Configuration Management for AI Agents: The Missing Twin of Agentic Governance

The first post in this series argued that AI governance, as currently practiced, has a structural gap: a latency gap between the speed at which autonomous agents act and the speed at which humans can intervene. Observability tools document the gap. They do not close it.

What closes latency gaps is configuration management. The discipline is not new. It is older than the AI governance conversation by three decades, and it has been the operational backbone of enterprise IT, financial services, and critical infrastructure that entire time. The argument of this post is straightforward: applied to AI agents, configuration management is the missing twin of every agentic governance framework currently on the market.

Two pieces of evidence make the case before the argument starts. The frontier model labs have already built parts of it without naming it. And the professional certification body for AI governance has named what governance professionals are accountable for without operationalizing it. The opportunity in front of practitioners right now is to bridge the two.

Frontier labs are already doing this

Anthropic’s Responsible Scaling Policy v3.0, effective in February 2026, defines AI Safety Levels — graduated baselines tied to specific model capabilities. When a model’s capability evaluation crosses a defined threshold, the AI Safety Level is upgraded and stronger safeguards become mandatory. The policy specifies classifier guards, monitoring, and jailbreak defenses for sensitive deployments; Anthropic’s separate Safeguards technical materials describe the multi-layered defense-in-depth architecture in more operational detail — access controls, real-time classifiers, asynchronous monitoring, granular per-role permission sets, multi-party authorization for sensitive model assets, and streaming token-level classifiers that score outputs as they are generated. Anthropic holds ISO/IEC 42001:2023 and SOC 2 Type II certifications and publishes the associated audit material on its trust center.

The closest publicly documented analog to a frontier-lab Tier-3-equivalent response is the Claude Mythos Preview system card, published April 7, 2026. Mythos is Anthropic’s most capable frontier model to date and the company decided not to make it generally available — it was routed instead to a defensive cybersecurity partner program. Anthropic is explicit in the system card that this deployment restriction did not stem from an RSP Capability Threshold breach; catastrophic risks across the policy’s threat models remain assessed as low. The decision was a deployment-strategy choice tied to dual-use cybersecurity risk — the model’s capability profile was judged better suited to a controlled partner channel than to broad commercial release. The system card is operationally important for a different reason. It publishes specific behavioral rates from internal monitoring — bypass attempts under 0.01 percent of completions, clearly dishonest behaviors under 0.0002 percent, unauthorized data transfer under 0.0002 percent — which are the first frontier-lab KRI-style numbers anyone has published in operational form. Anthropic also acknowledges in its v3.0 announcement materials: "we needed to improve our process for tracking compliance with the RSP." A frontier lab naming the configuration-management-tracking gap in its own published audit material. The operational pattern — capability assessment, internal monitoring at quantified rates, an organizational decision to constrain availability, partner-only release with use-case restriction — mirrors a Tier-3 intervention in everything but the vocabulary the RSP itself uses.

Every one of those terms has a structural analogue in configuration management discipline. AI Safety Levels play the role of baselines for the model itself. Capability thresholds function as tripwires. Multi-party authorization is change control in everything but name. Defense-in-depth with streaming classifiers is drift detection. ISO/IEC 42001 is the external audit attestation. The analogy is structural, not a one-to-one literal translation — ASLs in particular are capability tiers tied to deployment commitments, not configuration baselines in the ITIL sense — but the disciplines under different vocabulary are recognizably the same.

OpenAI’s recently published Agentic Governance Cookbook covers a different slice of the same picture. It treats policies as code that "version, travel, and deploy alongside applications." It distributes those policies as pip-installable packages so that "any team can pip install instant compliance." It captures every LLM call, tool execution, and handoff in a structured trace. Its opening posture — governance drives delivery — is the right framing.

Where the OpenAI cookbook stops is also instructive. It does not specify approval workflows for the policy itself. It does not provide live key risk indicators with predefined intervention paths. It does not include a rollback procedure when an evaluation fails post-deployment. The cookbook implements two of the four configuration management disciplines well and the other two not at all.

The pattern across both vendors is the same. The disciplines are real, the implementations are partial, and the vocabulary is fragmented. Each lab has solved its own problem inside its own walls. The enterprise deploying agents on top of those models inherits a partial governance layer and is responsible for closing the rest of the gap itself.

The professional body has named the work without operationalizing it

The IAPP launched the Artificial Intelligence Governance Professional certification in 2023 to formalize what AI governance practitioners are accountable for. The current Body of Knowledge (version 2.1, effective February 2, 2026) defines four domains. Domain III covers governing AI development. Domain IV covers governing AI deployment and use. Together they describe the operational scope of the AI governance role.

