Blog
Articles on agentic control planes, AI governance, and building trust infrastructure for AI systems.
/ START HERE
AGENTGOVBENCH · BENCHMARK
Seven frameworks scored against 48 governance scenarios
Vanilla 13/48. Audit-only 29/48. ACP-paired 40-46/48. The complete scorecard, with reproducible runners.
ARCHITECTURE · OPINION
OpenAI Frontier proves governance can't live with the model provider
Frontier names the real bottleneck: identity, permissions, audit. Then bakes governance into the same vendor that supplies the model — and creates a problem it can't solve.
REFERENCE · ANTHROPIC SDK
Auditable logging and governance for the Anthropic Agent SDK
The complete TypeScript reference for adding identity, policy, and audit-grade logging to Anthropic's Agent SDK and Claude Agent SDK loops.
EXPERIMENT · AGENTS BUILDING AGENTS
We had a Claude agent build a governed AI agent. It picked Microsoft.
A fresh agent, no prior knowledge of any vendor, ran two natural-language searches and shipped 338 lines of working code in 7 minutes. ACP wasn't in the top 5. The honest writeup, with both code samples inline.
/ ALL POSTS
Stop your AI agent from deleting your production database — in three steps
If your agent has destructive credentials in its environment, it can use them. Recovery is rarely possible. Here's how to put a control plane between the agent's decision and your production system, with the exact configuration.
April 26, 2026
Seven agent frameworks, one backend, governance diverges on 9 of 48 tests
Seven frameworks, one backend, 48 governance scenarios. Scores ranged 37-46. Variance is architectural: where a framework lets you observe tool calls.
April 21, 2026
AI control plane: a buyer's guide
What an AI control plane actually is, the four vendor categories competing for that name, the questions that separate them, and a 14-day evaluation framework you can run before you sign anything.
April 30, 2026
CSA Defines the Agentic Control Plane. Here's What We Built.
Cloud Security Alliance just published the Agentic Control Plane framework. We've been building the infrastructure. What's real vs. still theoretical.
March 23, 2026
Your AI Agents Are Acting on Behalf of Your Users
AI agent identity is broken: agents call your backend on behalf of users, but your systems can't verify who initiated the request. Here's the real risk.
February 18, 2026
Your AI agents need a control plane, not another gateway
API gateways proxy traffic. LLM gateways proxy prompts. Neither governs what an autonomous agent does with your tools. Why the control plane is different.
April 6, 2026
Agentic Data Plane vs Agentic Control Plane
Agentic data plane vs agentic control plane — what each layer does, why you need both, and how they work together to govern AI agents in production.
February 23, 2026
What Is an MCP Control Plane?
An MCP control plane adds identity verification, policy enforcement, and audit logging to Model Context Protocol servers — the missing governance layer.
February 26, 2026
Why API Gateways Don't Solve AI Governance
Traditional gateways handle routing and rate limits. But AI needs identity binding, PII detection, and policy enforcement they were never built for.
December 10, 2025
Why Not Just Use OPA and a Service Mesh?
Do OPA, Istio, API gateways, and IAM already solve AI agent governance? Where existing infrastructure fits, where it breaks, and what's still missing.
March 25, 2026
Why Agentic Control Planes Will Matter
AI is moving from chatbots to agents that take real actions. Without a governance layer, every tool call is a liability.
October 15, 2025
Building the same agent fifteen ways: what each framework taught us about governance
Fifteen frameworks and clients, one agent task. The friction points were different in every runtime — and the patterns that emerge tell you what governance actually has to do, regardless of which framework your team picks.
April 24, 2026
Identity in the Three-Party Trust Model
The core problem in AI governance isn't authorization or audit — it's identity. If you can't identify who a request is for, nothing else works.
November 5, 2025
ACP and Okta for AI Agents: composition, not collision
Okta for AI Agents launched today as the identity-perimeter layer for AI agents. ACP runs at the tool-call layer. The two compose into a complete control plane — here's how the layers fit.
April 30, 2026
Okta for AI Agents: a technical read on the launch
Okta launched Okta for AI Agents to GA on April 30, 2026. Walking through the architecture, the MCP Bridge approach, the five-question framing, and which agent-governance use cases the launch addresses cleanly.
