
# The foundational positions.

The positions on this page are the foundational arguments the practice is built on. Each is a defensible claim about governance, deployment, and how organizations capture value from agentic AI. New positions are added as the framework develops.

# 01 Direction, Not Access

Access is the constant. Direction is the variable.

54% of organizations actively deploying agents (KPMG Q1 2026 [1])
21% report having proper governance in place (Deloitte 2026 [2])
74% expect agent use within two years (Deloitte 2026 [2])

54% of organizations are actively deploying AI agents, with U.S. organizations projecting average AI spend of $207 million over the next twelve months, nearly double the prior year. [1] The procurement path is open. Access is no longer the variable. It is the constant.

Nearly three-quarters of IT and business leaders expect their organizations to use AI agents within the next two years. Only 21% report having proper governance in place for what those agents may do. [2] That is not a technology gap. It is a direction gap.

Direction is governance. It is the set of decisions that define what AI may do before it acts. Three primitives constitute direction.

  1. Authorization scope. What an agent is authorized to commit to on behalf of a principal. Not what it technically can do. What it has been delegated to do, with what boundaries, under whose authority. An agent without defined authorization scope is an agent acting on behalf of no one in particular.
  2. Data boundary governance. What data the agent may access or move across organizational boundaries. Under what conditions. With what consent terms. What crosses the line and what does not.
  3. Liability design. Who carries accountability when an agent acts or fails. Where the audit trail lives. What it documents. Who answers when the agent commits to something the principal did not intend.

No model upgrade answers these. No compute budget resolves them. They are governance decisions, made before deployment or discovered during the consequences of not making them.

## The pattern

PCs leveled access to computing. The web leveled access to information. Cloud leveled access to infrastructure. In each cycle, access became the baseline everyone shared. Direction determined who captured value. [4]

AI follows the same pattern. Access is commoditizing. The organizations where governance is in place when agents act will capture value. Those that deploy first and define terms later will spend more, control less, and absorb the consequences of ungoverned agent behavior.

## The organizational signal

Australia's Department of Finance required every Australian Public Service agency to appoint a Chief AI Officer by July 2026. The mandate added a direction function: a senior leader responsible for how AI is used, not whether it is available. [3]

That distinction captures the structural shift. The question is no longer "do we have access to AI?" The question is "do we have direction for AI?" Most organizations do not.

Governance is not compliance paperwork. It is the direction layer: authorization scope, data boundaries, and accountability design. The work that turns AI access into AI value.

The differentiator in enterprise AI is not access. It is direction.

# References
  1. KPMG Q1 2026 AI Pulse Survey. 54% active agent deployment rate, $207M avg. projected U.S. AI spend. kpmg.com/us/en/media/news/q1-ai-pulse2026.html
  2. Deloitte State of AI 2026. Nearly three-quarters of leaders expect agent use within two years; 21% report having proper governance in place. deloitte.com/us/en/insights/topics/emerging-technologies/ai-agents-scaling-faster.html
  3. Australian Department of Finance. Establishing Chief AI Officers for the APS, 2025. finance.gov.au/about-us/news/2025/establishing-chief-ai-officers-aps
  4. Nicholas Carr. "IT Doesn't Matter," Harvard Business Review, May 2003. Underlying commoditization observation.
# 02 Rule Definition, Not Enforcement

Enforcement executes rules. Governance defines what those rules enforce.

3 dedicated enforcement products launched in 2025 (Credo AI · OASIS · Arthur [1])
$120M OASIS Security Series B in enforcement infrastructure (March 2026 [1])
2 distinct governance layers the EU AI Act requires independently (Article 9 and Article 12 [2][3])

Three dedicated enforcement products launched in the second half of 2025. Credo AI built an AI agent governance registry. OASIS Security launched agentic access management in November 2025, and raised $120 million in a Series B round in March 2026. Arthur AI added agent discovery and governance capabilities in December 2025. [1] Each is real, funded, and solving a genuine operational problem. Each operates at the enforcement layer.

## The pattern

The market signal is unambiguous: organizations are buying enforcement. Runtime policy evaluation, agent monitoring, compliance mapping, audit log collection. These products execute rules at runtime. They apply policies as agents act. The enforcement layer is legitimate infrastructure, and it is a competitive market with well-capitalized vendors converging on the same operational problems.

When multiple vendors compete on policy evaluation speed, runtime monitoring coverage, and OWASP risk framework mapping, differentiation compresses and procurement compares price sheets. The underlying governance terms remain undefined regardless of which enforcement product wins the deal.

## The structural distinction

Enforcement is not governance. The enforcement layer executes rules. The governance terms layer defines what those rules enforce. These are not the same layer, and the difference matters in practice.

Authorization scope, data boundary agreements, and liability allocation are governance terms. An enforcement engine applies them at runtime. The engine does not define them. If the governance terms are undefined, the engine enforces nothing meaningful. It applies policy expressions to live agent behavior and produces audit trails that document compliance with terms no one agreed to.

An organization that has deployed a governance tool has not necessarily defined governance terms.
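The layering described in Position 01 (the three primitives) and in the structural distinction above can be made concrete in code. The following is an added example, not code from this page or from any vendor named on it. It declares governance terms as data (authorization scope, data boundary, accountable principal) and keeps the enforcement engine to a function that only applies those terms and writes an audit record. The agent ids, the principal name, the commitment limit, data classes and destinations are constructed assumptions. A `fail_open` flag models the failure mode the text describes: an engine that keeps producing "compliant" audit records for an agent no one ever defined terms for.

```python
"""Governance terms as declared data, enforcement as the code that applies them.

Added example; not code from the page or from any vendor it names. All
agent ids, principals, limits, data classes and destinations are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class GovernanceTerms:
    """The three primitives of direction, decided before deployment."""
    principal: str                          # liability design: who answers for the agent
    allowed_actions: FrozenSet[str]         # authorization scope: what it may commit to
    commit_limit: float                     # authorization scope: boundary on commitments
    allowed_data_classes: FrozenSet[str]    # data boundary: what may cross the line
    allowed_destinations: FrozenSet[str]    # data boundary: where it may go


@dataclass(frozen=True)
class AgentAction:
    """A proposed action observed by the enforcement layer at runtime."""
    agent_id: str
    action: str
    amount: float = 0.0
    data_class: Optional[str] = None
    destination: Optional[str] = None


@dataclass(frozen=True)
class AuditRecord:
    agent_id: str
    action: str
    decision: str              # "allow" or "deny"
    reason: str
    principal: Optional[str]   # None: no accountable principal agreed to these terms


# Constructed registry: terms the organization deliberately defined for one agent.
TERMS_REGISTRY: Dict[str, GovernanceTerms] = {
    "procurement-agent": GovernanceTerms(
        principal="head-of-procurement",
        allowed_actions=frozenset({"request_quote", "issue_purchase_order"}),
        commit_limit=10_000.0,
        allowed_data_classes=frozenset({"public", "internal"}),
        allowed_destinations=frozenset({"approved-supplier-portal"}),
    ),
}


def enforce(action: AgentAction,
            registry: Dict[str, GovernanceTerms],
            fail_open: bool = False) -> AuditRecord:
    """Apply the declared terms to one action and write the audit record.

    The engine defines nothing: every decision below traces to a term in the
    registry. fail_open=True models the failure mode of an engine that keeps
    running, and keeps logging, against terms no one defined.
    """
    terms = registry.get(action.agent_id)
    if terms is None:
        if fail_open:
            return AuditRecord(action.agent_id, action.action, "allow",
                               "no governance terms defined; default policy applied", None)
        return AuditRecord(action.agent_id, action.action, "deny",
                           "no governance terms defined for agent", None)
    if action.action not in terms.allowed_actions:
        return AuditRecord(action.agent_id, action.action, "deny",
                           "action outside authorization scope", terms.principal)
    if action.amount > terms.commit_limit:
        return AuditRecord(action.agent_id, action.action, "deny",
                           f"commitment {action.amount} exceeds limit {terms.commit_limit}",
                           terms.principal)
    if action.data_class is not None and action.data_class not in terms.allowed_data_classes:
        return AuditRecord(action.agent_id, action.action, "deny",
                           f"data class {action.data_class!r} may not cross the boundary",
                           terms.principal)
    if action.destination is not None and action.destination not in terms.allowed_destinations:
        return AuditRecord(action.agent_id, action.action, "deny",
                           f"destination {action.destination!r} not within data boundary",
                           terms.principal)
    return AuditRecord(action.agent_id, action.action, "allow",
                       "within authorization scope and data boundary", terms.principal)


# Constructed runtime sample, including an agent for which no terms were ever defined.
SAMPLE_ACTIONS: List[AgentAction] = [
    AgentAction("procurement-agent", "issue_purchase_order", 8_000.0, "internal", "approved-supplier-portal"),
    AgentAction("procurement-agent", "issue_purchase_order", 25_000.0, "internal", "approved-supplier-portal"),
    AgentAction("procurement-agent", "request_quote", 0.0, "confidential", "approved-supplier-portal"),
    AgentAction("procurement-agent", "sign_contract", 500.0),
    AgentAction("shadow-agent", "issue_purchase_order", 100.0),
]


def unaccountable_allows(records: List[AuditRecord]) -> List[AuditRecord]:
    """Audit records that document an allowed action no accountable principal agreed to."""
    return [r for r in records if r.decision == "allow" and r.principal is None]


if __name__ == "__main__":
    for rec in (enforce(a, TERMS_REGISTRY) for a in SAMPLE_ACTIONS):
        print(rec.decision.upper(), rec.agent_id, rec.action, "-", rec.reason)
    open_records = [enforce(a, TERMS_REGISTRY, fail_open=True) for a in SAMPLE_ACTIONS]
    print("allowed with no accountable principal under fail-open:",
          len(unaccountable_allows(open_records)))
```

Run as a script, the fail-closed engine denies the shadow agent outright, so the gap is visible in the audit trail as a denial with no principal. Under `fail_open=True` the same agent gets an "allow" record with `principal=None`: the engine is working, the log is filling up, and the organization has a compliance surface but no one who agreed to the terms it documents.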

## The regulatory signal

The EU AI Act treats these as separate requirements. Article 9 requires a risk management system: documented identification and analysis of risk, established, implemented, and maintained at the system level. This is governance architecture. [2] Article 12 requires logging capabilities: automatic recording of events throughout the system's operational lifetime. This is enforcement visibility. [3] Both are required. Neither satisfies the other.

The distinction is not an architectural opinion. It is a regulatory requirement in force across the European Union from August 2026.

## The consequence

When governance tooling replaces governance terms, the organization has a compliance surface but not a governance architecture. An enforcement engine with undefined governance terms enforces nothing meaningful. It monitors for policy violations against policies no one has deliberately authorized. It generates compliance documentation against standards the organization has not committed to.

Enforcement executes rules. Governance defines what those rules enforce. An organization that has deployed a governance tool has not necessarily defined governance terms.

Governance is not what runs at runtime. It is what was decided before deployment.

# References
  1. Agent enforcement product launches, 2025. Credo AI AI agent governance registry. OASIS Security agentic access management (November 2025); $120M Series B (March 2026). Arthur AI agent discovery and governance (December 2025). Source: respective company announcements.
  2. EU AI Act, Article 9. Risk management system requirements for high-risk AI systems. Regulation (EU) 2024/1689. eur-lex.europa.eu
  3. EU AI Act, Article 12. Logging capabilities for high-risk AI systems: automatic recording of events throughout the system's operational lifetime. Regulation (EU) 2024/1689. eur-lex.europa.eu
# 03 The Terms Layer Defines the Category

Enforcement is how you enter the agent governance category. Governance terms are how you define it.

2012: OAuth 2.0 finalized, RFC 6749 (IETF [1])
2014: OpenID Connect 1.0 finalized (OpenID Foundation [2])
$120M enforcement infrastructure investment as the terms window stays open (OASIS Security Series B, March 2026 [3])

OAuth 1.0 was published in 2010. OAuth 2.0 (RFC 6749) was finalized in October 2012. [1] OpenID Connect 1.0 was finalized in February 2014. [2] In those four years, the authorization and identity primitives for web-scale software were written. Every identity product built after 2014 operates within those constraints. The organizations that shaped those specifications during the standards window shaped a decade of authentication and authorization architecture.

## The pattern

In every infrastructure category, there is a period between category formation and category crystallization when the defaults are being written. During that window, the organizations that define terms shape how every subsequent product implements them. After the window closes, everyone builds within the defaults.

The window is not permanent. It closes when regulatory frameworks solidify, when standards bodies finalize specifications, and when the market converges on implementation patterns. Identity management closed between 2012 and 2014. The terms OAuth and OpenID Connect defined became the architecture constraints every identity vendor has built within since.

## The timing

Three dedicated enforcement products launched in the second half of 2025. OASIS Security raised $120 million in March 2026. [3] The enforcement infrastructure is being built at speed. The governance terms those products will enforce are still being written.

The EU AI Act's high-risk system obligations take effect August 2, 2026. [4] Standards bodies are beginning formal work on agent governance primitives. The window is open. It is not open indefinitely.

## The layer distinction

Enforcement is how you enter the category. Governance terms are how you define it. This is not a sequence claim: governance terms before enforcement tooling. It is a structural claim: governance terms above enforcement tooling. The terms layer defines what the enforcement layer implements. Authorization scope, data boundary policy, and liability allocation are governance terms. Enforcement products apply them at runtime.

The organizations that define those terms during the current window will not simply have documented their own governance. They will have contributed to the default architecture that all future enforcement products implement.

## The consequence

After a standards window closes, governance terms become compliance inputs. Before it closes, they are architecture decisions. The cost structure is different. The influence is different. The ability to define rather than adopt is only available once per category cycle.

In identity management, the organizations that participated in OAuth and OpenID Connect specification work gained lasting influence from defining terms that became public defaults. The leverage in agent governance operates on the same principle.

Standards windows close. After they close, everyone builds within the defaults. Before they close, the organizations defining terms shape the next decade of architecture.

The enforcement infrastructure is being built at speed. The governance terms those products will enforce are still being written.

# References
  1. IETF RFC 6749. "The OAuth 2.0 Authorization Framework." October 2012. datatracker.ietf.org/doc/html/rfc6749
  2. OpenID Connect Core 1.0. OpenID Foundation. Final specification, February 2014. openid.net/specs/openid-connect-core-1_0.html
  3. OASIS Security $120M Series B. March 2026. Agentic access management infrastructure. Source: company announcement.
  4. EU AI Act, Article 97. Entry into force and application dates. Regulation (EU) 2024/1689. High-risk AI system obligations applicable from August 2, 2026. eur-lex.europa.eu
# 04 Governance Debt Compounds

Every deployment without defined governance architecture creates compounding debt.

3 enterprise governance consoles launched in May 2026 to discover ungoverned agents (Microsoft · Google · ServiceNow [1][2][3])
21% report having proper governance in place while 54% are actively deploying (Deloitte and KPMG, 2026 [4])
Aug 2026: EU AI Act high-risk obligations enforcement deadline (Regulation (EU) 2024/1689 [5])

Microsoft launched Agent 365 in May 2026 to govern what work AI agents are authorized to do under organizational policies. Portal26 launched an Agent Management Platform in March 2026 to discover agents and flag unauthorized behavior. Google added an AI Control Center to Workspace on May 3, 2026. ServiceNow expanded its AI Control Tower in May 2026 to discover, govern, and secure AI agents across the enterprise. [1][2][3] Three enterprise governance consoles in May 2026, all responding to the same structural problem: agents operating without organizational visibility or governance terms.

## The pattern

Organizations are deploying agents faster than they are defining governance terms for those agents. 54% of organizations are actively deploying agents. [4] The result is a fleet of systems making commitments, moving data, and acting across organizational boundaries under authorization terms that were never formally defined.

Each untracked deployment widens the gap between what the organization believes it can defend and what its runtime systems are actually doing.

## The mechanics of compounding

Governance debt compounds for structural reasons. Each agent deployed without authorization scope, data boundary policy, and liability assignment becomes a liability that must be retrofitted. Retrofitting is harder than pre-deployment governance for four reasons. First, agents have already committed to transactions under undefined terms, and those transactions are in the record. Second, audit trails may be incomplete or missing for the period before governance was applied. Third, data has already crossed organizational boundaries without documented consent. Fourth, accountability has defaulted to whoever built the agent rather than being deliberately assigned to a principal.

Retroactive governance does not erase the record. It begins a new record while the old one persists.

## The regulatory dimension

The EU AI Act's high-risk system obligations take effect August 2, 2026. [5] The governance terms required for compliance do not come installed with enforcement tooling. They require deliberate governance architecture work. Organizations that deferred that work before the enforcement deadline do not have more time. They have more debt.

## The discovery signal

Microsoft, Google, and ServiceNow are not firms with limited enterprise visibility. They built governance discovery tools because agents were already operating in their customers' environments and no one had visibility into them. The shadow agent fleet is not a theoretical risk. It is the present state of enterprise AI deployment for organizations without governance architecture in place.

An organization that discovers agents after deployment does not have a discovery problem. It has a governance architecture problem.

Governance debt is not a future risk. It is the present cost of each deployment that happens without governance terms defined.

Governance built before deployment is architecture. Governance applied after deployment is remediation. The cost is not the same.

# References
  1. Microsoft Agent 365. Enterprise AI agent authorization and governance, generally available May 2026. Portal26 Agent Management Platform, launched March 2026 for agent discovery and unauthorized-behavior flagging. Source: company announcements.
  2. Google AI Control Center. Added to Google Workspace, May 3, 2026. Source: Google Workspace product announcement.
  3. ServiceNow AI Control Tower. Expanded to discover, govern, and secure AI agents across the enterprise, May 2026. Source: ServiceNow product announcement.
  4. Deloitte State of AI 2026 and KPMG Q1 2026 AI Pulse Survey. 21% report having proper governance in place (Deloitte). 54% active agent deployment rate (KPMG). See Position 01 references for full citations.
  5. EU AI Act, Regulation (EU) 2024/1689. Article 97 (application dates). High-risk AI system obligations applicable from August 2, 2026. eur-lex.europa.eu

Is direction the real question?

If your organization is deploying agents and governance is the gap, reach out. Most conversations take 20 minutes.
