Why the 2026 buyer shifted from frameworks to control planes
Three forces drove the shift. The first is the cancellation curve. Gartner's projection that 40% of agentic AI projects will be cancelled by 2027 is now widely repeated, but the root cause inside enterprises is rarely model quality or framework choice. It is the absence of an answer when the security team asks "what can this thing actually do, and how do we prove that to an auditor?" Frameworks do not answer that question. Control planes do.
The second is platform consolidation. Microsoft Agent 365 went GA in May 2026 as an explicit control plane for Microsoft-stack enterprises — agent registry, Entra-bound identity, Defender and Intune integration. Based on Microsoft's published GA announcement on the Microsoft Security Blog, the product is positioned as application-level governance for agents inside the Microsoft trust boundary. That release alone reframed the category: if Microsoft is shipping a dedicated control plane, the category is real and table stakes.
The third is regulatory pressure. The EU AI Act's Articles 12, 13, and 14 — record-keeping, transparency, human oversight — translate directly into requirements a framework cannot satisfy on its own. Financial services regulators in the US and UK have started asking covered firms to describe their agent action controls in writing. Healthcare buyers under HIPAA need attestable decision logs that survive workload compromise. Each of these turns "which framework" into "which control plane that produces evidence my regulator will accept."
The result by mid-2026: framework choice is a developer experience decision, and control plane choice is a board-level decision. Most enterprise procurement teams have separated the two procurement tracks accordingly.
The 9-item buyer checklist
Every serious control plane evaluation in 2026 should answer these nine questions in writing before any vendor demo. The answers determine whether the product fits your deployment situation; demos confirm but should not lead.
- Deployment model. SaaS, customer-managed, or identity-provider-bound? This is the first cut. Customer-managed control planes live on your infrastructure; SaaS control planes ingest your agent telemetry into theirs.
- Agent discovery. How does the control plane know an agent exists in the first place? Registry-first systems (Microsoft Agent 365) require explicit registration; protocol-first systems (Cordum via CAP on NATS) discover agents as they connect.
- Policy enforcement point. Where in the agent's execution path is policy actually checked? Pre-dispatch (before the tool call) is strictly stronger than post-hoc observability, which only tells you what already happened.
- Identity model. Whose identity does the agent act as, and where is that identity issued? Microsoft Agent 365 binds to Entra. IBM ties to watsonx workspaces. Cordum issues agent identities at the CAP layer that map to your existing IdP.
- Audit evidence. Where do policy decisions get written? Can the auditor read them independently of the agent runtime? Out-of-process control planes produce audit data the workload cannot tamper with.
- Approval workflows. Can the control plane pause a high-risk action and route it to a human approver with the full context? Pre-dispatch approval is a different problem than post-hoc rollback, and most frameworks ship the latter.
- Source availability. Closed SaaS, closed enterprise, source-available, or open source? Source-available control planes let security teams audit the policy engine itself, not just its output. For regulated buyers this is increasingly non-negotiable.
- Runtime hardening. Does the control plane run in its own trust boundary or share a process with the agent? Trust-boundary separation is what survives a compromised agent runtime — and what auditors increasingly expect.
- Multi-tenancy. Can one control plane govern many teams, business units, or customers with isolated policy? In-process libraries push this into the integrating application; out-of-process control planes solve it once.
These nine items collapse into three buying dimensions: deployment model (items 1, 7, 8, 9), identity and discovery (items 2, 4), and audit and enforcement (items 3, 5, 6). The buyer-situation table below uses those three dimensions to map situations to products.
Microsoft Agent 365
Microsoft Agent 365 GA'd in May 2026 as Microsoft's commercial control plane for agents inside the Microsoft 365 estate. Based on the Microsoft Security Blog GA announcement (May 2026), it provides agent registry and discovery, Entra-bound agent identity, Defender for Cloud Apps integration, Intune device-and-data posture checks, and a management surface inside the Microsoft 365 admin experience. Agents register, get an Entra identity, inherit conditional access, and surface in the same security tools that govern human users.
Strength. For enterprises already standardized on Microsoft 365, Entra, Defender, and Intune, Agent 365 is the path of least resistance and arguably the most coherent option in market. Agents are governed by the same identity, conditional access, and posture machinery that already governs employees. Compliance teams get a single audit surface. Security operations gets agents in the same SIEM data they already analyze. The total integration cost across identity, posture, and audit is dramatically lower than assembling the same controls from third-party products.
