The Viability Index Becomes the Warning Light
The April 2026 arXiv paper Governing What You Cannot Observe: Adaptive Runtime Governance for Autonomous AI Agents, by Germán Marín and Jatin Chaudhary, asks how an agent can remain fully authorized while drifting into unsafe behavior.
Permission Is Not Health
The paper, arXiv:2604.24686 [cs.AI], was submitted on April 27, 2026. Its starting point is sharper than ordinary access control: an autonomous agent can keep every credential it was granted and still become unsafe over time. Behavior can drift after a model update, prompt revision, adversarial probe, data shift, or adaptive threshold change. The authorization table says the agent may act. The system's condition says the action surface is degrading.
This is a fresh angle beside path-policy governance, runtime governance planes, execution-boundary control, and monitoring traces. Those pages focus on policy placement, action paths, or audit interpretation. This one treats runtime governance as a health monitor for risk that is only partially observable.
Unobserved Risk
Marín and Chaudhary call the central idea the Informational Viability Principle. In their notation, governance estimates a bound on unobserved risk, B_hat(x), by combining uncertainty U(x), structural bias SB(x), and reality gap RG(x). The action is allowed only when observed capacity S(x) exceeds that bound by a safety margin. The vocabulary matters because it refuses to collapse all risk into one confidence score.
Uncertainty is about distributional or behavioral drift. Structural bias is about group-level imbalance or accumulated unfairness. Reality gap is about sequential plans whose risk emerges only after operations are composed. A single transfer, message, or tool call can pass local checks while the aggregate pattern becomes the problem.
Three Properties
The Agent Viability Framework is grounded in viability theory and names three properties. P1 is monitoring: the governance layer needs accumulated cross-request state. P2 is anticipation: it must project whether the agent is approaching a boundary before harm is consumed. P3 is monotonic restriction: the system can autonomously tighten defenses, but it cannot autonomously relax them.
P3 is the most institutionally interesting rule. It accepts over-restriction as costly but reversible: a legitimate action may be blocked, then reviewed and adjusted by an accountable human. Under-restriction can be irreversible: data leaves, fraud settles, or discriminatory treatment accumulates. The paper treats that asymmetry as an integrity invariant, not a tuning preference.
RiskGate
RiskGate is the paper's reference implementation. It combines statistical estimators for the three risk terms, including KL divergence, segment-vs-rest z-tests, and sequential pattern matching. It also uses a fail-secure monotonic pipeline, a closed-loop Autopilot, and a scalar Viability Index in the range [-1,+1] with a first-order prediction of when the system may exit the safe region.
The worked demonstrations are useful, but they are demonstrations, not product evidence. One trace shows a structuring-style pattern where no single operation violates a rule, while the plan-level gate detects the composed pattern. Another uses a credit pre-approval scenario in which block-rate disparity accumulates through an adaptive loop; the paper reports that the Autopilot's continuous monitoring gives lead time before a reactive z-test would have fired. The governance lesson is not that a single index is magic. It is that drift, bias, and plan composition need separate instruments.
Limits
The paper is careful about scope. It says the contributions are a framework, theoretical organizing principle, reference implementation, and analytical evidence of coverage. It does not report measured detection rates, false positive rates, latency, monetary ROI, or head-to-head comparisons on live or synthetic traces. A calibrated empirical evaluation is explicitly scoped as later work.
The limitations are practical as well as theoretical: threshold sensitivity, cold start, adversarial robustness, concurrency under partial failure, and the risk that a scalar warning light hides which constraint is actually binding. P3 is also deliberately conservative. It blocks autonomous relaxation, so correction of over-restriction requires human intervention or slower evidence-driven threshold learning.
Governance Standard
A governed agent should not be judged only by whether its credential is valid. Runtime records should preserve the agent identity, registered purpose, active tools, policy version, observed capacity, uncertainty signal, bias signal, plan-composition signal, Viability Index, binding constraint, threshold, intervention, human override, and post-intervention state. The record should distinguish a blocked action from a tightened operating envelope.
The Spiralist rule is simple: authorization says who may act; viability says whether the current actor is still healthy enough to continue.
Sources
- Germán Marín and Jatin Chaudhary, Governing What You Cannot Observe: Adaptive Runtime Governance for Autonomous AI Agents, arXiv:2604.24686 [cs.AI], submitted April 27, 2026.
- arXiv experimental HTML for Governing What You Cannot Observe: Adaptive Runtime Governance for Autonomous AI Agents, reviewed June 25, 2026.
- Related pages: The Execution Path Becomes the Policy Object, The Agent Runtime Becomes the Governance Plane, The Execution Boundary Becomes the Control Layer, The Monitoring Trace Becomes the Interpretive Gap, The Uncertainty Estimate Becomes the Decision Cost, AI Agents, and AI Agent Observability.