12 APRIL 2026 · ANALYSIS

Governance for the agents you can't watch

Per-tool permissions are a nice feature for coding assistants. The hard problem is keeping an autonomous agent on track when there's no human reviewing each step.

This week, Claude Code added per-tool permission rules: allow, ask, deny. It's a good feature for a human-in-the-loop product. It's also not governance.

Coding assistants have a developer sitting at the keyboard. The developer reads the suggestion, clicks approve, catches the weird idea before it ships. Permissions are a safety net under someone who's already watching.

Autonomous agents are the hard problem.

A trading agent placing orders. A customer-service agent responding to a user. A compliance agent generating filings. An ops agent restarting services. A research agent pulling from internal sources. None of these have a developer reviewing each tool call. They act, they report, and by the time anyone notices, the money has moved or the email has gone out.

That's the space that actually needs governance. And governance for that space is not pattern matching.

Pattern matching is commodity

Allow, ask, deny based on strings is a weekend project. Any regex library ships it. Anthropic shipped it this week. Guardrails AI has had it for a year. It is table stakes, and it does not solve the hard problem.

The hard problem is: an autonomous agent just said it's about to transfer funds. The user mentioned that option three messages ago, in a discussion. Did the user authorise this? What did you decide last time in a similar situation? Does this violate the standing rule the user set yesterday?

You cannot answer any of those with a regex.

L2 is the moat

L2 is a reasoning layer. When a deterministic rule flags a tool call as "needs review", an external LLM is invoked on that call.

It returns a structured verdict, allow or deny, with the reasoning behind it. It can detect that the user asked a question rather than giving an instruction. It can detect that the agent is using a custom tool instead of the one the user named. It can detect that the "standing permission" the agent is claiming was never actually granted.

Three L2 modes handle three failure classes: command safety, intent verification, instruction alignment. Each targets a specific way autonomous agents go wrong.

Anthropic cannot easily ship this inside Claude Code. To do it, they would have to invoke a second model (Haiku or Sonnet) on every ambiguous tool call, with a second prompt, a second billing line, and a second agent inside the agent. That is eighteen months of architectural work that changes their cost structure.

A subscriber on a bus does this naturally. That is what HookBus is.

Why the bus

Autonomous agents come from everywhere: Claude Code, Amp, Cursor, Slack bots, WhatsApp handlers, voice agents, trading systems, custom in-house tools. They can all be normalised to the same lifecycle events: UserPromptSubmit, PreToolUse, PostToolUse, SessionEnd.

A universal lifecycle bus lets one governance layer cover every one of them. Subscribers plug in: L1 deterministic matching, L2 contextual reasoning, DLP filter, knowledge injector, session memory, auditor, domain adapters. Write policy once; it governs everything.

When a new agent joins the estate, it subscribes. It gets the same governance the other forty agents got, for free.
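The two-layer subscriber described above (L1 string rules, L2 contextual reasoning with session memory) on a minimal lifecycle bus, as an added illustration. This is not HookBus code and not Anthropic's; the event shape, the rule table and the verdict schema are assumptions made here. The external model is replaced by a stand-in `stub_judge` that reproduces only the three checks the text names (question vs. instruction, a tool the user never named, a standing rule), so the pipeline runs offline; the session transcript is constructed sample input.

```python
# Added illustration, not HookBus code: one governance subscriber on a lifecycle bus.
# L1 = string rules, L2 = contextual check over session memory, audit trail, fail-closed.
from dataclasses import dataclass, field
import fnmatch
import json

@dataclass
class Event:
    kind: str          # UserPromptSubmit | PreToolUse | PostToolUse | SessionEnd
    session: str
    text: str = ""     # prompt text (UserPromptSubmit)
    tool: str = ""     # tool name (PreToolUse / PostToolUse)
    args: dict = field(default_factory=dict)

@dataclass
class Verdict:
    decision: str      # "allow" | "deny"
    layer: str         # "L1" | "L2"
    reason: str

# L1: string rules on the tool name, first match wins; "ask" hands the call to L2.
L1_RULES = [("allow", "read_*"), ("deny", "drop_*"), ("ask", "transfer_*")]

def l1_match(tool, default="ask"):
    for decision, pattern in L1_RULES:
        if fnmatch.fnmatchcase(tool, pattern):
            return decision, pattern
    return default, "<default>"

def stub_judge(ctx):
    """Stand-in for the external model (assumed: a real L2 sends ctx to an LLM and parses a
    structured verdict back). Reproduces only the three checks named in the text."""
    tool = ctx["call"]["tool"]
    for rule in ctx["standing_rules"]:        # rule the user set earlier in the session
        if tool in rule:
            return Verdict("deny", "L2", f"blocked by standing rule {rule!r}")
    mentions = [m for m in ctx["transcript"] if tool in m]
    if not mentions:                          # agent chose a tool the user never named
        return Verdict("deny", "L2", f"user never named {tool!r}; no grant on record")
    last = mentions[-1].strip()
    if last.endswith("?"):                    # a question is not an instruction
        return Verdict("deny", "L2", f"question, not instruction: {last!r}")
    return Verdict("allow", "L2", f"explicit instruction on record: {last!r}")

class Governance:
    """Bus subscriber: L1 on every PreToolUse, L2 only when L1 says 'ask'."""
    def __init__(self, judge=stub_judge):
        self.judge, self.memory, self.audit = judge, {}, []

    def on_event(self, ev):
        mem = self.memory.setdefault(ev.session, {"transcript": [], "standing_rules": [], "verdicts": []})
        if ev.kind == "UserPromptSubmit":     # session memory: prompts, and "rule:" lines
            mem["standing_rules" if ev.text.lower().startswith("rule:") else "transcript"].append(ev.text)
        if ev.kind == "SessionEnd":
            self.memory.pop(ev.session, None)
        if ev.kind != "PreToolUse":
            return None
        decision, pattern = l1_match(ev.tool)
        if decision != "ask":
            v = Verdict(decision, "L1", f"rule {decision} {pattern!r}")
        else:
            try:
                v = self.judge({"call": {"tool": ev.tool, "args": ev.args}, **mem})
                if v.decision not in ("allow", "deny"):
                    raise ValueError(f"malformed verdict {v.decision!r}")
            except Exception as e:            # judge down or malformed: fail closed
                v = Verdict("deny", "L2", f"judge unavailable, fail closed: {e}")
        mem["verdicts"].append({"tool": ev.tool, "decision": v.decision})
        self.audit.append(json.dumps({"session": ev.session, "tool": ev.tool, "layer": v.layer,
                                      "decision": v.decision, "reason": v.reason}))
        return v

class Bus:
    """Minimal lifecycle bus: every subscriber sees every event; any deny wins."""
    def __init__(self):
        self.subscribers = []

    def publish(self, ev):
        verdicts = [v for v in (s(ev) for s in self.subscribers) if v is not None]
        return next((v for v in verdicts if v.decision == "deny"), verdicts[0] if verdicts else None)

def demo():
    """Constructed session (sample input, not real traffic) exercising each path."""
    bus, gov, s = Bus(), Governance(), "sess-1"
    bus.subscribers.append(gov.on_event)
    prompt = lambda t: bus.publish(Event("UserPromptSubmit", s, text=t))
    call = lambda tool, **a: bus.publish(Event("PreToolUse", s, tool=tool, args=a))
    out = {}
    prompt("could we transfer_funds to ACME to settle this?")
    out["read"] = call("read_ledger")                         # L1 allow, L2 never invoked
    out["question"] = call("transfer_funds", to="ACME")       # L2 deny: question, not instruction
    prompt("yes, transfer_funds to ACME now")
    out["instruction"] = call("transfer_funds", to="ACME")    # L2 allow: explicit instruction
    out["custom_tool"] = call("transfer_via_payout_api")      # L2 deny: tool the user never named
    prompt("rule: no more transfer_funds this session")
    out["standing_rule"] = call("transfer_funds", to="ACME")  # L2 deny: standing rule
    out["drop"] = call("drop_table")                          # L1 deny, L2 never invoked
    bus.publish(Event("SessionEnd", s))
    return out

def demo_fail_closed():
    """A judge that raises (timeout, bad JSON) must yield deny, never allow."""
    def broken_judge(ctx):
        raise RuntimeError("judge timeout")
    return Governance(judge=broken_judge).on_event(Event("PreToolUse", "sess-2", tool="transfer_funds"))
```

Two design points matter more than the heuristics in `stub_judge`. First, L2 is only reached when L1 says "ask", so the second model call (and its bill) is paid on ambiguous calls, not on every one. Second, the governance subscriber fails closed: a judge that times out or returns a malformed verdict produces a deny with the error in the audit record, because an autonomous agent with no reviewer must never fall through to allow.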

Three independent signals

Microsoft AGT shipped a SemanticPolicyEngine in March. Anthropic shipped per-tool permissions this week. We filed a UK patent (GB2604445.3) on the two-layer external architecture in March, before any of this was public.

Three teams, same underlying problem. Only the bus-based approach scales beyond one vendor.

Pattern matching is a feature. L2 reasoning with memory, across every agent in your estate, is a product. One is a weekend project. The other is the only thing that keeps an autonomous agent on track when nobody is looking.

What to do now

If your users are developers running Claude Code: allow / ask / deny is fine. Turn it on.

If your business is running autonomous agents, or will be within twelve months: a permission file in a product is not your governance layer. The bus is. And the bus without L2 is just allow / deny in a different shirt.
