- -The core failure is timing. If policy runs after execution, you are already in incident response mode.
- -Most top-ranking governance articles explain principles but skip runtime defaults, retry behavior, and failure semantics.
- -Pre-dispatch governance needs a typed decision contract, not best-effort prompt checks.
- -CordClaw provides the OpenClaw enforcement point: plugin -> local daemon -> Safety Kernel.
- -Sandboxing, in-context rules, and post-hoc checks each help, but none replace policy-before-execution.
The problem: post-hoc controls are late by design
Agent incidents usually do not start as model-quality issues. They start as action-control issues. A tool call runs with the wrong scope. A production write is executed without approval. A risky command is allowed because no deterministic gate exists before execution.
Post-hoc monitoring can detect that failure. It can page on-call. It can produce a strong incident report. It cannot reverse a side effect that already ran.
That is why pre-dispatch governance exists. It puts an enforceable decision boundary before execution so the control point can block, gate, or constrain an action while there is still something to prevent.
Research baseline: top-ranking guides and the implementation gap
On April 1, 2026, I reviewed high-ranking resources for AI agent governance to identify common guidance and missing implementation details. Rankings change by region and time, but the recurring gap is stable.
| Source | What it covers well | What is still missing |
|---|---|---|
| Palo Alto Networks - A Complete Guide to Agentic AI Governance | Strong risk framing, accountability model, and lifecycle governance scope. | No concrete dispatch contract for fail mode, retries, policy timeouts, or approval replay behavior under load. |
| MindStudio - AI Agent Governance: Best Practices for Enterprise | Useful enterprise checklist: identity, oversight tiers, monitoring, and emergency controls. | Limited detail on out-of-process enforcement architecture or exact pre-execution decision wiring. |
| Traefik - Why Agent Governance Must Live Outside the Runtime | Clear argument for independent trust boundaries and runtime compromise assumptions. | Little implementation detail for approval state machines, policy evidence schema, and retry semantics. |
This guide focuses on that missing implementation layer: decision contracts, out-of-process enforcement, fail-mode defaults, and operation-ready rollout patterns.
Definition: what pre-dispatch governance actually means
Pre-dispatch governance means every proposed action is evaluated against policy before state mutation and before tool execution. The policy engine returns a typed decision. Execution behavior is then deterministic.
| Decision | Execution behavior | Operator objective |
|---|---|---|
| ALLOW | Action executes normally. | Keep low-risk throughput high. |
| DENY | Action is blocked before execution. | Stop known-bad patterns early. |
| REQUIRE_APPROVAL | Action enters explicit approval queue; no dispatch until approved. | Add human gate on high-risk actions. |
| THROTTLE | Action is deferred or rejected with back-pressure semantics. | Protect systems during overload or abuse. |
| ALLOW_WITH_CONSTRAINTS | Action executes with strict limits (scope, budget, tools). | Permit useful work while shrinking blast radius. |
The contract is typed, not implied
If the policy input is vague, the outcome will be inconsistent. You need explicit action metadata: topic, capability, actor identity, risk tags, labels, and tenant scope.
{
"job_id": "run_42:infra_apply@1",
"tenant_id": "default",
"topic": "job.infra.apply",
"capability": "infra.mutate",
"risk_tags": ["production", "write", "irreversible"],
"labels": {
"environment": "production",
"service": "billing"
}
}Reference architecture: where the enforcement point lives
A practical control boundary for OpenClaw security looks like this: the plugin intercepts actions, forwards metadata to a local daemon, and the daemon calls the policy engine out of process.
How this maps to Cordum and CordClaw
Cordum enforces policy in two places. The gateway performs submit-time checks before persistence and bus publish. The scheduler performs pre-dispatch checks before worker execution.
CordClaw applies the same principle to OpenClaw tool execution. A TypeScript plugin intercepts action hooks, sends structured metadata to a local Go daemon, and the daemon evaluates policy through the Safety Kernel. Decision enforcement is outside the model runtime.
This is the operational point: model reasoning can be manipulated. The external enforcement boundary should not be.
Choosing deployment scope: local guardrail or full control plane
Teams often start with local OpenClaw security and later expand to organization-wide governance. Both paths are valid. The wrong move is forcing full centralization before proving that policy-before-execution improves safety outcomes in day-to-day workflows.
| Path | When to choose it | Main benefit | Main limitation |
|---|---|---|---|
| CordClaw standalone | Single team or pilot phase needs fast OpenClaw pre-dispatch enforcement. | Fast install path and local deterministic checks. | No centralized multi-team operations view. |
| CordClaw + Cordum control plane | Multiple teams need shared governance, approvals, and audit operations. | Centralized policy lifecycle, approval routing, and run evidence at scale. | Higher platform footprint than local-only mode. |
The practical strategy is staged adoption: prove pre-dispatch policy outcomes locally, then move to a shared control plane when approval volume, audit demand, or cross-team policy reuse becomes painful.
