The first three dispatches each read a single instrument and found the same shape at its edge. Compression Debt found it in a standard’s requirement; The Certification Boundary found it in the certificate; The Audit Substrate found it in what an audit can observe. Three instruments, three edges, one direction: each pointed past conformance toward something runtime, behavioral, and structural that the instrument itself could not reach.
This dispatch steps back from the single instrument to the field. The same direction the prior dispatches found at three edges is visible across the whole landscape of bodies working the problem — standards authors, regulators, identity architects, insurers, infrastructure agencies — none coordinating, most unaware of each other’s drafts, arriving at the same layered model anyway.
Convergence pressure is Luminity vocabulary for that phenomenon: the structural force that pulls independent bodies toward the same architecture without anyone steering. The reading that follows is grounded in the public record those bodies have already produced, read most directly through the OWASP Agentic Security Initiative’s State of Agentic AI Security and Governance (v2, June 2026), which catalogs the convergence across domains in one place.
The pattern, stated
Across four domains that do not normally rhyme — identity, regulation, insurance, and critical infrastructure — independent bodies are arriving at the same model: that agentic systems require governance at runtime, over behavior, enforced structurally, rather than at design time, over documents, attested procedurally.
This is convergence pressure, and it is worth distinguishing from coordination. Coordination is what happens when bodies agree to align — a working group, a joint publication, a shared specification. Convergence pressure is what happens when bodies that are not coordinating produce aligned structures anyway, because each is responding independently to the same underlying property of the problem. The OWASP ASI v2 report frames the moment plainly: developments its first edition had described as anticipated — human-in-the-loop mandates, continuous compliance monitoring, AI supply-chain transparency — are, a year later, either codified in law or in late-stage standardization. The conversation, in its words, has moved from whether these controls arrive to how organizations operationalize them.
What makes this a pattern rather than a list is that the bodies share no charter. A national standards initiative, a regional regulator, an insurance underwriter, and an infrastructure-protection agency answer to different constituencies and optimize for different outcomes. When they converge, the convergence is not consensus. It is evidence.
Why convergence is evidence
The logic is the load-bearing move of this dispatch, so it is worth stating slowly. When a single body recommends an architecture, that recommendation carries the weight of one body’s judgment, and a reader is right to weigh it against the body’s incentives and blind spots. When many independent bodies, optimizing for different things, arrive at the same architecture without coordinating, the architecture is no longer tracking any one body’s judgment. It is tracking the problem.
This is the same inference an engineer makes when independent teams, given the same failure, reach for the same fix: the convergence of independent solutions is evidence the solution is responding to the structure of the failure rather than to the taste of the solvers. Applied to the agentic governance landscape, it means the runtime-behavioral-structural direction is not a fashion the field has adopted and might shed. It is the shape the problem has pressed into every instrument that has taken the problem seriously.
What presses is not abstract. The same OWASP ASI record documents that adversaries are already deploying agents offensively at scale, at request rates no human operator could match. The bodies are not converging on runtime, behavioral, structural governance in anticipation of a threat. They are converging because the threat is operational — insurers pricing exclusions, seven nations co-signing infrastructure guidance, regulators codifying continuous obligation are each responding to incidents already in the record. The pressure is the reality the instruments are reacting to.
The corollary matters for how an enterprise reads the catalog that follows. The individual instruments will date — specific articles will be amended, specific specifications superseded, specific filings revised. The convergence is the durable finding. An enterprise that tracks the instruments is tracking things that change; an enterprise that reads the convergence is reading the direction the changes are moving in.
The convergence catalog
Read as one pattern surfacing across four domains, the public record assembled in the OWASP ASI v2 report reads as follows.
Independent bodies are converging on authorization built for agents. NIST’s AI Agent Standards Initiative is adapting OAuth 2.0 and policy-based access control for agents; the OpenID Foundation has analyzed the gaps around recursive delegation and multi-agent token exchange; the Model Context Protocol authorization specification already mandates OAuth 2.1 flows with resource-scoped tokens. Three bodies, three starting points, one direction: identity that derives, expires, and revokes through delegation chains, verified at the moment of action rather than asserted at design.
The convergence is toward continuous obligation, arriving faster than its fragmentation suggests. Within the EU, a single agentic incident can simultaneously trigger the AI Act’s Article 73 incident-reporting duty, NIS2, and DORA, on different timelines and to different authorities; in the U.S., over a hundred and forty-five state AI laws enacted in 2025 create overlapping obligations with conflicting definitions while federal preemption remains unresolved. The instruments conflict in detail. They agree in direction: ongoing, monitored, runtime obligation rather than one-time attestation.
The convergence is being priced. AI-specific exclusions are now appearing in policies; organizations should audit existing coverage for those exclusions before renewal; and security posture now directly determines insurability. When an underwriter prices runtime behavior into a premium, the runtime-behavioral direction has reached the one domain that converts a structural claim into a number.
As agents move into the control loop in energy and manufacturing, OT environments invalidate IT-centric assumptions — air-gapped networks, legacy protocols without modern authentication, and safety-instrumented systems under IEC 62443 that treat availability as co-primary with confidentiality. The CISA/NSA joint guidance published in December 2025, co-authored with a coalition of seven nations, addresses AI agents in OT directly and sets out core principles for secure integration. Different domain, same arrival: authority over physical actuators bounded structurally, at runtime.
Four domains, no shared charter, one model. That breadth is the finding. No single instrument in the catalog establishes the pattern; the pattern is what the instruments establish together.
What it converges toward
The convergence is not toward more rules. It is toward a particular shape, and the shape is one the prior dispatches in this series already named.
It converges from point-in-time toward continuous: identity verified at the moment of action, compliance monitored across the operating life, obligation that runs rather than attests once. It converges from documentary toward behavioral: human oversight at machine speed is physically impossible — an agent executing thousands of actions an hour against a reviewer who can evaluate dozens — so the governable unit becomes observed runtime behavior, not reviewed documentation. And it converges from probabilistic toward structural: bounds enforced by construction, in identity that cannot be exceeded and authority that cannot reach the actuator, rather than bounds requested of a probabilistic intermediary.
Continuous over point-in-time. Behavioral over documentary. Structural over probabilistic. These are the three axes the first three dispatches read at the edges of single instruments — the certification boundary between point-in-time conformance and runtime sufficiency, the audit substrate between documentary and behavioral evidence, the compression that defers structural enforcement into a probabilistic requirement. The convergence pattern is those same three axes, read not at one instrument’s edge but across the whole field at once. The field is moving in the direction the edges pointed.
Continuous over point-in-time. Behavioral over documentary. Structural over probabilistic. Four domains with no shared charter arrive at the same three axes — and unforced agreement among independent bodies is not consensus, it is evidence the direction is tracking the problem rather than the solvers’ taste.
What convergence settles, and what it does not
Convergence pressure settles a question that would otherwise stay open: whether the runtime-behavioral-structural direction is real and shared, or a position one corner of the field happens to hold. The breadth of the catalog settles it. The direction is real, it is shared, and it is arriving across every domain that has taken agentic systems seriously.
What convergence does not settle is the architecture itself. That independent bodies agree governance must be continuous, behavioral, and structural does not specify how a given agent is built so that its behavior is bounded by construction and observable at runtime. Convergence establishes the destination is shared. It does not draw the road. The instruments converge on what must be true of an assured agent; none of them, and not their sum, specifies the architecture that makes it true.
That gap is the subject the series closes on. The convergence names the property the field agrees an assured agent must have. Whether that property can be attested by any instrument, or must instead be built into the agent at the substrate level, is the question of assurance as architecture — and it is where this series ends.
