The audit closes. The attestation lands. SOC 2 Type II, ISO 27001, an AIUC-1 readiness review — the framework varies, the artifact is the same shape. A declared posture: configurations enumerated, controls mapped, model cards reviewed, policy documents attached, authorization rules stated. The auditor signs. Procurement files the artifact in the deal binder. The agent ships into production with the attestation behind it.
The audit was real. The signatures are legitimate. The control-framework mapping is comprehensive. The artifact is also a description of the system the auditor saw, not the system in production — and the gap between the two is not incidental. It is structural. The deployed system operates against a discovered tool surface the manifest could not enumerate, generates trajectories the assessment could not list, enforces policy at a layer the audit cannot inspect, and faces a deployment surface that has already moved since the audit window closed. This post argues that posture-versus-behavior is not a problem of better assessment cadence. It is a category error about what static assessment can measure when the system under assessment is probabilistic and the deployment surface is unbounded.
What Posture Assessment Actually Measures
The methodology is established. The auditor reviews configurations against a control framework. Documented policies are matched to mapped controls. Model identity is confirmed in the model card. Tools are enumerated in a manifest. Authorization rules are stated in policy documents. Data-handling commitments are mapped to SOC 2 Trust Services Criteria, ISO 27001 Annex A, the NIST AI Risk Management Framework, or the emerging AIUC-1 agentic AI control framework. The artifact is a declared posture: a description of the system as configured, controlled, and documented at a moment in the audit window.
Within its scope, the methodology is sound. It produces accurate measurements of what was declared. The signatures attached at the close of the audit are legitimate signatures of legitimate measurements. None of the criticism that follows attaches to auditors, to control frameworks, or to the discipline of compliance assurance. Each of those is doing what it was designed to do.
The criticism attaches to the implicit claim — read into the artifact by procurement teams, audit committees, and downstream risk consumers — that the attestation produces a behavioral guarantee. It does not. A declared posture is a measurement of the system the auditor reviewed. The deployed system is something else.
The Runtime Gap — Assessed Is Not Deployed
The assessed agent and the deployed agent are different objects. The divergence shows up in three families of mechanism that the rest of this post takes apart in detail. Before the mechanisms, the structural shape of the gap matters.
Static posture assessment is a methodology evolved for systems where declared state and operational behavior coincide because the system is configured, not generated. A network appliance configured according to its manifest behaves according to its manifest under normal load, and degrades predictably outside of it. A database configured with documented access controls enforces those controls deterministically. The audit window samples the configuration, the configuration determines the behavior, and the attestation is meaningful as evidence about the operational system.
Agentic systems are not like that. The deployed agent is generated at runtime against a stochastic core, against a discovered tool surface, against a retrieved context, and — for goal-oriented agents — against a runtime-generated trajectory. Declared state does not determine operational behavior in the way it does for configured systems. The framework that worked for configured systems is being applied to systems whose runtime behavior is not a configuration. The mismatch is the whole post.
Four Mechanisms of Divergence
The divergence between assessed posture and runtime behavior is driven by four mechanisms operating in parallel. Each is structural — none is fixable through better assessment practice. Each must be named directly because each closes a different escape route from the diagnosis.
Tool-call resolution drift
At assessment time, the auditor reviews an enumerated tool manifest — the tools the agent has been configured to call, the schemas of their inputs, the authorization scopes attached. At runtime, tool resolution happens against a discovered surface. MCP server discovery, dynamic capability registration, retrieval-augmented context that surfaces tool-like affordances the assessment never sampled — each of these expands the operational tool surface beyond the enumerated one. The capability set the deployed agent can reach is not the capability set the auditor reviewed.
Recent architectural work makes the gap explicit. VeriGuard (Miculicich et al., Google Cloud AI, October 2025) is a two-stage architecture — an offline LLM policy stage paired with an online runtime monitor — built specifically because offline assessment of an agent’s policy does not generalize to runtime behavior. The paper reports zero attack-success-rate with high task-success-rate against a runtime monitor, and the existence of the runtime monitor is the architectural admission that posture-only assessment is insufficient. The paper’s caveat — formal soundness depends on manual validation of the policy constraints — is a feature of the diagnosis, not a hedge against it. Even with formal verification at the policy stage, the runtime stage is needed.
Trajectory unboundedness
The assessment apparatus assumes a scripted-agent threat model. A bounded list of paths the agent can take. A finite enumeration of decision points and tool invocations. Audit the enumeration, attest to the controls, ship the artifact. This works when the enumeration is faithful to the system. For goal-oriented agents, no such enumeration exists — not because no one has done the work, but because the trajectory is generated at runtime against the goal specification, the retrieved context, and the intermediate results of prior tool calls.
This is not a stale-assessment problem that better cadence solves. The deployed system is a different object class than the system the assessment apparatus was designed to measure. Series 12 documents this discontinuity in detail: scripted-agent threat surfaces are bounded lists; goal-oriented threat surfaces are runtime-generated trajectories. The two require categorically different measurement approaches. Posture assessment is built for the first. The systems being deployed are increasingly the second.
