The Agent Control Plane: Security's Third Sprawl
June 2026
Every major platform vendor is shipping an agent control plane this year, and most of them are selling it as an entirely new frontier. The entity is new, and engineering the controls to govern something that reasons and acts on its own is a real problem. The discipline those controls draw on is not new. Security has met this shape of problem twice before, and the way out was the same both times.
Identities sprawled across the enterprise in the 2000s. Devices followed in the 2010s. Now it is agents, and the fix is the playbook that worked the first two times. Agent sprawl is the third sprawl enterprise security has faced after identity and devices, and the control planes shipping across Microsoft, Google and IBM in 2026 govern it with the same four controls that tamed identity and devices before it: distinct identity, inventory, least privilege, and audited enforcement.
An agent control plane is the governance layer that applies those controls to non-human principals: giving agents identities, inventorying them, constraining their access, and enforcing policy on their actions.
The methodology has not changed. What it has to govern has. Agents have been multiplying unchecked, and only now are there controls emerging to keep up.
Why AI Agent Sprawl Is the Third Sprawl
The first sprawl was identity. Unmanaged user accounts multiplied faster than anyone could track them, and the answer was identity and access management: give every user a managed identity, govern what they can reach, audit what they do.
The second sprawl was devices. BYOD and mobile put unmanaged endpoints on the network faster than IT could approve them, and the answer was the same shape: enrol every device, enforce policy on it, revoke it when it goes bad.
Agents are the third turn of the same wheel. Nobody approves them and nobody counts them, so they grow in the gaps: a copilot switched on inside a SaaS tool that already passed procurement, a workflow agent someone in finance built last Tuesday, a coding agent with a token that outlives the project it was made for. Gartner expects the average Fortune 500 enterprise to run more than 150,000 AI agents by 2028, up from fewer than 15 in 2025 (Gartner, 2026). In the same research, only 13% of organisations believed they had the right governance in place (Gartner, 2026).
What makes this principal different is what it does, not what it is. In identity terms a principal is anything that can be given an identity and granted access: a user, a service account, a device, and now an agent. An agent is not an anonymous process borrowing a user's token. It is a non-human principal that observes systems, holds credentials, calls tools and takes action on its own. A chatbot answers a question and stops. An agent decides and acts, often with standing access to the systems it acts on. For the fuller anatomy of what these agents are and how they go wrong, see our AI Agent Security Risks guide.
Shadow AI already meant the tools people use without approval. Agents are the same problem with hands: a leak exposes data, an agent changes it. The governance lessons from shadow AI apply directly.
What Is an Agent Control Plane
An agent control plane is the layer that governs what agents are allowed to do. It sits above the agents themselves, which run in the data plane, and it is where identity, policy and enforcement live.
This is where identity becomes load-bearing. The control plane's first job is to give each agent a distinct, attributable identity, and every other control hangs off that. Without it you are guessing: access cannot be scoped, actions cannot be traced to the agent that took them, and pulling one rogue agent means breaking the rest.
Get identity right and the other controls have something to attach to. None of them is being invented from scratch.
The Four Controls a Good Control Plane Runs
A control plane worth the name does four things, and each one maps onto a discipline security teams have run for two decades.
Distinct identity. Every agent is a managed principal with its own identity, separate from the human who runs it, never a borrowed token. This is agent identity management, and it is the same discipline as user identity management with a new kind of account. Microsoft's Entra Agent ID and Google's Agent Identity both start here (Microsoft, 2026; Bain, 2026).
Inventory and visibility. A real-time registry that answers the basic questions: how many agents exist, who created them, what they connect to, what data they can reach. Only 18% of organisations keep a complete AI inventory in the first place, according to the IBM Institute for Business Value (IBM IBV, 2026), and agents are the newest and least-counted part of that estate. If those answers are unclear, control does not exist. This is asset inventory pointed at a new class of asset.
Least privilege and lifecycle. Access scoped to what the agent needs, that expires when it no longer needs it, with a named human accountable for it. Microsoft's model reassigns an agent's sponsor automatically when that person leaves the organisation, which is lifecycle governance applied to a non-human account (Microsoft, 2026).
Audited enforcement. Policy that executes at runtime and blocks at the point of action, not a document in a wiki. Every action logged, reversible, and fed into the SIEM and GRC tooling the security team already runs.
Access management, asset inventory, least privilege, audit logging. The four controls that have anchored every serious security programme for twenty years, wearing a new name. Most of what is being sold as a new category is the old discipline pointed at a new kind of principal. That is not a criticism. It is the reason this works, and the reason the whole industry reached for it at once.
What is genuinely new is not the controls but their maturity. The fast way to ship is to treat an agent as a strange user or a strange device and bolt it onto the existing stack. Bolted-on is also where the old controls break. A user logs in and acts at human speed; an agent reasons, chains a dozen tool calls, and acts in milliseconds, so a conditional-access policy written for a person checks the wrong things at the wrong moment. Native agent control planes are built the other way round: they treat the agent as its own kind of principal from the start, with policy that understands an entity which decides and acts on its own. Bolted-on ships first. Native is what the next two years are a race to build.
← Scroll to see full table
| Existing control | Why the human-era version breaks for agents | What an agent-native control plane adds |
|---|---|---|
| IAM | Authenticates who logged in, not what the agent does after | A distinct agent identity, plus governance over its chained actions |
| RBAC | Roles grant standing access and cannot govern a decision made at runtime | Access scoped to the task and expired when the task ends |
| Conditional access | Written for human login speed, so it checks the wrong things at agent speed | Policy evaluated against the agent's actual action, in real time |
| SIEM | Records events after they have already executed | Enforcement that blocks at the point of action, not after it |
| API gateway | Controls the request, not the reasoning that produced it | Each request tied to an attributable agent identity and policy |
That right-hand column is what every major platform is now racing to build.