Limitation. Per Microsoft's own description in the GA announcement, Agent 365 is application-level governance — it lives inside the Microsoft trust boundary and is bound to Microsoft identity. That is the right architecture for an enterprise inside the Microsoft stack. It is not the right architecture for buyers who need a control plane independent of Microsoft identity, or who need to run governance on infrastructure Microsoft does not operate, or who require source availability for internal audit of the policy engine itself.
The honest read: if your enterprise is a Microsoft enterprise, Agent 365 is the default and a strong one. If it is not — or if you operate across multiple identity providers — the fit is weaker.
IBM watsonx.governance
IBM watsonx.governance is IBM's broad enterprise AI governance suite. Per the IBM product page, it covers AI lifecycle governance, model risk management, regulatory compliance reporting, and integration with IBM's broader GRC tooling. It is sold primarily to large regulated buyers — banks, insurers, healthcare networks, government — that want a single vendor across the AI oversight stack, frequently as part of a wider watsonx commitment.
Strength. The breadth. IBM watsonx.governance addresses risks at the model, dataset, prompt, and outcome layers; integrates with audit and GRC tools enterprise risk teams already operate; and brings IBM's field-services muscle for large regulated deployments. For a CRO who needs to defend AI use to a regulator across an entire institution, the surface area IBM covers is hard to match. Procurement risk is also lower — IBM is a known counterparty most regulated buyers already have on paper.
Limitation. watsonx.governance is heavier than what most teams building agentic workflows want. It is enterprise GRC-shaped, not developer-first. It is less specifically focused on pre-dispatch action governance for agents — the moment-by-moment ALLOW/DENY decision on a tool call — than on lifecycle governance of models and outcomes. For a fintech engineering team that wants policy-as-code enforcement in front of agent actions on customer-managed infrastructure, the watsonx.governance shape is a poor fit. For a tier-one bank's model risk function, it is exactly the shape.
The honest read: IBM watsonx.governance is the right answer when the buyer is enterprise risk and the requirement is breadth. It is the wrong answer when the buyer is engineering and the requirement is execution-time policy on agent actions.
Cordum
Cordum is a source-available, out-of-process execution governance plane for AI agents. The Safety Kernel runs as a separate gRPC service behind mTLS — the agent calls it before dispatching any tool action, the kernel returns ALLOW, DENY, REQUIRE_APPROVAL, or ALLOW_WITH_CONSTRAINTS, and the decision is signed and logged outside the agent process. The Cordum Agent Protocol (CAP) carries agent traffic over NATS; Redis holds session and policy state; the entire platform runs on infrastructure the customer operates. There is no SaaS dependency by construction.
Strength. Trust-boundary separation. The policy decision lives in a different process from the agent, with its own identity and its own log stream. That is the same pattern enterprises already accepted for HSMs over in-process keys and for Kubernetes admission controllers over in-pod policy. For regulated workflows where the auditor will ask "could the workload have tampered with the audit trail," out-of-process governance answers no by construction. Source availability lets internal security teams audit the policy engine itself — not just its output — which is increasingly a procurement requirement at financial services and healthcare buyers. Deployment-model independence means Cordum can govern agents written in any framework, running on any cloud, bound to any identity provider.
Limitation. Cordum is not a SaaS quick-win. It requires running infrastructure — NATS, Redis, the Safety Kernel, the Workflow Engine, the Context Engine — that the customer operates. For teams without a platform engineering function, that is real overhead. Cordum is also not the right answer for enterprises whose entire estate is inside Microsoft 365 and whose security model is already Entra-centric; Agent 365 is a better fit for that buyer. And Cordum does not replace broad enterprise GRC — it complements but does not substitute for an IBM-shaped governance stack at a tier-one bank.
The honest read: Cordum wins on the "customer-managed, source-available, out-of-process, deployment-independent" axis. It loses on "zero-ops SaaS" and on "already a Microsoft shop." Pick accordingly.
Temporal, LangGraph, CrewAI, AutoGen
Three adjacent products show up in nearly every control plane evaluation and should be named clearly so the buyer does not confuse them with the category.
Temporal solves durable workflow execution — retries, state, time-travel, deterministic replay. Agentic deployments increasingly use Temporal as the orchestration substrate, and that is a real and important fit. Temporal does not, on its own, solve policy-as-code, identity binding, pre-dispatch action governance, or attestable audit. A production deployment that needs durable workflow and action governance usually runs both: Temporal for the workflow tier, a control plane for policy.
LangGraph, CrewAI, AutoGen are agent frameworks. They solve graph construction, multi-agent coordination, tool calling, and reasoning patterns. They are excellent for prototyping and for production agent logic. They do not solve governance — by design, they run inside the agent process and cannot offer the trust-boundary separation a regulated audit requires. The right pattern is to build agents in one of these frameworks and govern them with a separately-deployed control plane.