April 30, 2026
ACP and Bedrock AgentCore: how the two layers compose
AWS shipped a real governance product for Bedrock-hosted agents. ACP runs everywhere else. The honest read on when to use which, and why most enterprises will need both.
April 30, 2026
OpenAI on Bedrock: what the partnership covers, and what's beyond it
OpenAI models are now on Amazon Bedrock — including GPT-5.5. The deal extends meaningful governance to AWS-hosted agents and surfaces three architectural areas where complementary intercept points are still useful.
April 30, 2026
ACP and Microsoft Foundry Agent Service: governance beyond the Azure boundary
Microsoft Foundry ships the most coherent enterprise governance story among the three hyperscalers. Here's where it covers, where it stops, and how ACP composes for everything outside Azure.
April 30, 2026
Microsoft open-sourced an Agent Governance Toolkit. Here's what it covers and what it doesn't
April 2026: Microsoft released an open-source policy engine for AI agents — sub-millisecond enforcement, stateless, self-hostable. Read the strengths and the scope honestly.
April 30, 2026
ACP and Vertex AI Agent Builder: same ADK code, two governance scopes
Google's Vertex AI Agent Builder gives ADK agents per-agent IAM identities, Cloud API Registry tool governance, and managed Agent Engine. Here's where it covers and how ACP plugs in beyond Google Cloud.
April 30, 2026
Gemini Enterprise Agent Platform: Google's hosted-agent answer, and where it composes
April 23, 2026: Google announced the Gemini Enterprise Agent Platform — bundling Vertex Agent Builder, Agents CLI, Agent Runtime, Cloud Run, and GKE Autopilot. Here's what's in it and how it composes with complementary intercept layers.
April 30, 2026
SOC 2 and HIPAA for AI agents: the compliance playbook
A control-by-control mapping from SOC 2 trust services criteria and the HIPAA Security Rule to the AI agent governance controls that satisfy them. With evidence-collection guidance, common audit-failure modes, and a one-page checklist.
April 30, 2026
Ten questions every CISO should ask about AI agent audit trails
Every governance vendor claims audit trails. Most produce something between an unstructured request log and a real, identity-attributed, tamper-evident record of agent decisions. Here are the ten questions that separate them.
April 27, 2026
AI Agent Audit Trails: What CISOs Actually Need to Know
AI agent audit trails need identity-attributed logging — not generic API logs. Here's what CISOs actually need to know for compliance-ready governance.
March 1, 2026
Compliance-Ready AI Governance
AI agents are accessing protected data on behalf of users — but HIPAA, SOC 2, and GDPR weren't built for this. Compliance-ready AI governance starts here.
January 22, 2026
EU AI Act Article 14 and AI Agents: Mapping Human Oversight to Delegation Chains
EU AI Act Article 14 requires demonstrable human oversight from Aug 2, 2026. How ADCS delegation chains map to 14(4)(a)-(e) with auditor-ready artifacts.
April 16, 2026
NIST Just Defined Identity for AI Agents. Here's What Changes.
NIST's AI Agent Standards Initiative is the first federal move on identity and authorization for autonomous agents. The architectural asks are clear.
March 15, 2026
How an Agentic Control Plane Addresses Every OWASP Agentic Top 10 Risk
A risk-by-risk mapping of OWASP's Agentic Top 10 to specific control plane capabilities — from the governance layer, not the model or app layer.
March 25, 2026
AI Agent Identity: The Problem No One Has Solved Yet
Your IAM stack handles human identity. AI agent identity — proving who an agent acts for across every tool call — requires a fundamentally different layer.
March 4, 2026
Authentication Is Broken in AI Systems
AI agents call your backend APIs on behalf of users. Your backend has no idea who's asking. This isn't a bug — it's how every major agent framework works today.
March 10, 2026
Runtime Authorization for AI Agents: Why Static Policies Break
Traditional authorization was built for humans clicking buttons. AI agents make thousands of decisions a minute. Runtime authz for autonomous callers.
