The Enforcement Layer Just Got Commoditized. Now What?

In the first quarter of 2026, three things converged.

In March, AWS made Bedrock AgentCore Policy generally available across thirteen regions, with Cedar as its native policy language for agent governance. The same month, Google shipped agentic SOC capabilities with MCP support in Security Operations, extending governance tooling to security teams managing agent fleets.

Then in early April, Microsoft released the Agent Governance Toolkit — open source, MIT license, seven packages across five programming languages. Sub-millisecond policy enforcement covering all ten OWASP agentic AI risks. The toolkit’s policy engine supports YAML rules, OPA Rego, and Cedar, giving teams their choice of policy language for runtime governance.

Inside a single quarter, the three largest cloud providers made runtime agent governance enforcement free or near-free. The enforcement layer — the part that actually stops an agent from doing something it shouldn’t — is commodity infrastructure.

This changes the conversation.

The question that shifted

For the past eighteen months, the AI governance conversation has been stuck on enforcement. Can we stop an agent from executing an unauthorized action? Can we monitor what agents are doing? Can we detect when something goes wrong?

Those questions are answered. Microsoft’s AGT handles it at sub-millisecond latency. AWS Cedar policies execute in microseconds. Google’s SOC integration catches threats in real time. The enforcement machinery works.

But every one of these systems has the same architectural assumption: governance policies already exist. Every policy engine needs policy input. Every enforcement layer expects someone to have decided, in advance, what an agent should and shouldn’t do — under what conditions, with what escalation paths, within what boundaries.

That’s the part nobody built.

The numbers are uncomfortable

Gartner projects 40% of enterprise applications will embed task-specific AI agents by end of 2026, up from fewer than 5% in 2025. Enterprise Management Associates found that 79% of organizations without written agentic AI policies have deployed agents anyway — security be damned. Only 14.4% of teams have full security approval for their AI agents, despite 81% being past the planning phase.

The governance market is real — Gartner sizes it at $492 million this year, growing past $1 billion by 2030. But the spending is almost entirely on enforcement, monitoring, and discovery. In Q1 2026 alone, enforcement and security startups raised $279 million: Kai ($125M in agentic AI cybersecurity), Oasis Security ($120M in non-human identity management), JetStream ($34M in AI governance). All enforcement infrastructure. Zero methodology.

The gap is now architectural

This is no longer a market thesis. It’s an architectural pattern.

Every enforcement toolkit ships with a policy input slot — a place where governance rules get loaded before runtime. Microsoft’s Agent OS reads Cedar policies. AWS AgentCore reads Cedar policies. OPA-based systems read Rego. They all assume the hard part is enforcement. The hard part was always design.

Designing governance means answering questions that no policy engine can answer for you: What should this agent be allowed to do? Under what conditions should it escalate to a human? What data can it access, and what data is off-limits? How do you know if the boundaries you set are working? What changes when the context changes?

Those aren’t enforcement questions. They’re design questions. And they require a methodology — a structured way to work through them, one workflow at a time, with the people who actually understand the work.

What this means

The enforcement layer got commoditized. That’s good — it means the infrastructure is ready. The question now is what feeds it.

Organizations running agents in production — and most already are — have a choice: keep hoping governance policies materialize from somewhere, or do the governance work that creates something worth enforcing.

The toolkits are ready. The slot is empty. The work starts with one workflow.