# The agent-governance land-grab: who's buying the control plane URL: https://www.thedeepfeed.ai/posts/2026-06-03-agent-governance-land-grab/ Category: Business Published: 2026-06-03 Author: the-deep-feed Tags: ai-agents, agent-governance, security, non-human-identity, m-and-a, control-plane Kind: deep > In six weeks, Palo Alto bought Portkey, Cisco bought Astrix, Asana bought StackAI, and $340M flowed into agent-identity startups. The fifth wheel nobody shipped in open source is being bought, not built. A map of the five control-plane layers and the buyers racing to own each one. ## TL;DR - In a **six-week window** (Apr 30 – Jun 2, 2026), the agent-governance category went from thesis to acquisition target: **Palo Alto** closed **Portkey** (~$120-140M reported), **Cisco** reportedly bought **Astrix** (~$400M), **Asana** bought **StackAI** ($75M), and **Geordie** raised **$30M** led by Balderton. - The control plane is **five stacked layers**, not one market: gateway, observability, guardrails, identity/NHI, and the governance brain. Each has its own incumbents, startups, and now its own M&A. - The fastest-consolidating layer is **non-human identity** — **$340M+** flowed into NHI security in 12 months, because agents now outnumber human identities and **99% of them are ungoverned**. Palo Alto isn't improvising: it ran a **three-acquisition staircase** (Venafi → CyberArk → Portkey), against a price ceiling set by Google's **$32B Wiz** deal. - The threat is **not theoretical**: 30 MCP CVEs, an actively-exploited auth bypass (CVE-2026-32814), ~7,000 exposed MCP servers, and a documented chain from one unauthenticated server to **AWS credential theft**. The CVEs proved the governance gap was load-bearing. - This is the **fifth wheel** the open-source agent runtimes left as a TODO. The market's verdict: governance gets **bought by incumbents who own distribution**, not built by the runtimes that created the problem — and prediction markets have **no line** on any of it. Six weeks ago, "AI agent governance" was a slide in a vendor deck and a TODO in an open-source roadmap. As of June 2, 2026, it is an acquisition target with a price. **Palo Alto Networks** [completed its purchase of Portkey on May 29](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-portkey-to-secure-ai-agents), folding an AI gateway that processes trillions of tokens a month into its Prisma AIRS security platform. Two days earlier, Asana [bought the no-code agent builder StackAI for $75 million](https://techcrunch.com/2026/05/28/asana-acquires-no-code-agent-builder-stack-ai/). In the same window, Cisco reportedly paid around $400 million for the agent-identity startup [Astrix](https://astrix.security/), Geordie [raised a $30 million Series A led by Balderton](https://www.securityweek.com/geordie-raises-30-million-for-ai-security-and-governance-platform/) to watch what agents actually do, and [Oasis Security](https://oasis.security/) closed a $120 million round to manage how agents authenticate. Add up the non-human-identity layer alone and, by the [RSAC 2026 field count](https://www.cremit.io/reports/rsac-2026-nhi), more than $340 million changed hands or got committed in a single year. This is not a coincidence of timing. It is a category forming in fast-forward, and the shape it is taking answers a question this publication left open a day ago. When [we mapped the open-source agent runtimes](/posts/2026-06-02-oss-agent-runtimes-five-wheels/), five hard problems kept recurring: memory, sandboxing, the skills-versus-MCP question, transport, and governance. Four of the five had at least one open-source project that took them seriously. The fifth was governance, the discipline of knowing what an agent is allowed to do and proving it didn't do anything else, and it was almost universally a TODO. Nobody shipped it because it is unglamorous, enterprise-shaped, and hard to monetize as a library. The market just decided how that wheel gets built. Not by a library. By acquisition. And the company moving fastest, Palo Alto, is not improvising — it is running a playbook it has run twice before, on a timeline that started months before Portkey. ![An agent figure holding a ring of keys inside an empty office floor plan: the privileged insider nobody is watching](/post-images/2026-06-03-agent-governance-land-grab/insider-threat-hero.jpg) # The insider-threat reframing that started the buying To understand why a cybersecurity company worth more than $100 billion spent money