Guard: A Governance-Anchored Framework for Runtime Monitoring and Incident Response in Enterprise Agentic AI Systems

Authors

  • Sandeep Kumar Anuguthala, Independent Researcher, USA

DOI:

https://doi.org/10.63282/3050-9416.IJAIBDCMS-V7I2P147

Keywords:

Agentic AI, Enterprise Governance, Runtime Monitoring, Incident Response, System of Record, Registry-Bound Execution, Kill-Switch, Lethal Trifecta, RBEC, GUARD

Abstract

The rapid enterprise deployment of agentic artificial intelligence (AI) systems introduces operational risks that existing monitoring and incident response (IR) frameworks cannot address. Agentic systems exhibit non-deterministic behavior, autonomous tool invocation, dynamic reasoning chains, and emergent capabilities arising from multi-agent composition — properties that invalidate the static monitoring assumptions of DevOps, MLOps, and LLMOps paradigms. The National Institute of Standards and Technology (NIST AI 800-4, 2026) documents these gaps comprehensively, yet no validated runtime enforcement or IR framework exists for enterprise agentic AI. This paper presents GUARD — Governance-Unified Agentic Runtime Detection and Response — extending the prior enterprise agentic AI lifecycle governance framework of Anuguthala (2026), which established mandatory system-of-record registration, risk tiering, and governance checkpoints but did not specify runtime enforcement mechanisms or structured IR procedures. GUARD closes this gap through three primary contributions: (1) the Agentic System of Record (SoR), extended with a three-entity registration model covering individual agents, workflows, and inter-agent composition boundaries, serving as the authoritative runtime enforcement reference for all agent resource decisions; (2) Registry-Bound Execution Control (RBEC), a three-state runtime mechanism — allow, human-in-the-loop (HITL) pause, or kill-switch — validating every agent resource access against the SoR before execution; and (3) the Agentic Incident Response (AIR) lifecycle, a six-phase risk-tiered IR process anchored to the SoR. Two supporting contributions accompany these: a formal Lethal Trifecta boundary condition — adapted from the risk intersection concept articulated by Willison (2025) — operationalizing risk-tier enforcement within RBEC; and an empirical reference implementation on LangGraph evaluated across 100 trials per scenario.
Empirical evaluation across seven scenarios confirms correct detection of all five violation categories — including Lethal Trifecta Boundary Breach detected through monitoring record correlation — with zero false positives across 100 trials per scenario, providing the runtime enforcement layer that completes the governance-to-enforcement architecture initiated in the peer-reviewed prior governance framework (Anuguthala, 2026).

References

1. A. Bick, A. Blandin, and D. J. Deming, “The Rapid Adoption of Generative AI,” NBER Working Paper 32966, Feb. 2025. doi: 10.3386/w32966.

2. N. Maslej et al., “Artificial Intelligence Index Report 2025,” arXiv:2504.07139, 2025.

3. M. Zaharia et al., “The Shift from Models to Compound AI Systems,” Berkeley Artificial Intelligence Research Blog, Feb. 2024. [Online]. Available: https://bair.berkeley.edu/blog/2024/02/18/compound-ai-systems/ [Accessed: May 2026].

4. A. Chan et al., “Visibility into AI Agents,” in Proc. ACM FAccT, pp. 958–973, 2024. doi: 10.1145/3630106.3658948.

5. S. Naihin et al., “Testing Language Model Agents Safely in the Wild,” arXiv:2311.10538, Dec. 2023. doi: 10.48550/arXiv.2311.10538.

6. M. Balesni et al., “Towards Evaluations-Based Safety Cases for AI Scheming,” arXiv:2411.03336, Nov. 2024.

7. A. Meinke et al., “Frontier Models are Capable of In-context Scheming,” arXiv:2412.04984, Jan. 2025.

8. E. Jones, A. Dragan, and J. Steinhardt, “Adversaries Can Misuse Combinations of Safe Models,” arXiv:2406.14595, Jul. 2024.

