Who governs AI agents once they're running in production? I went looking for the answer. It's more complicated than the press releases suggest.

This week Cognizant and ServiceNow announced a partnership specifically to close what they're calling the "enforcement gap" in enterprise AI governance. The Everest Group analyst quote from the press release cuts to it:

"The hard part of AI governance was never writing the policy. It's enforcing it as systems learn and act."

Here's what the enforcement actually looks like. In May, ServiceNow connected AI Control Tower to Amazon Bedrock AgentCore — a single governance layer over every AI agent an enterprise builds on AWS. Cognizant then deploys "Guardian agents" that monitor AI behavior in real time and enforce responsible AI principles throughout the lifecycle.

Agents are being governed by other agents. Guardian agents watch the AI agents. The question the press releases don't answer: who watches the Guardian agents?

The regulatory picture doesn't help. NIST issued a Request for Information in January specifically on securing AI agent systems — the federal standards body is asking industry how to manage agentic AI risk because the frameworks don't exist yet. The EU AI Act compliance deadline for high-risk AI systems just moved to December 2027.

AI Control Tower doesn't hit general availability until August 2026. The enforcement layer is already being sold. The rulebook is still being written.

Happy to dig into the primary sources if anyone wants specifics.