on a token-routing startup, start with the sentence the whole category now repeats. An autonomous AI agent, given credentials and a goal, behaves like a privileged insider that nobody hired, nobody monitors, and nobody can fire. Crunch Insight put it cleanly in its read of the Portkey deal: Palo Alto is "addressing the risk of autonomous AI agents functioning as privileged, unmonitored insiders within corporate networks." That is the spine of the entire land-grab. Every control-plane layer being bought maps to a question a security team would ask about a new employee with root access. Who is this thing? What is it allowed to touch? What did it actually do? Can I stop it mid-action? And can I prove all of the above to an auditor? For two years, the industry answered those questions with a shrug and a logging statement. Agents ran with static API keys minted by whoever built them, scoped to "everything the developer could reach," rotated never. Astrix, the identity startup Cisco reportedly bought, frames the scale of the problem bluntly: agents and non-human identities now outnumber humans by roughly 100 to 1, and 99% of them sit outside the IAM and audit cycles that govern human access. An enterprise that spent a decade building least-privilege access for its employees deployed a thousand agents with none of it. The reframing matters because it changes who buys. "Agent observability" sounds like a developer tool, something an engineering team expenses. "Privileged unmonitored insider" sounds like a CISO problem with a budget line and a board mandate. The moment the category crossed that semantic line, it stopped being a feature inside an SDK and became infrastructure a security incumbent needs to own. Palo Alto's CEO told CNBC that customer meeting requests "surged amid AI security concerns" — the demand signal that justifies a buying spree. > Palo Alto CEO says customer meeting requests have surged amid AI security concerns > > — [@CNBC](https://x.com/CNBC/status/2061946864396570818), Jun 2, 2026 The clearest one-sentence map of the whole wave came from an operator account watching the deals stack up in real time: > Enterprise agent stack being bought in pieces — Asana acquired StackAI $75M (execution layer, agents read/write Salesforce Oracle AWS without code) May 28 + Palo Alto Networks acquired Portkey $120-140M (security gateway, agent traffic visibility + runtime threat detection + token visibility) > > — [@Basemail_ai](https://x.com/Basemail_ai/status/2061320169100894572), Jun 1, 2026 "Bought in pieces" is exactly right. The agent control plane is not one product. It is five. But before the map, the precedent — because the speed of the Portkey deal only makes sense once you see what Palo Alto had already assembled. # Palo Alto's three-acquisition staircase The Portkey purchase looks impulsive in isolation and inevitable in sequence. On February 11, 2026, three and a half months before Portkey, Palo Alto [completed its acquisition of CyberArk](https://investors.paloaltonetworks.com/news-releases/news-release-details/palo-alto-networks-completes-acquisition-cyberark-secure--ai-era), the identity-security company, with a press release whose subtitle named the target directly: "the leading platform that delivers unified security for human, machine and agentic identity." CyberArk, in turn, had [completed its own acquisition of Venafi](https://www.cyberark.com/press/cyberark-completes-acquisition-of-machine-identity-management-leader-venafi/), the machine-identity-management leader, back in October 2024. By May 2026, Palo Alto [rebranded the combined identity stack as Idira](https://www.sdxcentral.com/news/palo-alto-networks-rebrands-cyberark-with-idira-platform-release/) and made the claim that anchors the whole thesis: machine identities now outnumber human identities. Stack the dates and the strategy is unmistakable. Venafi (2024) gave the stack machine identity — the certificates and keys that authenticate servers and services. CyberArk (February 2026) gave it the platform to govern human, machine, and agentic identity together. Portkey (May 2026) gave it the gateway that sees every agent's traffic. SDxCentral, noting Portkey was "yet another acquisition following Koi, Chronosphere, and CyberArk deals," is describing a company that has decided agent governance is not a product line but the next platform, and is buying the floors of it in order. Palo Alto is not the only incumbent running this play. Okta [made Okta for