If governance isn't enforced at runtime, it isn't governance.
Static policy versus runtime proof: policies and monitoring compared with cryptographic runtime evidence and deterministic fail-closed architecture.