The Sovereign AI Control Plane Landscape, 2026
Who owns which layer of AI governance — and the layer nobody owns. A fair map of what every major vendor actually ships today, and where the sovereign, cross-vendor, runtime whitespace really sits.
The Sovereign AI Control Plane Landscape, 2026
Who owns which layer of AI governance — and the layer nobody owns.
Enterprises deploying autonomous AI in 2026 face a paradox. There have never been more governance products. There has never been less of a governance layer.
Every major platform now ships agent identity, agent security, or agent oversight. Analysts have begun formalizing the category: Forrester defined the "agent control plane" in late 2025 as infrastructure that inventories, governs, orchestrates, and assures heterogeneous agents across vendors and domains. The industry press has reached the same conclusion more bluntly: control is now the product.
But a category being named is not the same as a category being filled. This map describes what each class of vendor actually ships today, what each genuinely owns, and where the structural gap remains. The assessments below are meant to be fair. The credibility of any landscape depends on being accurate about everyone on it.
Layer 1 — The hyperscalers and model labs
What they own: agent identity and runtime inside their own estates.
Microsoft has gone furthest. Entra Agent ID gives every agent a first-class identity — conditional access, lifecycle governance, a per-agent kill switch — and Agent 365 is explicitly positioned as "the control plane for agents," with SDK paths for non-Microsoft frameworks. It is genuinely capable work. Its boundary is architectural: agent identities can only be issued tokens in the Entra tenant where they are created. Microsoft governs the Microsoft estate, and governs it well. That is the design, not a flaw. It is also the limitation.
AWS shipped Bedrock AgentCore to general availability in late 2025: runtime with session isolation, agent identity as workload identity, a governed gateway, and a policy engine (in preview) that compiles natural language to Cedar. It is the most complete first-party agent platform in production. Sovereignty appears as a data-residency feature. Governance is strongest for agents that route through AWS — which is, again, the point.
Google owns the inter-agent communication standard. A2A, donated to the Linux Foundation in 2025 with fifty-plus partners, is the closest thing to a lingua franca for agent-to-agent interaction. A protocol, however, standardizes how agents talk. It does not decide what they are permitted to do, and it enforces nothing.
Anthropic's MCP has become the de facto standard for tool access — the plumbing through which agents reach systems. Like A2A, it standardizes connection, not governance. The specification includes OAuth, but as identity vendors themselves have noted, it does not address the dynamic, delegated, impersonation-prone nature of agent access. Standards create the surface that governance must cover. They are not the governance.
OpenAI ships a capable build layer. Its enterprise governance and sovereignty story is the thinnest of the group.
The pattern: each hyperscaler has built an identity and runtime control plane for its own ecosystem. None has an incentive to govern its competitors' agents, and none can credibly offer a control layer the customer owns outright. Tenant-bound governance is real governance — of the tenant.
Layer 2 — The security and identity incumbents
What they own: runtime threat enforcement and machine identity — above the traffic, inside their platforms.
Palo Alto Networks has made the most aggressive incumbent move. Prisma AIRS spans AI supply chain, posture, runtime protection, and identity, with an agent gateway in preview. Its partnership with Deutsche Telekom — "Sovereign Cortex with T Security" — is notable for a different reason: it is an admission that sovereignty cannot be delivered from a US security cloud alone. The sovereignty comes from the telco. The product remains a security platform: it detects, inspects, and blocks threats. It does not reason about business decisions, and it is not a neutral interoperability layer.
Okta positions itself as the neutral identity fabric, and Auth for GenAI plus the Cross App Access protocol are serious contributions to agent authentication. Both remain early — developer preview and limited availability respectively. Okta governs who an agent is and what it may access. It does not govern what an agent decides, and it is a cloud identity service, not a sovereign deployment.
CyberArk understood the problem earliest, reframing AI agents as privileged machine identities, and its research produced the number the whole industry now quotes: 82 machine identities for every human. Its strength is privilege and secrets. Its scope ends where execution begins.
Cisco, CrowdStrike, Zscaler each see part of the traffic — network, endpoint, or edge. The candid assessment applies to the whole class: these platforms sit above the traffic layer or beside it; each sees a different part of the same interaction, and none sees the whole.
The pattern: the security incumbents are converting agent risk into features of existing platforms. That is valuable, and enterprises should deploy it. It is also, structurally, partial: security platforms answer the access question and the threat question. The execution question — should this decision be carried out — is not theirs to answer.
Layer 3 — The reasoning and governance platforms
What they own: enterprise decision-making, or compliance oversight — rarely both, never sovereign.
Palantir is the most important company on this layer, because it proved the thesis that the ontology — the model of an enterprise's decisions, not merely its data — is where durable value lives. AIP's architecture and its governance controls are the reference implementation of a "system of intelligence." Its limitations are equally well documented: a proprietary ontology, opaque pricing, deep specialist dependency, and jurisdictional identity that makes it structurally unavailable to buyers for whom "sovereign" excludes "operated by a US defense contractor." An entire European market segment now defines itself as the sovereign alternative to Palantir. That segment exists because the demand is real and Palantir cannot serve it.