9. D. Kreuzberger, N. Kühl, and S. Hirschl, “Machine Learning Operations (MLOps): Overview, Definition, and Architecture,” IEEE Access, vol. 11, pp. 31866–31879, 2023. doi: 10.1109/ACCESS.2023.3262138.

10. L. Dong, Q. Lu, and L. Zhu, “AgentOps: Enabling Observability of LLM Agents,” arXiv:2411.05285, Nov. 2024.

11. K. Huang, V. Manral, and W. Wang, “From LLMOps to DevSecOps for GenAI,” in Generative AI Security: Theories and Practices, Springer, Cham, 2024, pp. 241–269. doi: 10.1007/978-3-031-54252-7_8.

12. A. K. Rao et al., “Challenges to the Monitoring of Deployed AI Systems,” NIST AI 800-4, National Institute of Standards and Technology, Mar. 2026. doi: 10.6028/NIST.AI.800-4.

13. R. Shah et al., “Goal Misgeneralization: Why Correct Specifications Aren’t Enough For Correct Goals,” arXiv:2210.01790, Nov. 2022.

14. R. V. Yampolskiy, “On Monitorability of AI,” AI Ethics, vol. 5, no. 1, pp. 689–707, Feb. 2025. doi: 10.1007/s43681-024-00420-x.

15. B. Baker et al., “Monitoring Reasoning Models for Misbehavior and the Risks of Promoting Obfuscation,” arXiv:2503.11926, Mar. 2025.

16. J. O’Brien, S. Ee, and Z. Williams, “Deployment Corrections: An Incident Response Framework for Frontier AI Models,” arXiv:2310.00328, Sep. 2023.

17. S. Longpre et al., “In-House Evaluation Is Not Enough: Towards Robust Third-Party Flaw Disclosure for General-Purpose AI,” in Proc. ICML Position Paper Track, 2025.

18. A. Tamkin et al., “Clio: Privacy-Preserving Insights into Real-World AI Use,” arXiv:2412.13678, Dec. 2024.

19. S. K. Anuguthala, “Enterprise Agentic AI Lifecycle Governance: A Control-Driven Framework from Design to Decommissioning,” International Journal of Artificial Intelligence, Data Science, and Machine Learning, vol. 7, no. 2, pp. 9–16, Apr. 2026. doi: 10.63282/3050-9262.IJAIDSML-V7I2P103.

20. S. Willison, “The Lethal Trifecta for AI Agents: Private Data, Untrusted Content, and External Communication,” Simon Willison’s Weblog, Jun. 16, 2025. [Online]. Available: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/ [Archived: https://web.archive.org/web/20260428130356/https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/] [Accessed: May 2026]. Backup: https://simonw.substack.com/p/the-lethal-trifecta-for-ai-agents

21. Cloud Security Alliance, “MAESTRO: Multi-Agent Environment Security Threat and Risk Oracle — Agentic AI Threat Modeling Framework,” AI Safety Initiative Working Group, 2025. [Online]. Available: https://cloudsecurityalliance.org/blog/2025/04/10/introducing-maestro-a-framework-for-securing-multi-agent-ai-systems [Accessed: May 2026].

22. MITRE Corporation, “Adversarial Threat Landscape for Artificial-Intelligence Systems (ATLAS),” MITRE, 2024. [Online]. Available: https://atlas.mitre.org/ [Accessed: May 2026].

23. NIST, “Artificial Intelligence Risk Management Framework (AI RMF 1.0),” National Institute of Standards and Technology, Gaithersburg, MD, Jan. 2023. doi: 10.6028/NIST.AI.100-1. [Online]. Available: https://doi.org/10.6028/NIST.AI.100-1

Published

2026-06-08

Section

Articles

How to Cite

Anuguthala SK. Guard: A Governance-Anchored Framework for Runtime Monitoring and Incident Response in Enterprise Agentic AI Systems. IJAIBDCMS [Internet]. 2026 Jun. 8 [cited 2026 Jun. 24];7(2):370-9. Available from: https://ijaibdcms.org/index.php/ijaibdcms/article/view/619