AI Agents generally available on April 30](https://www.okta.com/blog/ai/okta-for-ai-agents-general-availability/), the same day Palo Alto announced its intent to buy Portkey, built on a "blueprint for the secure agentic enterprise" whose opening premise is that [every agent needs an identity](https://www.okta.com/blog/ai/okta-ai-agents-early-access-announcement/). CyberArk, even mid-acquisition, [shipped its own Secure AI Agents solution](https://www.cyberark.com/resources/all-blog-posts/cyberark-secure-ai-agents) extending its Identity Security Platform to non-human identities. The two largest pure-play identity vendors and the security platform buying one of them all reached the same conclusion in the same quarter: the agent is a new identity class, and whoever governs identity governs agents. ![Three stacked building-block steps rising into a platform with a red flag on top: Palo Alto's acquisition staircase](/post-images/2026-06-03-agent-governance-land-grab/palo-alto-staircase.jpg) There is a precedent for the precedent, and it sets the price ceiling everyone in this market is implicitly bidding against. In 2026 Google [completed its $32 billion acquisition of Wiz](https://www.forrester.com/blogs/google-to-acquire-cnapp-specialist-unicorn-wiz-for-32bn/), the largest deal in cybersecurity history, for a company that had created the cloud-native-application-protection category from nothing and [hit $100M ARR in 18 months](https://openviewpartners.com/blog/category-creation-wiz-hit-100m-arr-in-only-18-months/). The Wiz outcome is the proof every agent-governance founder and acquirer has internalized: a security category that goes from non-existent to must-have inside two years can be worth tens of billions to the platform that owns it. Agent governance is following the same arc on a faster clock — and that is the multiple the $400 million Astrix and $140 million Portkey prices are reaching toward. # The five layers of the control plane A request leaves an agent and travels to the outside world — to a model provider, a database, a SaaS API, a payment rail. Between the agent's intent and the world's response, there are five places to insert control. Each is a distinct technical problem, each has a distinct set of vendors, and each is now a distinct M&A market. The land-grab makes sense only when you stop treating "governance" as one word. | Layer | The question it answers | What it controls | Lead buyers / rounds (2026) | |---|---|---|---| | 1. Gateway | Where does the traffic go? | Spend caps, routing, PII redaction, token visibility — *before* the request leaves | Palo Alto → Portkey | | 2. Observability | What did the agent do? | Tracing, monitoring, replay of multi-step runs | Arize:Observe; LangSmith; standalone | | 3. Guardrails | Should this action happen? | Runtime enforcement, output validation, kill switches | NVIDIA NeMo, Guardrails AI, GuardionAI | | 4. Identity / NHI | Who is this agent? | Credentials, scoped permissions, rotation, discovery | Cisco → Astrix; Oasis $120M; Entro, Clutch | | 5. Governance brain | Is this allowed, and can I prove it? | Action-surface mapping, segregation-of-duties, human authority | Geordie $30M; LangGuard; Operant | Read top to bottom, the layers form a pipeline. A request hits the gateway, gets traced by observability, gets checked by guardrails, is attributed to an identity, and is authorized by the governance brain. Read as a market, they form five separate fights — and the acquirers are picking which one they want to own. ![Five stacked control layers between an agent at top and the world at bottom, middle layer in red: the control plane as a checkpoint pipeline](/post-images/2026-06-03-agent-governance-land-grab/five-layer-stack.jpg) ## Layer 1 — The gateway, or the traffic chokepoint The AI gateway is the most defensible position in the stack for the same reason a tollbooth is more valuable than the road: everything passes through it. An agent that wants to call a model has to send the request somewhere, and if that somewhere is a gateway, the gateway sees and can shape every call before it leaves the building. Spend limits, PII redaction, provider routing, and per-token accounting all live here, and they all happen at the source rather than in a log you read after the damage is done. **Portkey** built exactly this. Its open-source gateway (`Portkey-AI/gateway`, just under 12,000 GitHub stars, TypeScript, last pushed May 25) handles, by Palo Alto's own description, trillions