March 20, 2026
Continuous Trust Validation for AI Agents
Point-in-time audits break when agents make 10,000 decisions an hour. Continuous trust means verifying identity, policy, and behavior on every action.
March 18, 2026
The MCP Security Checklist for Enterprise Teams
A 10-point security checklist for teams deploying MCP servers in production. Covers identity, auth, PII, rate limits, audit trails, and more.
March 22, 2026
Stop your AI agent from running `rm -rf` on your filesystem — in three steps
Cursor and Claude Code agents have wiped home directories mid-session. The fix isn't smarter prompting — it's a control plane between the agent's tool call and your filesystem. Here's the exact configuration.
April 26, 2026
Stop your AI agent from leaking secrets in your `.env` file — in three steps
AI coding agents read your `.env` files by default. They quote secrets back into commits, paste them into chat logs, and surface them in tool outputs. Here's how to gate that without breaking your agent's actual job.
April 26, 2026
Stop your AI agent from leaking PII through tool calls — in three steps
Your AI agent runs `SELECT email FROM users` and gets back a list of customer emails. Now those emails are in the LLM's context, your conversation logs, and any downstream tool the agent calls afterward. The fix isn't smarter prompting — it's tool-output PII redaction at the gateway.
May 1, 2026
Stop your AI agent from rewriting your git history — in three steps
Claude Code, Cline, and Cursor agents have force-pushed over teammates' work, reset uncommitted changes, and stripped commits from production branches. The model can't see what you'd lose. A control plane between the agent and your git remote can.
April 26, 2026
Stop your AI agent from being weaponized by a malicious package — in three steps
The Nx s1ngularity attack used local Claude, Gemini, and Q CLIs to recon for SSH keys, .env files, and GitHub tokens. 2,349 secrets were exfiltrated. The control plane your AI agent needs is the same one that catches this — but you have to install it before the next compromise lands.
April 26, 2026
Stop your AI agent from touching files outside your project — in three steps
Cursor and GitHub Copilot agents have wandered into Documents folders, root drives, and home directories — deleting files that had nothing to do with the project they were working on. The control-plane fix is workspace-scoping at the hook layer.
April 26, 2026
Stop your AI agent from dropping a Kubernetes namespace — in three steps
An autonomous agent with kubectl access can `kubectl delete namespace prod` in one tool call. The OS doesn't ask twice. The control plane between the agent's intent and your cluster has to.
April 26, 2026
Stop your AI agent from escalating IAM permissions — in three steps
If your agent can call `iam:CreatePolicy`, `iam:AttachRolePolicy`, or `gcloud projects add-iam-policy-binding`, it can grant itself anything the underlying credential allows. The blast radius of one bad tool call is your entire cloud account.
April 26, 2026
Stop your AI agent from making payments without approval — in three steps
Agentic commerce SDKs from Stripe, Visa, and Mastercard give your AI agent the ability to charge cards, transfer funds, and authorize subscriptions. One bad tool call is one real-world transaction. Here's how to put approval in the loop where it matters.
April 26, 2026
Stop your AI agent from burning through your API budget — in three steps
Cursor agents have looped overnight and burned $135 of credits in a week. Codex sub-agents have run $350 over plan. A leaked GCP key produced an $18,000 bill. The fix isn't smarter prompting — it's a control plane with rate limits and budget caps.
April 26, 2026
Claude Code's `--dangerously-skip-permissions` disables every governance hook
Claude Code's `--dangerously-skip-permissions` silently disables every PreToolUse and PostToolUse hook, including ACP's. How to detect it server-side.
April 20, 2026
The Governance Controls Existed
Microsoft 365 Copilot bypassed its own DLP policies because every governance control lived inside the same vendor pipeline that failed.
February 20, 2026
Your API Keys Already Give Agents Production Access
Every API key in your env vars lets an agent act with full access and no user identity. Most teams don't notice until something breaks in production.
March 14, 2026
I Audited 7,522 AI Agent Skills. Here's What I Found.
A first-hand static analysis of every skill on ClawHub — the real numbers on credential leaks, prompt injection, and what registry moderation actually catches.