Every Major Platform Is Building an Agent Control Plane
This is not one vendor's idea. Trace the launches across 2026 and the same abstraction shows up at five companies that rarely agree on anything.
Microsoft made Agent 365 generally available on 1 May 2026, governing agents through Entra, Defender, Purview and Intune. Its own pitch says the quiet part plainly: an agent gets managed like a laptop or a login, run through the same controls the company has pointed at devices and identities for a decade (Microsoft, 2026).
Google used Cloud Next 2026 to put Agent Identity, Agent Gateway and Agent Registry at the centre of its platform rather than around the edges, building the governance in rather than bolting it on (Bain, 2026).
IBM used Think 2026 in May to recast watsonx Orchestrate as an agentic control plane, now in private preview, built around governing the agents teams have already deployed rather than helping them build more (IBM, 2026).
Galileo released Agent Control, an open-source control plane, in March 2026, with AWS among its launch partners (The New Stack, 2026).
Cisco arrived last, with Cisco Cloud Control positioning its network and security estate as the substrate agents act on. That a network and security incumbent has reached this point is itself the signal: the pattern has now touched every domain in the enterprise.
Five vendors, one abstraction, weeks apart. The analysts have already named it as the decisive layer. Futurum's position is that by the end of 2026, agent control planes will determine whether agent deployment moves from experimentation into production scale (Futurum, 2026).
The Risk Hiding Inside the Control Plane
Consolidating control into one plane is a real improvement over the chaos it replaces. It also puts the keys to the whole estate in one room.
The trade-off is documented. A shared control point concentrates configuration, policy and enforcement into one critical component, and that component becomes a single point of failure if it is not engineered as one (arXiv, 2025). This is not a reason to avoid it. It is the same constraint that applied to every identity and device-management consolidation before it, and the answer is the same as it was then: redundancy, failover, and treating access to the control layer as the most sensitive access you grant.
The lock-in and the security benefit are the same architecture. The more of one vendor's estate you run, the more powerful its control plane becomes, which reads as a feature on the slide and a dependency on the risk register. Both readings are correct. Pretending only the first one is true is how teams sleepwalk into concentration risk.
An open alternative is taking shape, and it is the thing that decides whether the lock-in lasts. Standards for agent identity are moving through the IETF, NIST stood up an AI Agent Standards Initiative in early 2026 with open-source protocol maintenance as one of its pillars, and the Model Context Protocol is already the de facto open way agents connect to tools. The proprietary planes have a head start and none of it is settled, but if agent identity ends up running on open standards the way logins run on OAuth today, agents become portable, and switching control planes stops being a rebuild.
At the largest scale, widespread reliance on a few dominant systems across critical sectors creates correlated failure risk, where one flaw surfaces in many places at once (International AI Safety Report, 2025). The answer is not to avoid the control plane but to build it like the infrastructure the whole estate depends on: name the concentration risk up front and engineer for it. The same exposure-management discipline that governs the rest of the estate applies to the control plane itself.
The teams that internalise this pattern now will shape how it lands. The ones that wait will inherit whatever the vendors decide for them.
Getting ahead of this is not learning a new discipline. It is running one you already know, before the agents outnumber the controls. What security governs has widened once a decade: first the people on the network, then the devices in their hands, and now the agents acting on their behalf. The controls are the same ones you run today. The only question is whether you point them at agents now or after the first incident.
References:
- Gartner, "Gartner Identifies Six Steps to Manage Artificial Intelligence Agent Sprawl" (28 April 2026): https://www.gartner.com/en/newsroom/press-releases/2026-04-28-gartner-identifies-six-steps-to-manage-artificial-intelligence-agent-sprawl
- IBM Institute for Business Value, "AI in motion" / AI orchestration layer report (24 April 2026): https://www.ibm.com/thought-leadership/institute-business-value/report/ai-orchestration-layer
- Microsoft, "What is Microsoft Entra Agent ID?" and Microsoft Agent 365 documentation (GA, 2026): https://learn.microsoft.com/en-us/entra/agent-id/what-is-microsoft-entra-agent-id
- Bain & Company, "Google Cloud Next 2026: The Agentic Enterprise Control Plane Comes Into View": https://www.bain.com/insights/google_cloud_next_2026_the_agentic_enterprise_control_plane_comes_into_view/
- IBM, "Think 2026: IBM Delivers the Blueprint for the AI Operating Model" (watsonx Orchestrate agentic control plane, 5 May 2026): https://newsroom.ibm.com/2026-05-05-think-2026-ibm-delivers-the-blueprint-for-the-ai-operating-model-as-the-ai-divide-widens
- The New Stack, "Galileo Agent Control, Open Source" (March 2026): https://thenewstack.io/galileo-agent-control-open-source/
- Futurum Group, "Futurum Agent Control Plane Framework: A Reference Model for Production AI Agents" (2026): https://futurumgroup.com/press-release/futurum-agent-control-plane-framework-a-reference-model-for-production-ai-agents/
- IETF, Agent Identity Protocol Internet-Draft (March 2026): https://www.ietf.org/archive/id/draft-aip-agent-identity-protocol-00.html
- NIST / NCCoE, "Accelerating the Adoption of Software and AI Agent Identity and Authorization" concept paper (February 2026): https://www.nccoe.nist.gov/projects/software-and-ai-agent-identity-and-authorization
- NIST, AI Agent Standards Initiative: https://www.nist.gov/artificial-intelligence/ai-agent-standards-initiative
Member discussion