of tokens a month for enterprise customers. When Palo Alto [announced its intent to acquire on April 30](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-to-acquire-portkey-to-secure-the-rise-of-ai-agents), it described the AI gateway as "the mission-critical control plane for autonomous agents" — language that tells you the gateway is not being bought as a feature but as the foundation the other four layers will be sold on top of. The price tells its own story. Palo Alto declined to disclose terms, but the Economic Times reported the deal [valued Portkey at roughly $140 million](https://economictimes.indiatimes.com/tech/startups/palo-alto-networks-to-acquire-elevation-capital-backed-ai-app-infra-startup-portkey/articleshow/130668555.cms), "may double" from its prior mark. For a company whose product is, at its core, a routing proxy, that is a control-point premium: you are not paying for the code, you are paying for the position between every agent and every model. Portkey is not alone at this layer, which is what makes the acquisition urgent rather than optional. **LiteLLM** (`BerriAI/litellm`, over 49,000 stars, pushed daily) is the open-source gateway giant, and **LangChain** shipped its own [LangSmith LLM Gateway](https://www.langchain.com/blog/introducing-llm-gateway) in 2026, pitching "runtime governance built into the agent lifecycle" — spend limits and PII redaction enforced "at the source rather than just logging them after the fact." When the open-source option has 49,000 stars and the framework company is building its own, a security incumbent that wants the chokepoint cannot wait. It buys the commercial leader before the category commoditizes. ## Layer 2 — Observability, the flight recorder If the gateway is the tollbooth, observability is the black box. It does not stop anything; it records everything, so that when an agent does something inexplicable across fourteen tool calls and two sub-agents, someone can replay the trace and find the turn where it went wrong. This is the layer with the most players and the least consolidation, because it grew out of the developer-tools world rather than the security world, and developer tools resist being bought. The roster is deep. **Arize Phoenix** (`Arize-ai/phoenix`, nearly 10,000 stars, pushed daily) anchors an Arize platform whose Arize:Observe conference landed June 4. **LangSmith** offers tracing and monitoring for any framework via Python, TypeScript, Go, and Java SDKs. **AgentOps**, **Traceloop's OpenLLMetry** (over 7,000 stars), Langfuse, Helicone, Braintrust, and Galileo round out a field that the comparison-matrix sites now list eleven deep. The category is real, the tooling is good, and almost none of it has been acquired — because observability alone does not answer the security buyer's question. Knowing what an agent did is necessary; it is not the same as controlling what it can do. That distinction is why observability sits in the middle of the stack and why its standalone companies are, for now, staying standalone. They are too useful to engineering to be folded into a security platform, and not yet controlling enough to command a control-point premium. Watch this layer for the next wave: the moment one observability vendor adds real-time enforcement (not just recording but intervening) it crosses into the guardrails layer and becomes acquisition bait. ## Layer 3 — Guardrails, the kill switch Guardrails are where recording becomes intervention. A guardrail sits in the execution path and makes a decision: this output contains a prompt injection, block it; this tool call would exfiltrate a customer record, redact it; this agent has looped on the same call three times, kill the session. The defining property is that a guardrail acts before the consequence, which is also what makes it hard — you are now in the latency-critical path of every action, and a wrong block is as damaging as a missed threat. **NVIDIA NeMo Guardrails** and **Guardrails AI** (`guardrails-ai/guardrails`, nearly 7,000 stars) are the open-source anchors. The interesting motion is at the protocol level. **GuardionAI** bills itself as "the Agent and MCP Security Gateway," sitting in the execution path to "discover, redact sensitive data, and enforce protection" at the protocol layer across OpenAI, Gemini, Anthropic, and the open frameworks. **LangSight** (self-hosted, Apache-2.0) reframes guardrails as reliability engineering: loop detection, budget circuit-breakers, MCP health