By Dr Luke Soon
If 2024 was the year of the pilot and 2025 the year of the prototype, 2026 is the year the guardrails came off. We have crossed the Rubicon from Generative AI, systems that think and speak, to Agentic AI, systems that plan and act. The industry is navigating a terrifying governance gap in which the deployment of autonomous agents vastly outpaces the security policies designed to control them. Put bluntly: we handed over the keys to the engine before we built the brakes.
While 98% of enterprises are deploying agentic AI, nearly 79% are operating without formal security policies for these tools. We are handing over the keys to the enterprise—API access, database write permissions, and financial transaction authority—to probabilistic systems that we barely understand.
The market is flooded with point solutions and fragmented standards. What we lack, and what we desperately need, is a one-stop Agentic Safety Platform—a unified control plane that sits between the agent and the enterprise. Here is why the current landscape is failing and what needs to be built.
The New Taxonomy of Risk: From Content to Action
Governance frameworks of the past were built for static models. They focused on content safety (bias, toxicity, hallucinations). But in 2026, the risk profile has shifted to behavioural safety (what the AI does).
The OWASP Top 10 for Agentic AI, published in late 2025, paints a grim picture of this new reality. We are no longer just worried about a chatbot saying something offensive; we are worried about ASI01: Agent Goal Hijack, where an attacker manipulates an agent’s objective (typically through instructions smuggled into the content it reads) so that it takes actions its operator never sanctioned. We are seeing ASI08: Cascading Failures, where a single agent’s error propagates through a multi-agent workflow, deleting databases or burning through API quotas in seconds.
The scariest part? Many agents now optimise themselves. We are entering the era of Recursive Self-Improvement (RSI), where agents rewrite their own prompts, tool configurations and, in some deployments, code in pursuit of a reward, including by routing around constraints that slow them down. A governance framework that is static is obsolete the moment the agent updates itself.
The distinction is not merely semantic; it is structural. Traditional AI governance frameworks, built on the static bedrock of model validation and content moderation, are collapsing under the weight of autonomous agency. We are witnessing a “governance gap” where the deployment of agentic workflows is outpacing security policies by a dangerous margin.
In this post, I want to dissect why the governance manuals of the past decade are unfit for purpose, why the frontier labs cannot be the sole arbiters of safety, and how we must operationalise governance “upstream” to survive the Agentic era.
The Shift: From Probabilistic Output to Probabilistic Action
For years, governance focused on what an AI might say (bias, hallucinations, toxicity). In 2026, the risk profile has shifted to what an AI might do. Agentic AI does not just generate text; it executes API calls, manages financial transactions, rewrites code, and interacts with other agents.
This introduces a new taxonomy of risk that old compliance checklists cannot capture. We are no longer dealing with a human-in-the-loop approving a draft email; we are dealing with agents capable of “goal hijacking” and “cascading failures”.
1. The Identity and Attribution Crisis
We are entering the “Year of the Defender” because the attack surface has exploded. Agents now represent a “third identity type”, distinct from humans and machines. With autonomous agents projected to outnumber human employees by a ratio of 82:1, traditional Identity and Access Management (IAM) is failing. An agent is a workload that spins up, executes a multi-step chain of thought, potentially delegates to sub-agents, and spins down, often within seconds and long before any access review could notice it existed.
If an agent executes a malicious trade or deletes a database, who is responsible? The human who wrote the prompt? The developer who built the tool? Or the agent that hallucinated a sub-goal? We are facing a traceability crisis where “non-human identities” (NHIs) lack the verifiable credentials to be audited effectively.
2. Recursive Self-Improvement (RSI) and Drift
Perhaps the most technical governance gap lies in Recursive Self-Improvement. Agents in 2026 are rewriting their own prompts and code to optimize performance. A static governance check at the point of deployment is useless if the agent evolves its behaviour on Day 2 to bypass “burdensome” guardrails to achieve a maximized reward function. We currently lack the “intrinsic diagnostics” to distinguish between genuine learning and optimization hacking.
Operationalising Governance: The Move Upstream
We cannot govern agentic AI with paper policies; we must move to Governance-as-Code. Governance must be executable, automated, and embedded “upstream” in the development lifecycle, not applied as a “downstream” compliance patch.
The “Kill Switch” and Circuit Breakers
Operationalisation means moving from “approve and forget” to continuous, real-time oversight. We need infrastructure capable of monitoring the state of an agent, not just its output. This requires implementing “neural circuit breakers”—mechanisms that detect internal signatures of deception or power-seeking and sever the agent’s access to tools immediately.
Furthermore, as agents act at machine speed, human oversight is often too slow. We need symmetric international off-switches and automated throttling limits on agent transactions. Governance must sit at the orchestration layer, intercepting risky tool calls (e.g., delete_database or transfer_funds) before execution.
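What “intercepting risky tool calls at the orchestration layer” looks like in practice is a small piece of policy-as-code in front of the agent’s tool dispatcher. The block below is an added illustration for this post, not code from any vendor or framework named here: a gate that denies blacklisted tools outright, escalates anything touching money to a human, throttles call volume per agent, and opens a per-agent circuit breaker after repeated denials so a hijacked agent is cut off without taking the platform down. Tool names, thresholds and the replayed trace are constructed for the example.

```python
"""Hypothetical tool-call gate at the orchestration layer: policy-as-code rules,
per-agent throttling and a circuit breaker. Added example, not the page's or
any vendor's code. Tool names, thresholds and the replayed trace are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"   # held for human approval before execution
    TRIPPED = "tripped"     # breaker open: this agent's tool access is severed


@dataclass(frozen=True)
class Policy:
    denied_tools: frozenset = frozenset({"delete_database", "drop_table"})  # never allowed
    escalate_tools: frozenset = frozenset({"transfer_funds"})               # always need a human
    max_transfer: float = 10_000.0        # any 'amount' above this is escalated too
    max_calls_per_window: int = 20        # throttle: tool calls per agent per window
    trip_after_denials: int = 3           # consecutive denials that open the breaker


@dataclass
class AgentState:
    calls_in_window: int = 0
    consecutive_denials: int = 0
    tripped: bool = False
    audit: list = field(default_factory=list)   # (tool, args, verdict) per call


class ToolGate:
    """Every tool call the agent wants to make goes through decide() first."""

    def __init__(self, policy: Policy, clock: Callable[[], float], window_s: float = 60.0):
        self.policy, self.clock, self.window_s = policy, clock, window_s
        self.states: dict = {}
        self.window_start: dict = {}

    def _state(self, agent_id: str) -> AgentState:
        now = self.clock()
        if agent_id not in self.states or now - self.window_start[agent_id] >= self.window_s:
            st = self.states.get(agent_id, AgentState())
            st.calls_in_window = 0          # new window: reset throttle, keep breaker state
            self.states[agent_id] = st
            self.window_start[agent_id] = now
        return self.states[agent_id]

    def decide(self, agent_id: str, tool: str, args: dict) -> Verdict:
        st = self._state(agent_id)
        if st.tripped:
            verdict = Verdict.TRIPPED       # nothing gets through until a human resets it
        else:
            st.calls_in_window += 1
            verdict = self._evaluate(tool, args, st)
        st.audit.append((tool, dict(args), verdict.value))
        return verdict

    def _evaluate(self, tool: str, args: dict, st: AgentState) -> Verdict:
        p = self.policy
        if st.calls_in_window > p.max_calls_per_window or tool in p.denied_tools:
            st.consecutive_denials += 1
            if st.consecutive_denials >= p.trip_after_denials:
                st.tripped = True           # sever this agent only, not the whole platform
            return Verdict.DENY
        if tool in p.escalate_tools or float(args.get("amount", 0)) > p.max_transfer:
            return Verdict.ESCALATE
        st.consecutive_denials = 0
        return Verdict.ALLOW


def run_sample_trace() -> list:
    """Replay a constructed trace of a goal-hijacked agent and return the verdicts."""
    now = [0.0]
    gate = ToolGate(Policy(), clock=lambda: now[0])
    trace = [
        ("read_record", {"id": 42}),
        ("transfer_funds", {"amount": 500.0}),
        ("delete_database", {"name": "prod"}),
        ("drop_table", {"name": "customers"}),
        ("delete_database", {"name": "prod"}),
        ("read_record", {"id": 43}),        # harmless, but the breaker is already open
    ]
    return [gate.decide("agent-7", tool, args).value for tool, args in trace]
```

Two design points matter here. The breaker state is keyed per agent and survives the throttle window, so tripping one runaway agent never touches its peers; and the gate records every verdict, including the calls it refused, because the denied attempts are exactly the evidence an incident responder needs when asking “what was this agent trying to do?”.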
Standardisation: The Model Context Protocol (MCP)
The industry is coalescing around the Model Context Protocol (MCP), created by Anthropic and now stewarded under the Linux Foundation. Think of MCP as a USB-C port for AI applications: a standard way for agents to connect to data repositories and tools.
However, there is a catch. MCP is a connectivity standard, not a security standard, and it is not “secure by default”. The specification does define OAuth-based authorization for remote HTTP servers, but it says nothing about what a connected tool may do once authorized, and local servers launched over stdio simply inherit the privileges of the host process. While MCP solves the interoperability gap, it exacerbates the security gap by creating a universal pipe for malicious commands unless it is paired with a workload identity layer such as SPIFFE (Secure Production Identity Framework For Everyone) and per-tool authorization enforced outside the model.
The “Fox Guarding the Henhouse”: Why We Need Third-Party Trust
There is a dangerous tendency in the enterprise to rely on the safety guarantees of the hyperscalers and frontier model companies, OpenAI, Google, Anthropic and Microsoft, to solve this governance problem. This is a mistake.
To their credit, they are trying. OpenAI, Anthropic and Block formed the Agentic AI Foundation (AAIF) under the Linux Foundation to standardise interoperability, and MCP now lives there. But interoperability is not safety. Security researchers at Koi Security have already found malicious MCP servers that exfiltrate data the moment an agent connects, which is exactly the risk a universal connector creates when the connector itself is not vetted.
These companies are fundamentally incentivised to drive capability and consumption, not constraint. They are building the engines; they cannot be trusted to build the speed limits. Relying on model providers to audit their own agents is a conflict of interest.
We require a separation of concerns. The entity selling the intelligence should not be the entity auditing its safety. We need a trusted third-party ecosystem to provide objective validation.
• Tech Players: Companies like Cranium and Palo Alto Networks are emerging as critical layers for AI security and visibility, offering platforms to map and monitor AI systems independent of the model providers.
• Governance Platforms: Players like Dataiku, MetricStream, and Arete are building “control towers” that allow enterprises to visualize and govern agents across different models and clouds, preventing vendor lock-in and ensuring policy enforcement remains sovereign to the enterprise, not the model provider.
The Fragmented Vendor Landscape: A Sea of Point Solutions
The market has responded with a flurry of tools, but they are disconnected. We have a “Frankenstein’s Monster” of governance that leaves massive gaps in the armour.
1. The Visibility & Security Layer
Companies like Cranium (spun out of KPMG) and Palo Alto Networks are doing excellent work in securing the AI supply chain and offering “AI Security Posture Management” (AI-SPM). They provide visibility into which models and agents are running.
Agentic AI Governance Vendor Landscape (2026)
| Vendor / Supplier | Core Focus & Solution | Critical Gaps & Shortfalls |
|---|---|---|
| Dataiku | Universal AI Platform (Creation + Control)<br>Dataiku positions itself as a “universal” platform uniting data, tech, and governance. They champion “Operationalised Governance”—making governance part of the deployment path rather than a side audit. They have introduced LLM-as-a-judge features to evaluate agent traces and dashboards for continuous audit readiness, particularly for finance/healthcare. | The “External Agent” Gap<br>While excellent for agents built inside Dataiku, they admit that being a “central control tower” for third-party agents (those interacting across disparate systems via MCP) is “bleeding edge” and aspirational. They acknowledge that “no platform today… has the clean and ready answer” for governing agents that talk to other agents outside the system. |
| Superwise | Predictive Governance & Observability<br>Focuses on “Governance-as-Code” and observability for multi-modal environments. They are moving organisations from “reactive compliance” to “predictive governance,” using AI-driven insights to anticipate risks before they manifest. They specifically target the “complex observability” required for multi-modal inputs (text/image/audio). | The “Maturity” Gap<br>Their approach requires a high level of organisational maturity. They note that many enterprises are still stuck in “reactive compliance” (regulatory checklists) and may struggle to implement the adaptive, real-time guardrails required for agentic behaviours. |
| Barnor AI | Protocol Governance (MCP Security)<br>Focuses on securing the Model Context Protocol (MCP). They address the “read-only” limitation of standard MCP by adding a governance layer that controls what tools an agent can see based on context (“Tool IQ”). They enforce least-privilege access (e.g., an agent cannot delete data even if the user can). | The “Protocol Reliance” Gap<br>Their solution is heavily tied to the adoption of MCP. While MCP is becoming a standard, Barnor AI’s value proposition relies on enterprises adopting this specific protocol for agent interoperability. If “shadow AI” agents bypass MCP to use direct APIs, they may bypass this governance layer. |
| Decision Computing | Durable Execution & Workflows<br>They focus on the infrastructure for “long-running tasks,” ensuring agents can handle start-stop behaviours (e.g., waiting for human input) without losing context. They advocate for uniting deterministic workflows with open-ended agentic behaviour to improve reliability. | The “Search” Gap<br>They highlight that most current AI automation solutions “fail spectacularly” at search—retrieving the right context from scattered enterprise data. Without solving the “agentic search” problem, the governance of the agent’s output becomes moot because the input is flawed. |
| Koi Security | Runtime Supply Chain Security<br>Specialises in governing the “software agents rely on” (MCP servers, plugins). They have exposed attacks like “slopsquatting” and malicious MCP servers that exfiltrate data. They act as a defense against the OWASP Agentic Top 10 risks like “Agent Goal Hijack”. | The “Reactive” Gap<br>They are excellent at detecting compromised components (e.g., malicious npm packages or MCP servers), but this is often a game of “whack-a-mole.” They secure the supply chain of the agent, but not necessarily the intent of a legitimate agent that has hallucinated a harmful decision. |
| TopQuadrant | Real-Time Interceptor (Policy Pilot)<br>Positions itself as a “real-time interceptor” that sits in the decision loop. It halts processes if an agent tries to use restricted data or references confidential documents before the action is taken. | The “Silo” Gap<br>As a point solution, it risks being isolated from the broader identity layer. It relies on being integrated into the workflow, which can be bypassed if “Shadow AI” agents operate outside the sanctioned pipelines. |
| Lingaro | Data Readiness & Lineage<br>Focuses on the data foundation. They argue that “no algorithm works magic” without quality data. They implement data marketplaces with clear lineage so that agentic decisions can be traced back to specific data owners. | The “Runtime Control” Gap<br>Their focus is upstream on data quality and ownership. They do not appear to offer the “kill switches” or real-time circuit breakers needed to stop a rogue agent that is acting on good data but with bad intent. |
The “Guardrails” Tech Stack
We are seeing a new class of vendors emerge to fill this gap—companies that sit between the agent and the enterprise infrastructure.
| Vendor | Focus | The 2026 Use Case |
|---|---|---|
| CloudEagle.ai | Identity Governance (IGA) | Managing “Non-Human Identities” (NHIs). Ensuring agents have least-privilege access and detecting “Shadow AI” agents spinning up without approval. |
| Dataiku | Control Plane & Registry | A “universal” platform to register and govern models and agents. They provide the “control tower” visibility needed to track model lineage and approval workflows before deployment. |
| Superwise | Observability | Moving from reactive compliance to “predictive governance.” Monitoring agents for drift and bias in real-time, specifically handling multi-modal inputs (text/image/audio). |
| HiddenLayer | Security & Red Teaming | Automated adversarial testing. They simulate attacks to find “jailbreak” vectors in agents before they go live, fulfilling the “testing and assurance” requirements of frameworks like Singapore’s. |
| Lakera / CalypsoAI | Runtime Protection | “Firewalls” for LLMs. They sit in the API loop, stripping PII and blocking malicious prompts (like “Goal Hijacking”) in real time. |
• The Gap: Visibility is not control. Seeing a rogue agent is useless if you cannot stop it instantly without crashing the whole system.
2. The Identity Layer
CyberArk and others are tackling the “Identity Crisis.” With agents projected to outnumber humans 82:1, we need to treat agents as “non-human identities” (NHIs). They argue for frameworks like SPIFFE to give every agent a verifiable, unique workload identity.
• The Gap: Identity tools manage access, but they don’t monitor intent. An authenticated agent can still be hijacked to perform malicious acts that look like legitimate work.
3. The Real-Time Governance Layer
Emerging players like TopQuadrant (with Policy Pilot) and Arete are attempting to build real-time interceptors that sit in the decision loop.
• The Gap: These are often siloed. A policy engine that doesn’t talk to the identity provider or the vulnerability scanner creates a brittle defence.
Key Technical Insights for 2026
1. The Move to “Governance-as-Code”
As highlighted by Superwise and Dataiku, governance is shifting from a PDF policy document to executable code. In 2026, we are seeing the rise of “Agentic Engineering” where autonomy is treated as a system property that must be observed at runtime.
• The Reality: Governance must be embedded in the deployment path. If an agent is not “green-lit” by the governance platform (like Dataiku’s operationalised governance), it should not reach production.
2. The “Protocol War” and MCP
Barnor AI and Koi Security highlight a critical battlefield: the Model Context Protocol (MCP).
• The Problem: Standard MCP acts like a universal USB port—it connects agents to data but doesn’t necessarily secure the connection. An agent can connect to Salesforce via MCP and inadvertently analyze all opportunities, burning tokens and risking data exposure.
• The Solution: Vendors like Barnor AI are building “Tool IQ” to restrict agent visibility. For example, if an agent is asked to update a specific record, it should only “see” that record, not the entire database.
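Restricting what an agent can “see” is an authorization decision that belongs in a gateway between the agent and the MCP server, not in the prompt. The block below is an added example written for this post, not Barnor AI’s product or the MCP project’s code. It models the least-privilege rule from the vendor table (an agent cannot delete data even if its user can) as the intersection of the user’s scopes and the agent workload’s scopes, keyed by a SPIFFE ID, then filters the MCP tools/list response to that intersection and rejects any tools/call outside it. The tool catalog, scope names and SPIFFE IDs are constructed; tools/list and tools/call are the method names MCP itself uses.

```python
"""Hypothetical MCP gateway enforcing least privilege on tool visibility and calls.
Added example, not vendor or MCP project code. Catalog, scopes and SPIFFE IDs are
constructed; the JSON-RPC methods tools/list and tools/call are MCP's own."""
import json

# Constructed catalog of what the upstream MCP server exposes and the scope each tool needs.
# A real gateway would build this from the server's own tools/list and an admin-owned mapping.
TOOL_CATALOG = {
    "crm_read_record":   {"scope": "crm:read",   "description": "Read one CRM record"},
    "crm_update_record": {"scope": "crm:write",  "description": "Update one CRM record"},
    "crm_delete_record": {"scope": "crm:delete", "description": "Delete a CRM record"},
    "crm_export_all":    {"scope": "crm:export", "description": "Export every opportunity"},
}

# Scopes held by the human principal and by the agent workload (identified by SPIFFE ID).
USER_SCOPES = {
    "alice@example.com": {"crm:read", "crm:write", "crm:delete", "crm:export"},
}
AGENT_SCOPES = {
    "spiffe://example.org/agents/sales-assistant": {"crm:read", "crm:write"},
}


def effective_scopes(user: str, agent_spiffe_id: str) -> set:
    """Least privilege: the agent may only do what BOTH the user and the workload may do."""
    return USER_SCOPES.get(user, set()) & AGENT_SCOPES.get(agent_spiffe_id, set())


def visible_tools(scopes: set) -> list:
    """Tools whose required scope is in the effective set, in stable order."""
    return sorted(name for name, meta in TOOL_CATALOG.items() if meta["scope"] in scopes)


def handle(request_json: str, user: str, agent_spiffe_id: str) -> dict:
    """Gateway in front of the MCP server: filter tools/list, refuse out-of-scope tools/call."""
    req = json.loads(request_json)
    rid = req.get("id")
    scopes = effective_scopes(user, agent_spiffe_id)

    if req.get("method") == "tools/list":
        tools = [{"name": n, "description": TOOL_CATALOG[n]["description"]}
                 for n in visible_tools(scopes)]
        return {"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}}

    if req.get("method") == "tools/call":
        name = req["params"]["name"]
        if name not in TOOL_CATALOG or TOOL_CATALOG[name]["scope"] not in scopes:
            # Same error for unknown and hidden tools, so the agent cannot enumerate the catalog.
            return {"jsonrpc": "2.0", "id": rid,
                    "error": {"code": -32602, "message": f"Unknown tool: {name}"}}
        # In a real gateway this is where the call is forwarded upstream; we echo the decision.
        return {"jsonrpc": "2.0", "id": rid,
                "result": {"forwarded": name, "arguments": req["params"].get("arguments", {})}}

    return {"jsonrpc": "2.0", "id": rid, "error": {"code": -32601, "message": "Method not found"}}
```

Note that the check on tools/call is independent of what tools/list returned. Hiding a tool from the listing is a usability measure; the enforcement is the second check, because a goal-hijacked agent can be told the name of a tool it was never shown.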
3. The “Human-in-the-Loop” Paradox
Despite the push for autonomy, Decision Computing and Dataiku emphasize that human oversight remains the “favorite governance control” for executives.
• The Nuance: The goal is no longer to have a human check every output (which doesn’t scale), but to have “Supervisor Agents” or “Evaluator Models” (LLM-as-a-judge) that filter outputs and only escalate high-risk decisions to humans.
The Urgent Need for a One-Stop Agentic Safety Platform
What the enterprise needs is a unified Control Plane that integrates these disparate functions into a single, operationalised workflow. We need “Governance-as-Code” that moves upstream—embedding safety into the IDE before the agent is ever deployed.
A true one-stop platform must solve three critical gaps that currently exist:
1. The Interoperability & Handoff Gap
Multi-agent handoffs are currently a mess of “duct tape and prayer”. When a Sales Agent hands a task to a Legal Agent, context and security constraints are often lost. A unified platform must enforce immutable audit logs (Chain of Thought auditing) that travel with the task across different models and clouds. We need to know not just what decision was made, but the reasoning path the agent took to get there.
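An audit trail that “travels with the task” only earns the word immutable if a downstream agent cannot quietly drop a constraint or rewrite the reasoning it inherited. The block below is an added example for this post, not code from any platform discussed here. Each handoff record carries the task, the constraints, the reasoning path and an HMAC-SHA256 over the record plus the previous record’s tag, so the chain can be verified end to end by the control plane that holds the key. The key, agent names and task payloads are constructed; in production the key would live in the governance layer, never in the agents.

```python
"""Hypothetical tamper-evident handoff log for multi-agent workflows.
Added example, not from the original post. Key, agent names and payloads are
constructed; HMAC-SHA256 chaining is the technique being demonstrated."""
import hashlib
import hmac
import json

CONTROL_PLANE_KEY = b"hypothetical-control-plane-key"   # held by the governance layer only
GENESIS = "0" * 64                                        # 'prev' tag of the first record


def canonical(record: dict) -> bytes:
    """Stable serialisation so the MAC does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_handoff(chain: list, from_agent: str, to_agent: str,
                   task: dict, constraints: list, reasoning: str) -> dict:
    """Append one handoff; constraints and the reasoning path travel with the task."""
    body = {
        "seq": len(chain),
        "from": from_agent,
        "to": to_agent,
        "task": task,
        "constraints": sorted(constraints),
        "reasoning": reasoning,
        "prev": chain[-1]["mac"] if chain else GENESIS,
    }
    mac = hmac.new(CONTROL_PLANE_KEY, canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    chain.append(record)
    return record


def verify_chain(chain: list) -> tuple:
    """Return (ok, first_bad_seq). Detects edited, deleted and reordered records."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(CONTROL_PLANE_KEY, canonical(body), hashlib.sha256).hexdigest()
        if rec.get("seq") != i or body.get("prev") != prev \
                or not hmac.compare_digest(expected, rec.get("mac", "")):
            return False, i
        prev = rec["mac"]
    return True, None


def constraints_preserved(chain: list) -> bool:
    """Security constraints may be tightened across hops but never silently dropped."""
    return all(set(a["constraints"]) <= set(b["constraints"]) for a, b in zip(chain, chain[1:]))


def build_sample_chain() -> list:
    """Constructed Sales -> Legal handoff with the user's constraints carried along."""
    chain = []
    append_handoff(chain, "user", "sales-agent",
                   {"deal": "D-1001", "action": "draft_contract"},
                   ["no_discount_above_10pct", "no_auto_sign"],
                   "User asked for a contract draft for D-1001")
    append_handoff(chain, "sales-agent", "legal-agent",
                   {"deal": "D-1001", "action": "review_clauses"},
                   ["no_discount_above_10pct", "no_auto_sign"],
                   "Drafted; clauses 4 and 7 need legal review")
    return chain
```

Two checks run on the trail, and they answer different questions. verify_chain asks whether the record is what the control plane stamped, and it fails on the first altered, missing or reordered hop. constraints_preserved asks whether the Legal Agent still operates under everything the Sales Agent was told; a chain can be perfectly intact and still show, legitimately and auditably, that a constraint was dropped at a given hop.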
2. The “Kill Switch” Gap
We are seeing the rise of “agent-caused outages”—not because the AI failed, but because it succeeded too well at a bad goal. We need reliable, granular kill switches. If an agent starts hallucinating or exhibiting power-seeking behaviour, the platform must be able to sever its API access immediately—a “neural circuit breaker”—without bringing down the entire enterprise network.
3. The Determining of “Intent”
Traditional security is binary (allow/block). Agentic security is probabilistic. A one-stop platform needs to evaluate the intent of a prompt or action against organisational policy in real-time. It needs to distinguish between a developer asking for code to test a vulnerability and a rogue agent trying to execute a SQL injection.
The Global Standard: Singapore as the Beacon
While the US is embroiled in a chaotic tug-of-war between federal preemption (via the Trump Executive Order) and state-level regulation, and the EU wades through the bureaucratic implementation of the AI Act, Singapore has quietly established itself as the pragmatic adult in the room.
Singapore’s approach is dynamic and accretive rather than purely punitive. It is operationalising governance, not just legislating it, by building the tooling for compliance.
• AI Verify: Singapore’s Infocomm Media Development Authority (IMDA) released AI Verify, a testing framework and software toolkit that lets companies validate their AI systems against recognised governance principles with repeatable tests.
• Project Moonshot: an extension of the AI Verify effort aimed at Large Language Models (LLMs), moving LLM safety and quality from high-level principles to standardised, executable tests.
• Public Sector Leadership: Singapore is the first in Asia to deploy agentic AI on air-gapped clouds for government use, partnering with Google but retaining strict sovereignty over data and the governance layer.
Singapore understands that you cannot regulate what you cannot measure. By investing in the science of testing (via its AI Safety Institute at NTU), it is building the trusted third-party infrastructure that the rest of the world is still debating.
Conclusion: Operationalise or Perish
The era of “vibes-based” governance is over. In 2026, governance is an engineering discipline.
We must accept that agentic systems are non-deterministic and probabilistic. They will fail. The goal of governance is not to prevent failure but to contain the “blast radius” of that failure.
To my peers in the C-suite and GRC functions: stop looking for a “compliant” model. There is no such thing. Look for a governable architecture. Invest in the “control plane” separately from the “intelligence plane”, and insist on a trusted third-party platform that unifies identity, observability and control, so that when (not if) an agent goes off the rails, we have the brakes to stop it. Do not wait for the regulators to tell you what is safe; by the time they draft the law, your agents will have already rewritten it.
The “Control Tower” is Still Missing
While Dataiku aspires to be the “single control tower”, they admit the industry isn’t there yet. The current landscape forces enterprises to cobble together a “defence in depth”:
1. Lingaro for data readiness (Upstream).
2. Dataiku or Superwise for model/agent building and observability (Midstream).
3. Barnor AI or Koi Security for securing the runtime protocols (Downstream).
We are still waiting for the unified platform that integrates Identity (CyberArk), Observability (Superwise) and Protocol Security (Barnor/Koi) into a single pane of glass. Until then, integration complexity remains the highest risk to governance, and we are all test pilots in an experimental aircraft, building the landing gear while already in the air.
Dr Luke Soon January 2026