
Two terminal agents was one too many
For most of this year we were building two terminal agents. AGTerm had a CLI and an orchestration layer of its own, and …

This is the third pillar of private AI — governance and observability — and the one that most “AI platform” pitches treat as a downstream concern. It is not. In May 2026, with the EU AI Act’s high-risk obligations enforceable in three months, the governance pillar is what determines whether your runtime is shippable at all.
For two decades, governance, risk, and compliance was a post-hoc discipline. Something happened; you wrote it down; an auditor read what you wrote down; a report went to a regulator. The control was the record. The enforcement was the attestation. The actual production system did what it did, and GRC sat next to it with a clipboard.
AI agents broke that model in eighteen months. An agent makes thousands of decisions per minute, each one capable of calling a model, writing to a database, sending a message, or invoking a tool. By the time an auditor reads last quarter’s log, the agent has done a hundred million things, three of which are now class-action lawsuits. Post-hoc does not scale to autonomous systems. The control has to be the agent’s environment, not a write-once report next to it.
This is what “real-time GRC” actually means: governance, risk, and compliance enforced inline, before the action completes, with the audit log as a side effect — not the product.
In May 2026, with the EU AI Act’s high-risk obligations enforceable from August 2 and penalties reaching €35M or 7% of global revenue, the gap between teams that have moved to real-time GRC and teams that have not is becoming the gap between teams that can keep deploying agents and teams that cannot.
Real-time GRC for AI agents has four parts. Skip any one and you have something less than real-time.
Every outbound LLM call, every tool invocation, every state mutation goes through a policy evaluator before it executes. The evaluator answers a yes/no question — “is this action allowed for this agent in this scope?” — and either lets the call through or blocks it with a structured reason.
This is not log-and-allow. This is decide-and-act. The latency budget is single-digit milliseconds in the hot path; anything more and developers will route around it.
Policies do not live at one level. They live at every level — global, organization, team, deployment, endpoint, user, agent group. When an agent makes a call, the evaluator walks the hierarchy and applies the most specific rule that matches. This sounds obvious; it is also the part most homegrown policy layers get wrong.
The right model is inheritance with override. An org-level policy says “no calls to model X.” A team-level policy says “this team can call model X for redaction tasks only.” Both rules coexist, the more specific one wins, and any override is logged for audit.
It is not enough to know which model was called. You have to know what was sent. A PII detector, a secrets scanner, a custom regex pack for your industry — these all have to run inline on the request payload, with the same latency budget. The output is augmented data (“prompt contained credit card numbers, redacted before forwarding”) and a policy decision (“this agent is not allowed to forward unredacted PII; block”).
In 2026, the providers that matter (Anthropic, OpenAI, Google, Mistral, Cohere, AWS Bedrock, Azure, Vertex, plus open-source via vLLM and Ollama) all have different request/response shapes. Real-time content enforcement has to normalize across them.
Every decision — allowed, blocked, augmented — is written to an event log that is cryptographically chained, so any retroactive tampering is detectable. The log is the artifact compliance reads. It is also the artifact the platform team reads when something breaks. There is one log, not two.
When an EU AI Act auditor asks “show me every high-risk decision your agent made between these dates, including which policies applied and why,” the answer is a query, not a project.
A good evaluator is small, fast, and composable. The patterns we see in the field:
Rate limiters. Per-agent, per-team, per-org. Tokens per minute, requests per minute, dollars per day. Sliding window, not fixed bucket — bursts matter.
Tool permissions. Allowlist or denylist. “This agent can call database.read but not database.write.” Critical for agent capability sandboxing.
Model restrictions. “Only Claude or GPT-5 in this deployment.” “No Bedrock models because we have not signed the BAA.” “Open models only in air-gapped environments.”
Network policies. Where the agent can reach. Outbound URL allowlists, DNS-level restrictions, geofencing.
Content scanners. PII, secrets, profanity, custom regex packs. Both directions — request and response.
Safety settings. Provider-native safety flags (Gemini safety thresholds, Bedrock guardrails) plus platform-level safety policies.
Multimodal controls. Image / audio / video upload restrictions. File size, type, hash deny-lists.
Output filters. Strip or redact specific fields from the model response before it returns to the agent.