checks. "Agent stuck in a loop? Killed after three repeat calls. Session burning budget? Auto-stopped at your dollar limit." The most telling guardrails move of the period came not from a startup but from Microsoft, which open-sourced an agent-governance toolkit and earned the most-engaged tweet in our entire research sweep: > MICROSOFT OPEN-SOURCED A GOVERNANCE LAYER FOR YOUR AI AGENTS and it's exactly what agentic ai has been missing. here's what agent governance toolkit does: intercepts every tool call in deterministic code before it hits the wire. denied actions aren't unlikely, they're structural > > — [@_vmlops](https://x.com/_vmlops/status/2059207888393138556), May 26, 2026 "Denied actions aren't unlikely, they're structural" is the whole guardrails thesis in five words. A probabilistic model cannot be trusted to refuse a forbidden action reliably; a deterministic interceptor in front of it can. Microsoft's Agent Framework (`microsoft/agent-framework`, nearly 11,000 stars, pushed daily) shipping this in the open is a signal that the platform vendors intend to give the guardrails layer away to win the layers above and below it — the classic commoditize-your-complement move that should worry every standalone guardrails startup. ## Layer 4 — Identity, or who the agent actually is This is the layer consolidating fastest, and it is worth understanding why. Every agent needs credentials. An API key for the model. An OAuth token to read a Slack channel. A service account to write to the production database. In the human world, a decade of identity engineering (single sign-on, least privilege, credential rotation, access reviews) governs who gets which keys. In the agent world, the developer who built the agent minted the keys, scoped them to whatever was convenient, and moved on. Nobody tracks them, most never rotate, and the security team cannot even enumerate how many exist. The non-human-identity category formed to fix this, and the money confirms it has arrived. The [RSAC 2026 field report](https://www.cremit.io/reports/rsac-2026-nhi) tallied more than $340 million in NHI-security funding across twelve months — Astrix, Oasis, Entro, Clutch, GitGuardian, and Cremit. Two moves anchor the period. **Cisco** reportedly acquired **Astrix Security** for around $400 million, buying an [identity-first platform](https://astrix.security/product/secure-ai-agents/) that, at RSAC 2026, announced a [four-method agent-discovery architecture](https://astrix.security/learn/blog/what-were-announcing-at-rsac-2026-discovery-across-every-layer-and-control-over-what-agents-can-do/) and a real-time policy engine that evaluates allow, flag, and block rules before any action executes. **Oasis Security** raised a [$120 million Series B](https://oasis.security/) for "Agentic Access Management," pitching short-lived, just-in-time, precisely-scoped credentials in place of the static keys that are the root of the problem. The identity layer consolidates fastest because it is the layer with the clearest existing buyer. Cisco, Palo Alto, CyberArk, and Okta already sell identity to enterprises; an agent is just a new kind of identity to govern, and the incumbents have the distribution to sell it the day the deal closes. Astrix's framing, that agents outnumber humans 100 to 1 with 99% ungoverned, is precisely the kind of total-addressable-market math that turns a security platform's M&A committee into a buyer. When the problem is "you have a hundred times more ungoverned identities than you thought," the platform that already owns your human identities is the obvious acquirer. ## Layer 5 — The governance brain, the newest layer The fifth layer is the one that did not exist as a category a year ago, and it is the one closest to what the open-source runtimes meant when they wrote "governance: TODO." It is not about traffic, recording, blocking, or credentials. It is about policy: mapping the complete set of actions every agent in the business can take, detecting when an agent is about to violate a separation-of-duties rule (the same control that stops one bank employee from both creating and approving a payment) and inserting a human at the moment a high-risk action is attempted. **Geordie** is the clearest pure-play, and its $30 million Series A led by Balderton is the funding event that signals the layer has graduated from idea to category. Geordie's pitch is continuous behavioral understanding of every agent, with a "First agent visible in 10 minutes" promise, and