When Control Plane Tools Don't Stop AI Agents from Acting: The Execution Plane Gap
Enterprise security teams are quickly adopting control plane tools to manage the explosion of AI agents in production environments. Platforms like Microsoft Entra Agent ID, Saviynt, and ServiceNow provide discovery, inventory, and lifecycle management for agents that would otherwise operate in shadow IT.
These tools solve critical problems. They answer three questions: which agents exist, who owns them, and when were they created? Without this visibility, governance becomes impossible.
But control plane tools operate at the registration layer. They track identity at the moment an agent is created and assign ownership to a responsible human.
Another layer is needed to intercept what the agent does three months later, when it autonomously decides to call a tool, access a database, or provision infrastructure.
That layer exists at the execution plane.
What control plane tools do (and why they matter)
Control plane tools were built to solve the agent sprawl problem. They address that blind spot by scanning for agent activity, identifying which agents are running, and mapping them to owners.
They also track agent lifecycles from creation to decommissioning, flag orphaned agents when employees leave, and provide dashboards that give security teams visibility into what would otherwise be invisible automation.
Every agent gets an identity lifecycle
Ownership assignment sits at the core of this model. When an agent is created, the control plane records who created it and assigns that person as the responsible party. If that human leaves the organization, the control plane triggers a workflow to reassign ownership or decommission the agent.
Giving non-human identities a directory
This governance model solves a problem that traditional identity systems were never designed to address. Human-centric IAM platforms assume every identity belongs to a person with a badge and an onboarding date. Control plane tools extend that logic to non-human identities, giving agents a place in the directory and a lifecycle tied to organizational processes.
Without this foundation, agents proliferate uncontrolled. Teams spin up automation to solve immediate problems, then move on. The agents keep running. Credentials persist. No one knows who owns them or what they have access to. Control plane tools prevent that chaos.
Why control plane governance falls short for autonomous agents
The problem with control plane governance becomes visible the moment an agent starts making autonomous decisions.
Deterministic workflows vs. non-deterministic AI
Traditional machine identities like service accounts and API keys execute deterministic workflows. A script runs on a schedule, calls a defined set of APIs, and stops. The behavior is predictable. Permissions can be scoped tightly because the script will never deviate from its programmed path.
An agent doesn't work the same way; it receives a prompt like "wake up infrastructure," reasons about what that means, and decides which tools to call and what parameters to use. The agent might query a configuration database, retrieve credentials, and invoke a provisioning API without human oversight.
The real-time authorization gap
This non-deterministic behavior breaks the assumptions behind control plane governance. Ownership is assigned at creation, but ownership does not validate whether a specific action three months later was authorized. The control plane knows who created the agent. What it cannot answer is whether the agent should be allowed to execute a database deletion command right now, under current business conditions, with no human approval.
The PocketOS incident from April 2026 illustrates this gap. A Cursor AI agent deleted an entire production database in under ten seconds after autonomously discovering an API token with broader authority than its assigned task.
Two different planes, two different jobs
We've used this analogy many times: the control plane functions like a DMV. It registers your car, assigns you as the owner, and tracks the vehicle's lifecycle.
The execution plane functions like an ignition interlock. It validates whether you should be allowed to drive right now, at this moment, under these conditions.
Both layers are necessary. Registration without runtime validation leaves agents free to act beyond their authorized scope, and runtime validation without registration creates an accountability gap where actions cannot be traced back to a responsible human.
The execution plane: Where agents actually act
The execution plane is the moment an agent calls a tool, invokes an API, or modifies data. This is where autonomous decisions turn into actions with real consequences.
The validation gap at the MCP layer
When an agent attempts to execute a command, the request passes through the Model Context Protocol (MCP), which serves as the standard tool access layer across agent frameworks. MCP routes the request from the agent to the tool without validating whether the specific action the agent is attempting falls within authorized scope.
This creates a structural gap. The agent presents a valid credential, the tool receives a valid request, and the action executes without any policy engine sitting between the two to evaluate whether this particular action, under these conditions, should be allowed at all. The tool has no concept of identity and no mechanism to refuse a request that arrives with a valid key.
Execution plane governance closes this gap by intercepting the MCP call before it reaches the tool, so the tool is never reached until identity, scope, and authorization have all been validated.
The risks of implicit trust
In March 2026, security researchers at CodeWall ran an authorized offensive exercise against McKinsey's internal AI platform, Lilli, and found 22 unauthenticated API endpoints that exposed 46.5 million chat messages, 728,000 files, and 57,000 user accounts.
The platform had no execution plane controls in place. Any request that reached those endpoints was executed without verifying who or what was making it.
Agent platforms built on this model operate on implicit trust: if the credential is valid, the action proceeds.
What execution plane governance looks like
Runtime authorization intercepts agent requests before they reach the target tool. When an agent attempts to call an API, the request passes through a policy engine that validates the agent's identity, checks the requested action against allowed scope, and confirms credential validity before execution proceeds.
This validation happens at the MCP layer. Because MCP functions as the common tool access interface across agent frameworks, a policy engine operating at this layer can enforce consistent authorization regardless of whether the agent was built with LangChain, Relevance AI, or Microsoft Copilot Studio.
Verifiable credentials replace static API keys
Instead of static API keys that remain valid until manually revoked, execution plane governance uses verifiable credentials that carry:
Issuer identity (the human who authorized the credential)
Cryptographic binding to the specific agent
Validity window (automatic expiration)
Permitted scope (specific actions allowed)
Environmental context (where and under what conditions the credential is valid)
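To make the five properties above concrete, here is an added example (not code from the page or from 1Kosmos) of a credential that carries all of them and a check that runs on each tool call. It is simplified: the binding is an HMAC under a hypothetical issuer key rather than a real signature, and the issuer, agent id, scope and environment values are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stand-in for the issuer's signing key; a real deployment would sign with an asymmetric key.
ISSUER_KEY = b"hypothetical-issuer-signing-key"

@dataclass(frozen=True)
class AgentCredential:
    issuer: str            # the human who authorized the credential
    agent_id: str          # the agent the credential is bound to
    not_before: datetime   # start of the validity window
    not_after: datetime    # automatic expiration
    scope: frozenset       # permitted "tool:action" pairs
    context: tuple         # sorted (key, value) conditions, e.g. (("env", "staging"),)
    binding: bytes         # MAC over every field above

def _mac(issuer, agent_id, not_before, not_after, scope, context):
    # Canonical JSON encoding so the MAC cannot be confused by delimiter characters in values.
    msg = json.dumps([issuer, agent_id, not_before.isoformat(), not_after.isoformat(),
                      sorted(scope), list(context)])
    return hmac.new(ISSUER_KEY, msg.encode(), hashlib.sha256).digest()

def issue(issuer, agent_id, scope, context, ttl_seconds, now=None):
    """Mint a credential that expires automatically after ttl_seconds."""
    now = now or datetime.now(timezone.utc)
    scope, ctx, until = frozenset(scope), tuple(sorted(context.items())), now + timedelta(seconds=ttl_seconds)
    return AgentCredential(issuer, agent_id, now, until, scope, ctx,
                           _mac(issuer, agent_id, now, until, scope, ctx))

def authorize(cred, agent_id, tool, action, env, now=None):
    """Decide one tool call. Returns (allowed, reason); every denial names its cause."""
    now = now or datetime.now(timezone.utc)
    expected = _mac(cred.issuer, cred.agent_id, cred.not_before, cred.not_after, cred.scope, cred.context)
    if not hmac.compare_digest(cred.binding, expected):
        return False, "tampered_credential"
    if cred.agent_id != agent_id:
        return False, "agent_binding_mismatch"  # presented by an agent it was not issued to
    if not cred.not_before <= now < cred.not_after:
        return False, "outside_validity_window"
    if f"{tool}:{action}" not in cred.scope:
        return False, "out_of_scope"
    for key, value in cred.context:
        if env.get(key) != value:
            return False, f"context_mismatch:{key}"
    return True, f"authorized_by:{cred.issuer}"
```

Note the order of the checks: integrity and binding are verified before scope, so a credential whose scope was widened after issuance is rejected as tampered rather than evaluated on its new contents.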
What Know Your Agent (KYA) means in practice
The execution plane controls described in this article are the operational expression of a broader identity framework called Know Your Agent (KYA). KYA is the principle that every AI agent action must be tied to a verified human authorizer at the moment of execution, not assumed to be safe because a credential was issued days or weeks earlier at registration.
The framework follows the same logic as Know Your Customer (KYC) in financial services, which established that identity must be verified at the point of consequence rather than assumed from a prior check. Know Your Agent applies that same principle to autonomous AI agents that can take consequential actions at machine speed across enterprise systems.
The MCP interception layer and verifiable credentials described above, together with the human-in-the-loop authorization described below, are the technical mechanisms through which KYA is enforced at runtime.
If you want a full treatment of the framework, including how it extends KYC and KYE principles, how verifiable credentials work, and how it addresses the ghost agent problem, our Know Your Agent explainer covers all of it.
Human-in-the-loop authorization for high-risk actions
Policy thresholds determine when human approval is required. Routine operations that fall within predefined parameters, such as a purchase below a defined spend limit or a read-only data query, execute automatically once the agent's verifiable credential is validated.
When an agent attempts an operation that exceeds those thresholds, such as provisioning infrastructure, moving money above a defined amount, or accessing sensitive data stores, the policy engine halts execution before the tool is reached and sends a push notification to the human owner's mobile wallet.
This mechanism uses Client Initiated Backchannel Authentication (CIBA), a protocol that decouples the authorization decision from the execution flow, so the agent waits for human input rather than proceeding on its own.
The notification includes the agent's identity, the action it is attempting, and the proposed validity window. The human reviews the request and approves or denies it with biometric verification.
Closing the accountability gap
If the human approves, the agent receives a verifiable credential scoped to that specific action with a short validity window, often minutes to hours. The system logs the approval with cryptographic proof linking the action to the human who authorized it.
This mechanism addresses a critical accountability gap: in traditional models, an agent with valid credentials can take any action those credentials permit, regardless of risk level or business context. Know Your Agent governance applies graduated controls instead, so low-risk actions flow without friction while consequential actions receive explicit, real-time human approval before the tool is ever reached.
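The graduated controls described in the preceding sections, as an added example that is not part of the original article or of any 1Kosmos product: a policy engine that lets routine calls through, parks high-risk calls in a pending state until the owner answers out of band (a simplified stand-in for a CIBA flow, with no real push notification or biometric step), issues a short-lived grant on approval, and records each decision in a hash-chained log. The policy table and its spend limit are constructed values.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed thresholds (hypothetical values): actions at or below a limit run automatically;
# anything above it, or with no automatic path, waits for the human owner. Unknown actions are denied.
POLICY = {
    "db:read": {"auto": True},
    "payments:transfer": {"max_auto_amount": 1000},
    "db:delete": {"auto": False},
}

class PolicyEngine:
    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)
        self.pending, self.audit_log = {}, []   # pending: request_id -> request awaiting the owner

    def intercept(self, agent_id, tool, action, params):
        """Runs before an MCP request reaches the tool. Returns (status, detail)."""
        rule = POLICY.get(f"{tool}:{action}")
        if rule is None:
            return "deny", "no_policy_for_action"
        limit, amount = rule.get("max_auto_amount"), params.get("amount")
        if rule.get("auto") or (limit is not None and isinstance(amount, (int, float)) and amount <= limit):
            return "allow", "within_threshold"      # a missing or non-numeric amount never auto-approves
        request_id = f"req-{len(self.audit_log) + len(self.pending) + 1}"
        self.pending[request_id] = {"agent_id": agent_id, "tool": tool, "action": action, "params": params}
        return "pending", request_id                # CIBA-style: the agent waits; the owner is notified out of band

    def resolve(self, request_id, approver, approved):
        """Backchannel answer from the owner. Returns the short-lived grant, or None if denied."""
        req = self.pending.pop(request_id)
        grant = {"agent_id": req["agent_id"], "scope": [f"{req['tool']}:{req['action']}"], "params": req["params"],
                 "not_after": (self.now + timedelta(minutes=10)).isoformat()} if approved else None
        # Hash-chained audit entry; a production system would also carry the approver's signature.
        entry = {"request": req, "approver": approver, "approved": approved, "grant": grant,
                 "prev_hash": self.audit_log[-1]["hash"] if self.audit_log else "0" * 64}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit_log.append(entry)
        return grant

def verify_log(log):
    """Recompute the chain; an edited or removed entry breaks the link to its neighbours."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev_hash"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

The grant is scoped to the single approved action and its exact parameters, so approving one large transfer does not authorize a second one; the hash chain makes later edits to the approval record detectable but, unlike a signature, does not by itself prove who approved.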
Control plane + execution plane: How they work together
Control plane tools and execution plane tools solve different problems at different layers.
The control plane manages identity
The control plane handles discovery, inventory, and lifecycle management. Platforms like Microsoft Entra Agent ID register agents at creation, assign ownership, and track lifecycle events. When an employee leaves, the control plane flags their identity and triggers workflows to reassign or decommission agents tied to that person.
The execution plane governs behavior
The execution plane handles runtime authorization. A policy engine operating at the MCP layer intercepts every tool call, validates the agent's identity and scope at the moment of action, and enforces human-in-the-loop requirements for high-risk operations.
Microsoft's positioning of Entra Agent ID alongside execution plane controls follows this model. Entra registers the agent at birth and manages its identity throughout its lifecycle. The execution plane validates every action the agent takes at runtime. One layer tracks identity. The other layer governs behavior.
Why enterprises need both layers
Compliance frameworks increasingly require human review of automated decisions with significant individual or business impact. Key frameworks that apply include:
GDPR Article 22 mandates human review of automated decisions affecting individuals
SOC 2 requires access to be reviewed and approved by responsible parties
OWASP Agentic Top 10 catalogs specific failure modes auditors reference when evaluating AI agent security
Meeting emerging compliance requirements
Meeting these requirements demands more than ownership assignment. Audit trails must link every consequential action to a verified human authorizer at the moment of execution. Control plane tools provide the ownership record. Execution plane tools provide the runtime approval record.
Containing misbehaving agents in milliseconds
Security teams need the ability to stop an agent action before it executes.
According to Saviynt, 47% of CISOs have observed AI agents exhibiting unintended or unauthorized behavior, but only 5% felt confident they could contain a compromised agent. Kiteworks reports that 60% of organizations cannot terminate a misbehaving agent quickly.
The control plane can decommission an agent, but decommissioning takes time. The execution plane can block an action in milliseconds by rejecting the agent's request at the policy engine before it reaches the tool.
Operational confidence comes from the combination of both layers. Financial services organizations deploying agents with access to payment systems need assurance that no agent can autonomously move money without human approval. Enterprise IT teams managing hundreds of agents need visibility into what those agents can do and the ability to intervene before a mistake becomes a production crisis.
How to evaluate your current AI agent governance
Two questions reveal whether you have gaps in your governance model:
Can you see which agents are running?
If you can enumerate every agent in your environment, identify its owner, and track its lifecycle, your control plane is functioning.
Can you stop an agent action before it executes?
If an agent attempts an unauthorized action, can your system intercept and block it at runtime without waiting for manual intervention?
If you can only answer the first question, you have visibility but not control. The agent might be registered and assigned to an owner, but nothing prevents it from acting beyond its authorized scope.
Control plane tools give you the inventory. Execution plane tools give you the circuit breaker.
See how 1Kosmos fits into the KYA framework
Visibility into your AI agents is an important first step, but not quite enough to protect your enterprise from autonomous risks. Registration and lifecycle management should be directly paired with runtime execution controls to guarantee that every automated action is authorized at the exact moment it occurs.
As your organization continues to scale its artificial intelligence initiatives, closing the execution gap should be a primary strategic priority.
Visit our AI Agents page to see how 1Kosmos authorizes agents at the moment of execution.
Contact us for a demo.
FAQs
What is the difference between a control plane and an execution plane in AI agent security?
A control plane manages the identity lifecycle of an AI agent by handling registration and ownership assignments when the agent is first created. The execution plane operates entirely at runtime by intercepting specific tool requests to validate identity and authorization before any action takes place. While the control plane provides visibility into which agents exist across the enterprise, the execution plane acts as a real-time circuit breaker that prevents unauthorized operations.
Why are traditional API keys insufficient for autonomous AI agents?
Traditional API keys present a significant security risk for autonomous agents because they rely on implicit trust and remain valid until they are manually revoked by an administrator. When an AI agent uses a static key, the target system cannot verify if the current action is appropriate for the given context or if it exceeds the intended scope of the automation. Replacing static keys with verifiable credentials ensures that every request is cryptographically bound to a specific agent and restricted by strict validity windows and scoped permissions.
How does the Model Context Protocol (MCP) relate to AI agent authorization?
The Model Context Protocol serves as the standard interface that routes requests from an AI agent to its required external tools and data sources. Because this layer sits directly between the agent and the system it wants to interact with, it provides the perfect integration point for execution plane governance. By applying a robust policy engine at the protocol layer, security teams can consistently enforce runtime authorization and block unauthorized requests before they ever reach the target application.
About the author

Rohan Pinto
Co-founder of 1Kosmos
Rohan is the co-founder of 1Kosmos. He is a go-to security and identity management expert and the founder of several businesses that have made considerable advancements in blockchain and identity management.