The AI governance pure-plays — Credo AI, Fiddler, and a fast-growing cohort — are the most direct claimants to the "AI control plane" name. Most of this class is observability, gateway, or GRC tooling: US-centric, SaaS-delivered, cloud-resident by default. They oversee AI. They do not run in the customer's sovereign environment, they do not carry a deterministic reasoning layer, and most cannot enforce — only observe and report.
The pattern: the reasoning platforms are not neutral or sovereign. The governance platforms observe rather than execute. The two halves of the answer exist — on opposite sides of a gap.
Layer 4 — The sovereign infrastructure providers
What they own: the substrate — compute, cloud, and connectivity under national control.
The Gulf has moved fastest. National champions operate sovereign AI cloud at scale with hyperscaler backing; operators have launched sovereign cloud programs and sovereign agentic-AI platforms; the first sovereign clouds certified by national cybersecurity authorities are live. In Europe, Deutsche Telekom's billion-euro Industrial AI Cloud with NVIDIA — thousands of Blackwell GPUs in Munich — is the template: national AI capacity, made for Germany. Türk Telekom frames data sovereignty as a cornerstone of national digital power. Indonesia's operators are building sovereign AI capacity as explicit national policy.
These providers are sometimes miscast as competitors to a control plane. They are the opposite. They supply sovereign compute, sovereign connectivity, and national trust. What they do not manufacture is the software layer that governs autonomous execution on top of that substrate — which is why the most sophisticated of them are importing it through partnership. The telco brings sovereignty and distribution. The missing layer brings control.
The pattern: the substrate is being built, at national scale, on every continent. The governance layer that should run on it is the open position.
The missing layer
Lay the four layers side by side and the gap draws itself. The missing layer must satisfy four conditions simultaneously:
Sovereign by architecture. It runs entirely inside infrastructure the customer controls. No call-home, no operational dependency on the vendor, no jurisdiction problem. If the vendor disappears tomorrow, the control plane keeps running. None of the hyperscalers or SaaS governance vendors can offer this; their business models forbid it.
Neutral across vendors. It governs any agent, from any provider, against any system — because it belongs to none of them. A control plane owned by one of the governed platforms is a conflict of interest with an API.
Enforcing at runtime. Policy is evaluated at the moment of execution, before the action occurs — not reconstructed from logs afterward. Governance that is documented but not technically enforced is, as the Cloud Security Alliance put it, not governance.
Able to prove. Every governed action produces evidence — what acted, on whose authority, under which policy, to what effect — as a native property of execution. Observation describes. Proof withstands audit, regulation, and dispute.
Identity inside one tenant: taken. Runtime threat security: taken. Agent protocols: taken. Enterprise reasoning: taken, but neither neutral nor sovereign. Sovereign compute: being built at national scale, waiting for its control layer.
The intersection — sovereign, neutral, runtime, provable — is empty.
What to watch
Three developments would reshape this map.
First, whether any hyperscaler breaks its own gravity and ships genuinely tenant-independent, customer-owned governance. The economics argue against it; the regulatory pressure argues for it.
Second, whether the security incumbents move from inspecting execution to governing it — from the threat question to the decision question. Palo Alto's telco partnership suggests they understand where this is heading.
Third, how fast the sovereign mandates arrive. The EU AI Act's high-risk regime, Gulf critical-infrastructure requirements, and localization rules across Turkey and Indonesia are converting sovereignty from preference to law. Every mandate enlarges the empty intersection.
The last three eras of computing each produced a control plane, and in each case the company that built it was not the company that built the thing being controlled. Kubernetes did not come from Docker. Identity platforms did not come from the network vendors.
There is no reason to expect the autonomous era to be different.
Frequently asked
- What is the "AI control plane"?
- The AI control plane is the layer of infrastructure that governs what autonomous AI agents are permitted to do — inventorying them, enforcing policy on their actions, coordinating them across systems, and producing evidence of what happened. Forrester formally defined the category in late 2025.
- Don't Microsoft, AWS, and Google already provide this?
- Each provides a capable control plane for agents inside its own ecosystem — Microsoft within the Entra tenant, AWS for agents routing through Bedrock, Google via the A2A protocol. None governs agents across all vendors, and none offers a control layer the customer owns and runs independently. Their governance is real, but bounded by their own estate.
- What is the "missing layer" in AI governance?
- It is a control plane that is simultaneously sovereign (runs in infrastructure the customer owns, with no vendor dependency), neutral (governs any agent from any vendor), runtime-enforcing (decides before an action executes, not after), and provable (produces audit-ready evidence as a property of execution). No current vendor occupies all four positions at once.
- Why can't a hyperscaler or security vendor simply build the missing layer?
- Structurally, a control plane that governs everything cannot belong to any of the platforms it governs — that is a conflict of interest. And a sovereign, customer-owned control plane runs against the business model of vendors whose value depends on remaining operationally indispensable. The requirements are architectural, not just feature gaps.