its metaphor is the one worth keeping: > Deploying AI agents across your org but have no idea what they're actually doing? Geordie AI gives security teams continuous visibility into agent behavior, permissions, and drift — without slowing agents down. > > — [@EveryDevAi](https://x.com/EveryDevAi/status/2060351860736012763), May 29, 2026 The company's own framing on its site sharpens it: "We're seeing the iceberg that rocked the Titanic — weeks in advance rather than the moment it appears on screen." That is the governance-brain promise — not a log you read after the incident, but a model of normal agent behavior precise enough to flag the drift before the collision. [**LangGuard**](https://langguard.ai/) builds the same shape from the controls side: it "maps and classifies the complete action surface of every AI agent," detects segregation-of-duties violations in real time, and "enforces human authority when a high-risk action is attempted." [**Operant AI**](https://operant.ai/) approaches from the protocol side with an MCP Gateway and AI Gatekeeper, claiming to be the only vendor featured across all five of Gartner's critical AI-security categories in 2025. The governance brain is the least consolidated layer precisely because it is the newest and the hardest. Mapping an agent's full action surface and reasoning about policy violations in real time is a genuinely unsolved problem, which is why this layer is still raising Series A rounds rather than getting acquired. It is the layer to watch: whoever solves it credibly becomes the most valuable acquisition target in the entire stack, because it is the layer a CISO can actually take to an auditor. # The threat is not theoretical, and that's why the buying is real A security category does not attract $400 million acquisitions on a hypothetical. The reason the insider-threat framing landed with CISOs is that the agent attack surface stopped being a thought experiment sometime in early 2026, and the incident log is now long enough to read as a pattern. The core flaw is structural, and it is the same flaw the guardrails layer exists to contain: a language model does not distinguish data from instructions. When an MCP tool returns a result, the agent reasons over that result as trusted context. If the result contains text that reads like a command, the agent may [execute it as one](https://policylayer.com/attacks/prompt-injection-via-tool-results). This is indirect prompt injection, and it turns every external surface an agent reads (a web page, a support ticket, a GitHub issue) into a potential command channel. The most insidious version, data exfiltration via tool chaining, [needs no single malicious call at all](https://policylayer.com/attacks/data-exfiltration-via-tool-chaining): the attacker induces the agent to read from a privileged source and write to a sink the attacker controls, where each individual tool call is authorized and the breach lives entirely in the composition. Least-privilege on any single tool does not stop it. Only a governance layer that reasons about the *sequence* does. ![A chain of tool nodes from a locked database to a red outbound envelope: exfiltration where every single link is authorized](/post-images/2026-06-03-agent-governance-land-grab/tool-chain-exfil.jpg) The transport itself has been found vulnerable. On April 15, 2026, OX Security disclosed a [systemic flaw in the MCP STDIO transport interface](https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-rce-design-vulnerability-20260423-csa/) that allows arbitrary shell-command execution, a design vulnerability rather than a bug in one server. By the time the Cloud Security Alliance catalogued the state of MCP security, the tally was stark: [thirty CVEs, a North Korean npm hijack, and roughly 7,000 exposed MCP servers reachable on the open internet](https://lorikeetsecurity.com/blog/mcp-supply-chain-attacks-ai-agent-security). One MCP SDK authentication bypass, [CVE-2026-32814](https://ringsafe.in/mcp-sdk-authentication-bypass-under-active-exploitation-cve-2026-32814-patch-now/), was reported under active exploitation. In May, Ars Technica reported a critical vulnerability in a single open-source package that [imperiled millions of AI agents](https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/) at once, exposing credentials to third-party accounts. CloudSEK documented a real case where [an unauthenticated MCP server chained into SSRF, local file inclusion, and AWS credential