The Enterprise Agent Control Plane Is Arriving
Enterprise AI is leaving the demo phase, and the winning products are starting to look less like chatbots than identity systems with side effects.
Context
The evidence is no longer coming from one vendor or one category of tool. Microsoft's Agent Governance Toolkit says the quiet part plainly: OAuth scopes and IAM roles tell you what a service can reach, but not what an agent does once connected, which agent acted, or which policy allowed or denied the action. Google's Gemini Enterprise Agent Platform and its Agent Gateway overview describe a stack with agent identities, a registry, default blocking for unregistered MCP tools, and gateway-level decisions over read and write classes. OpenAI's ChatGPT Work announcement names enterprise controls over connectors, browser and network access, local files and apps, scheduled tasks, and auto-review before sensitive actions.
This is not a cosmetic shift. It means mainstream vendors are converging on a view that agent deployment is primarily a governance problem. The model matters. The workflow matters. But the decisive infrastructure is increasingly the layer that joins identity, tool registration, policy, execution boundaries, audit, and revocation.
The business side is starting to say the same thing less elegantly. OpenAI's HP Frontier partnership post frames agent deployment around understanding what is running, what context it can use, what tools it may access, what actions it may take, and how outputs are evaluated. VentureBeat's evaluation-gap piece reports that autonomy is reaching production faster than many enterprises can verify safely. Those are different documents for different audiences. They both point to the same missing control plane.
Analysis
For a while, enterprise agent discussion was dominated by two weak abstractions. The first was the model benchmark: if the system scores well, it must be production ready. The second was the connector catalog: if the assistant can talk to Slack, Drive, CRM, calendar, and browser tools, it must be useful. Both views now look incomplete.
The benchmark problem is obvious once the agent can act. An evaluation can tell you that a model usually completes a task. It cannot, by itself, tell you whether the system was authorized to read a particular repository, send a customer email, approve a configuration drift exception, publish a site, or launch a scheduled background workflow. VentureBeat's survey numbers matter less for their precision than for the underlying pattern: organizations are moving toward production autonomy while still lacking confidence in the verification layer. That is exactly what happens when capability matures faster than authority design.
The connector problem is subtler. Enterprise buyers were told, implicitly, that the question was which tools the model could reach. But once assistants can cross from chat into desktop control, browser automation, local files, ticketing systems, document stores, and scheduled tasks, "tool access" stops being a feature checklist and becomes a policy surface. A connector is not just a data source. It is a path to side effects.
That is why the most mature vendor narratives now sound like control-plane documents.
Microsoft AGT wraps tool calls in deterministic policy enforcement, identity, privilege rings, sandboxing, audit, and MCP security checks. Google gives each agent an identity, forces tools through registry and gateway logic, and defaults to blocking unregistered MCP surfaces. OpenAI distinguishes sensitive actions, connector access, browser and network boundaries, local-app controls, and scheduled workflows. HP's enterprise framing adds the operational question every buyer eventually asks: what is running, under which context, doing what, and subject to which evaluation?
These are not identical architectures, but they are converging on the same shape.
First, they treat the agent as a principal, not just an interface. Once an agent has its own identity or runtime record, the system can stop pretending that every action is reducible to "the user clicked through chat." This matters because enterprises do not actually want a permanent ambiguity between user intent and agent execution. They want to know which side effect belonged to which delegated actor.
Second, they separate discovery from authorization. A registry, MCP catalog, or connector directory is not yet a mandate. It only becomes useful when the policy layer can say which identity may use which tool, in which mode, with which arguments, against which data class, and under which approval requirements. Enterprises have decades of experience learning that asset inventory is not access control. Agent systems are rediscovering that lesson quickly.
Third, they are building runtime boundaries instead of assuming trust at the application edge. Local coding agents, browser-use agents, scheduled background tasks, remote MCP servers, and desktop automation all extend authority past the neat borders of SaaS admin consoles. Microsoft's endpoint emphasis is important here. So is Google's gateway language. So is OpenAI's focus on browser, network, and local-app boundaries. The new perimeter is not the office network. It is the delegated action surface.
Fourth, the strongest products are starting to acknowledge that approval is not a binary. Some actions should be blocked categorically. Some should be auto-approved inside narrow rules. Some should require escalation. Some should only execute in sandboxed or read-only form first. That is a more serious model than the familiar "human in the loop" slogan, which often hides the fact that the human has no useful way to inspect the full chain that led to a recommendation.
This is also why enterprise procurement is shifting. Organizations are not only buying model quality anymore. They are buying evidence. They want to know whether an agent runtime can preserve who acted, which data and tools were in scope, which policy fired, which review step happened, whether revocation was live, and what exact side effect landed. Put more bluntly: the enterprise agent market is moving from assistant UX to accountable execution.
There is a direct parallel here to smart-account mandates. Wallet builders have spent the past year arguing that the important object is not the key but the scoped delegation around the key. Enterprise platforms are reaching the same conclusion offchain. The key question is not "does the assistant have access?" It is "what was it allowed to do with that access, and how would an auditor prove it later?"
The hardest part is what comes next. Each vendor currently tells this story in its own house language. Microsoft has policy rings and governance toolkit primitives. Google has agent identities, registries, and gateways. OpenAI has enterprise controls over tools, browsers, files, scheduled tasks, and auto-review. These are all sensible local answers. But enterprise workflows rarely stay local. A single task may start in ChatGPT Work, touch Google Drive, call an internal MCP server, open a browser workflow, write to a Microsoft-managed environment, and end in a signed transaction or a published artifact. If every layer logs differently and interprets delegation differently, the enterprise still lacks a portable receipt.
That is the real control-plane question now. Not whether the market believes governance matters. It clearly does. The question is whether the emerging control planes can interoperate at the level that matters most: proof of authority.
The Caveat: Vendor-specific control planes are not a failure. In this phase of the market, they are probably necessary. Enterprises need something deployable before they get something standardized. But a stack-local audit trail is only a partial answer once workflows cross vendors and trust domains. The long-term win is not the platform with the prettiest admin console. It is the platform that can prove, outside itself, which principal delegated to which agent, over which tools and data, under which policy and approval state, with which revocation status, before the side effect reached the wire.
Also published on Paragraph.
Enjoyed this issue?
Subscribe to get future issues delivered to your inbox.