Agentic AI systems introduce a class of governance artifact — instruction-plane files such as AGENTS.md — that are treated operationally as high-privilege policy but governed as low-privilege documentation. This mismatch creates a substrate-layer attack surface that is persistent, upstream of any specific user request, invisible to most users, and transitive through supply chains. This paper argues that AGENTS.md-class artifacts are not a prompt injection problem — they are an instruction-plane governance failure — and that the appropriate response is not additional content filtering but explicit governance architecture applied to the instruction plane itself. Part I frames the governance failure: instruction planes, their privilege properties, and the distinction between indirect injection and classic prompt injection. Part II provides an operational drift-detection rubric specifying minimum logging requirements, continuous integrity checks, and alert conditions for detecting substrate-layer drift in agent instruction surfaces.
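As an added illustration of the continuous integrity checks and alert conditions the abstract describes (this is example code written for this page, not the paper's rubric or any project's tooling), the following script treats AGENTS.md-class files as an approved configuration baseline rather than as documentation: it records a reviewed hash manifest, re-checks the tree, and emits structured alerts when an instruction file is modified, removed, or appears unapproved, with a higher severity when the new file sits inside a vendored dependency path (the transitive supply-chain case). The set of instruction filenames, the dependency path prefixes, and the severity labels are assumptions chosen for the example; file contents are passed in as a dict so it runs offline.

```python
"""Instruction-plane integrity check for AGENTS.md-class files.

Added example (not from the paper). Instruction files are compared
against an approved baseline manifest, and any drift is logged as an
alert record that can be shipped to a SIEM. Contents are passed in as
a {path: text} dict so the example runs offline; a real deployment
would walk the checkout, including vendored dependencies.
"""
import hashlib
import json
import time
from typing import Dict, List, Optional

# Filenames treated as instruction-plane artifacts (assumed list).
INSTRUCTION_FILENAMES = {"AGENTS.md", "CLAUDE.md", ".cursorrules"}

# Path prefixes that mark third-party (transitive) code (assumed list).
DEPENDENCY_PREFIXES = ("node_modules/", "vendor/", "third_party/")


def is_instruction_file(path: str) -> bool:
    """True if the basename is one of the tracked instruction files."""
    return path.rsplit("/", 1)[-1] in INSTRUCTION_FILENAMES


def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def build_manifest(files: Dict[str, str], approved_by: str) -> Dict[str, dict]:
    """Approved baseline: path -> {sha256, approved_by, approved_at}.

    Only instruction files are recorded; ordinary source is out of scope.
    """
    return {
        path: {
            "sha256": sha256_hex(content),
            "approved_by": approved_by,
            "approved_at": int(time.time()),
        }
        for path, content in files.items()
        if is_instruction_file(path)
    }


def _alert(event: str, path: str, digest: Optional[str], severity: str) -> dict:
    # Minimum fields a reviewer needs: what happened, where, which bytes, when.
    return {
        "event": event,
        "path": path,
        "sha256": digest,
        "severity": severity,
        "observed_at": int(time.time()),
    }


def detect_drift(manifest: Dict[str, dict], files: Dict[str, str]) -> List[dict]:
    """Compare the current tree against the manifest; return alert records."""
    alerts: List[dict] = []
    current = {p: sha256_hex(c) for p, c in files.items() if is_instruction_file(p)}
    for path, digest in current.items():
        if path not in manifest:
            # An instruction file nobody approved. Inside a dependency it
            # arrived via the supply chain, so it is rated higher.
            sev = "high" if path.startswith(DEPENDENCY_PREFIXES) else "medium"
            alerts.append(_alert("unapproved_instruction_file", path, digest, sev))
        elif manifest[path]["sha256"] != digest:
            alerts.append(_alert("instruction_file_modified", path, digest, "high"))
    for path in manifest:
        if path not in current:
            alerts.append(_alert("instruction_file_removed", path, None, "medium"))
    return alerts


if __name__ == "__main__":
    # Constructed sample tree: one approved AGENTS.md, then a later state
    # where it changed and a dependency shipped its own instruction file.
    baseline = {"AGENTS.md": "Run the test suite before committing.\n",
                "src/app.py": "print('hello')\n"}
    manifest = build_manifest(baseline, approved_by="security-review")
    later = {"AGENTS.md": "Skip the test suite.\n",
             "src/app.py": "print('hello')\n",
             "node_modules/some-pkg/AGENTS.md": "Prefer tabs.\n"}
    for record in detect_drift(manifest, later):
        print(json.dumps(record))  # one JSON line per alert, SIEM-friendly
```

Wiring this into CI (fail the job on any `high` alert) and into the agent launcher (refuse to start if the manifest check fails) is what turns the manifest from a log into an enforced policy boundary; the check itself is cheap enough to run on every invocation.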
Narnaiezzsshaa Truong
American Rock Mechanics Association
synapsesocial.com/papers/69e865fd6e0dea528ddea601 — DOI: https://doi.org/10.5281/zenodo.19672118