There is a question almost no enterprise can answer today, and it is far more basic than the ones their AI governance committees are arguing about: how many agents are running in your company right now, and what is each one allowed to do?
Not "is our AI ethical." Not "did the model hallucinate." Just: how many, and what can they touch. Most organizations cannot produce the list — and this week's product news quietly admits it.
The week vendors started selling the census
Look at what shipped in the last few days. Tigera introduced Lynx, a control plane whose headline feature is giving enterprises "a single place to find every agent" in their Kubernetes estate. Atlassian made AI agents first-class teammates you can assign and @-mention directly on a Jira board, then introduced a dedicated Claude Agent for Jira. Security tooling is folding in autonomous agents that, as one vendor's framing of the new threat landscape put it, can "autonomously uncover previously unknown vulnerabilities" — a capability that now points in both directions. And Corporate Compliance Insights stated the situation in a headline: your new colleague is already making decisions — approving transactions, sending communications, executing multi-step workflows — while the oversight frameworks meant to watch it are "several steps behind."
Read those announcements together and a pattern jumps out. The marquee feature is no longer the agent's intelligence. It is finding the agents you already have. When a vendor's pitch is "one place to see every agent," that is a tacit confession from the entire market: nobody has the list.
Inventory is the zeroth governance primitive
The agent-governance conversation in 2026 has been stuck on a speed metaphor — agents act faster than humans can review, so how do we keep up? That framing is real, but it skips a step. You cannot oversee, rate-limit, or hold accountable a thing you have not enumerated. Inventory is not a governance feature; it is the precondition for every other control. A policy that applies to "all agents" is vapor if "all agents" is an unknown set.
Security learned this twenty years ago: the asset inventory came before the firewall rules, because you cannot protect hosts you cannot name. The agent era is replaying that arc at compressed speed — except agents are not static hosts. They are spun up inside SaaS tools by individual employees (a Jira board here, a coding assistant there), they call other agents, and they accumulate permissions no one centrally granted. The shadow-IT problem you spent a decade taming just learned to take actions on your behalf.
A control plane is not a governance plane
Here is the trap hiding in this week's launches. A control plane that "finds every agent" is necessary and not sufficient. Network-level discovery tells you an agent exists and what it talks to. It does not tell you what that agent was authorized to do, who owns the consequences when it does something wrong, or what commitments its operator made about its behavior. Those are governance facts, and they do not live in a service mesh.
The distinction is easy to blur, so it is worth drawing sharply:
| A control plane shows you… | Governance also needs… |
|---|---|
| Which agents exist and what they connect to | Which actions each agent is permitted to take |
| Traffic, latency, and runtime health | A named human owner accountable for each agent |
| That an action happened | What the operator committed the agent would and would not do |
| Real-time enforcement at the network edge | A durable, auditable record an outsider can verify |
Discovery answers "what is here." Governance answers "what was it allowed to do, who is on the hook, and can we prove it after the fact." You need both — but only one of them survives a regulator's question or a post-incident review.
The three columns of an agent record
If inventory is the floor, the useful version of it has three columns, not one:
- Identity — a stable name for the agent, independent of where it happens to run. Not "the bot in that workflow," but a durable identifier you can reference in a policy, an audit log, and an incident report.
- Charter — the explicit set of actions this agent may and may not take, plus the human owner who answers for it. "Read the repo, comment on pull requests, never merge to main" is a charter. "It's an AI assistant" is not.
- Attestation — a verifiable claim binding the agent to the rules it operates under, with evidence. Not a promise in a slide deck, but a record another party can check: this agent committed to this constraint, and here is the proof.
Identity makes the agent addressable. The charter makes its authority legible. Attestation makes the whole thing accountable to someone outside the team that built it. Strip any one column and you are back to trust-me governance.
This is also why "context" keeps surfacing as a governance problem. As one sharp data-engineering essay argued this week, "your AI's context has a floor — most teams have never measured theirs." An agent's context is, functionally, its situational authority: what it can see shapes what it can decide. A census that ignores context measures the org chart and misses the actual blast radius.
Where this goes
The infrastructure layer has already conceded the point. Cursor, GitLab, and Zed are openly arguing that the developer platform itself needs rebuilding around agents, and even databases are having their "agent moment." When the substrate gets rebuilt for agents, the governance layer cannot stay a quarterly committee meeting. It has to become a live system of record that knows, at any moment, which agents exist, what they may do, and what they have committed to.
So the honest first move for any governance program this quarter is unglamorous: run the census. Enumerate every agent — including the one a marketing manager spun up in a SaaS tool last Tuesday. Give each one an owner and an explicit charter. Then make the commitments verifiable, so "we govern our agents" becomes a claim you can prove rather than assert.
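The census described here, reconciled against the three-column record (identity, charter, attestation), as an added example that is not code from any vendor or project named on this page. The agent names, action strings, registry layout and the HMAC key are constructed assumptions; the HMAC stands in for an asymmetric signature, which is what lets an outside party verify.

```python
import hashlib, hmac, json

OPERATOR_KEY = b"constructed-demo-key"  # assumption: stand-in for a real signing key

def attest(identity, charter):
    """Bind an identity to its charter: HMAC-SHA256 over canonical JSON."""
    msg = json.dumps({"identity": identity, "charter": charter}, sort_keys=True)
    return hmac.new(OPERATOR_KEY, msg.encode(), hashlib.sha256).hexdigest()

def record(identity, charter):
    return {"charter": charter, "attestation": attest(identity, charter)}

def census(discovered, registry):
    """Reconcile what discovery sees against what governance has recorded."""
    findings = []
    for agent_id in sorted(discovered):
        rec = registry.get(agent_id)
        if rec is None:                      # exists, but nobody wrote it down
            findings.append((agent_id, "unregistered"))
            continue
        charter = rec.get("charter") or {}
        if not charter.get("owner"):         # no named human answers for it
            findings.append((agent_id, "no-owner"))
        if not charter.get("allow"):         # "it's an AI assistant" is not a charter
            findings.append((agent_id, "no-charter"))
        if not hmac.compare_digest(rec.get("attestation", ""), attest(agent_id, charter)):
            findings.append((agent_id, "attestation-mismatch"))
    for agent_id in sorted(set(registry) - set(discovered)):
        findings.append((agent_id, "registered-not-seen"))
    return findings

# Constructed sample data (hypothetical agents and action names).
REGISTRY = {
    "agent:pr-reviewer": record("agent:pr-reviewer", {
        "owner": "alice@example.com",
        "allow": ["repo:read", "pr:comment"], "deny": ["repo:merge-main"]}),
    "agent:jira-triage": record("agent:jira-triage", {
        "owner": "", "allow": ["issue:comment"], "deny": []}),
    "agent:invoice-bot": record("agent:invoice-bot", {
        "owner": "bob@example.com",
        "allow": ["invoice:read"], "deny": ["payment:approve"]}),
    "agent:retired-bot": record("agent:retired-bot", {
        "owner": "carol@example.com", "allow": ["wiki:read"], "deny": []}),
}
# Constructed drift: the charter was widened after the attestation was issued.
REGISTRY["agent:invoice-bot"]["charter"] = {
    "owner": "bob@example.com", "allow": ["invoice:read", "payment:approve"], "deny": []}
# What a discovery tool might report, including one agent nobody registered.
DISCOVERED = {"agent:pr-reviewer", "agent:jira-triage",
              "agent:invoice-bot", "agent:marketing-saas"}

if __name__ == "__main__":
    for agent_id, finding in census(DISCOVERED, REGISTRY):
        print(f"{agent_id:22} {finding}")
```

Discovery alone would report four healthy agents; the reconciliation is what surfaces the unregistered one, the ownerless one, and the charter that no longer matches what was attested.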
Bottom line
The 2026 agent-governance gap is not that machines move too fast for oversight. It is that they are being deployed faster than anyone is writing down their names. You cannot govern what you cannot count — and right now, most enterprises cannot count.
Further reading
- When AI Decides First and Asks Permission Never — what happens after the agent acts
- The Ownership Vacuum: When Nobody's in Charge Anymore — why every agent needs a named owner
- Agentic governance documentation — identity, charters, and attestation in practice
Sources
- Meet Your New Colleague. It's Already Making Decisions. — Corporate Compliance Insights
- Tigera Lynx Provides a Unified Control Plane for Kubernetes-Native AI Agents — Database Trends & Applications
- Your Jira Board Just Got a New Kind of Teammate — Atlassian
- Introducing Claude Agent for Jira — Atlassian
- Azul Launches Free JVM Vulnerability Risk Assessment — SD Times
- Cursor, GitLab and Zed Agree GitHub Is Breaking — The New Stack
- DuckDB's Agent Moment — Analytics Engineering Roundup
- The Godfather Problem — Context & Chaos