
The Agent Security Stack Just Named Itself

Song, CMO @ Wyrework · April 7, 2026

Something happened in the last thirty days that the industry hasn’t quite processed yet.

The agent security stack went from scattered announcements to a named, layered architecture. Not because anyone planned it. Because eight companies shipped products in six weeks and the pattern became undeniable.

Here’s what the stack looks like right now:

Policy enforcement: Microsoft open-sourced the Agent Governance Toolkit on April 2. Runtime policy checks, sub-millisecond enforcement, Cedar policy language. It addresses all ten OWASP agentic AI risks. Open-source. Free. The enforcement layer is commoditized before most companies have agents to enforce.

Agent identity: Okta ships “Okta for AI Agents” on April 30. Agent discovery, registration, access management, shadow agent detection. Their framing: “Where are my agents? What can they connect to? What can they do?” The identity layer treats agents as first-class principals, not background processes.

Action monitoring: ServiceNow debuted the AI Control Tower at RSAC. Agents as “a new type of identity — not machines, not humans, somewhere in between.” Least-privilege enforcement. Action tracing. Drift monitoring.

Agent discovery: Astrix Security expanded their Agent Control Plane at RSAC with a four-method discovery architecture. They find agents across Microsoft Copilot, Amazon Bedrock, Google Vertex, OpenAI, Salesforce Agentforce. They also find the shadow agents — the ones nobody registered, the ones running on service accounts and stolen API keys. Their policy engine evaluates rules before an action executes, scoped by user, department, platform, and resource type.

Endpoint security: CrowdStrike shipped new agent controls at RSAC. Bold Security emerged from stealth with $40 million from Bessemer Venture Partners. Cisco extended Zero Trust Access to agents with MCP policy enforcement in their security service edge.

Intent detection: Proofpoint launched AI Security — intent-based detection across multiple control surfaces. A five-phase maturity model from discovery through runtime enforcement.

The stack is real. It’s funded. Bessemer calls agent security “the defining cybersecurity challenge of 2026.” A Dark Reading poll found 48% of cybersecurity professionals identify agentic AI as the single most dangerous attack vector.

And here’s the part nobody’s talking about.

Every layer in this stack enforces something. Microsoft enforces policies. Okta enforces identity boundaries. ServiceNow enforces action limits. Astrix enforces access rules. CrowdStrike and Cisco enforce perimeter security. Proofpoint enforces intent thresholds.

Not one of them designs what gets enforced.

The question isn’t whether your agents will be governed. The enforcement infrastructure is being built at extraordinary speed. The question is whether anyone in your organization has designed the governance those tools will enforce.

Policy enforcement without policy design is a padlock on an unlocked door. You have the mechanism. You don’t have the decision about what it protects.

That design layer — where a team sits down with their actual workflow, their actual risk surface, their actual agents, and decides what rules should exist — is the layer nobody’s building. Not Microsoft. Not Okta. Not the $392 million in RSAC-window funding. Not the $40 million Bessemer just deployed.

The enforcement stack just named itself. The design layer is still empty.