March 25, 2026
What 28,000 agent tool calls look like
28,256 agent tool calls across ChatGPT, Claude Code, Claude Desktop, Codex, Cursor, Lovable — 70 days of data. What we found, why Session Replay shipped.
April 17, 2026
WebMCP Ships Without Agent Identity. Here's Why That Matters.
W3C WebMCP gives browsers a native API for AI agents to call site tools — but ships with no agent identity, scoped permissions, or delegation context.
March 19, 2026
Codex CLI hook governance: what works today (and what doesn't)
Codex CLI exposes a PreToolUse / PostToolUse hook surface modeled on Claude Code's, but with a real coverage gap today: hooks reliably fire for shell calls, not for apply_patch edits or most MCP tool calls. Here's the working reference, the install path, and the workarounds.
April 30, 2026
Introducing ADCS — an open spec for agent-to-agent delegation chains
ADCS v0.1: an open JSON spec for agent delegation chains — scope intersection, budget propagation, cycle prevention, identity, audit. Ref impl shipping.
April 16, 2026
Recommended governance deployment patterns — pick the one that scores highest for your stack
AgentGovBench scores across seven frameworks, translated into a customer-facing recommendation for deploying governed AI agents by stack, score, and reach.
April 20, 2026
How we think about testing AI agent governance
AgentGovBench is an open, NIST-mapped benchmark for AI agent governance. We ran it against ACP. What broke, what shipped, how to run it on your deployment.
April 20, 2026
Reproduce AgentGovBench on your stack — full setup guide
Step-by-step guide to running the AgentGovBench scorecard against your own ACP deployment: required env, Firebase setup, common issues, reading results.
April 20, 2026
How AgentGovBench's 48 scenarios map to NIST AI RMF 1.0
AgentGovBench scenarios cite specific NIST AI RMF 1.0 controls — MAP, MEASURE, MANAGE, GOVERN. The full mapping for procurement teams citing controls.
April 20, 2026
Build a governed GitHub PR reviewer in Python (with subagent delegation)
A Python AI agent that reviews pull requests, spawns a security-scanner and a test-runner as scope-narrowed subagents, and ships an audit chain back to the human reviewer. Full working code. ~210 lines.
May 1, 2026
Build a governed multi-step research agent (delegation chain across 4 hops)
A Python research agent that decomposes a question, spawns parallel search subagents, then a synthesizer subagent — with a 4-deep delegation chain that traces every tool call back to the human asker. ~230 lines.
May 1, 2026
Governance for Claude Code in 60 seconds
One command installs a governance hook on every Claude Code tool call. Bash, Read, Write, Edit, WebFetch — logged, policy-enforced, dashboard-visible.
April 6, 2026
Governing the Anthropic Agent SDK
Anthropic's Agent SDK makes multi-skill agents easy to ship. Route them through ACP so every skill, tool call, and sub-agent hop is scoped and auditable.
April 10, 2026
Governed Codex CLI in 3 Minutes
OpenAI Codex CLI's auto-approve mode keeps ACP's governance hook firing in unattended runs. 60-second install, what it buys you that Claude Code doesn't.
April 20, 2026
Governed Cursor in 3 Minutes
Cursor writes a lot of AI-assisted code, with zero visibility into what its agents did. Route Cursor through ACP so every MCP tool call is audited.
April 20, 2026
Governed CrewAI in 3 Minutes
Wrap CrewAI tools with @governed, bind the user JWT, and call install_crew_hooks(crew) to audit inter-agent handoffs. Every tool call and every delegation, identity-attributed and policy-checked.
April 15, 2026
Governed LangGraph in 3 Minutes
Wrap your LangGraph tools with @governed and bind the user JWT — every tool call across every node is audited, identity-attributed, and policy-checked. Three minutes from `pip install` to running governed.
April 12, 2026
Governed OpenAI Agents SDK in 3 Minutes
OpenAI Agents SDK is built for multi-agent systems. Point the client at ACP's proxy — every LLM and tool call is audited and policy-checked in four lines.
April 20, 2026
Governed Google ADK in 3 minutes
Add ACP governance to a Google Agent Development Kit (ADK) agent in three minutes. One @governed decorator, one set_context call, every tool call audited and policy-checked. Works with direct Gemini and Vertex AI.
