Radar #2 — Governance Converges on Specifications

Thirty-six articles since the last Radar. One pattern dominated: governance is converging on a specific architectural layer — specifications — and the convergence is happening independently, across organizations that are not coordinating. That is not a trend. That is a structural discovery being made simultaneously by teams who had no reason to arrive at the same answer.

Five Teams, One Architecture: Specifications Are the Governance Layer

In a single week, five independent teams published findings pointing to the same conclusion. Matt Rickard argued that specifications narrow the interface between human intent and machine execution. GitHub’s Copilot team ran 11 agents touching 345 files and 28,858 lines in under three days — and concluded that blame belongs to process, not agents. Google’s Skills framework achieved 96.3% specification pass rates with 63% fewer tokens. Anthropic’s Claude Code turned out to be 512,000 lines of harness surrounding roughly 200 lines of API calls — a 2,560:1 governance-to-capability ratio. Kent Beck proposed specifications as the primary unit of engineering work.

The pattern extends further. Spacelift embeds governance into infrastructure translation — developers never see the constraints. Thoughtworks encodes team standards into versioned instruction files. Meta’s structured reasoning forces AI to construct logical certificates before judgments, raising accuracy from 78.2% to 88.8%. The vocabulary differs across all of these implementations. The architecture is identical: a narrow, declarative interface where constraints are specified before generation, not enforced after it.

If your agent governance relies on review after generation rather than specification before generation, you are governing the wrong layer.

Every Department Is Hitting the Same Governance Wall

Adobe reports 86% of creators now use generative AI. Amazon Fresh cut image turnaround by 93%. VS Code’s engineering team hit 2.2x commit growth — but only after mandating Copilot code review on every PR before human review, with an 80% acceptance rate on automated comments. Marketing teams are building what amounts to CI/CD pipelines for go-to-market. Design teams face what one researcher calls “Static Decay” — AI twins built from qualitative data degrade invisibly because no governance layer tracks data provenance.

The governance questions engineering answered years ago — version control, review gates, deployment constraints, rollback procedures — are now every function’s questions. But most functions are adopting AI’s velocity without adopting engineering’s governance discipline. They borrow the words (guardrails, pipelines, workflows) without building the enforcement. Governance that enables is adopted. Governance that blocks is circumvented. The functions now inheriting AI need to learn this distinction before they scale past the point where retrofitting governance is feasible.

Governance Fails at the Configuration Layer, Not the Policy Layer

Anthropic’s .npmignore oversight exposed 512,000 lines of source code, 44 hidden feature flags, and an unreleased autonomous agent system called KAIROS — none of which had been disclosed to users. Anti-distillation protections could be bypassed by stripping one field in a proxy. A company building AI governance tools could not govern its own build pipeline. Two leaks in five days.

This is not an isolated failure. Benchmark evaluations show 15% performance swings from switching evaluation scaffolds alone — making leaderboard differences of 2-5 points smaller than measurement noise. Enterprise spec-driven development faces seven barriers to adoption, all organizational, none technical. And DeepMind’s four governance attempts confirm the pattern at institutional scale: governance proposals that require approval from the entity being governed are requests, not reforms. The failures are not in policy design. They are in configuration, tooling, and power structure — the layers nobody audits.

So What

Organizations are building governance at the wrong altitude. Policy documents sit too high — they describe intent but cannot enforce it. Monitoring dashboards sit too low — they detect problems after they have propagated. The evidence from this cycle points to a specific architectural layer: specifications. Embedded in tools, enforced at generation time, invisible to the user. Five independent teams discovered this simultaneously, which is the strongest validation signal available — convergence without coordination.

Three actions for this cycle. First, audit your AI tool configurations with security-grade rigor — Anthropic’s leak proves that even governance-focused vendors fail here. Second, extend governance infrastructure beyond engineering into every function using AI autonomously — marketing, design, and sales are hitting the same wall with less institutional knowledge to draw on. Third, stop consuming benchmark leaderboards as procurement signals — build your own evaluation infrastructure or accept that you are comparing noise.

This Edition Synthesizes

• The Spec Layer — Five independent teams converged on specifications as the primary agent governance mechanism in one week.
• Claude Code Source Leak — A .npmignore error exposed 512,000 lines revealing undisclosed features and bypassable security measures.
• Governance Leaving Engineering — Adobe, marketing ops, and organizational theorists hit the same governance wall engineering solved years ago.
• Enterprise SDD Gap — Seven organizational barriers block spec-driven development at scale — none are technical.
• Supply Chain Two-Front Crisis — AI agents find vulnerabilities while AI-generated PRs overwhelm maintainers, targeting the same dependency surface.
• AI Value Chain Economics — NVIDIA captures 79% of AI profit; applications get 7%, creating ungoverned vendor concentration.
• The Intent Layer — Spacelift, Google, and Anthropic prove invisible governance eliminates workarounds visible governance creates.
• Mandatory Agent Review — VS Code’s 2.2x velocity came from mandatory review gates, not despite them.
• Codifying Intelligence — Meta turns tribal debugging knowledge into testable software artifacts, reducing MTTR 20-80%.
• DeepMind Governance — Four structural governance attempts failed because power holders have no incentive to dilute control.

Questions on what these signals mean for your organization? contact@victorinollc.com