Terry Li

Governing Agents the Way Cells Govern Themselves


Biology needs six systems to govern autonomous cells. We think we can do it with one control plane.

The industry has converged on a networking metaphor for agentic AI governance: a centralized layer that routes policy to runtime the way an SDN controller routes packets. The metaphor is useful. It is also structurally misleading. Network control planes assume deterministic workloads, known identities, and binary decisions. Agentic AI is none of these. I work on agentic governance in banking, and the more I build, the more I find that cell biology, not networking, is the engineering manual.

Cells solved this problem billions of years ago. They are autonomous units that act independently, reproduce, mutate, and occasionally turn malicious. Biology coordinates them without centralizing every decision. The answer is not one mechanism but six, layered, each addressing a failure mode the others cannot reach.

A cell membrane is constitutively closed. Nothing crosses without a dedicated channel. This is not a firewall with an allow-list. It is selective permeability where the default is impermeable. An agent that reads email does not automatically get a send channel. The two are structurally separate. More importantly, membrane permeability is stateful: ion channels open when voltage thresholds are met, not because the right molecule arrives. Permissions should gate on runtime conditions — error rate, system load, confidence — not only identity. Static grants are the wrong abstraction.

Cell cycle checkpoints operate through negative stop signals. One unattached chromosome blocks mitosis regardless of how many others are aligned. This is not a weighted risk score. It is a binary check for blockers. Agents about to send a message, execute a trade, or delegate to a sub-agent should face the same logic: one unresolved flag halts progression. The networking metaphor treats all traffic uniformly. Checkpoints distinguish reversible from irreversible transitions and apply disproportionate scrutiny to the latter.
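The membrane and checkpoint ideas above can be combined into one authorization path. The sketch below is an added example, not code from the original post; the action names, thresholds, and flag names are all assumptions, and treating flags as a veto only on irreversible actions is a simplification of the "disproportionate scrutiny" point.

```python
from dataclasses import dataclass, field

# Hypothetical thresholds and action names; none come from the original post.
MAX_ERROR_RATE = 0.05
MIN_CONFIDENCE = 0.80
IRREVERSIBLE = {"email.send", "trade.execute", "agent.delegate"}

@dataclass
class Runtime:
    error_rate: float
    confidence: float

@dataclass
class Membrane:
    # Only explicitly opened channels exist; everything else is impermeable.
    channels: set = field(default_factory=set)

    def permits(self, action, rt):
        # Constitutively closed: no dedicated channel, no crossing.
        if action not in self.channels:
            return False, "no channel"
        # Stateful: the channel is open only while runtime conditions hold,
        # regardless of who is asking.
        if rt.error_rate > MAX_ERROR_RATE:
            return False, "error rate above threshold"
        if rt.confidence < MIN_CONFIDENCE:
            return False, "confidence below threshold"
        return True, "open"

def checkpoint(action, flags):
    # Negative stop signal: one unresolved flag halts an irreversible
    # transition, however many other checks passed. No weighted score.
    if action in IRREVERSIBLE and flags:
        return False, "blocked by: " + sorted(flags)[0]
    return True, "clear"

def authorize(membrane, action, rt, flags):
    ok, why = membrane.permits(action, rt)
    if not ok:
        return False, why
    return checkpoint(action, flags)
```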

The endocrine system broadcasts hormones without point-to-point wiring. Cortisol floods the bloodstream; every cell responds according to its own receptor profile. A governance layer can broadcast risk state and let each agent class respond proportionately. A payments agent escalates to human approval. A summarization agent increases logging. Same signal, different response. The principle the networking metaphor misses entirely is negative feedback. Cortisol drops when the threat passes. A governance layer that escalates but never de-escalates accumulates friction until productive work stops.
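As an added illustration of the broadcast-plus-negative-feedback pattern (not code from the original post), the sketch below raises a shared risk level on each observed threat and lowers it again after a run of calm ticks. The agent classes mirror the paragraph's examples; the three-level scale, the response names, and the decay window are assumptions.

```python
# Receptor profiles: each agent class maps the same broadcast level to its
# own response. Classes, levels and response names are hypothetical.
RECEPTORS = {
    "payments":      {0: "normal", 1: "extra_logging", 2: "human_approval"},
    "summarization": {0: "normal", 1: "normal",        2: "extra_logging"},
}
MAX_LEVEL = 2

class RiskSignal:
    def __init__(self, calm_ticks_to_drop=3):
        self.level = 0
        self.calm = 0
        self.calm_ticks_to_drop = calm_ticks_to_drop

    def tick(self, threat_observed):
        if threat_observed:
            # Escalate and restart the calm counter.
            self.level = min(self.level + 1, MAX_LEVEL)
            self.calm = 0
        else:
            # Negative feedback: sustained calm steps the level back down,
            # one level per window, so escalation is never permanent.
            self.calm += 1
            if self.calm >= self.calm_ticks_to_drop and self.level > 0:
                self.level -= 1
                self.calm = 0
        return self.level

def response(agent_class, level):
    return RECEPTORS[agent_class][level]

def simulate(events):
    # Returns (level, payments response, summarization response) per tick.
    signal = RiskSignal()
    trace = []
    for threat in events:
        level = signal.tick(threat)
        trace.append((level, response("payments", level),
                      response("summarization", level)))
    return trace
```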

The immune system introduces the concept of self. A control plane maintains rules. The immune system maintains a model of normal and reacts to deviations. An agent with valid credentials that behaves abnormally should trigger a response, something rule-based systems cannot catch because no one wrote a rule for behaviour that was never anticipated. The immune system also surfaces the most dangerous governance failure mode: autoimmune disease. Controls so aggressive they block legitimate work are the governance equivalent of the body attacking its own tissue. Approval fatigue, forced workarounds, shadow IT: autoimmune symptoms. A governance architecture without an explicit tolerance mechanism will eventually destroy itself.

DNA repair classifies damage before choosing a fix. A base mismatch triggers one pathway. A double-strand break triggers another, or apoptosis if repair fails. Governance failures deserve the same discipline. A wrong tool selection is a mismatch: patch the instruction. A cascading autonomous failure is a double-strand break: quarantine and rollback. An agent that repeatedly fails despite repair is a candidate for retirement. “Update policy” is not one action. It is a family of repair pathways, each calibrated to a different severity.

Epigenetics is how cells with identical DNA express different capabilities depending on context. A liver cell and a neuron share the same genome; what differs is which genes are activated or silenced through chemical marks. An LLM’s weights are its genome: fixed, shared, expensive to change. What governs its behaviour is what the runtime expresses: the system prompt, available tools, permissions, memory. You do not retrain a model to restrict it in production. You methylate its dangerous capabilities, silence the bash executor and the email sender, while its reasoning stays active. Same agent, different expression. And like biological marks, agent restrictions should be heritable. A sub-agent inherits its parent’s constraints by default, the way a daughter cell inherits its parent’s methylation pattern.
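Heritable restrictions reduce to one rule: a child can express at most what its parent expresses. The following is an added sketch, not code from the original post; the capability names and the `spawn` interface are assumptions.

```python
from dataclasses import dataclass

# The shared "genome": every agent has the same underlying capabilities.
# Capability names are hypothetical.
GENOME = frozenset({"reason", "email.read", "email.send", "bash.exec"})

@dataclass(frozen=True)
class Agent:
    name: str
    silenced: frozenset = frozenset()

    def expressed(self):
        # What the runtime actually exposes: genome minus silencing marks.
        return GENOME - self.silenced

    def spawn(self, name, requested):
        # The child inherits every mark the parent carries, then silences
        # whatever it did not request. A request can narrow expression but
        # can never re-activate a capability the parent has silenced.
        not_requested = GENOME - frozenset(requested)
        return Agent(name, self.silenced | not_requested)
```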

The most important insight is not in any single mechanism. It is that biology requires all six. A governance architecture that claims to handle discovery, classification, proportionate enforcement, observation, repair, and adaptive learning with a single “control plane” is making a claim that biology, after four billion years of optimization, could not sustain. The honest architecture is a composite: layered mechanisms at different timescales, each with its own feedback loop. The networking metaphor gives you a box with inputs and outputs. Biology gives you a living system that does not destroy its own productive capacity in the process of protecting itself.