April 27, 2026
Governed Mastra in 3 minutes
Wrap Mastra tool execute callbacks with governed() and bind the user JWT — every tool call audited, policy-checked, and identity-attributed. No framework-specific adapter needed.
April 27, 2026
Governed Pydantic AI in 3 minutes
Stack @governed under Pydantic AI's @agent.tool_plain. Bind the user JWT with set_context. Every tool call audited, policy-checked, identity-attributed.
April 27, 2026
Governed Vercel AI SDK in 3 minutes
Wrap Vercel AI SDK tool execute functions with governed() and bind the user JWT. Every tool call audited and policy-checked across generateText, streamText, and the v6 agent loop.
April 27, 2026
Governed AutoGen in 3 minutes
Decorate AutoGen tool functions with @governed and bind the user JWT with set_context. Every tool call audited and policy-checked. Targets v0.7+ post-rewrite API.
April 27, 2026
Governed Cline in 3 minutes
Add ACP as a remote MCP server in Cline's settings. Every MCP tool call Cline makes is audited, identity-attributed, and policy-checked. No code, JSON config only.
April 27, 2026
Governed Zed in 3 minutes
Point Zed's Anthropic API base URL at ACP's proxy and every LLM round-trip — prompts, tool declarations, tool calls — flows through governance. No code, settings.json only.
April 27, 2026
Claude Code scores 13/48 on AgentGovBench. With ACP, 43/48.
Third framework. Claude Code sits at the vanilla floor with no PreToolUse hook; with ACP installed, every Bash, Edit, and MCP call is governed.
April 20, 2026
Codex CLI scores 13/48 on AgentGovBench. With ACP, 43/48 — same as Claude Code.
Sixth framework. OpenAI's Codex CLI shares Claude Code's hook protocol, scores 43/48 with ACP. Differentiator: auto mode keeps hooks firing.
April 20, 2026
Cursor scores 13/48 on AgentGovBench. With ACP MCP server, 37/48 — and that gap is structural.
Seventh framework. Cursor's MCP integration only governs MCP-exposed tools — internal Edit/Read/Bash bypass entirely. A structural 37/48 ceiling.
April 20, 2026
CrewAI scores 13/48 on AgentGovBench. With ACP, 40/48.
CrewAI run through 48 governance scenarios, twice. Vanilla: floor. Wrapped in @governed: 40/48. Where the gap sits and what it means in production.
April 20, 2026
LangGraph scores 13/48 on AgentGovBench. With ACP, 40/48.
LangChain/LangGraph run through 48 governance scenarios, twice. Same as CrewAI: vanilla floor, jumps once wrapped in @governed. Per-category breakdown.
April 20, 2026
OpenAI Agents SDK scores 13/48 on AgentGovBench. With ACP, 45/48.
Fourth framework, first proxy-pattern integration. OpenAI Agents SDK scores 45/48 with ACP — closest to pure ACP because the proxy sees the full payload.
April 20, 2026
Anthropic Agent SDK scores 13/48 on AgentGovBench. With ACP, 46/48 — best of any framework.
We scored Anthropic's Agent SDK against 48 governance requirements — hooks, audit logging, identity, policy enforcement. Vanilla hits 13/48. Here's the gap.
April 20, 2026
CrewAI's task handoffs lose the audit trail — here's the gap and the fix
CrewAI's Hierarchical Process delegates manager-to-worker without carrying the chain. Even with @governed, audit logs show worker as top-level. The fix.
April 20, 2026
LangGraph's StateGraph checkpoints don't replay through governance
LangGraph checkpoint replays skip the governance pipeline — policy changes between original run and replay are silently ignored. The failure mode and fix.
April 20, 2026
How to Connect Salesforce to Claude Desktop in 5 Minutes
Step-by-step guide to connecting Salesforce CRM data to Claude Desktop using ACP's MCP gateway. Query contacts, deals, and reports from your AI assistant.
March 21, 2026
How to Trigger a Governed AI Agent from n8n, Zapier, or Any Webhook
Step-by-step guide to invoking AI agents via HTTP from workflow automation tools. Every tool call is identity-verified, rate-limited, and audit-logged.
