The Agent Control Plane

Three Breaches, One Architecture Gap

The Vercel breaches are worth reading closely because they share a structural feature. Neither was caused by a vulnerability in Vercel's own code. The first was traced to a third-party AI tool that customers had integrated into their workflows. The second attack vector combined an unrelated game cheat with an AI tool to bring the platform down. The pattern: agent-adjacent software is becoming a supply chain attack surface, and the tools organizations adopt to accelerate development are the same tools attackers are exploiting to accelerate compromise.

The Firebase billing incident is a different flavor of the same problem. A developer lost €54,000 in 13 hours because a browser-side Firebase key with no API restrictions was discovered and used to make Gemini calls. Traditional cloud security guidance already warned against unrestricted keys. What is new is the blast radius. When the API on the other end of the leaked key is a frontier LLM, the attacker's cost to weaponize the credential approaches zero and the victim's bill climbs at wall-clock speed. Credential hygiene has always mattered. With agent-accessible APIs, it is the difference between an inconvenient leak and a five-figure overnight loss.

The third incident is not an incident at all, but a research result that defines the threat model. Anthropic's own Opus wrote a functional Chrome exploit for $2,283 in compute. The marginal cost of producing a novel zero-day is collapsing. Defenders who budgeted for a threat landscape where exploit development took months of human expert time are now facing one where an attacker with a modest budget can generate bespoke exploits on demand. Every production agent that can run code, browse the web, or orchestrate APIs is a potential delivery vehicle for this kind of payload.

A Layered Picture, Not a Single Product

Across the week, the largest vendors all shipped something agent-specific, and the pieces line up as layers of a control plane rather than a single product. Oracle launched mission-critical availability tiers specifically for agent workloads in AI Database 26ai, which reads as recognition that agent traffic is different from request-response application traffic and needs its own failover semantics. Cloudflare positioned its AI Platform as an inference layer designed for agents, colocating inference near the edge proxy where agent traffic is already being shaped. Huawei Cloud introduced a Token Service in Asia Pacific at its AI Boost Day, focused on agentic practices. Three different infrastructure companies, three different parts of the stack, all saying the same thing: treating agent workloads like generic API traffic no longer works at scale.

At the identity layer, World ID shipped an upgrade that replaces device trust with human continuity. The reframing is deliberate. Device-bound identity made sense when a user was a laptop plus a phone. In an agent world, a single human operator spawns dozens of agents, each with its own session, its own tokens, and its own network footprint. Trusting the device signs off on all of them. Trusting the human does not. The distinction becomes load-bearing the moment an agent is hijacked and continues to present valid device credentials.

At the commerce layer, SolvaPay raised 2.4 million euros to build a payment layer specifically for agents. Existing card rails assume a human at the point of purchase. Agents transact without that assumption, and fraud systems trained on human behavior misfire against them. A dedicated payment rail for agents is not a convenience product. It is the prerequisite for any commerce flow where an agent needs authorization to spend without a human in the loop.

The layers are forming roughly like this: identity and delegation at the top, traffic shaping and inference in the middle, payment and data egress at the bottom. Every layer has a different vendor trying to own it. Every layer is currently missing standard APIs. The enterprises that architect around this emerging stack now will avoid the migration cost of retrofitting it in 2027.

Judge, Scan, and Clean Up

The most telling signal this week came from a single company pivot. Charlie Labs announced Daemons, explaining that they pivoted from building agents to cleaning up after them. Read that sentence again. A team that raised money and shipped code on the assumption that agents were the product discovered the actual product was the remediation layer. That is not a messaging choice. It is an admission that the downstream cost of unreliable agents is large enough to support a venture-scale business on its own.

Brex approached the problem from a different angle. CrabTrap is an LLM-as-a-judge HTTP proxy that inspects every outbound call an agent makes, applies a policy evaluated by a second model, and gates the request. The architecture borrows a pattern from service meshes. A sidecar that understands the semantics of the traffic flowing through it, except the understanding is probabilistic rather than regex-based. When an agent tries to hit an unexpected domain, exfiltrate data, or call a finance API it has no business calling, the judge model sees the intent before the packet leaves the perimeter. The Brex internal use case is agents that handle corporate spend. The generalizable pattern is a policy engine for natural-language-driven network behavior.

Upstream of both, a free scanner launched that rates whether a website is ready for AI agents to use it. The scanner checks things like structured data, predictable navigation, and rate limits. It is a diagnostic, not a defense, but it describes a posture shift. Web operators who spent two decades thinking about bots as adversaries to block are now grading themselves on whether agents can use them well. The assumption is that agent traffic is going to happen with or without cooperation. The practical question is whether to earn the transactions or shed them.

Inside the security operations center, the consensus is moving the other direction. Practitioners are calling the fully autonomous SOC a dangerous illusion and pulling back to human-led configurations with agent assistance, not agent authority. Traditional security tools are struggling against AI-driven attacks that target model behavior rather than system infrastructure. Together these two signals suggest the defender-side agent story is headed for a tight loop: agents do retrieval and triage, humans make the call on remediation, and a dedicated control-plane product mediates between the two. Lloyds Banking Group's move to expand its responsible AI function is the enterprise-side analog. Regulated institutions are staffing a permanent role whose job is to govern the agents the other teams are shipping.

Even the guardrails inside the models are proving leakier than expected. Models marketed as uncensored still exhibit persistent refusal patterns inherited from pre-training data. The implication for the control plane is that relying on the model alone to enforce behavior is a mistake in both directions. The model will refuse when you want it to comply, and it will comply when you need it to refuse. External enforcement at the proxy and identity layers is the only durable answer.

The most interesting thing in this week's data is what is missing. The agent pitches from the largest enterprise software vendors still lead with capability: autonomous workflow orchestration, multi-step reasoning, vertical depth. The security and reliability layer shows up, when it shows up at all, as a bullet near the bottom. Oteemo's AXIOM framework is an exception that proves the rule. It is pitched as enterprise AI delivery built for organizations where failure is not an option. The implicit framing is that most AI delivery today is built for organizations where failure quietly is an option, because the governance layer has not caught up.

The data-side story is similarly lopsided. Meta announced a mandatory program to capture employee keystrokes and mouse movements to train agent models. The goal is better agents. The method is the most invasive kind of worker surveillance. The backlash was immediate and internal. The more interesting observation is that the data Meta is trying to scrape off its own employees is the same data the agent control plane will ultimately need to capture anyway, but captured at the right layer: in the proxy, in the audit log, in the identity service. Done at the control plane, it is telemetry. Done at the keyboard, it is surveillance. The companies that get the architecture right will not need to choose between the two.

The investment flow confirms the gap. NeoCognition closed a $40 million seed for self-learning agents. That is a large seed by any measure. The comparable round for a startup whose whole pitch is agent security and reliability has not happened yet at this scale. The opportunity is unclaimed. Builders who see the control plane as their wedge will be competing mostly with in-house efforts for the next 12 to 18 months, which is an unusually long runway for a category this obviously necessary.