The rapid proliferation of “AI governance” solutions has created a structural conflation between compliance instrumentation and runtime governance. Many contemporary systems embed explainability artifacts, monitoring dashboards, drift detection, and cryptographic signing into development pipelines, improving audit readiness and regulatory traceability. However, these systems frequently do not enforce policy at the point of execution. This paper introduces a formal doctrinal framework that distinguishes: • Evidence-routing compliance systems (observability architectures that document and monitor AI behavior), and• Authorization governance substrates (runtime enforcement architectures that prevent unauthorized actions before execution). The paper formalizes the distinction along five doctrinal axes (enforcement locus, signature semantics, failure behavior, bypass resistance, and override governance) and introduces a six-criterion Enforcement Test Protocol that yields a binary classification: authorization governance present or absent. Fail-closed semantics are explicit: DENY blocks a requested action as impermissible, and ABSTAIN blocks execution pending authorized human override when evidence is missing, evaluation fails, or policy application is ambiguous. Through a running example in automated loan decisioning and analysis under the EU AI Act, GDPR Article 22, and the evolving U.S. federal AI policy landscape, the paper demonstrates that documentation volume does not equal enforceability. Systems that log, sign, and monitor may still fail open when governance conditions fail. The central thesis is architectural and testable: Governance without enforceability is advisory. The paper concludes with an integration doctrine: observability and authorization are complementary layers. Audit instrumentation improves traceability; authorization substrates prevent harm. Neither substitutes for the other. This working paper contributes a publicly usable evaluation protocol intended for enterprise buyers, regulators, auditors, and researchers seeking clear criteria for distinguishing monitoring-based governance claims from enforcement architectures. Version 1.1.0 (July 2026): updates U.S. federal policy references following the rescission of Executive Order 14110; migrates the standard citation to the Five Tests Standard (5TS) v1.2.0; clarifies fail-closed verdict semantics, with missing evidence and evaluation failure resolving to ABSTAIN; adds Enforcement Test Protocol scope notes on implementation tier and input integrity. The framework, taxonomy, and test criteria are unchanged from v1.0.
Edward Meyman (Mon,) studied this question.