The Trust Fabric: Four Layers of Enterprise AI Governance

In May 2026, two of the largest enterprise software vendors in the world claimed the same prize within five days.

Microsoft Agent 365 went GA on May 1. Microsoft positioned it as “the AI control plane.”

ServiceNow Action Fabric went GA on May 5. Anthropic was the first design partner. ServiceNow positioned it as “the shared runtime for humans and AI agents.”

Both vendors used the word “control.” Both vendors used the word “runtime.” Both vendors claimed to govern AI agents.

And here is what neither of them actually does.

Neither sits in the call between the agent and the model.

That gap, between what workflow platforms govern and what regulated enterprises actually need to govern, is what this post is about.

The category split nobody named

Workflow agent governance asks: which agent runs, on whose authority, doing what work?

Runtime model governance asks: what did the agent actually send to the model, and what did the model send back?

Different questions. Different stacks. Different teams. Different buyers.

The CIO buys workflow governance. Workflow agent platforms integrate with the records of work that already exist in the enterprise. They spawn agents, scope authority, track approvals, audit playbooks. They sit above the call between agent and model.

The CISO buys runtime governance. Runtime systems inspect the actual data path. They read the prompt before it leaves the network. They redact PII. They enforce data loss prevention. They log every model call with identity attribution. They sit in the call between agent and model.

When a workflow agent platform fails, the agent runs the wrong workflow. That is a CIO problem.

When runtime governance fails, the agent sends customer PII to a public model. That is a CISO problem.

Different buyers, different budgets, different failure modes, different teams.

The cloud era taught the enterprise this exact lesson. Workflow tools governed work. Network controls inspected traffic. Different planes, different vendors, both required. ServiceNow, Salesforce, and Workday governed business processes. Palo Alto, Check Point, and Zscaler inspected the packet. No one suggested those products competed with each other because they did not.

The AI era is splitting the same way.

The four layers

Here is what the architecture actually looks like in May 2026.

Layer 1. Identity Proofing.

The question this layer answers: who is the actual human, really?

Most enterprise identity stacks were built before AI agents existed. The assumption was that a human signs in, the identity provider verifies that the human is who they claim to be, and the human then does work. When agents arrived, that assumption broke. Agents now sign in on behalf of humans, take action with delegated authority, and produce data that gets attributed to a human principal. The integrity of every downstream layer depends on the verification of that human at the source.

This is the work that NIST IAL2 and AAL2 specify. Biometric verification at enrollment. Cryptographic authentication at session. The identity binding that ties an agent action back to a specific real person, not just to a user account that could be compromised, shared, or fabricated by a North Korean operative running a fake remote workforce.

Layer 2. Access Governance.

The question this layer answers: what is the human allowed to do?

This is the layer the enterprise already runs. Okta, Entra, Active Directory, SailPoint, Veza. The identity provider, the directory, the access governance platform. Roles, groups, entitlements, scopes. The data plane that decides whether a specific authenticated person has the right to take a specific action.

The Trust Fabric integrates this layer. It does not replace it. Customers plug their existing identity stack into the architecture. The enterprise IdP remains the authoritative source for what a human can do, and the runtime layer above inherits those scopes when the human delegates authority to an agent.

Layer 3. Runtime Governance.

The question this layer answers: what did the agent actually send to the model?

This is the layer most enterprise AI infrastructure does not have. The runtime layer sits in the call path between the agent and the model. It inspects the prompt before it leaves the network. It applies inline policy. It redacts PII before exfiltration. It enforces data loss prevention by classification. It governs MCP tool calls before they execute. It logs every model interaction with full identity attribution.
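The inline decision described above, as an added example that is not APERION's or SmartFlow's code: a runtime check that sits in front of one model call and one MCP tool call, applies a classification policy per destination, redacts PII before the prompt leaves the network, and emits a log record carrying the human principal and the agent acting for them. The PII regexes, the `DESTINATION_POLICY` and `TOOL_SCOPES` tables, the scope names and the sample prompt are all constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed PII detectors for the example; a production runtime layer would use a
# proper classifier, not three regexes.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Assumed policy: for each model destination, which data classifications may be sent
# and whether PII must be redacted first. "external" is a public hosted model,
# "onprem" a model inside the network boundary.
DESTINATION_POLICY = {
    "external": {"allowed": {"public", "internal"}, "redact_pii": True},
    "onprem": {"allowed": {"public", "internal", "confidential"}, "redact_pii": False},
}

# Assumed mapping from Layer 2 scopes (inherited from the enterprise IdP when a human
# delegates to an agent) to the MCP tools the agent may invoke.
TOOL_SCOPES = {
    "crm.read": {"crm_lookup"},
    "crm.write": {"crm_update"},
    "payments.refund": {"issue_refund"},
}


def redact_pii(text):
    """Replace each PII match with a typed placeholder; return (text, findings)."""
    findings = {}
    for name, pattern in PII_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED_{name.upper()}]", text)
        if count:
            findings[name] = count
    return text, findings


def govern_prompt(prompt, principal, agent_id, scopes, classification, destination):
    """Inline decision for one outbound model call. Returns the log record that the
    audit layer would archive; record["outbound"] is what actually leaves the
    network (None when the call is blocked)."""
    rule = DESTINATION_POLICY[destination]
    findings = {}
    if classification not in rule["allowed"]:
        decision, outbound = "block", None
        reason = f"{classification} data may not be sent to {destination}"
    else:
        outbound = prompt
        if rule["redact_pii"]:
            outbound, findings = redact_pii(prompt)
        decision, reason = "allow", "policy satisfied"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "model_call",
        "principal": principal,   # the verified human (Layer 1) as known to the IdP (Layer 2)
        "agent_id": agent_id,     # the agent acting under that human's delegated authority
        "scopes": sorted(scopes),
        "classification": classification,
        "destination": destination,
        "decision": decision,
        "reason": reason,
        "pii_findings": findings,
        "outbound": outbound,
    }


def govern_tool_call(tool, principal, agent_id, scopes):
    """Allow an MCP tool call only if one of the delegated scopes grants that tool."""
    permitted = set().union(*(TOOL_SCOPES.get(s, set()) for s in scopes))
    decision = "allow" if tool in permitted else "block"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "tool_call",
        "principal": principal,
        "agent_id": agent_id,
        "tool": tool,
        "decision": decision,
    }


if __name__ == "__main__":
    # Constructed sample traffic.
    prompt = "Customer Jane Roe, SSN 123-45-6789, email jane@example.com, asks about a refund."
    rec = govern_prompt(prompt, "jane.analyst", "support-agent-7",
                        {"crm.read"}, "internal", "external")
    print(rec["decision"], rec["pii_findings"])
    print(rec["outbound"])
    blocked = govern_prompt("Q3 acquisition target list", "cfo", "finance-agent-2",
                            {"crm.read"}, "confidential", "external")
    print(blocked["decision"], blocked["reason"])
    print(govern_tool_call("issue_refund", "jane.analyst", "support-agent-7",
                           {"crm.read"})["decision"])
```

The record is built whether the call is allowed or blocked, which is the point of the layer: the evidence of what was attempted, by whom, and what was actually sent exists independently of the model provider's own logs.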

The cloud-era analog is the network security stack. Palo Alto, Zscaler, Netskope, Check Point. The category of vendor that decided the network traffic itself was a thing to inspect, not just a thing to route. The same logic applies to the AI traffic. The prompt and the response are the new network packet, and they need an analog at the runtime layer.

Layer 4. Audit and Evidence.

The question this layer answers: can we prove what happened to a regulator?

Cryptographic audit trails. HMAC-chained tamper evidence. RFC 3161 trusted timestamps. WORM-immutable archive with S3 Object Lock or Azure Immutable Blob. AI Bill of Materials per EU AI Act Annex IV. Identity-bound provenance from Layer 1 carried through to evidence packages that regulators can examine.

This is the layer that turns runtime data into compliance posture. Without it, a runtime system produces logs that nobody can defend in an examination. With it, a runtime system produces evidence packages that map to SR 11-7, FINRA 3110, FFIEC, EU AI Act, and HIPAA on demand.
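The HMAC-chained tamper evidence mentioned above, as an added example rather than APERION's Regulatory Examination Suite or any published format: each entry's MAC covers the entry and the previous entry's MAC, so editing, reordering or removing an entry breaks every link after it. The key, the sample runtime records and the `demonstrate` helper are constructed for this example; the RFC 3161 timestamping and WORM archiving of the chain head are noted in comments, not implemented.

```python
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed key for the example. In deployment the MAC key lives in an HSM or KMS
# and is not readable by the process that writes the log, so a writer cannot re-mint
# a valid chain after altering history.
EXAMPLE_KEY = b"example-audit-mac-key"
GENESIS = "0" * 64


def canonical(obj):
    """Deterministic JSON encoding so the MAC covers the same bytes on write and verify."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class ChainedAuditLog:
    """Append-only log where each entry's HMAC covers the entry and the previous MAC."""

    def __init__(self, key):
        self.key = key
        self.entries = []

    def append(self, record):
        prev_mac = self.entries[-1]["mac"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev_mac": prev_mac, "record": record}
        entry["mac"] = hmac.new(self.key, canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        return entry

    def head(self):
        """The MAC that anchors the whole chain. This is the value to submit to an
        RFC 3161 timestamp authority and to copy into a WORM archive, because the
        chain on its own cannot detect a truncated tail (see demonstrate())."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(key, entries):
    """Return (ok, index): ok is True if the chain is intact; otherwise index is the
    first entry at which it breaks (modified, reordered, inserted or removed)."""
    prev_mac = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev_mac") != prev_mac:
            return False, i
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev_mac = entry["mac"]
    return True, len(entries)


def demonstrate(key=EXAMPLE_KEY):
    """Build a small chain from constructed runtime records and show which kinds of
    tampering the chain detects on its own and which need the anchored head."""
    log = ChainedAuditLog(key)
    log.append({"principal": "jane.analyst", "agent_id": "support-agent-7",
                "event": "model_call", "decision": "allow", "pii_findings": {"ssn": 1}})
    log.append({"principal": "jane.analyst", "agent_id": "support-agent-7",
                "event": "tool_call", "tool": "crm_lookup", "decision": "allow"})
    log.append({"principal": "cfo", "agent_id": "finance-agent-2",
                "event": "model_call", "decision": "block"})
    anchored_head = log.head()  # would be timestamped and archived out of band

    edited = deepcopy(log.entries)
    edited[2]["record"]["decision"] = "allow"   # rewrite history: unblock the blocked call

    dropped = deepcopy(log.entries)
    del dropped[1]                              # remove an entry from the middle

    truncated = deepcopy(log.entries)[:2]       # drop the tail; links still verify

    return {
        "intact": verify_chain(key, log.entries),
        "edited": verify_chain(key, edited),
        "dropped": verify_chain(key, dropped),
        "wrong_key": verify_chain(b"not-the-key", log.entries),
        "truncated": verify_chain(key, truncated),
        "truncated_matches_anchor": truncated[-1]["mac"] == anchored_head,
    }


if __name__ == "__main__":
    for name, result in demonstrate().items():
        print(f"{name:>24}: {result}")
```

The truncated case is the one to note: a chain of MACs proves nothing about entries that were never written or were cut from the end, which is why the head must be committed somewhere the log writer cannot alter, a trusted timestamp or an immutable archive, for the evidence to hold up in an examination.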

The workflow plane sits parallel

Workflow agent governance, the category Microsoft Agent 365 and ServiceNow Action Fabric occupy, sits parallel to this stack. Not below it. Not above it. Parallel.

The workflow plane spawns agents, scopes the workflow they run, manages approvals, tracks records of work, audits the playbook decisions the agent made along the way. Everything ServiceNow’s installed base already does for human work, now extended to agent work.

The Trust Fabric composes with both. APERION does not compete on workflow orchestration. The runtime plane and the workflow plane are different categories that both need to exist.

In the cloud era, ServiceNow and Palo Alto Networks were complementary procurement decisions. Both vendors won. Neither replaced the other. The CIO bought ServiceNow. The CISO bought Palo Alto. The board signed off on both.

The same pattern will hold in the AI era. The buyer who needs to govern what work the agent does will buy workflow platforms. The buyer who needs to govern what data the agent sends will buy runtime platforms. The architectural reality says both are required.

Why APERION takes Layers 1, 3, and 4

The Trust Fabric is the architecture. APERION is the company that builds the layers of it that regulated enterprises cannot get from their existing identity stack.

Layer 1 needs biometric verification to defend against AI-era identity attacks. The id.me partnership signed May 13 provides NIST IAL2/AAL2 verification at the source. APERION integrates id.me as the front door of the architecture, not as a replacement for the enterprise IdP at Layer 2.

Layer 3 is the runtime governance layer. SmartFlow is APERION’s enterprise product at this layer. On-premises, Kubernetes-native, inline at every prompt, response, and MCP tool call. The open-source companion at this layer is Shield, the developer-tier MCP runtime governance binary released in May 2026 at github.com/AperionAI/shield.

Layer 4 is the audit and evidence layer. APERION’s Regulatory Examination Suite produces the artifacts that examiners actually request: SR 11-7 model risk packages, FINRA 3110 supervision reports, EU AI Act conformity assessments, FFIEC examination evidence. Identity-bound provenance from Layer 1 flows through Layer 3’s runtime data, into Layer 4’s audit archive, signed and timestamped.

Five patents filed across these layers. Seven months continuous production at a financial services design partner. Acrisure design partner POC begins June 2026. Five Eyes joint advisory recommends exactly this architecture.

The implication for procurement

Enterprise AI procurement now requires two stacks, not one.

The workflow plane is being assembled. Microsoft Agent 365 GA on May 1. ServiceNow Action Fabric GA on May 5. Both incumbents will compete hard for that buyer.

The runtime plane is the open category. The Five Eyes joint advisory (“Careful Adoption of Agentic AI Services,” April 30, 2026) named the runtime controls regulated enterprises need. Six national cyber agencies published a 30-page procurement spec.

If you are a CISO at a regulated enterprise evaluating AI infrastructure in 2026, the question is not which workflow agent platform to buy. That decision will get made and it will be the right one. The question is what to put in the call path between the agent and the model, on your hardware, under your policy, with your audit trail.

That is the runtime plane. That is what the Trust Fabric is.


Read the deep technical companion to this post: SmartFlow Platform Overview. Complete capability map, deployment patterns, identity integration, and reference architectures.

The Five Eyes joint advisory: CISA hosted PDF.

Where APERION sits in the workflow vs runtime split: see the runtime governance product page at aperion.ai/products/smartflow and the open-source Shield repository at github.com/AperionAI/shield.

Craig Alberino
Craig Alberino is the CEO and Founder of LangSmart, which provides Smartflow — the enterprise AI gateway, firewall, and control plane for Fortune 500 companies.