A real-time GRC system that ships with two dozen evaluators out of the box gives you 80% of what most teams need on day one. The remaining 20% — your industry’s specific regulatory quirks — is a plugin contract, not a re-architecture.
Compliance is downstream of risk. A risk register that lives in a spreadsheet has the same problem as an audit log that lives in a paper file: it is a snapshot, not a sensor. Real-time GRC means the risk register is live — events flowing in update risk likelihoods automatically; new risks can be opened from observed events; mitigations are tied to enforceable policies.
The FMEA-style model — Severity × Likelihood × Impact, on a Fibonacci scale, yielding a Risk Priority Number — has been standard in safety-critical engineering for forty years. Applied to AI agents:
A live RPN — visible on a dashboard, recalculated as events flow in — is what lets a CISO answer “which of our agents is currently the riskiest?” in real time. A 30-day trend on that number is what lets a board ask “are we getting safer or worse?” and get an answer.
Not all frameworks are equal. The five that consistently show up in enterprise procurement in 2026:
A real-time GRC platform maps your controls to all five at once. When a regulator changes the rules, you update the mapping in one place — not in five compliance reports.
Zentinelle , together with the zentinelle-sdk , is the real-time GRC layer in Calliope’s private-AI stack — deployed inside your cloud, mediating every model and tool call your agents make, on your infrastructure, with your identity model. The shape:
Three integration modes. Hooks (PreToolUse / PostToolUse intercepts for Claude Code, Gemini CLI), a Django proxy (transparent HTTP gateway for any agent), or a high-performance Go gateway (sidecar with credential injection for enterprise scale). Same policy semantics in all three.
24 policy evaluators. Rate limits, tool permissions, model restrictions, network policies, agent capabilities, safety settings, multimodal controls, output filtering, content scanning. All hot-path, all composable.
Policy inheritance. Org → Team → Deployment → Endpoint → User. Most-specific wins. Conflicts and gaps surfaced by the policy analyzer. Versioned with a diff viewer.
Policy simulator. Dry-run a new policy against the last 30 days of historical events before you turn it on. “If this had been live, how many requests would it have blocked, and which ones?”
Compliance packs. One-click activation of curated bundles — SOC 2 starter, GDPR starter, EU AI Act starter — pre-mapped to evaluators.
Live risk register. FMEA model, RPN 1–512, 5×5 matrix, 30-day trend on the organizational risk index. Incidents with SLA tracking, root cause, and timeline.
Tamper-evident audit chain. Cryptographic verification of the event log. Anomaly detection on event streams.
Provider coverage. Anthropic, OpenAI, Google, Mistral, Cohere, AI21, DeepSeek, AWS Bedrock, Azure, Vertex, plus 14 more — including open-source via Ollama and LM Studio.
The integration point worth highlighting: when Zentinelle is paired with a runtime like Astrolift, the gateway is injected by the platform as a sidecar to every workload. Agents do not opt in. There is no “we forgot to wire it up” failure mode. The policy layer is part of the substrate.
You have under three months to be operational on EU AI Act high-risk obligations if you serve EU customers in any high-risk category (Annex III: employment, education, law enforcement, critical infrastructure, essential services, biometric identification, and several more). The risk management system in Article 9 is not a document; it is a process that has to be running in production. Article 12’s logging requirement is not a quarterly report; it is automatic, structured, and queryable.
If your current GRC is a Confluence page and a quarterly compliance review, you are not behind — you are not in the race yet. The teams that will pass an Article 9 audit on day one have all four parts of real-time GRC in production right now, today, in May 2026, with two and a half months to break things and fix them before the deadline lands.
Three diagnostic questions for your current stack:
Can you block — not just log — an unauthorized model call? If the answer is “log and alert,” you are post-hoc. Move inline.
Can you answer “every prompt that contained PII in the last 90 days” with a single query? If the answer is “we’d have to grep through logs,” you do not have content-aware enforcement.
Can you simulate a new policy against historical traffic before enforcing it? If the answer is “we’d have to deploy to staging,” you do not have policy simulation, and your team will be afraid to tighten policies as the regulation tightens.
If you said no twice or more, the gap is real and the deadline is closer than your roadmap thinks. The next posts cover the operational side of governance: what your agents are actually doing in production (the live observability case) and preview environments for AI agents — the practical workflow for testing policies before they hit production.

For most of this year we were building two terminal agents. AGTerm had a CLI and an orchestration layer of its own, and …

When Operational Reliability Is the Regulation Most regulated industries have a data-protection focus: customer …