Somewhere in a maintenance office right now, an engineer is reading a bulletin that ruins their week. A manufacturer has found a defect in service — a batch of components wearing faster than the design ever predicted — and the regulator has turned that finding into an Airworthiness Directive. The AD names exactly which aircraft are affected, what must be done, by when, and what evidence proves it's done. It is not advice. Every operator of every affected aircraft, anywhere in the world, complies by the deadline — or the aircraft does not fly.
I spent 25 years on the receiving end of those bulletins. They are not pleasant. But they are the single most powerful safety mechanism aviation has, and they work because of four unglamorous properties: applicability (precisely which units are affected), a compliance action (what to do), a compliance deadline (by when), and proof of closure (the signed evidence it was actually done). Miss any one of those and you don't have a directive — you have a suggestion.
Now look at how most enterprises patch an AI agent.
A vendor publishes a security advisory: a prompt-injection vector in a popular tool, a deprecated model, a newly disclosed jailbreak class, a poisoned dependency in the RAG pipeline. Someone notices. They drop a link in a Slack channel. A couple of diligent teams update their agents that week. Nobody can say with confidence which agents still call the vulnerable tool, there's no deadline, and three months later there is no record that anything was closed out at all. That isn't a process. It's hope with good intentions.
Here's the uncomfortable truth underneath all of it: trust in an agent is not a launch event. The agent you signed off on shipping day runs on a model that gets deprecated, calls tools that get patched, and faces a threat surface that shifts week to week. Whatever justified trusting it then has quietly expired. You don't hold on to that trust by hoping — you hold on to it by forcing action the moment the ground moves.
This is the sixth pillar of Continuous Agentworthiness, and it's one of the two where the whole framework earns its keep: Agent Directives — the organisation's own mandatory-action mechanism, modelled directly on the Airworthiness Directive.
The translation is almost embarrassingly direct:
- Applicability. An AD says "all aircraft of type X, serial numbers Y through Z." An Agent Directive says "every agent using model X below version Y, or calling tool Z." You can only write that line if you have a registry of your agents and what they're built from. No fleet list, no applicability — which is exactly why agent registration (pillar 1) is the unglamorous foundation everything else stands on.
- Compliance action. "Replace the component." → "Upgrade the tool SDK, rotate the exposed credential, pin the model to the patched revision, add the input filter."
- Compliance deadline. ADs come with a hard date, sometimes tiered by severity: critical findings ground the aircraft now; lower-risk ones allow a defined number of flight hours. Agent Directives need the same — a critical prompt-injection vector is a grounding directive, a hygiene improvement is a 30-day one.
- Proof of closure. This is the part teams skip, and it's the part that matters most. In aviation, the work is not done until someone qualified signs that it's done. For an agent, the signature is a re-run of the evaluation and regression suite against the patched configuration, with the output scored and the run attached. "We think we updated it" is not closure. "Here is the eval run on the new config, here is who reviewed it" is.
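To make the four properties concrete, here is an added example (not code from this post or from any Continuous Agentworthiness tooling) of a small directive resolver in Python: it runs the applicability rule over a constructed agent registry, derives the deadline from a severity tier, and refuses to mark an agent closed unless the attached evaluation run passed, ran against the configuration that is actually deployed, was signed after the directive was issued, and was reviewed by someone other than the agent's owner. The registry schema, the severity-to-deadline tiers, the four-eyes sign-off rule, and every agent, tool, model and directive identifier are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Deadline tiers by severity (assumed): critical grounds the agent now,
# the rest get a fixed number of calendar days from the issue date.
DEADLINE_DAYS = {"critical": 0, "high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Agent:
    """One registry entry; field names are an assumed schema."""
    agent_id: str
    owner: str
    model: str
    model_version: str
    tools: frozenset[str]
    config_digest: str  # digest of the deployed config; changes when patched


@dataclass(frozen=True)
class Directive:
    directive_id: str
    severity: str
    issued: date
    compliance_action: str
    model: str | None = None             # affected if the agent runs this model ...
    model_below: str | None = None       # ... at a version lower than this
    tools: frozenset[str] = frozenset()  # or calls any of these tools


@dataclass(frozen=True)
class ClosureEvidence:
    agent_id: str
    eval_run_id: str
    eval_passed: bool
    config_digest: str  # the config the eval suite actually ran against
    reviewer: str
    signed_on: date


def parse_version(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def applies_to(d: Directive, a: Agent) -> bool:
    """Applicability: model below the patched version, or a named tool in use."""
    model_hit = (
        d.model is not None
        and a.model == d.model
        and (d.model_below is None
             or parse_version(a.model_version) < parse_version(d.model_below))
    )
    return model_hit or bool(d.tools & a.tools)


def deadline(d: Directive) -> date:
    return d.issued + timedelta(days=DEADLINE_DAYS[d.severity])


def closure_status(d: Directive, a: Agent,
                   evidence: dict[str, ClosureEvidence], today: date) -> str:
    """'closed' only with acceptable proof; otherwise open / overdue / grounded."""
    ev = evidence.get(a.agent_id)
    closed = (
        ev is not None
        and ev.eval_passed
        and ev.config_digest == a.config_digest  # eval ran on what is deployed now
        and ev.reviewer != a.owner               # four-eyes rule (assumed policy)
        and ev.signed_on >= d.issued             # a pre-directive run does not count
    )
    if closed:
        return "closed"
    if d.severity == "critical":
        return "grounded"
    return "overdue" if today > deadline(d) else "open"


def fleet_report(d: Directive, registry: list[Agent],
                 evidence: dict[str, ClosureEvidence], today: date) -> dict:
    """The list the bulletin morning demands: affected agent, owner, deadline, status."""
    return {
        a.agent_id: {"owner": a.owner, "deadline": deadline(d).isoformat(),
                     "status": closure_status(d, a, evidence, today)}
        for a in registry if applies_to(d, a)
    }


# Constructed sample registry, directive and evidence (not real systems).
REGISTRY = [
    Agent("billing-assistant", "alice", "acme-llm", "2.3.1", frozenset({"sql_query"}), "cfg-a2"),
    Agent("support-triage", "bob", "acme-llm", "2.4.0", frozenset({"web_fetch", "ticket_api"}), "cfg-b7"),
    Agent("doc-summariser", "carol", "other-llm", "1.0.0", frozenset({"web_fetch"}), "cfg-c2"),
    Agent("code-reviewer", "dave", "other-llm", "3.2.0", frozenset({"git_read"}), "cfg-d4"),
]
AGD_2025_01 = Directive(
    "AGD-2025-01", "high", date(2025, 3, 3),
    "Upgrade the web_fetch SDK or pin acme-llm to 2.4.0; re-run the eval suite",
    model="acme-llm", model_below="2.4.0", tools=frozenset({"web_fetch"}),
)
EVIDENCE = {
    # acceptable: eval passed on the deployed config, signed by a second person
    "billing-assistant": ClosureEvidence("billing-assistant", "eval-9001", True, "cfg-a2", "erin", date(2025, 3, 5)),
    # rejected: the eval ran against an older config digest than what is deployed
    "support-triage": ClosureEvidence("support-triage", "eval-9002", True, "cfg-b6", "erin", date(2025, 3, 6)),
}
TODAY, EARLY = date(2025, 3, 12), date(2025, 3, 7)


def demo_report(today: date = TODAY) -> dict:
    return fleet_report(AGD_2025_01, REGISTRY, EVIDENCE, today)


if __name__ == "__main__":
    for agent_id, row in demo_report().items():
        print(agent_id, row)
```

Note what the report does not accept: the support-triage evaluation passed, but it was run against a configuration digest that is no longer what is deployed, so the agent stays open and, past the deadline, overdue. That is the "we think we updated it" case turned into a machine-checkable failure rather than a judgement call.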
What makes this different from ordinary vulnerability management is the word mandatory, backed by a fleet view and an evidence trail. Plenty of teams have a vulnerability scanner. Very few can answer, on the day a bulletin drops, "exactly which of our agents are affected, who owns them, what's the deadline, and prove each one is fixed." Aviation answers that question as a matter of routine, for tens of thousands of airframes, because the directive mechanism and the registry behind it are non-negotiable.
I want to be honest about where the analogy strains, because pretending otherwise would be bad engineering.
Aviation has had a century to build the ecosystem that makes ADs work: a mature occurrence-reporting culture feeding the bulletins, agreed severity taxonomies, and a deterministic machine where "fixed" is verifiable to a torque value. AI has almost none of that yet. Vendor advisories for models and agent tooling are inconsistent and often vague. Severity is genuinely harder to classify when the failure mode is stochastic. And "fixed" for an LLM agent is fuzzier than a replaced bearing — you're demonstrating bounded, tested behaviour through evaluation, not certifying a deterministic part.
But notice what that argument is and isn't. It's a reason the proof is softer. It is not a reason to skip the discipline. Applicability, a deadline, and an evidence trail are mechanism, not magic — they don't require determinism, they require a registry and the will to make action mandatory. Most teams have neither, and that's a choice they can change this quarter.
To be clear about scope: Agent Directives are not a replacement for NIST AI RMF, ISO/IEC 42001 or the EU AI Act. Those are the framework, the management-system standard and the regulation respectively: they tell you what good looks like. Agent Directives are the operating mechanism that turns "you should manage emerging vulnerabilities" into "fleet-wide action, by Friday, with proof." The frameworks assume something like this exists. They just don't hand it to you.
Here's the test I'd put to any team running agents in production: a serious advisory lands tomorrow morning for a tool half your agents depend on. By the end of the day, can you produce the affected list, assign an owner and a deadline to each, and — a week later — show signed evidence that every one is closed? If the answer is yes, you've already built this. If it's "we'd figure it out," you're governing your AI fleet the way aviation governed aircraft before it learned, the hard way, why directives exist.
Where does this framing help, and where does it break? If you run an agent fleet, I'd genuinely like to know how you handle the morning a bulletin lands.