Read carefully against the BoK, the curriculum points to operational governance work — establishing policies and procedures throughout the AI life cycle, performing key activities to assess the AI model — without describing the operational mechanics of how that work is done. The most-cited community resource for AIGP candidates, Oliver Patel’s unofficial resource guide, catalogs roughly a hundred references covering law, policy, risk assessment, and standards. Configuration management vocabulary does not appear. Drift thresholds do not appear. KRI frameworks do not appear. Agentic-specific governance is largely absent.

This is not a criticism of the certification. It is a structural observation. AIGP defines what professional AI governance is. The market has not yet defined how the work gets done day to day. The framework that follows is one practitioner’s attempt to provide an answer.

The Prism CM-AI Framework

The framework consists of four configuration management disciplines applied across three delivery layers, with a Key Risk Indicator tier model layered over the whole.

The four disciplines

Baseline. A documented description of what good looks like for each production agent. This includes the approved model and version, the system prompt’s content hash, the inventory of tools the agent can call, the data scope it can access, the expected output distribution, the latency band, the refusal rate, and the cost-per-action target. Without a documented baseline, drift is undetectable, because there is nothing to drift from.

Change Control. A defined approval path for any change to the baseline. This is where most current AI deployments are weakest. Organizations gate model upgrades but rarely gate prompt revisions. They gate new tool integrations but rarely gate scope expansions to existing tools. Change control is what ensures the agent currently operating in production is materially the same agent the organization approved to operate in production. Without it, the live system can drift away from the approved configuration through a thousand small unreviewed changes.

Drift Detection. Continuous comparison of the live agent’s behavior against the baseline, at machine speed, with defined thresholds and defined responses. This is not a dashboard. It is an automated control loop that detects deviation and triggers escalation without waiting for a human to refresh a screen.

Audit and Remediation. The ability to reconstruct, after the fact, exactly what the agent did, why, and against what baseline — combined with the ability to roll back to a previous baseline when needed. Most organizations have logs. Few have the rollback path tested. The first time an agent goes wrong is not the right time to discover that the rollback procedure is theoretical.

The three delivery layers

These four disciplines run across the three layers that Prism’s compliance practice uses on every engagement:

1. Discover and Map. Inventory the agents in production. Document each agent’s tools, data scopes, and dependencies. Establish the baseline.
2. Automate and Enforce. Implement change control workflows, drift detection, and audit logging in code and infrastructure. Make the baseline executable.
3. Govern and Report. Set KRI thresholds, maintain exception workflows, produce audit evidence, brief the board. Make the system defensible to a regulator, an auditor, or an insurer.

The result is a 4×3 matrix: four configuration management disciplines, three delivery layers, twelve cells of operational work. The matrix is not a checklist. It is the structure that ensures every discipline is implemented at every layer, rather than implemented in policy at one layer and never reaching the others.

The KRI tier overlay

The signature element of the framework is the Key Risk Indicator tier model, adapted from financial-services operational risk practice. KPIs measure value produced. KRIs measure boundary integrity. The two are complementary and answer different questions, and the failure mode in most current AI deployments is treating output volume as if it were a safety signal.

KRIs operate on three tiers. Tier 1 is a warning — drift detected, investigate within 24 hours, document the cause. Tier 2 is action — drift exceeds tolerance, auto-throttle the agent, human review required before continued operation. Tier 3 is intervention — operational risk threshold breached, kill-switch fires, rollback to last approved baseline, incident report filed, post-incident review within five business days. Each tier has a defined response and a defined authority. Without the tier model, KRIs are decoration.

The KRI tier model gets a full treatment in the next post in this series. The point for now is that it is what allows governance to operate at the speed of the agent rather than the speed of human attention.

What this framework is not

The conversation around AI agent governance has accelerated in 2026. Several adjacent voices are converging on parts of the same problem from different lineages. This framework is positioned alongside, not against, each of them. The differentiation is worth naming directly.

**Microsoft’s Agent Governance Toolkit** (April 2026) ships open-source runtime security infrastructure using an OS-kernel metaphor — defense in depth, execution rings, trust scoring. It is excellent runtime enforcement infrastructure. It does not use configuration management vocabulary, does not provide a Key Risk Indicator framework, and does not bridge to financial-services operational risk practice. The toolkit is the kernel; configuration management is the state-management layer that authorizes the policies the kernel enforces.

Charli AI Labs’ Governance Control Plane and the broader "control plane" discourse argue, correctly, that observability is not control. The proposed solution is a Governance Virtual Machine with policy injection and active interception. Execution-permission models prevent unauthorized action; configuration management detects when authorized agents have drifted from the version that was authorized. Both are necessary in a mature stack.