CyberArk and Palo Alto Networks show up adjacent to the category through CyberArk's Secure AI Agents Solution (now inside Palo Alto post-acquisition). That product runs identity and authorization out-of-process for agents inside the CyberArk identity boundary. It is a strong fit for enterprises already running CyberArk PAM. It is not a general-purpose agent control plane independent of that boundary.
Buyer-situation table
This is the table to send to the procurement committee. It collapses everything above into one mapping: what situation you are in, what product fits.
| Buyer situation | Better fit |
|---|---|
| Enterprise already deep in Microsoft 365 / Entra / Defender / Intune | Microsoft Agent 365 |
| Team needs source-available, customer-managed control plane | Cordum |
| Regulated workflow needs policy-before-dispatch outside the agent process | Cordum |
| Need broad enterprise AI governance across models, risks, and lifecycle | IBM watsonx.governance |
| Need durable workflow orchestration more than agent governance | Temporal |
| Need prototyping or agent framework | LangGraph, CrewAI, AutoGen |
| Need governance over coding agents and local tool execution | Cordum or Microsoft AGT depending on stack |
A reasonable enterprise often picks two: one control plane for the in-stack agents (Microsoft Agent 365 if the stack is Microsoft) and one for the out-of-stack or customer-managed governance surface (Cordum). Pretending one product covers every situation is a procurement mistake that the 40% cancellation curve will eventually catch.
When Cordum is not the right answer
The four cases where a buyer should pick something else, said honestly so the buyer can self-disqualify quickly.
SaaS-only buyers. If you do not want to run infrastructure and your procurement team has banned customer-managed software, Cordum is the wrong fit. A SaaS control plane — or in many cases the SaaS portions of Microsoft Agent 365 — is the right pick. Cordum's wedge is customer-managed deployment; turning that off undoes the wedge.
Microsoft-deep enterprises. If your entire stack is Microsoft 365, your identity is exclusively Entra, your endpoint posture is Intune, and your SOC runs on Defender and Sentinel, Microsoft Agent 365 is the lower-friction answer for the in-stack agents. Cordum still makes sense for any agents outside that boundary — coding agents on developer laptops, agents in a non-Microsoft cloud, governance independent of Entra — but for the in-stack workload Agent 365 is hard to beat.
Teams without compliance pressure on action governance. If no one in your organization has asked for a written description of agent action controls — no auditor, no regulator, no security committee — you may not yet need a dedicated control plane. Frameworks plus observability may be sufficient until the pressure arrives. Cordum is over-investment for that buyer.
Pure workflow durability use cases. If the actual problem you are solving is "our agent workflow loses state and restarts dump everything," the answer is Temporal, not a control plane. Cordum addresses policy and audit, not workflow durability. Buying the wrong category is worse than buying nothing.
How to decide
A three-step decision process that takes less than a week if the right people are in the room.
Step 1 — Write down the audit boundary requirement. Ask your audit, risk, or compliance lead one question: "If you had to defend our agent use to a regulator or external auditor tomorrow, what evidence would you need, and where would it need to live?" The answer collapses to one of three boundaries: inside the agent process is enough; inside our tenant is enough; outside the workload trust boundary is required. That single answer eliminates two of the three control plane categories immediately.
Step 2 — Write down the identity model already in production. Whose identity does the agent act as today, and who issues it? Entra-only shops trend toward Microsoft Agent 365. Multi-IdP shops or shops with custom identity trend toward Cordum. Workspace-bound shops on IBM trend toward watsonx.governance. The identity model is the second cut and frequently the deciding factor.
Step 3 — Match to the buyer-situation table above. With audit boundary and identity model written down, the table almost always identifies one or two viable products. Run the demos on those, not on the whole category. The procurement teams that get this wrong usually do it by running too many demos before deciding what they actually need.
The buyers who win in 2026 are the ones who pick a control plane before their auditor picks it for them.
FAQ
Frequently Asked Questions
What is an AI agent control plane?
Is Microsoft Agent 365 a control plane or a framework?
How is Cordum different from IBM watsonx.governance?
Do I need a control plane if I use Temporal?
What does 'out-of-process governance' actually mean for a buyer?
Can I run Cordum on AWS / GCP / on-prem?
What is the buying signal that says I'm ready for a control plane?
Is 'control plane' still a useful product category in 2026?
May 15, 2026 by Yaron Tal. Sources checked: Microsoft Security Blog (May 2026 Agent 365 GA announcement), IBM watsonx.governance product page, Cordum architecture docs at /docs/architecture. This article is buyer guidance, not a security audit or legal advice.