theft](https://www.cloudsek.com/blog/aivigil-mcp-security-case-study) — the full kill chain, from a misconfigured agent tool to stolen cloud keys. This is the demand curve under the deal flow. Help Net Security's read of the moment, enterprises wiring agents into "ticketing systems, source code repositories, chat platforms, and cloud dashboards" and then [racing to secure what they had already deployed](https://www.helpnetsecurity.com/2026/02/23/ai-agent-security-risks-enterprise/), describes a market that built the exposure first and is now buying the controls second. That ordering is why the acquisitions are clustered and urgent rather than spread and speculative. The agents are already in production. The governance was not. The CVEs proved the gap was load-bearing, and the security incumbents are buying their way across it before the next breach has their customer's name on it. # Following the money: three patterns in the deal flow Step back from the individual deals and three patterns explain the whole wave. ![A split: heavy anchor blocks on the left for incumbents buying chokepoints, red-tipped rising arrows on the right for venture funding](/post-images/2026-06-03-agent-governance-land-grab/buyers-vs-funders.jpg) The first is that **incumbents buy chokepoints, growth capital funds frontiers.** The acquisitions cluster at the two layers with the clearest control position, the gateway (Palo Alto/Portkey) and identity (Cisco/Astrix), because those are the layers where owning the position is worth more than the technology. The venture money, by contrast, flows to the governance brain (Geordie) and agentic access (Oasis), the layers where the problem is still unsolved and the prize is becoming the eventual acquisition target. You can read the maturity of each layer directly off whether it is being acquired or funded. The second pattern is **the execution layer and the security layer are being bought by different kinds of buyers for different reasons.** Asana's $75 million purchase of StackAI is not a security deal. It is a productivity company buying the ability to let agents read and write Salesforce, Oracle, and AWS without code. Palo Alto's Portkey purchase is a security company buying the ability to watch and shape that same traffic. The same agent action, "write to Salesforce," is a feature to Asana and a threat to Palo Alto, and both are paying to own their side of it. That divergence is the clearest sign the agent stack is maturing: when the same capability is simultaneously a product and a risk, the market splits into builders and governors. The third pattern is the quietest and the most important: **the open-source runtimes that created this problem are not capturing the value of solving it.** The frameworks that gave developers easy agents, the ones [we mapped yesterday](/posts/2026-06-02-oss-agent-runtimes-five-wheels/), left governance as a TODO, and the TODO is being filled by a separate set of companies that the framework vendors will not own. Microsoft giving away its guardrails toolkit is the exception that proves the rule: a platform vendor can afford to commoditize one layer to sell the others, but a pure framework cannot. The lesson for anyone building an agent runtime is that the hard, unglamorous wheels (governance most of all) are where the durable enterprise value accrues, and it accrues to whoever owns distribution, not whoever wrote the framework. # What the prediction markets can't see There is one more tell, and it is an absence. Across the entire research sweep, the prediction markets had nothing to say about any of this. Polymarket's active AI markets in early June 2026 were all about model rankings — whether Claude opus-4-6-thinking would be the best model on June 6 (84% yes), which company would hold the top model at the end of the month (a $10 million market). There was not a single line on agent governance, on which security incumbent would buy the next gateway, on whether the NHI category would consolidate. Governance is invisible to the betting public. That invisibility is the opportunity the acquirers are pricing. The crowd bets on which model is smartest because that is the visible, legible question. The security incumbents are buying the layer that decides whether any of those models can be trusted to act, because that is the question every enterprise will be forced to answer the moment its agents touch production. The gap between what the market watches and what the market needs is exactly