GOVERNANCE AT THE SUBSTRATE LAYER Why Category-Bound Standards Cannot Govern Agentic AI—and the Case for APR-Series

Agentic AI systems have outgrown the governance assumptions embedded in today’s global standards ecosystem. ISO/IEC 42001, 27001, NIST AI RMF, OWASP AI Exchange, the Machinery Regulation, and the Medical Devices Regulation all rely on a category-bound governance model designed for deterministic, human-defined workflows. Agentic AI does not operate within those constraints. It composes workflows, reframes goals, narrows context, and evolves behabior across time. Category governance cannot govern what it cannot represent. This whitepaper demonstrates why existing standards cannot map to agentic risk, how the Digital Omnibus formalized governance fragmentation, why governance coverage is now a political variable, and how APR-Series provides the substrate-level invariants required to restore coherence. Category governance cannot survive agentic autonomy. Only substrate governance can.