// AI Deep Dive
One Agent Is a Pilot. A Hundred Is a Coin Flip.
A good agent that leaks 1% of the time is a 63% certainty of a leak across 100 agents. The strategic case for verifiable agent governance — and the open standards that deliver it.

EXECUTIVE SUMMARY
Every enterprise I talk to is holding the same comfort blanket: "we have guardrails and observability." That sentence describes one agent, on a good day, with someone watching. It does not describe a fleet — and a fleet is what you are actually deploying, whether you planned for it or not. The strategic answer is verifiable governance: cryptographic proof of what an agent ran, checkable by an outside party.
A one-percent failure rate is not one-percent risk at scale. If a well-built agent mishandles sensitive data just 1% of the time, the chance of at least one leak across 100 agents is 1 − (0.99)^100, or about 63% — at 1,000 agents it rounds to a certainty — and enterprise agent fleets roughly doubled in a single quarter. Fleets don't average out risk, they compound it.
Authentication answers who called, not what ran. A signed token proves an identity knocked on the door. It says nothing about which prompt, model, tools, or policy actually executed — and for an autonomous agent, that gap is where the incidents live.
The regulators already moved. The EU AI Act's transparency duties, DORA's ICT protection mandate for financial firms, and NIST's zero trust doctrine all assume you can produce evidence of what a system did. Most agent stacks cannot.
The posture for a decision-maker is simple: stop buying dashboards that describe agent behavior and start demanding evidence that proves it. Software-first now, hardware-backed as the fleet grows.
// The Hook
The Web Stopped Taking Our Word for It Once Before
I was on the phones at an ISP the day Yahoo went live, and I've watched every trust model on the internet get rebuilt at least once. The early web ran on a handshake. You typed your credit card into a form and hoped. What fixed it wasn't a bigger firewall or a prettier login screen. It was a verifiable trust layer — certificates, signed and checkable by a stranger's browser, that proved a site was what it claimed to be. Trust stopped being a promise and became evidence.
I've spent thirty years watching that cycle repeat. Netscape bolted SSL onto a web that was never designed to be secure. The open source movement won not because it asked for trust but because anyone could read the source and check it. Node.js scaled because the ecosystem could audit what a package did. Every durable leap in computing trust arrived the same way: somebody made verification cheap.
Agents are at exactly that moment. And most enterprises are still typing their credit card into the form.
// The Deep Dive
Deep Dive: The Case for Verifiable Agent Governance
Agents break the old trust model in a specific way. A human logs in once and does a handful of things you can reason about. An agent logs in and then reasons, calls tools, spawns sub-agents, and chains actions across a dozen systems at machine speed. The credential at the door tells you almost nothing about the behavior inside.
And we are not deploying one of them. Gravitee's research shows enterprise agent fleets roughly doubled in a single quarter, with nearly 38% of organizations already past 100 agents. The Cloud Security Alliance found that 65% of organizations had at least one agent-caused incident in the past year. Meanwhile 82% of executives say they're confident their policies cover it, and by the same survey's count only about 14% of organizations actually send agents to production with full security sign-off. That gap between confidence and control is the whole story.
Why "we have guardrails" fails at fleet scale
Guardrails, as most vendors ship them, are two things: filters on the way in and out, and a dashboard that logs what happened. Both are useful. Neither is governance.
The first problem is statistical. Guardrails reduce the probability of a bad action. They don't eliminate it, because the underlying model is probabilistic. Drive the failure rate down all you want — across a large enough fleet, the compounding math I opened with guarantees the tail event. A 1% slip at 100 agents is better than a coin flip that something leaks.
The second problem is evidentiary. A dashboard tells you what an agent did after it did it. It does not prove what the agent was allowed to do, which policy was in force at the moment of action, or that the model wasn't quietly swapped underneath you. The OWASP Top 10 for Agentic Applications for 2026 puts goal hijacking, tool misuse, and identity and delegated-privilege abuse as its top three risks. A filter can lower the odds of all three. It can't prove anything about any of them.
