By Dr. Luke Soon · GenesisHumanExperience.com · June 2026
There is a reason we call them operating systems and not operating checklists.
An operating system does not advise the processor. It does not produce a quarterly attestation that memory was, on balance, probably allocated responsibly. It enforces. Ring 0 is not a policy document; it is the place where instructions either execute or they do not, where privilege is granted or denied in nanoseconds, where every system call is mediated by something that cannot be talked out of its job.
Enterprise AI in 2026 has no Ring 0.
What it has instead is a sprawling bazaar of trust utilities — inventory tools, attestation engines, prompt firewalls, observability dashboards, compliance evidence generators — each genuinely useful, each marketed as “AI governance,” and almost none of them capable of stopping an autonomous agent mid-trajectory when it reaches for an action it was never authorised to take. The market is selling user-space applications and calling them the kernel.
I call the architecture we actually need TrustOS: a layered trust operating system for the agentic enterprise, running from the data substrate at the bottom to human flourishing at the top, with — critically — a deterministic enforcement kernel in the middle that does not yet exist as a product anyone can buy.
This piece maps every layer of TrustOS against the vendors who claim to occupy it. It pays particular attention to a development most analysts are underweighting: the data governance incumbents — Databricks, Dataiku, Collibra, Informatica, Microsoft Purview — who spent a decade governing tables and pipelines and are now executing a land grab upward into AI and agentic governance. Their thesis is simple and quietly radical: the company that governs the data already holds the choke point, so the trust kernel should be built where the data lives.
They might be right. Let us walk the stack and find out.
Why an operating system, and not another framework
The field has converged with unusual speed on a shared diagnosis. Singapore IMDA’s Model AI Governance Framework for Agentic AI (January 2026) — the world’s first government-issued agentic framework — MAS’s AI Risk Management Guidelines, GovTech’s ARC framework, the MI9 runtime governance architecture, OWASP’s Agentic AI threats and mitigations work, and a growing body of academic research on runtime governance for agentic systems in financial services all say versions of the same thing:
The risk object has changed. A classical model is a function: input in, output out, validate periodically, monitor in aggregate. An agent is a trajectory: a sequence of reasoning steps, retrievals, tool calls, state changes and approvals unfolding at machine speed. The failures that matter — unsafe tool use, skipped approvals, privacy breaches, silent numeric errors dressed in fluent prose, prompt injection riding in on a retrieved document — are process failures that materialise mid-run. No amount of pre-deployment validation catches a failure that only exists at runtime.
Advisory controls are not controls. Prompt-level guardrails and LLM-as-judge verifiers depend on the probabilistic compliance of the very class of system they are meant to constrain. A verifier that operates in the same semantic space as the agent it polices is structurally blind to precisely the errors it exists to catch: the plausible-but-wrong coverage ratio, the conversational “approval confirmed verbally” that satisfies no recorded approval event. The emerging field consensus is blunt — only controls that can be evaluated deterministically, in bounded time, independent of the language model, count as binding. Everything else is advice, and its residual risk must be owned, not assumed away.
Human review does not scale to machine speed. Humans cannot inspect every step of systems executing thousands of trajectories an hour. Oversight must become conditional and event-driven — designed into policy, triggered by violations — or it becomes theatre. And theatre, as I have argued elsewhere, carries its own HX cost: reviewers reduced to rubber stamps deskill, fatigue, and stop seeing.
If you accept those three propositions, the architectural conclusion follows: trust must be layered, enforced, and continuous — an operating system, not a binder. Here is the stack.
The Seven Layers of TrustOS
L1 — The Data Trust Foundation
What it governs: lineage, classification, access control, quality, and rights over the data that every model and every agent ultimately touches.
Who plays here: Databricks Unity Catalog, Microsoft Purview, Collibra, Alation, Atlan, Informatica (now inside Salesforce), BigID.
This is the oldest and most mature layer, and for years it was treated as plumbing — necessary, dull, beneath the AI conversation. That era is over. The sharpest strategic insight of 2026 is that data governance is becoming the foundation of AI governance, because an agent’s authority is, in the end, mostly a question of what data and tools it can reach. BigID’s trend analysis puts it plainly: governance is shifting to the data layer, agents must be governed as digital identities with defined permissions and audit trails, and most organisations currently have no visibility into which agents exist or what they can access.
The data incumbents heard this, and they moved. More on that land grab below — it deserves its own section.
The gap: L1 governs access, not behaviour. Knowing an agent could read the customer table does not tell you whether the trajectory that read it was policy-conformant.
L2 — Model & Lifecycle Governance
What it governs: the classical MRM estate — model inventory, validation evidence, drift, bias, explainability, documentation, change control.
Who plays here: IBM watsonx.governance (FedRAMP-authorised, strongest inside the IBM stack), Dataiku Govern, ModelOp, Fiddler, Arthur, the model-risk modules of SAS and the cloud hyperscalers.
This layer is where the regulatory muscle memory lives — SR 11-7, PRA SS1/23, OSFI E-23 — and it is precisely the layer the agentic shift strains hardest, because its core assumption (a stable input–output mapping, validated periodically) no longer describes the systems being deployed. The honest framing: L2 remains necessary and is no longer sufficient. McKinsey’s 2026 AI Trust Maturity survey scores the average organisation at 2.3 out of 4; Grant Thornton finds 78% of organisations could not pass a governance audit. The lifecycle layer is not even fully built, and the ground has already moved beneath it.
L3 — Policy, GRC & Compliance Evidence (Observation Governance)
What it governs: AI use-case registries, risk tiering, policy mapping to EU AI Act / NIST AI RMF / ISO 42001, approval workflows, audit evidence.
Who plays here: Credo AI (Forrester Wave leader, Q3 2025; its Agent Registry now tracks agent capabilities and autonomy levels), Holistic AI (deepest on EU AI Act readiness), OneTrust, ServiceNow AI Control Tower (agentic workflow support added May 2026, routing high-risk agent decisions to human reviewers), Trustible, Modulos (the first platform to complete ISO/IEC 42001 product conformity assessment, May 2026), Vanta.
This is the most commercially crowded layer, and the consolidation signal is telling: IBM has embedded Credo AI’s Policy Packs as the content engine inside watsonx.governance’s compliance accelerators — the GRC specialists becoming content libraries for the platform incumbents.
But name this layer honestly: it is Observation Governance. It documents what should happen and attests, after the fact, to what did. It cannot intercept a single tool call. When the EU’s Digital Omnibus agreement of May 2026 pushed Annex III high-risk obligations to December 2027, much of this layer’s urgency narrative deflated overnight — which rather proves the point. A control whose business case rises and falls with a compliance deadline was never a control. It was paperwork with a deadline.
L4 — The Gateway & Guardrails Layer (the enforcement primitives)
What it governs: the chokepoints — every model call, every retrieval, every tool invocation passing through a mediated gateway where policy can be applied before execution.
Who plays here: This is where the landscape gets genuinely interesting, because three tribes are converging on the same territory:
- The data platforms, building up. Databricks’ Unity AI Gateway (April 2026) extends Unity Catalog — the same permissions model that has governed enterprise data since 2021 — to LLM endpoints, MCP servers, tools and agents. Every model call and tool invocation is evaluated against catalogue-defined policies before it executes, and logged after, with on-behalf-of access controls and per-agent cost attribution. Dataiku’s LLM Mesh plays the same role in its estate: a secure gateway routing prompts to approved models, with Guard Services enforcing PII redaction, toxicity screening, cost ceilings and quality evaluation inline, wired back into Dataiku Govern’s registries and sign-off gates.
- The security vendors, building down. Check Point (which acquired Lakera in November 2025), Cisco (Robust Intelligence, 2024), and Palo Alto Networks (Protect AI, folded into Prisma AIRS) now own the AI firewall category — real-time detection of prompt injection, jailbreaks, indirect injection and data leakage at the input/output boundary.
- The open-source primitives. NVIDIA NeMo Guardrails, Guardrails AI, AWS Bedrock Guardrails, and gateway projects like Bifrost.
Two technical shifts at this layer matter enormously for the architecture argument. First, the field has accepted that a credible guardrails platform must cover four placement points — input, output, retrieved content before it enters the prompt, and tool-call arguments before a tool executes. Anything less is a 2023-vintage content filter. Second, the leading platforms now emit OpenTelemetry-compatible spans, so a blocked action lands on the same trace as the model call that provoked it. That is the governance-semantic telemetry substrate the runtime governance literature has been calling for, arriving through the unglamorous door of observability standards.
The gap: gateways enforce at points. They check this call, this argument, this output. What they do not natively hold is the trajectory — the temporal logic that says “no external release may occur unless a recorded approval event precedes it” or “no write action after a sensitive-data flag.” Point enforcement without path enforcement is a lock on every door and no concept of who has been walking through the building.
L5 — Agentic Runtime Governance (Execution Governance) — the unshipped kernel
What it should govern: the execution trajectory itself. Continuous authorisation at every step. Temporal and path conformance checking against codified policy. Drift detection over populations of trajectories — the agent that starts favouring shorter paths, abstaining less, leaning on one retrieval source. Tiered containment: safe mode, tool restriction, human takeover, hard stop. Capability-level abstraction so that validation evidence pools and reuses across every workflow that invokes the same capability, rather than every use case being a bespoke governance project.
Who claims to play here: Zenity — named by Gartner in April 2026 as the “company to beat” in AI agent governance, with intent-aware runtime enforcement, full-lifecycle observability and shadow-agent discovery across Copilot Studio, Agentforce, Bedrock and Azure AI Foundry. Noma Security, GuardionAI and the agent-runtime-security cohort. The hyperscaler runtimes (AWS AgentCore, Azure AI Foundry) with native controls. And, increasingly, the upward-reaching gateways of L4.
Who actually occupies it: nobody, completely. Gartner’s own language gives the game away — the market, it notes, is evolving beyond static policy controls toward continuous monitoring and context-aware, intent-focused runtime enforcement. Evolving toward. The research community has already specified what the destination looks like: governance decisions expressed as deterministic functions over a governed state; workflows formalised as transition systems in which an unauthorised action is not blocked so much as undefined — the release-without-approval transition simply does not exist in the system’s grammar; capability catalogues with pooled evidence; escalation and abstention as distinct, first-class terminal states. Singapore’s IMDA framework, MAS’s guidelines, MI9, ARC and the financial-services runtime governance literature have converged on this shape with striking unanimity.
No vendor sells it. The security players frame the problem as threat detection — necessary, but a burglar alarm is not a constitution. The GRC players frame it as evidence — necessary, but a diary is not a brake. The kernel — deterministic, capability-aware, trajectory-native, MRM-grade — is the largest whitespace in enterprise software, and the August 2026 conversation about Observation versus Execution Governance is really a conversation about whether anyone will build Ring 0 before the first agent-caused loss event builds the business case for them. Gartner already predicts more than 2,000 “death by AI” legal claims by the end of 2026 and that half of agent failures through 2030 will trace to governance gaps, not model defects.
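The two path rules quoted under L4 (no external release without a prior recorded approval event; no write after a sensitive-data flag) and the transition-system shape described under L5 can be sketched in a few lines. This is an added illustration, not code from any vendor, framework or paper cited here; the action names, the state fields and the choice to escalate on an undefined transition are assumptions.

```python
from dataclasses import dataclass, replace
from enum import Enum

class Phase(Enum):
    RUNNING = "running"
    COMPLETED = "completed"
    ABSTAINED = "abstained"   # terminal: the agent declined to act
    ESCALATED = "escalated"   # terminal: handed to a human

@dataclass(frozen=True)
class State:                  # the governed state; field names are assumptions
    phase: Phase = Phase.RUNNING
    approved: bool = False    # a recorded approval event exists
    sensitive: bool = False   # a sensitive-data flag has been raised

# Partial transition function: action -> (guard, update). Where the guard is
# false, or the action is unlisted, the transition is undefined.
TRANSITIONS = {
    "retrieve":         (lambda s: True, lambda s: s),
    "message":          (lambda s: True, lambda s: s),  # free text never sets `approved`
    "flag_sensitive":   (lambda s: True, lambda s: replace(s, sensitive=True)),
    "record_approval":  (lambda s: True, lambda s: replace(s, approved=True)),
    "write":            (lambda s: not s.sensitive, lambda s: s),
    "external_release": (lambda s: s.approved,
                         lambda s: replace(s, phase=Phase.COMPLETED)),
    "abstain":          (lambda s: True, lambda s: replace(s, phase=Phase.ABSTAINED)),
}

def point_check(action):
    """Gateway-style check: looks at one call, with no memory of the path."""
    return action in TRANSITIONS

def step(state, action):
    """Deterministic, constant-time, model-independent. Returns (state, executed)."""
    if state.phase is not Phase.RUNNING:
        return state, False                      # terminal states absorb all actions
    guard, update = TRANSITIONS.get(action, (lambda s: False, None))
    if not guard(state):
        return replace(state, phase=Phase.ESCALATED), False
    return update(state), True

def run(trajectory):
    """Replay a trajectory; return the final phase and the actions that executed."""
    state, executed = State(), []
    for action in trajectory:
        state, ok = step(state, action)
        if ok:
            executed.append(action)
    return state.phase, executed

if __name__ == "__main__":
    # Constructed sample trajectories.
    for t in (["retrieve", "record_approval", "external_release"],
              ["retrieve", "message", "external_release"],
              ["retrieve", "flag_sensitive", "write"],
              ["retrieve", "abstain", "write"]):
        print(t, "->", run(t))
```

The second trajectory is the "approval confirmed verbally" case: the point check passes `external_release` in both runs, but only the run containing a recorded approval event has a defined transition for it.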
L6 — Identity, Oversight & Orchestration Governance
What it governs: agents as first-class identities — credentials, delegation chains, on-behalf-of authority, agent-to-agent trust; plus the human oversight machinery: HITL gates that trigger on risk rather than rubber-stamping everything, escalation routing, rollback.
Who plays here: the identity establishment (Okta, Microsoft Entra, emerging agentic-IAM specialists like Keycard), Zenity again on the identity surface (static, dynamic, tool-based and implicit agent-to-agent identities), and the workflow incumbents (ServiceNow’s Intelligent Approvals).
This layer is where the multi-agent future bites first. KPMG’s pulse data showed agent deployment quadrupling within two quarters of 2025; Gartner’s 2026 CIO survey finds only 17% of organisations have deployed agents but over 60% expect to within two years — the steepest adoption curve of any technology measured. Every one of those agents is an identity, a delegation, a potential cascade. Trust-chain tracking and cross-agent permission inheritance are barely past whiteboard maturity anywhere in the market.
And it is at this layer that the human question stops being an implementation detail. Event-driven oversight is the right architecture — but an oversight function that only ever sees exceptions is an oversight function being slowly trained out of its own judgement. Alert fatigue, automation bias, deskilling: these are not soft concerns to be appended in a final paragraph. They are failure modes of L6, as real as a broken approval gate, and almost no vendor instrument measures them.
L7 — The HX Flourishing Layer
What it should govern: whether the whole stack beneath it is making human life more fully human. Capability-trajectory tracking — are the humans in the loop gaining or losing skill? Relational integrity — where is agent interaction substituting for human connection in ways that degrade wellbeing? Meaningful agency — are the choices surfaced to people genuine, or algorithmically pre-collapsed? Flourishing distribution — PwC’s finding that the top 20% of companies capture 75% of AI’s economic gains is not a market statistic; it is a distribution failure that a complete trust stack would measure.
Who plays here: no one. This is the apex whitespace, and it is the layer that gives the rest of the stack its purpose. A TrustOS that perfectly contains every rogue trajectory while quietly hollowing out the judgement, relationships and agency of the humans it serves has not failed safely. It has failed completely — just without an incident report.
This is the Long-AND, not Short-OR, rendered as architecture: humanity AND the machine, flourishing as a governed, measured property of the system, not a hope expressed in the preamble of a policy document.
The Land Grab: when the data janitors came for the AI throne
Now, to the development I flagged at the outset — because it may decide who ends up owning TrustOS.
For a decade, Databricks, Dataiku, Collibra, Alation and Informatica were filed under “data governance”: catalogues, lineage, stewardship. Worthy. Unfashionable. While the AI governance startups raised rounds on EU AI Act anxiety, the data players were accumulating something more durable — the policy graph of the enterprise. Who can see what. Which table is sensitive. Where the lineage runs. What the access policy actually is, in executable form, not in a PDF.
In April 2026, Databricks showed its hand. Unity Catalog — the permissions model already governing the data estate — was extended into Unity AI Gateway, and the framing was unapologetic: the catalogue that already knows who can access your customer data now also governs which agents can call which tools, and under what conditions, with every interaction evaluated against policy before execution and logged after. For an enterprise whose classifications, ABAC policies and lineage already live in Unity, governing agents becomes incremental effort rather than a greenfield programme. The same RBAC model, the same audit queries, the same policy engine — now mediating agentic traffic, MCP servers and even the coding-agent sprawl of Claude Code and Cursor instances spawning ungoverned OAuth tokens across engineering organisations.
Dataiku ran the same play from the analytics side: the LLM Mesh as governed gateway, Guard Services enforcing cost, safety and quality inline, Govern providing the registries, gates and sign-offs, Agent Hub and Trace Explorer extending it to agent trajectories — a four-pillar architecture (safeguards, explainability, drift, central governance) that, notably, spans my L1 through L4 and reaches credibly toward L5’s observability half.
The strategic logic is the strongest in the market, and it is worth stating baldly:
Enforcement gravitates to the choke point, and the data layer is the choke point. An agent with no ungoverned path to data or tools is an agent whose authority is, in practice, defined by the catalogue. The GRC vendors must describe authority; the data platforms can constitute it. That is a different class of product.
The counterargument — and it is serious — is that the data platforms govern their own estate. The enterprise agent that lives in Copilot Studio, touches Salesforce via Agentforce, and calls a SaaS tool through a vendor’s MCP server crosses three governance domains before lunch. Databricks governs Databricks-mediated traffic superbly; the shadow agent a marketing analyst built in a SaaS tool last Tuesday never enters the gateway at all. This is precisely the seam Zenity’s shadow-discovery positioning exploits, and why the realistic 2026 deployment stitches together a data-platform gateway, a security-layer runtime monitor, and a GRC evidence plane — three vendors, three policy languages, no kernel.
Which is, of course, exactly how computing looked before operating systems: every application managing its own memory, politely.
What the map tells us
Lay the seven layers against the market and three conclusions fall out.
First, the trust stack is being assembled bottom-up and outside-in, but not middle-out. L1 is consolidating around the data platforms. L3 is commoditising into content. L4 is converging via acquisition into the security giants. L5 — the kernel, the deterministic trajectory-enforcement layer that the entire research and regulatory consensus says is the point — remains a specification in search of a product. The most important layer is the least built.
Second, the data incumbents have the strongest claim to the kernel, and the least incentive to admit it is unfinished. Unity AI Gateway and the LLM Mesh are the closest shipping artefacts to Execution Governance — but point-in-time policy checks at a gateway are not temporal conformance over trajectories, and pooled capability evidence with tier-based containment exists in no product datasheet I can find. The gap between “every call is checked” and “every path is governed” is exactly the gap between a firewall and an operating system.
Third, the top of the stack is empty, and that emptiness is a choice. Nothing in the architecture of L7 is technically harder than L5 — capability-trajectory tracking is an evaluation problem, flourishing distribution is a measurement problem. It is unbuilt because no procurement category demands it yet. The first vendor — or the first regulator — to make human flourishing a measured property of an agentic deployment will not be adding a feature. They will be completing the operating system.
The agentic era will be governed. The only questions are at which layer, by whom, and whether the humans inside the system are treated as components to be routed around — or as the reason the kernel exists at all.
Long-AND, not Short-OR. Build the whole stack.
Sources and further reading: Singapore IMDA Model AI Governance Framework for Agentic AI (Jan 2026) · MAS AI Risk Management Guidelines · MI9 Integrated Runtime Governance Framework · GovTech ARC Framework · OWASP Agentic AI Threats & Mitigations · Szpruch, Sudjianto, Bhatti & Ang, Scalable Runtime Governance for Agentic AI in Financial Services (SSRN 6567199, Apr 2026) · Gartner Hype Cycle for Agentic AI 2026; Gartner Market Guide for AI Governance Platforms; Gartner AI Agent Governance assessment (Apr 2026) · Forrester Wave: AI Governance (Q3 2025) · Databricks Unity AI Gateway announcements (Apr 2026) · Dataiku LLM Mesh, Guard Services & Govern documentation · McKinsey AI Trust Maturity Survey 2026 · KPMG AI Quarterly Pulse · Grant Thornton governance audit research · PwC AI Performance Study 2026 · EU Digital Omnibus on AI, provisional agreement (May 2026).