March 24, 2026
How to Rate-Limit an MCP Server (Per-User, Per-Tool, Per-Agent)
MCP servers are rate-limit-blind — they see the LLM runtime's service account, not the user. How to add per-user, per-tool, per-agent limits in MCP.
April 16, 2026
Governing CrewAI A2A Delegation: a production setup guide
CrewAI shipped a first-class A2A delegation primitive. Full walkthrough: install, configure, govern, audit CrewAI A2A crews with scope and budget caps.
April 16, 2026
How to Add Per-User Authentication to a LangGraph Agent
LangGraph agents run on a shared API key by default — every tool call looks the same. Add per-user auth, identity-attributed audit, and rate limits.
April 16, 2026
MCP Re-Auth: What ChatGPT Actually Needs When Tokens Expire
ChatGPT won't re-trigger OAuth on HTTP 401 or JSON-RPC errors — it needs a JSON-RPC success envelope with _meta. The signal, and how a gateway emits it.
March 16, 2026
Can You Prove What Your AI Agent Did? I Checked 8,216 MCP Servers.
74.9% of MCP servers have no mention of audit logging. The MCP spec defines zero audit primitives. Here's why that's a compliance problem.
March 30, 2026
MCP Servers Proxy Paid APIs With No Rate Limits. I Calculated the Blast Radius.
180 MCP servers proxy calls to paid APIs like OpenAI and Stripe. 85% document no rate limits. An agent retry loop can cost $1,080/hour.
March 31, 2026
4,500 MCP Servers, 7,840 Tools, Zero Input Validation. Here's the Attack Surface.
Analysis of 8,216 MCP servers: 2,432 expose high-risk inputs — SQL, file paths, shell commands — with zero validation constraints in the tool schema.
March 29, 2026
4 Security Vulnerabilities Hiding in Your MCP Server's Tool Schema
Real CVEs trace back to unconstrained tool schemas. From 8,216 MCP servers: the JSON patterns behind path traversal, SSRF, injection, and how to fix each.
April 2, 2026
I Classified 8,000+ MCP Servers by Auth Appropriateness. Most Get It Wrong.
A static analysis of 8,216 MCP servers across 4 registries. 50.6% have no auth. But the real question is: do they have the right auth for what they do?
March 28, 2026
MCP Gateway Comparison: ACP vs Composio vs Self-Hosted
An honest comparison of MCP gateway options. When to use ACP Cloud, Composio, or build your own with open-source tools.
April 1, 2026
MCP Is the Data Plane. You Still Need a Control Plane.
MCP defines how agents call tools — the data plane. It doesn't define who can call what, when, or with what audit trail. That's the control plane.
March 17, 2026
The Cost of Running Agents Without Budget Controls
One runaway agent loop can burn through your entire monthly LLM budget in minutes. Here's how to prevent it.
January 2, 2026
PII in Prompts: What You're Probably Leaking
Users paste PII into your AI app. It goes straight to the LLM. That's a compliance problem.
November 19, 2025
What Tools Is Your OpenClaw Agent Using?
Your OpenClaw agent can read .env files and bypass permission skills. Here's what an MCP server security audit revealed — and how to lock it down.
February 15, 2026
Build a governed SQL agent that scrubs PII from query results (Python, runnable)
A Python AI agent that runs natural-language queries against a Postgres warehouse, with tool-output PII scrubbing happening at the governance layer — not in agent code. The agent never sees raw customer data. ~180 lines.
May 1, 2026
Build a governed customer-support email triage agent (with human-in-the-loop on sensitive sends)
A Python agent that classifies incoming support email, drafts replies, and asks for human approval before any reply that mentions refunds, account closure, or escalations is sent. The 'ask' decision flow, in working code. ~190 lines.
May 1, 2026
Decorator, proxy, hook — three patterns for agent governance, three different scorecards
Why CrewAI + ACP scores 40/48 but Claude Code + ACP scores 43/48 on the same backend. Three integration patterns, three scorecards — where each wins.
April 20, 2026