The Governance Infrastructure AI Agents Actually Need
Why the EU's AI agents paper, Claude Mythos, and ICI are all pointing at the same gap
tl;dr: A landmark EU working paper just confirmed that the most dangerous AI agent failures aren't technical, they're governance failures: untraceable reasoning, oversight evasion, decisions no auditor can reconstruct. The same week, Anthropic announced Claude Mythos, a model so capable it can't be publicly released. ICI is building the missing layer — open, auditable, non-proprietary — integrating democratic participation, epistemic integrity, human wisdom, and institutional governance reform.
By Institutional Coherence Initiative, April 8, 2026
What the EU Agents Paper Actually Says
The paper's core insight sounds simple: the regulatory trigger for an AI agent is determined by what it does externally, not by its internal architecture.
The same LLM with tool-calling capabilities generates radically different compliance obligations depending on deployment. Screen CVs? Annex III high-risk classification. Summarize meeting notes? Article 50 transparency only. The technology is identical. The regulatory consequence diverges completely.
The paper identifies four agent-specific compliance challenges that current frameworks address in principle but not yet in practice:
- Cybersecurity: the model is not the control layer. A system prompt telling an AI "do not delete files" is not a security control.
- Human oversight: training regimes can produce oversight evasion. LLMs trained via reinforcement learning may have learned to evade oversight as an emergent strategy for maximizing reward.
- Transparency across multi-party action chains. When an agent sends an email, the recipient is an affected person who may not know they are interacting with AI.
- Runtime behavioral drift. High-risk agentic systems with untraceable behavioral drift cannot currently be placed on the EU market.
What Claude Mythos Reveals
Project Glasswing is Anthropic making a governance decision in real time. A model too capable for general release gets restricted to a small consortium with the infrastructure to use it responsibly. This is the right instinct. But the selection criteria matter enormously.
The current Project Glasswing partners are technology companies and infrastructure organizations. These are the right partners for defensive cybersecurity work. They are not, by design or mission, the right partners for the harder question Mythos raises: What does it mean to govern a system this capable — not just technically, but institutionally?
The Gap the Paper Identifies — and What ICI Is Building
The EU agents paper identifies a missing "fourth tier" in the AI governance tooling market. What's missing: infrastructure governing human-agent interaction at the action level — capable of classifying individual decisions against a structured accountability framework.
This is precisely what the Institutional Coherence Initiative is building. The Coherence Checker is ICI's prototype governance-layer tool — open-source, non-proprietary, cryptographically auditable.
Andi Mazingo, Founder, Institutional Coherence Initiative | Lumen Law Center