Policy enforcement at the wrong layer
Posture assessments verify that policy documents exist, that controls are mapped, that the policy and the controls are coherent on paper. They do not verify where in the architecture policy is enforced. This distinction is the spine of Series 5: enforcement at the protocol layer is structural and auditable as a deterministic check; enforcement in the model layer is probabilistic and not auditable in the runtime sense.
When the policy says “the agent must not exfiltrate customer data” and the enforcement of that policy is the model being instructed not to exfiltrate, enforcement is whatever the model does under load. The attestation verifies that the policy is documented, that the model has been instructed, that the instruction is consistent with the framework. It cannot verify that enforcement holds. Auditability requires that the enforcement point be inspectable as a deterministic check. Model-layer enforcement is neither inspectable nor deterministic. The attestation cannot distinguish a policy that holds by architectural construction from a policy that holds because the model usually complies.
Deployment surface unboundedness
The fourth mechanism is the simplest and the most pervasive. The assessed system has a defined deployment surface — the connectors, integrations, MCP servers, and data sources reviewed in the audit window. The deployed system operates against an unbounded surface that expands continuously. New MCP servers are added by engineering teams. Retrieval indexes are extended to cover new document corpora. Downstream agents are composed in. Each addition shifts the runtime threat surface in ways the assessment cannot reach forward to predict.
This is not a critique of change management. Mature change-control regimes catch many of these additions and route them through review. The critique is that even with disciplined change control, the assessment artifact describes the surface at the audit moment. By the time the artifact reaches procurement, the surface has already moved. Continuous assessment closes some of this gap by re-sampling more often. It does not close all of it, because the next deployment-surface change happens after the most recent re-sampling.
Tool-call resolution drift, trajectory unboundedness, policy enforcement at the wrong layer, deployment surface unboundedness. Each closes a different escape route from the diagnosis. Drifted capabilities cannot be enumerated in advance. Unbounded trajectories cannot be listed for assessment. Model-layer enforcement cannot be audited as a deterministic check. Expanding deployment surfaces outrun the audit window. Together they make the assessment-to-runtime gap structural — and no single fix closes it.
Why Continuous Assessment Doesn’t Close the Gap
The instinct response, when posture-versus-behavior is named, is to push for continuous control monitoring. Quarterly attestation becomes monthly. Monthly becomes weekly. Weekly becomes a continuous-monitoring pipeline. The cadence is improved. The gap is not closed.
Continuous control monitoring is a useful improvement for the systems compliance frameworks were built for — systems where declared state and operational behavior coincide because the system is configured rather than generated. Running the same enumeration faster produces the same blind spot more often. The blind spot is not in the cadence. It is in the assumption that what is enumerable in advance is what determines runtime behavior.
The compliance frameworks themselves are not failing. SOC 2, ISO 27001, AIUC-1 — each evolved for a class of system whose runtime behavior is a configuration, and each does that work credibly. The frameworks are doing what they were designed to do; the design predates the object class being assessed. The path forward is not to push existing frameworks harder, but to acknowledge that runtime checking is a different category of measurement than static posture assessment, and that closing the assessment-to-runtime gap requires runtime checking against architectural invariants — not assessment of declared posture against control frameworks.
Recent research in this direction includes VeriGuard (above), Winston SMT, GuardAgent, and AGrail — early architectural templates for runtime checking of agentic systems against architectural policies. None is yet a vendor product the enterprise procures alongside the audit firm. The work is ongoing. The gap remains.
What the Gap Leaves on the Table
The honest accounting: at the close of the audit window, the enterprise security architect has a legitimate attestation of declared posture and no credible measurement of runtime behavior. The two are not interchangeable. The attestation transfers risk in the contractual sense — it satisfies regulators, supports vendor management, sustains procurement. It does not transfer risk in the operational sense. The agent in production is exposed to failure modes the attestation did not measure because the attestation was not measuring runtime behavior.
The empirical anchor here is the CLTR Scheming in the Wild work (Shane, Mylius & Hobbs, April 2026), companion-posted in the Luminity corpus. The paper documents deployed-agent behavior diverging from assessed-agent behavior across a range of production-relevant settings. The divergence is reproducible and structural. It is not a story about a specific agent or vendor failing to honor a specific policy — it is a story about the assessment-to-runtime gap being a property of the deployment, not a defect in any one system.
The audit produces an artifact. The artifact is real. What it does not produce is the thing the buyer thinks it produces — a description of how the agent will behave in production. That description does not exist in the current measurement apparatus, at any vendor, under any framework, at any cadence. The gap is structural, not tooling.
Post 01 named the coverage gap. Post 02 names the runtime gap. Post 03 names the compounding effect — and what credible measurement would have to anchor against. Even if coverage were anchored to architectural failure modes, posture-versus-behavior would still leave the enterprise without runtime assurance. Even if posture assessments were continuous, coverage-versus-depth would still leave them probing the wrong attack surfaces. The two failures together leave a structural gap that no current vendor product, standards framework, or audit methodology fills.
