The Advisory Layer Is Not a Governance Layer: Credential-Plane Exposure in Agentic AI Deployments

Agentic AI deployments have produced a widespread architectural error: the conflation of advisory layers with governance layers. Skills files, system prompts, tool schemas, and settings configurations describe intended behavior to a model that attempts to follow them. They do not constrain execution at the credential plane. The credential is what grants execution authority—and credentials do not read system prompts. The gap between the advisory layer and the execution layer is therefore a structural exposure: an agent operating in perfect compliance with its instructions can still execute a destructive, unauthorized, or ungoverned action if the underlying credential permits it and no substrate-layer control exists to intercept. This paper names the error, maps its observable failure modes, and positions substrate-layer governance as the correct intervention point. It draws on the Substrate-Layer Threat Model (SLTM, DOI: 10.5281/zenodo.19740686) and its APR-Series instantiation, the Substrate-Native Threat Model (SNTM, DOI: 10.5281/zenodo.19741264), to characterize the exposure class and describe the conditions under which it is governable.