Runtime defaults that matter
Governance programs usually fail on defaults, not on principles. These implementation defaults drive real behavior during incident conditions.
| Control | Value | Source | Why this matters |
|---|---|---|---|
| Scheduler safety timeout | 2 seconds | Cordum scheduler internals | Bounds policy latency in the dispatch hot path. |
| Safety circuit open threshold | 3 consecutive failures | Cordum scheduler internals | Prevents cascading failures against degraded Safety Kernel. |
| Safety circuit open duration | 30 seconds | Cordum scheduler internals | Creates recovery window before half-open probes. |
| Dispatch retry ceiling | 50 attempts, 1s-30s backoff | Cordum scheduler internals | Avoids infinite retry loops while preserving transient recovery. |
| Gateway submit-time fail mode | `GATEWAY_POLICY_FAIL_MODE=closed` by default | Cordum Safety Kernel reference | Prevents accidental bypass when policy backend is unavailable. |
Timing model: where prevention actually happens
The biggest confusion in agent safety is mixing up detection timing and prevention timing. Detection can be excellent and still be late. Pre-dispatch governance shifts control earlier in the lifecycle.
| Lifecycle step | Pre-dispatch model | Post-hoc-only model |
|---|---|---|
| Action proposal | Agent emits structured action metadata. | Agent executes action first. |
| Policy evaluation | Safety decision happens before any side effect. | No blocking decision exists at action time. |
| Approval gate | High-risk action is held in approval state until approved. | Approval becomes retroactive sign-off after execution. |
| System mutation | Only allowed or constrained actions can mutate systems. | Mutation already happened before oversight can react. |
| Detection | Monitoring confirms policy worked and captures trace. | Monitoring discovers incident and begins containment. |
| Recovery | Mostly policy tuning and replay validation. | Rollback, forensic triage, and possible customer impact handling. |
This is why security teams often describe pre-dispatch governance as moving from forensic control to operational control. You still investigate incidents, but fewer incidents begin with unrestricted execution.
A useful rule during design reviews: if a control cannot stop a risky action before it touches external state, classify it as detective, not preventive. Detective controls are still required. They are not a substitute for pre-dispatch policy enforcement when side effects are expensive or irreversible.
Fail-open vs fail-closed: choose your risk, do not inherit it
A production governance design must define behavior for policy dependency outages. If this is not explicit, the runtime will still choose for you, usually in the worst moment.
| Mode | Behavior under outage | Recommended usage | Operational risk |
|---|---|---|---|
| Fail closed | Reject or requeue actions when Safety Kernel is unavailable. | Production and regulated environments. | Availability impact during dependency outage. |
| Fail open | Allow actions when policy dependency is unavailable. | Low-risk non-production environments with clear guardrails. | Bypasses policy decisions exactly when controls are degraded. |
For most teams, production should be fail closed. If uptime pressure forces a temporary fail-open mode, treat it as an incident state with explicit alerts, narrowed scope, and an expiration window.
Evidence model: what to log so you can prove control
Governance without evidence is policy theater. Every pre-dispatch decision should produce a compact record tied to execution trace and policy snapshot.
{
"job_id": "run_42:infra_apply@1",
"decision": "REQUIRE_APPROVAL",
"rule_id": "require-approval-prod-write",
"policy_snapshot": "sha256:8d1f...",
"approval_ref": "run_42:infra_apply@1",
"actor_id": "svc-agent-prod",
"trace_id": "trace_01HZZ...",
"created_at": "2026-04-01T10:22:14Z"
}This single record is enough to answer four audit questions fast: who initiated the action, what rule matched, which policy version decided, and where in the run timeline the decision happened.
Why post-hoc monitoring fails as the primary safety layer
Monitoring is still required. You need it for detection, triage, and learning. It is just the wrong primary layer for preventing high-impact actions.
| Failure situation | Post-hoc result | Pre-dispatch result |
|---|---|---|
| Destructive command was allowed | Alert arrives after command execution. | Command is denied or approval-gated before run. |
| Agent writes to production resource | You can log and roll back later, if rollback exists. | Policy blocks write unless explicit production approval is present. |
| Credential leak in generated output | Output can be quarantined, but execution already happened. | Pre-dispatch limits reduce risky actions; output safety still catches leaked content. |
| Safety dependency outage | Monitoring stays alive but cannot prevent side effects. | Fail mode is explicit (`open` or `closed`) with measurable risk tradeoff. |
The short version: post-hoc is forensic control. Pre-dispatch is preventive control. Use both, but do not pretend they solve the same timing window.
