RSAC 2026: Every Major Vendor Just Shipped Agent Governance. Here's the Map.
AWS, Microsoft, Okta, Singulr, AvePoint, and Mimecast all launched agent governance products in the same week. Here's what each does, where they overlap, and what's still missing.
The Week Agent Governance Became a Product Category
RSAC 2026 (March 23-27, San Francisco) will be remembered as the conference where AI agent governance graduated from whitepaper topic to shipping product. In the span of a single week, every major cloud provider and security vendor announced or shipped agent governance capabilities.
This isn't a coincidence. It's a market responding to a crisis that's been building for months: enterprises are deploying AI agents faster than they can govern them. And with the EU AI Act's high-risk requirements going live in August 2026, the compliance clock is ticking.
Here's the complete landscape — what shipped, what it does, and what's still missing.
The Product Map
AWS: Bedrock AgentCore Policy (GA, 13 Regions)
What it does: Centralized governance layer that sits outside agent code. Security teams write policies in natural language ("Agents cannot access customer PII without manager approval"), which are automatically converted to AWS's open-source Cedar policy language. An AgentCore Gateway intercepts all agent-tool traffic and evaluates every call against policies before execution.
Key design decision: Policies operate outside the agent's code. Developers build agents. Security teams write governance rules. Neither modifies the other's work.
Also shipped: AgentCore Memory Streaming — push notifications for long-term memory changes via Amazon Kinesis, enabling real-time audit trails for agent memory mutations.
Layer: Runtime/Agent governance (tool-call interception)
Microsoft: Foundry IQ + Purview
What it does: Permission-aware retrieval and sensitivity labeling for AI agents. Agents inherit document-level permissions — if an agent tries to access a file the requesting user can't see, the retrieval is blocked.
Layer: Data/Knowledge governance (permission-filtered retrieval)
Okta: Okta for AI Agents (GA April 30)
What it does: Identity-based agent governance. Every AI agent gets an identity in Okta's identity fabric, with scoped permissions, session management, and audit trails. Answers the question: "Who is this agent, and what is it authorized to do?"
Layer: Identity governance
Singulr AI: Agent Pulse
What it does: Runtime governance and MCP server monitoring. Watches agent behavior in real-time and enforces operational boundaries.
Layer: Runtime monitoring
AvePoint: AgentPulse
What it does: Shadow agent discovery and kill switch. Finds AI agents deployed across the organization that IT doesn't know about, and provides the ability to shut them down.
Layer: Discovery and containment
Mimecast: Guardian Runtime
What it does: Per-user adaptive policies for agent actions. Policies change based on who triggered the agent, what data is involved, and what the organizational context is.
Layer: Context-aware policy enforcement
Kiteworks: Private Data Network + Secure MCP Server
What it does: Data-layer governance with FIPS 140-3 validated encryption, tamper-evident audit trails, and regulatory mapping (HIPAA, CMMC, PCI DSS, SEC, SOX). Authenticates agent identity, enforces attribute-based access control on file operations.
Layer: Data compliance and encryption
The Three-Layer Model
What's emerging from RSAC 2026 is a clear three-layer governance architecture:
Layer 1 — Compute/Execution: Where models run, inference routing, hardware security. Owned by NVIDIA (DGX, NemoClaw), cloud providers.
Layer 2 — Runtime/Agent: Tool invocation controls, sandboxing, policy enforcement, permission boundaries. Owned by AWS AgentCore Policy, OpenShell, Cisco AI Defense, CrowdStrike.
Layer 3 — Data/Compliance: Which data agents access, under what authorization, with what encryption, mapped to which regulations, with audit-ready documentation. Owned by Kiteworks, Microsoft Purview, Okta.
The critical insight: No single vendor covers all three layers. Enterprises need a stack, not a product. And someone needs to help them assemble, configure, and operationalize that stack.
What's Still Missing
Despite the flurry of product launches, significant gaps remain:
1. Agent Identity Standards
Okta is building identity for agents within their ecosystem, but there's no cross-platform agent identity standard. Luffa's Decentralized Identifier (DID) approach — giving agents cryptographic, verifiable identities — is the most ambitious attempt, but it's early. Most enterprises have no way to uniquely identify and authenticate their agents across platforms.
2. Cross-Platform Governance
An agent governed by AWS AgentCore Policy at the tool level still needs identity management (Okta) and data governance (Purview) to be fully controlled. Nobody is shipping the integration layer that makes these platforms work together.
3. Compliance Documentation
Every platform generates logs. None of them generate the compliance documentation regulators actually ask for: control catalogs, compliance matrices, risk classification reports, human oversight protocols. That's still a manual, expertise-intensive process.
4. Shadow Agent Discovery at Scale
AvePoint's AgentPulse addresses discovery, but shadow AI agents are fundamentally harder to find than shadow IT. Agents are built, not bought — there's no procurement trail. They run on cloud APIs — there's no infrastructure footprint. A comprehensive discovery approach requires multi-signal analysis across API spend, code repositories, network traffic, and team surveys.
5. Governance Strategy
The hardest question isn't "which tool do I buy?" — it's "what governance framework do I need for my specific agent fleet, regulatory exposure, and organizational structure?" That's a strategy question, not a product question.
What This Means for Your Organization
If you're deploying AI agents (and statistically, you are — even if you don't know about all of them), the RSAC 2026 wave means:
- Agent governance tooling is real and shipping. This is no longer a future consideration.
- You need a governance strategy before you buy tools. Without clarity on your risk profile, agent inventory, and regulatory exposure, you'll buy the wrong things.
- The compliance clock is ticking. EU AI Act high-risk requirements go live August 2, 2026. Five months.
- No single vendor solves the full problem. You need a stack — and someone to help you build it.
Our Agent Governance Audit starts with the foundation: discovering what agents you have, classifying their risk, assessing your compliance gaps, and recommending the right governance architecture for your specific situation. Seven days, fifteen pages, and a clear path forward.
The tools are shipping. The question is whether your governance program is ready for them.
CloudAI Enterprise helps organizations build governance-first AI operations. View our governance services →
Ready to Put This Into Practice?
Our AI Cost Audit gives you a concrete, custom action plan for your specific business — delivered in 5 business days for $497.