the arbitrage Palo Alto and Cisco are running. Nirmata, watching the Portkey deal, [called it "validation at the highest level"](https://nirmata.com/2026/05/19/the-ai-governance-market-is-here-most-of-the-problem-remains-unsolved/) while noting that "most of the problem remains unsolved." Both halves are true. The validation is the six weeks of deals. The unsolved part is the governance brain — layer five, the one still raising Series A rounds because mapping an agent's full action surface and proving it stayed inside the lines is genuinely hard. The agent-runtime field reinvented five wheels and shipped four. The fifth, governance, it left on the table. The market just walked over, picked it up, and put a price on it. The runtimes built the agents. The incumbents are buying the right to govern them. And the company that finally solves the governance brain, the layer the prediction markets cannot see and the open-source projects would not build, is the one every security platform on this list will be writing a nine-figure check for next. ## Sources - [Palo Alto Networks — completes acquisition of Portkey to secure AI agents](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-portkey-to-secure-ai-agents) - [Palo Alto Networks — intent to acquire Portkey (Apr 30)](https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-to-acquire-portkey-to-secure-the-rise-of-ai-agents) - [Economic Times — Palo Alto to acquire Portkey; valuation may double to $140M](https://economictimes.indiatimes.com/tech/startups/palo-alto-networks-to-acquire-elevation-capital-backed-ai-app-infra-startup-portkey/articleshow/130668555.cms) - [SDxCentral — Palo Alto completes Portkey acquisition](https://www.sdxcentral.com/news/palo-alto-networks-completes-portkey-acquisition-adding-ai-gateway-to-flagship-platform/) - [TechCrunch — Asana acquires no-code agent-builder StackAI](https://techcrunch.com/2026/05/28/asana-acquires-no-code-agent-builder-stack-ai/) - [SecurityWeek — Geordie raises $30M for AI security and governance](https://www.securityweek.com/geordie-raises-30-million-for-ai-security-and-governance-platform/) - [Tech.eu — Geordie raises $30M to bring security and governance to agentic AI](https://tech.eu/2026/05/29/geordie-raises-30m-to-bring-security-and-governance-to-agentic-ai/) - [Cremit — RSAC 2026 NHI field report (Astrix, Oasis, Entro, Clutch, GitGuardian)](https://www.cremit.io/reports/rsac-2026-nhi) - [Oasis Security — $120M Series B to accelerate secured agentic access](https://oasis.security/) - [Astrix Security — AI agent security & NHIs](https://astrix.security/product/secure-ai-agents/) - [LangChain — LangSmith LLM Gateway: runtime governance](https://www.langchain.com/blog/introducing-llm-gateway) - [Operant AI — secure your AI](https://operant.ai/) - [Nirmata — the AI governance market is here](https://nirmata.com/2026/05/19/the-ai-governance-market-is-here-most-of-the-problem-remains-unsolved/) - [Palo Alto Networks — completes acquisition of CyberArk (Feb 11)](https://investors.paloaltonetworks.com/news-releases/news-release-details/palo-alto-networks-completes-acquisition-cyberark-secure--ai-era) - [CyberArk — completes acquisition of Venafi (machine identity)](https://www.cyberark.com/press/cyberark-completes-acquisition-of-machine-identity-management-leader-venafi/) - [Okta — Okta for AI Agents is now generally available](https://www.okta.com/blog/ai/okta-for-ai-agents-general-availability/) - [Forrester — Google to acquire Wiz for $32 billion](https://www.forrester.com/blogs/google-to-acquire-cnapp-specialist-unicorn-wiz-for-32bn/) - [Cloud Security Alliance — MCP STDIO design flaw enables RCE](https://labs.cloudsecurityalliance.org/research/csa-research-note-mcp-rce-design-vulnerability-20260423-csa/) - [Lorikeet Security — MCP is the new supply chain: 30 CVEs](https://lorikeetsecurity.com/blog/mcp-supply-chain-attacks-ai-agent-security) - [Ars Technica — millions of AI agents imperiled by critical vulnerability](https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package/) - [CloudSEK — unauthenticated MCP server to AWS credential theft](https://www.cloudsek.com/blog/aivigil-mcp-security-case-study) - [Help Net Security — enterprises racing to secure agentic AI](https://www.helpnetsecurity.com/2026/02/23/ai-agent-security-risks-enterprise/) --- Canonical: https://www.thedeepfeed.ai/posts/2026-06-03-agent-governance-land-grab/ Site: https://www.thedeepfeed.ai Full corpus: https://www.thedeepfeed.ai/llms-full.txt