boundary of the action be explained

  • can assumptions be captured while they still matter

  • can approval stop execution before the effect, rather than merely annotate it later

  • can the path be reconstructed after the fact

Those are runtime questions. They are not solved by a model card.

Why this pressure is now wider than one company or one market

This is not just one product category maturing. The pressure is now visible across several official governance tracks.

In the EU, the AI Act is applying in stages. The main regulation applies from August 2, 2026, while the prohibitions, definitions, and AI literacy obligations have applied since February 2, 2025, and some governance and general-purpose AI model obligations have applied since August 2, 2025. That does not mean every builder suddenly becomes a lawyer. It means governance can no longer stay fully informal once AI systems move into higher-consequence use. See the official EUR-Lex summary and the full AI Act text.

In Singapore, IMDA launched the Model AI Governance Framework for Agentic AI in January 2026 and published an updated framework on May 20, 2026. The signal matters because the framework is explicitly about agents that can take actions, adapt, and interact with tools and other systems.

In Japan, the AI law framework took effect on June 4, 2025. It is not the EU AI Act in Japanese clothing. It is lighter and more promotion-oriented. But it still reflects the fact that AI governance has moved from abstract principle into national operating structure. See the official Cabinet Office page and the English law translation.

In Canada, the previous Bill C-27 process did not become the governing AI law path, but Canada still has a live Voluntary Code of Conduct on Advanced Generative AI Systems and an AI Strategy for the Federal Public Service 2025-2027. That combination is a useful reminder that implementation pressure does not wait for one perfect statute.

In the United States, there is still no single AI Act that stands above everything else. Instead, builders face a stack: NIST AI RMF 1.0, the Generative AI Profile, federal OMB memoranda on agency use and acquisition, FTC enforcement pressure, and state law such as Colorado’s SB24-205 as amended by SB25B-004, which delays key requirements to June 30, 2026.

None of these regimes says exactly the same thing.

That is not the point.

The point is that they all make it harder to pretend governance ends at model documentation.

What builders usually discover too late

Most agent stacks are much stronger at generation than at governed action.

They can call tools. They can chain steps. They can maintain a working session. They can even log activity.

What often stays thin is the control layer between intention and side effect.

That is where the hard questions show up:

  • Was this action admissible before it ran, or merely explainable after it ran?

  • Was approval actually able to pause execution, or was it just a review ornament?

  • Did the system preserve the assumptions that shaped the action, or only the final tool call?

  • Can the operator explain which identity, connector, and boundary were involved?

  • If the runtime changes six months later, does the control story survive?

Teams usually discover the gap only after the first real buyer review, the first production scare, or the first internal argument over who had authority to let the agent proceed.

Where PCAA fits

This is the design space PCAA is trying to formalize.

The current PCAA paper on arXiv frames the problem as model-agnostic runtime governance for heterogeneous agent systems. The important move is not a new slogan. The important move is treating the action certificate, rather than a vendor-native session record, as the durable governance object.

That leads to a more useful runtime question set:

  • what was admissible before the action

  • what opened the action

  • what assumptions mattered

  • what approval, if any, closed the human oversight requirement

  • what outcome record survives replay and proof export

That is a more durable way to think about governance than attaching a different trust story to every runtime brand.
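To make the two question sets above concrete (admissible before side effects, assumptions captured while they matter, approval able to stop execution, a path that can be replayed), here is an added illustration in Python. It is not PCAA's code or certificate format; the policy table, the `billing-agent` identity, the connector names and the hash-linked chain are all constructed assumptions for the example.

```python
import hashlib, json

# Constructed policy table (hypothetical): per (identity, connector, action),
# ruled before any side effect. Unknown triples are denied by default.
POLICY = {
    ("billing-agent", "crm", "read"): "allow",
    ("billing-agent", "payments", "refund"): "approval",
    ("billing-agent", "payments", "payout"): "deny",
}
def _digest(prev, step, assumptions):
    body = f"{prev}|{step}|{json.dumps(assumptions, sort_keys=True)}"
    return hashlib.sha256(body.encode()).hexdigest()
def _record(cert, step):
    # Each step is hash-linked to its predecessor and to the frozen assumptions.
    prev = cert["chain"][-1]["hash"] if cert["chain"] else "genesis"
    cert["chain"].append({"step": step, "prev": prev,
                          "hash": _digest(prev, step, cert["assumptions"])})
def govern(identity, connector, action, assumptions, execute, approve=None):
    """Admissibility first, human approval second, side effect last; always returns a certificate."""
    cert = {"identity": identity, "connector": connector, "action": action,
            "assumptions": dict(assumptions),   # captured now, not reconstructed later
            "verdict": "pending", "approver": "", "outcome": "", "chain": []}
    _record(cert, "requested")
    rule = POLICY.get((identity, connector, action), "deny")
    if rule == "deny":
        cert["verdict"] = "denied"
        _record(cert, "denied:policy")
        return cert
    if rule == "approval":
        approver = approve(cert) if approve else ""
        if not approver:                      # approval can really stop execution
            cert["verdict"] = "blocked"
            _record(cert, "blocked:no-approver")
            return cert
        cert["approver"] = approver
        _record(cert, "approved:" + approver)
    cert["outcome"] = execute()               # the only line with a side effect
    cert["verdict"] = "executed"
    _record(cert, "executed:" + cert["outcome"])
    return cert
def verify_chain(cert):
    """Replay check: every recorded step must re-hash against its predecessor."""
    prev = "genesis"
    for e in cert["chain"]:
        if e["prev"] != prev or _digest(prev, e["step"], cert["assumptions"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

The certificate outlives the runtime that produced it: a reviewer can read which identity and connector were involved, what was assumed, who approved, and whether the side effect ever ran, and `verify_chain` fails if the recorded assumptions are edited afterwards.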

It is also closer to how builders actually suffer. Runtime churn is normal. Tooling churn is normal. Partner churn is normal. The control method has to survive that.

What this does not mean

This does not mean regulation is solved.

It does not mean every runtime exposes the same control depth.

It does not mean every deployment can stop every risky side effect at the same checkpoint.

It does not mean a portable governance model makes a deployment automatically compliant.

It means something narrower and more useful.

If governance does not survive contact with action, it is not yet runtime governance.

The practical conclusion

If a system only produces language, governance can remain somewhat abstract.

If a system produces side effects, governance has to become operational. It has to show up in admissibility, boundary visibility, assumptions, approval, and reconstructable evidence.

That is why the action boundary is where the subject becomes real.

It is also why the next phase of AI governance will be decided less by who has the best trust language and more by who can make agent action legible before, during, and after execution.


Bring Trust to Autonomous Enterprise Operations

Enable AI agents to act, communicate, and deliver outcomes that can be independently verified — across enterprise, financial, and regulated environments.