What attestation actually proves
The missing primitive is attestation. Authentication proves who is calling. Attestation proves what actually ran — the specific prompt, model, tool set, and policy, bound into a record a third party can verify without trusting your word. It's the certificate model applied one layer down: proof that this agent did exactly what it claims, under the rules you set.
This is the same doctrine NIST codified as zero trust in SP 800-207 — never trust, always verify — aimed at the agent's actions instead of the network perimeter. The news is that it's leaving the whiteboard. A set of open specifications has appeared under the agentrust-io project, describing itself as runtime policy enforcement, hardware-attested agent identity, and TEE-secured tool calls.
Full disclosure before I go further: the most complete implementation of these standards comes from OPAQUE, a company that is a consulting client of mine. I'm going to describe the architecture on its merits and name the alternatives, because the pattern matters more than any one vendor — and because you should never accept a governance pitch, including this one, without asking for the evidence.
There are four moving parts. The first is Agent Manifest, an open standard that binds the artifacts defining what an agent is — its identity, system prompt, model, tool manifest, and policy bundle — into one signed, verifiable declaration. The second is Confidential MCP, which takes the Model Context Protocol every agent now uses to call tools and runs those calls inside a trusted execution environment, so the tool invocation is enforced and attested rather than merely logged. The third is TRACE, which produces the verifiable compliance evidence — the receipt an auditor actually reads. The fourth is the root of the stack: the open source Agent Governance Toolkit, created at Microsoft, the runtime layer that enforces policy while the agent is running, with mechanisms like trust-score decay and delegated authority for sub-agents.
The design choice that makes this adoptable is conformance levels. The Agent Manifest spec defines four levels, 0 through 3, each a strict superset of the one below. Level 0 is a plain software-signed manifest with no special hardware. Higher levels add hardware-rooted attestation inside a TEE, up to the strongest guarantees. You start at the bottom this quarter and climb as the stakes rise. That gradient is the entire reason this is a real option and not a research paper.
Is this real, or is it vendor theater?
Fair question, and genuinely contested, so here are both sides.
The bull case: the primitives are real and open. Confidential computing — running a workload inside hardware that even the cloud operator can't inspect — is a shipped technology from AMD, Intel, and NVIDIA, not a slide. The Confidential Computing Consortium under the Linux Foundation has been building this for years, and the agent-governance specs are being published openly so competitors can implement them. Standardizing "prove what ran" is exactly the kind of boring infrastructure that becomes table stakes, the way TLS did.
The bear case: it's early, and honesty requires naming the gaps. Attestation proves what ran at the moment of execution. On its own it does not prove the governance still held later — policy and delegation can drift across a long-running task. Nobody has shipped mature behavioral anomaly detection or automatic agent quarantine as part of this stack yet. And it isn't the only approach — Visa's Trusted Agent Protocol attests agent intent at the HTTP layer for payments, Stanford's authenticated-delegation research comes at it from the identity side, and SPIFFE-style frameworks solve part of the same problem.
My read: the winning brand is undecided, the direction is not. Verifiable execution beats logged execution the same way certificates beat "trust me." Bet on the pattern, not the logo.
How to implement verifiable governance
You don't need a moonshot budget — you need a sequence. Here's the three-phase version I'd put in front of a leadership team.
Phase 1: Inventory the fleet you actually have (this month)
You can't govern a population you haven't counted.
List every agent in production or pilot, who owns it, and which systems it can touch
Pick your three highest-risk use cases — the ones handling customer data, money, or production systems
For each, write down whether you can prove the five artifacts of a run: identity, prompt, model, tools, and policy
Phase 2: Go software-first (this quarter)
Level 0 requires no special hardware — the point is building the evidence habit before the stakes rise.
Adopt software-signed manifests for those three highest-risk agents
Put a named owner on the evidence — one person who can hand an auditor the record
Add "show me the receipt" to procurement: require manifest conformance language in every new agent contract and renewal
Phase 3: Climb to hardware-backed proof (before the fleet crosses 100)
Move agents that touch regulated data into TEE-backed execution with attested tool calls
Tie the deadline to fleet size, not to standard maturity — the math, not the roadmap, sets the pace
Re-run the fleet-math calculation quarterly and report it to the board alongside the incident count
Three things determine whether this sticks: executive ownership (fund it as compliance you already owe, not a new cost center), fleet-level thinking from day one (design controls for agent 100, not agent 3), and evidence an outsider can check (if verification requires your own dashboard, it isn't verification).