ITIL Foundation Version 5 (PeopleCert, released February 2026) names the gap directly. AI Governance is designated as the sole extension module in the v5 qualification scheme — planned for release in Q2 2026 — alongside nine core modules. ITIL v5 is the strategic guidance for AI in service management; this framework is the operational implementation layer that sits below it.

**GARP’s SR 11-7 strain analysis** (Krishan Sharma, SVP Model Risk Management at Citigroup, February 2026) is the closest published work from the financial-services side. Sharma identifies three critical strains in SR 11-7’s application to agentic AI — dynamic validation, third-party concentration, and explainability standards — and recommends "continuous monitoring and use-based controls" without operationalizing them. This framework is the operational implementation of the response Sharma’s analysis recommends. Section 6 of the accompanying white paper provides the explicit bridge.

The pattern across all of these voices is consistent: each lineage names part of the problem and proposes part of the solution. None integrate the four lineages — financial-services operational risk, IT/ITIL configuration management, runtime control plane architecture, and AI governance professional certification — into one practitioner-implementable framework. That integration is what this framework offers.

Why "configuration management" is the right name

The vendor stack and the broader agentic AI conversation are converging on the term control plane. That language is not wrong. It captures the architectural picture: a layer that sits above the agents, manages identity and access, enforces policy, and provides visibility. Microsoft Agent 365 — announced March 2026, generally available May 1, 2026 — uses exactly that framing.

The control plane abstraction is necessary. It is also incomplete. Control plane describes a place. It does not describe a discipline. The questions a control plane is supposed to answer — what is the approved configuration, who can change it, has it changed, can we prove it — are the questions configuration management has answered for thirty years in adjacent domains.

Naming the discipline matters because it makes the work portable. An organization that has run ITIL configuration management for its on-premises systems already knows how to run it. The skills, the tooling patterns, the audit evidence formats, the change advisory boards — all of it transfers. The framework is not a request to learn something new. It is a request to apply something the organization already knows how to do, to a class of system the organization has not yet applied it to.

That portability is also the framework’s defensibility. The AIGP Body of Knowledge defines the policy outcomes governance professionals are accountable for. NIST AI RMF, ISO/IEC 42001, and the EU AI Act define the standards those policies must meet. Configuration management is the operational mechanic that connects them. Without the mechanic, the policy and the standard live on paper. With it, they live in production.

What this means in practice

Adopting the framework is not a tool purchase. It is the establishment of five operational practices that most organizations deploying AI agents do not currently have. A documented baseline for every production agent. A change control path that includes the prompt. Live KRIs with predefined tripwires. A kill-switch and rollback procedure tested before they are needed. An audit trail that ties any agent action to the baseline that authorized it.

These practices do not slow delivery. They make delivery defensible. The organizations that will scale AI agents successfully over the next two years are not the ones with the most powerful models. They are the ones whose governance is operational rather than ornamental.

The third post in this series goes deep on the KRI tier model — the signature element, and the part of the framework that is least developed in the broader market. After that, the series maps the framework explicitly to NIST AI RMF, walks through a working implementation in the Prism dashboard, and crosswalks the discipline against the AIGP Body of Knowledge for governance professionals studying for the certification.

The full framework reference is available as a single canonical document for teams that want to circulate it internally. Contact through the form below.

This is part 2 of a six-part series on Configuration Management for AI Agents. Part 1 stakes out the latency gap. Part 3 details the KRI tier model.

Sources cited

• Anthropic, Responsible Scaling Policy v3.0 (effective 2026-02-24). anthropic.com/responsible-scaling-policy
• Anthropic, Claude Mythos Preview System Card (2026-04-07). anthropic.com/news/claude-mythos-preview-system-card
• Anthropic, Trust Center — ISO/IEC 42001 and SOC 2 Type II certifications. trust.anthropic.com
• OpenAI, Agentic Governance Cookbook. developers.openai.com/cookbook/examples/partners/agentic_governance_guide/agentic_governance_cookbook
• Microsoft, Agent Governance Toolkit (open-source, April 2026). github.com/microsoft/agent-governance-toolkit
• IAPP, Artificial Intelligence Governance Professional (AIGP) certification. iapp.org/certify/aigp. Body of Knowledge v2.1 effective 2026-02-02.
• Oliver Patel, The Unofficial AIGP Resource Guide (IAPP faculty). oliverpatel.substack.com/p/the-unofficial-aigp-resource-guide
• Krishan Sharma, "SR 11-7 in the Age of Agentic AI: Where the Framework Holds — and Where It Strains," GARP Risk Intelligence, 2026-02-27. garp.org/risk-intelligence/operational/sr-11-7-age-agentic-ai-260227
• PeopleCert, ITIL v5 AI Governance Extension Module. peoplecert.org/itil