The enterprise AI governance market consolidated in April 2026. Microsoft shipped AGT — a seven-package runtime governance system covering all 10 OWASP Agentic AI risks. NVIDIA's NemoClaw handles model safety. SAS announced AI Navigator for internal governance. Credo AI launched an Agent Registry. The runtime layer is now table stakes.
What none of them provide: a bilateral service agreement between identified parties. An immutable audit trail tied to contractual obligations. Structured dispute resolution with evidence. The contractual governance layer remains unoccupied — and it's the layer that makes enterprise transactions possible.
Model safety operates at the weights level. Alignment training, content filtering, guardrails, prompt injection defenses. NVIDIA's NemoClaw is the reference implementation — it makes agents safe to deploy by constraining what the model itself can produce.
This layer is necessary and increasingly commoditized. Every foundation model provider ships safety infrastructure. The question is no longer whether models are safe enough to deploy. It's whether deployments are governed enough to be accountable.
Runtime security operates at the application level. Policy enforcement, behavioral monitoring, capability gating, kill switches. Microsoft AGT is the reference implementation — seven packages, MIT-licensed, with adapters for every major agent framework.
AGT's technical credentials are serious. Agent OS enforces Cedar and OPA policies at 0.012ms latency and 72,000 operations per second. Agent Mesh provides Ed25519 and ML-DSA-65 zero-trust identity via SPIFFE/SVID. Agent Runtime executes within four-tier privilege rings with saga orchestration and a kill switch. Agent SRE provides SLO enforcement and circuit breakers. Agent Compliance maps to EU AI Act, HIPAA, SOC 2, and all 10 OWASP Agentic AI risks.
This is genuine infrastructure. It validates the thesis that enterprise AI agent deployments require governance. And it leaves the entire contractual layer untouched.
Suppose AGT catches a violation. An agent made a tool call outside its declared scope. The behavioral trust score dropped. The kill switch fired. The session is suspended.
Now what?
Who is liable for the work the agent did not complete? If the agent had already consumed compute budget before suspension, who absorbs that cost? If the deviation caused downstream harm — a financial decision made on incomplete analysis, a contract reviewed by a compromised agent — how does the Buyer pursue relief? How does the AI Provider defend their methodology? How does this get resolved before the EU AI Act's 72-hour incident reporting deadline?
AGT answers none of these questions. It cannot. They are not runtime questions. They are contractual questions.
AGT's compliance module generates mapping documents and CLI verification output. It can tell you the agent ran within policy. It cannot tell you what was agreed between identified parties, whether the agreement was fulfilled, or who bears accountability for a deviation. Compliance evidence floating free of a contractual commitment has no legal standing.
Contractual governance operates at the relationship level. It defines what was agreed between parties before work begins, records what happened during execution relative to that agreement, and provides structured resolution when outcomes and expectations diverge.
This is what exact.works provides.
The Standard AI Service Agreement (SAISA) is a bilateral instrument Exacted by both parties at formation. Completion criteria are hash-locked before the first token is consumed. Neither party can move the goalposts after delivery. Both parties attested to the same terms. The attestation is cryptographically verifiable.
Trace is the immutable audit trail — not operational telemetry, but evidence relative to a contractual baseline. Every agent action is recorded against the criteria that both parties agreed to. The Trace is hash-chained: nothing can be altered, nothing can be deleted, and verification requires no authentication.
Parler provides five-stage dispute resolution calibrated to stakes classification. Automated mediation for clear-cut cases. Tricameral AI panel review — three independent model families (Claude, GPT-4o, Gemini) evaluating Trace evidence against Exacted criteria — for complex disputes. Expert determination for high-stakes cases. AAA arbitration as the backstop. Graduated remedies, not binary win/lose.
The layers are not competitors. They compose into a governance stack.
exact.works Exacts the Paper and outputs a structured policy manifest. AGT ingests the manifest as its enforcement ruleset — maxSessionDuration becomes a timeout policy, permittedActions becomes a tool-call allowlist, budgetCeiling becomes a resource limit. NemoClaw constrains the model's output space. Trace records every action against the SAISA baseline.
When AGT detects a violation, the kill switch event triggers the Parler dispute workflow. The Sealed Record includes both AGT telemetry and Trace evidence. Graduated Remedy is proportional to the Stakes classification set at Exacting time. The runtime catches the problem. The service agreement defines what it means. The dispute mechanism resolves it.
Agent Mesh's Ed25519 identity verification maps to exact.works' PLUGIN_SIGNED fingerprint class. A verified_partner claim is true by both definitions — cryptographic and contractual. The identity chain is complete: the agent is who it claims to be (AGT), and it is bound to the terms it agreed to (SAISA).
Microsoft is structurally disqualified from occupying the contractual governance layer. The measure cannot be one of the things being measured. A platform that provides the infrastructure agents run on cannot also serve as the neutral third party that governs the service relationship between the parties using that infrastructure.
This is not a competitive claim. It is an architectural constraint. The same structural independence that auditing, arbitration, and escrow have always required applies to AI agent governance. The contractual layer must be independent of the runtime layer.
The organizations deploying serious AI agents in 2026 are discovering they need three layers, not one.
Model safety — NemoClaw and similar tools handle this.
Runtime security — AGT handles this. It handles it well.
Contractual governance — the service agreement, the immutable audit record, the dispute mechanism, the liability framework. This is the layer that makes enterprise AI agent transactions possible at scale — not just technically, but legally and commercially.
No single tool covers all three layers. That is not a gap. It is an architecture.
The runtime layer is now built. The contractual layer is live. The question for enterprise buyers is no longer whether governance infrastructure exists — it is whether they have assembled the complete stack.
Every AI agent needs a contract.
exact.works →