Common Missteps
Mistaking observability for governance. A dashboard that shows what your agents did is not a control that proves what they were allowed to do. Observability is the rear-view mirror. Governance is the steering. Buying the first and calling it the second is the most common and most expensive error I see.
Governing one agent and deploying a hundred. Pilots get careful human review. Fleets get none, because you can't put a person behind every agent. The controls that felt sufficient at agent number three are the ones that produce a 63% leak probability at agent number 100.
Treating authentication as the finish line. Issuing every agent a strong identity is necessary and nowhere near sufficient. If your security review stops at the login, you've secured the doorknob and left the house open.
Waiting for the perfect standard. The specs are early and the top conformance levels are aspirational for most shops. Start at Level 0 software signing now, build the muscle memory, and climb. The companies that wait for a finished standard will be adopting it under duress, right after their first public incident.
What this buys you with the regulators
This is not compliance theater. The rules already point here. The EU AI Act requires high-risk systems to be transparent enough for a deployer to interpret their output, to support effective human oversight, and to meet accuracy, robustness, and cybersecurity standards. You cannot demonstrate any of those for an agent whose behavior you can't prove.
For financial firms, DORA Article 9 requires protecting the authenticity and integrity of data in use, at rest, and in transit — and "in use" is precisely what a TEE-backed attestation covers. NIST's AI Risk Management Framework organizes the work into govern, map, measure, and manage, and every one of those functions gets easier with verifiable evidence instead of a self-reported dashboard. Attestation is how you turn a framework obligation into an artifact you can hand an auditor.
There's a competitive edge hiding in the paperwork, too. The first vendors and enterprises that can answer an RFP's "prove what your agents did" question with a signed record — instead of a slide about guardrails — will win deals on evidence while everyone else is still writing policy documents.
// Key Takeaways
Key Takeaways
Do the fleet math before you approve the fleet. Take your honest estimate of an agent's failure rate and run it across the number of agents you'll really deploy. A 1% rate at 100 agents is a 63% chance of an incident. If that number scares you, more guardrails aren't the fix — verifiable governance is.
Demand attestation, not just authentication. On every agent purchase and every internal build, require proof of what ran — prompt, model, tools, policy — in a form an outside auditor can verify. Make "show me the receipt" a standard line in procurement.
Start software-first and climb the conformance levels. Adopt Level 0 signed manifests this quarter so the practice is in place, then move to hardware-backed attestation as agents touch more sensitive data. Don't let the maturity of the top level become an excuse to do nothing at the bottom.
Map your controls to the regulation you already owe. Tie agent governance directly to the EU AI Act, DORA, and the NIST frameworks that already apply to you. Compliance you already owe survives the budget meeting; a new cost center doesn't.
// What This Means for Your Planning
What This Means for Your Planning
Put a line item called verifiable agent governance in the next budget cycle, and size it against the incident you're implicitly accepting without it. The fleet math is the budget argument: at your real deployment numbers, the annual probability of an agent-caused leak is not a tail risk you can wave at — it's better than a coin flip. The cost of Level 0 signing across your three riskiest agents is a rounding error next to that.
Then challenge the assumption your board is probably holding right now. The same survey found 82% of executives confident their policies cover agent risk while about 14% actually ship agents with full security sign-off. Odds are your organization lives in that gap. The uncomfortable planning question is not "do we have a policy" — it's "could we hand an auditor proof of what any given agent ran last Tuesday."
For the coming cycle: fund the Phase 1 inventory now, get Level 0 manifests on your three riskiest agents this quarter, and set a hardware-backed attestation date pegged to the size of your fleet. Ask every agent vendor in your renewal pipeline which conformance level they meet, and put the answer in the contract.
The web made this shift once already — trust became something you could check, and the companies that moved early set the terms for everyone else. So bring one question to your next leadership meeting: when your first agent incident lands on your desk, will you be holding a dashboard or a receipt?

