A single agent you supervise turn by turn does not need governance. A fleet that you let run does. The moment more than one autonomous agent is opening pull requests against a repository, "be careful" stops being a plan and you need written law.
The framing that worked for me was biological.
Germline and soma
A cell does not get to rewrite its own DNA on a whim. I split the repository the same way. The germline — the charter, the merge policy, the CI gates — can only change through a human-reviewed pull request. The soma — the application code, the docs the fleet learns into — can evolve freely, within the rules. An agent can improve the body all day; it cannot edit its own genome.
Setpoints and an immune system
The fleet defends a handful of homeostatic setpoints — tests green, the queue drained, no protected path touched without sign-off. Every fixed bug leaves a regression test behind: an antibody for that specific pathogen, so the same failure cannot silently return.
Commission in shadow
Nothing earns autonomy on day one. A new repository runs in shadow — the controller observes, proposes, and records, but nothing auto-merges — until it has been audited clean. Trust is granted after evidence, not before.
The brain stem
Tying it together is a controller loop: sense the state of the repo, CI, and the work queue; correct the single largest deviation; dispatch one worker; record what happened. One cycle at a time. It defends the setpoints and it never writes application code or edits its own germline — because the thing enforcing the law should not also be able to quietly amend it.