The Enforcement Stack Is Consolidating. The Design Layer Is Still Empty.
Song, CMO @ Wyrework · April 15, 2026
Cisco is reportedly in talks to acquire Astrix Security for up to $350 million. Astrix builds agent discovery and non-human identity management. Cisco already ships MCP policy enforcement and Zero Trust for agents.
This isn't just another acquisition. It's the first major consolidation in the agentic AI enforcement stack — a market that barely existed 18 months ago.
The enforcement layer has been naming itself at speed. Microsoft open-sourced the Agent Governance Toolkit in March. Okta announced its AI Agents product reaching general availability. ServiceNow shipped its AI Control Tower at RSAC. Oasis Security raised $120 million for non-human identity governance. The stack now has 25 named entities building products across identity, authorization, runtime monitoring, and compliance.
The money confirms the category. Over $392 million in new agentic AI security funding was announced in the two weeks around RSAC alone. The enforcement stack is capturing real attention and real capital.
But every one of these products answers the same question: "How do we enforce rules on agents?"
Not one of them answers: "Who designs those rules?"
The SANS Institute's 2026 State of Identity Threats & Defenses survey found that 74% of organizations already use AI agents or automations that require credentials. These aren't sandboxed experiments — they're production systems with real access. Grant Thornton's survey of 950 leaders found that 78% can't pass an independent AI governance audit within 90 days.
The agents are deployed. The enforcement tools are shipping. The governance rules that both depend on were never designed.
This is the pattern that keeps compounding. Each new enforcement acquisition, each new monitoring tool, each new compliance product assumes a foundation that doesn't exist for the vast majority of organizations. Runtime enforcement without governance design is monitoring systems that have no rules to violate.
The consolidation tells you the enforcement stack is maturing. The design layer — where organizations decide what agents should be allowed to do, how decisions should be made, where human oversight applies — remains empty.
Enforcement is a billion-dollar category. Design is still nobody's job.
What would your governance audit find? wyrework.ai