For organizations deploying AI systems, compliance has moved from a future consideration to an active obligation with defined consequences. The EU AI Act is in force, with penalties reaching up to €35 million or 7% of global annual turnover for the most serious violations, and up to €15 million or 3% for non-compliance with high-risk system obligations, and compliance obligations are expanding across jurisdictions as new frameworks take effect. 

Among the frameworks now shaping enterprise AI governance globally, three have emerged as the most widely referenced operative frameworks for regulated enterprises: the EU AI Act, the NIST AI Risk Management Framework, and ISO 42001. They define the common structure around which most regulated enterprises are building their AI governance approach today, and all three share a foundational assumption about how AI systems operate that agentic AI does not satisfy.

What the Major Compliance Frameworks Require

The three frameworks approach AI governance from different angles, but their compliance obligations share a common structural gap when applied to agentic deployments.

The EU AI Act

Takes a risk-based approach to governing AI systems. For high-risk systems deployed in financial services, employment, healthcare, and critical infrastructure, it mandates pre-deployment conformity assessments, technical documentation, data governance controls, logging obligations, and human oversight mechanisms. The bulk of these requirements become fully enforceable in August 2026.

The NIST AI Risk Management Framework

Organizes AI governance across four core functions: Govern, Map, Measure, and Manage. It provides a structured approach to identifying, assessing, and responding to AI risk across the full development and deployment lifecycle, with controls designed to be established before deployment and reviewed at defined intervals in production.

ISO 42001

Establishes the first internationally certifiable AI management system standard, giving organizations a structured framework for demonstrating responsible AI governance through documented controls, risk assessment processes, performance monitoring, and continual improvement cycles, verified through external audit.

Beyond these three operative frameworks, the US National AI Legislative Framework, released in March 2026, signals the direction of federal AI policy in the United States. While not yet law and not imposing binding obligations on enterprises, it is worth examining alongside the others because the contrast it creates is instructive. Rather than prescribing specific technical controls, it focuses on protecting consumers from AI-enabled scams, safeguarding intellectual property, preventing censorship, and enabling American AI competitiveness. It calls for a uniform national framework to replace conflicting state laws, but does not mandate the logging obligations, conformity assessments, or runtime enforcement mechanisms that high-risk deployments require under the EU AI Act, NIST AI RMF, or ISO 42001.

Each of these frameworks was developed in response to real governance needs, and the obligations they impose are serious and ongoing. All of these were also designed for AI systems whose behavior can be defined, tested, and audited in advance, but agentic AI operates outside those parameters.

The Compliance Problem Agents Create

Traditional AI systems produce a defined output in response to a defined input. That output can be reviewed, validated before deployment, and monitored in production, which is the model that pre-deployment conformity assessments and post-hoc audit trails were built around.

Agentic AI operates differently. Rather than producing a single output for review, an agent pursues objectives through sequences of autonomous decisions, each shaped by real-time context, live data, and the outcomes of previous steps. In the course of completing a single task, an agent may:

• Call external APIs and act on responses without human review at each step

• Access sensitive data across multiple systems in sequence

• Trigger downstream workflows that affect other processes or organizations

• Interact with other agents across organizational boundaries, compounding decisions across an automated chain

The EU AI Act's Article 12 logging obligations, for example, were designed for systems that produce discrete, reviewable outputs. For agents executing multi-step workflows, a log of what happened is not the same as verification that each action was authorized before it took effect.

The same limitation applies across the logging, monitoring, and risk management controls that the NIST AI RMF and ISO 42001 prescribe. What each of these frameworks requires is that organizations demonstrate, with verifiable evidence, that their AI systems operated within defined boundaries throughout deployment. For agentic AI executing multi-step autonomous workflows, the mechanisms those frameworks prescribe produce a record of what happened rather than governance of what was permitted to happen.

What Runtime Governance Addresses

Addressing this gap requires governance that enforces policy, verifies agent identity, and produces cryptographically verifiable compliance evidence at the moment of execution. OpenBox's Runtime Governance Engine intercepts every agent action, verifies identity, enforces policies and guardrails, scores risk in real time, and produces a signed compliance report at the moment of execution, generating the continuous, verifiable evidence that each of these frameworks expects organizations to demonstrate.

The specific capabilities this delivers for regulated enterprises include:

• Runtime policy enforcement that evaluates every agent action against configured policies before execution, with non-compliant behavior automatically blocked or escalated for human review.

• Cryptographically verifiable records that map AI activity to compliance requirements automatically, generated at the moment of execution.

• Dynamic risk scoring that adapts controls to how an agent is actually behaving in production, rather than applying static rules set at deployment.

• Human-in-the-loop escalation for high-stakes decisions, enabling oversight to operate within agent workflows rather than outside them.

Protocol-aware runtime governance and OpenBox's compliance infrastructure work alongside the risk assessments, technical documentation, and management system certification these frameworks require. Full documentation is available at docs.openbox.ai

The compliance frameworks that currently govern enterprise AI were built for a model of AI that predates autonomous agents. As regulatory guidance for agentic systems continues to develop across jurisdictions, the structural gap between what existing frameworks assume and what these systems actually do will become more consequential. Organizations that have governance infrastructure operating at the point of execution will be able to demonstrate compliance at the level those frameworks require.