Pre-dispatch vs sandboxing vs in-context rules
Teams often ask whether one layer can replace the others. It cannot. Each layer handles a different class of failure.
| Layer | Enforcement point | Primary strength | Primary gap |
|---|---|---|---|
| In-context rules | Inside model prompt/context | Low friction | Can be overridden or ignored by adversarial instructions. |
| Runtime sandboxing | OS/runtime boundary | Strong technical isolation | Does not decide if a permitted action is appropriate business behavior. |
| Pre-dispatch governance | Control plane before execution | Deterministic policy decision before side effects | Adds policy latency and requires careful fail-mode design. |
| Post-hoc monitoring | After execution | Great for forensics and detection | Cannot prevent already executed side effects. |
Working implementation examples
1) Policy-as-code for deny, approval, and constrained allow
version: v1
default_decision: deny
rules:
- id: deny-destructive-shell
match:
topics: ["job.openclaw.exec"]
labels:
command_class: destructive
decision: deny
reason: "Destructive shell commands are blocked by default"
- id: require-approval-prod-write
match:
risk_tags: ["production", "write"]
decision: require_approval
reason: "Production write actions require explicit human approval"
- id: constrain-package-install
match:
topics: ["job.openclaw.exec"]
labels:
command_class: package_install
decision: allow_with_constraints
constraints:
budgets:
max_runtime_ms: 15000
max_retries: 12) OpenClaw interception path (plugin shape)
// OpenClaw plugin hook (shape)
export async function before_tool_execution(ctx: ToolExecutionContext) {
const request = {
job_id: ctx.actionId,
topic: `job.openclaw.${ctx.toolName}`,
capability: ctx.capability,
risk_tags: ctx.riskTags,
labels: ctx.labels,
};
const response = await fetch("http://127.0.0.1:19090/check", {
method: "POST",
headers: { "content-type": "application/json" },
body: JSON.stringify(request),
}).then((r) => r.json());
if (response.decision === "DENY") {
throw new Error(response.reason ?? "Blocked by policy");
}
if (response.decision === "REQUIRE_HUMAN") {
return { blocked: true, approvalRef: response.approval_ref };
}
return { allowed: true, constraints: response.constraints };
}3) Validate policy behavior without executing risky actions
# Validate governance path without executing risky actions openclaw cordclaw status openclaw cordclaw simulate --tool exec --command "echo hello" openclaw cordclaw simulate --tool exec --command "rm -rf /"
4) Set fail modes explicitly by environment
# Gateway submit-time policy fallback (default: closed) GATEWAY_POLICY_FAIL_MODE=closed # Scheduler pre-dispatch policy fallback (default: closed) POLICY_CHECK_FAIL_MODE=closed
Common rollout mistakes (and faster fixes)
Most governance rollouts fail for operational reasons, not because policy engines are unavailable. These are the issues that repeatedly stall teams in production adoption.
| Mistake | Fix |
|---|---|
| Treating prompts as policy enforcement | Move critical decisions to an external policy engine. |
| Adding only output filters | Keep output safety, but place deny and approval controls pre-dispatch. |
| No explicit fail mode | Set and document fail mode by environment before rollout. |
| No typed action metadata | Define topic, capability, actor, and risk tags as required fields. |
| Approval without replay checks | Bind approval to job hash and policy snapshot before dispatch. |
| No evidence schema | Persist decision, rule ID, snapshot, and run linkage for every action. |
The practical shortcut is to enforce one high-risk action family end to end first. Teams that start with a broad all-action policy set usually drown in false positives and approval queue noise.
Operational metrics to track from day one
You cannot run governance by opinion. Measure it like any other production control path.
| Metric | Practical target | Reason |
|---|---|---|
| Policy check latency p95 | < 100 ms in production | Pre-dispatch only works if teams keep it on the hot path. |
| Approval queue latency p95 | < 5 minutes for high-risk actions | Long queues drive teams to unsafe bypasses. |
| Fail-open events | 0 in production | Each event means policy was bypassed during safety unavailability. |
| Denied action precision | < 5% false positives | Too many false positives cause policy-disable pressure. |
| Replay completeness | 100% decision-to-run traceability | Compliance and incident response depend on full evidence chains. |
Limitations and tradeoffs
- Every policy check adds latency. Keep checks bounded and cached where safe.
- Approval-heavy designs create queue drag. Risk-tier aggressively to avoid reviewer fatigue.
- Fail-open modes preserve throughput but reduce safety guarantees during outages.
- Structured pre-dispatch policy is strong for action envelopes, weaker for hidden intent in freeform content. Pair it with output scanning.
- Good policies still need operational ownership. Without on-call runbooks, governance devolves into stale YAML files.
30-day rollout plan for production teams
| Week | Goal | Deliverable |
|---|---|---|
| Week 1 | Map high-risk actions | Inventory tool calls by risk tag and irreversible side effects. |
| Week 2 | Enforce first deny + approval rules | Deny destructive defaults, require approval for production writes. |
| Week 3 | Wire evidence and runbook | Decision logs tied to run IDs, operator playbook for approvals and overrides. |
| Week 4 | Chaos-test failure modes | Simulate Safety Kernel outage and validate fail-mode behavior by environment. |
Next step
Ship one irreversible action family behind pre-dispatch governance this week:
- Choose a high-impact action (for example production infra mutation).
- Set default decision to deny, then add explicit approval and constraint exceptions.
- Run simulation commands and chaos-test safety unavailability behavior before broad rollout.
Continue with pre-dispatch vs post-hoc timing patterns and how to add governance to OpenClaw.