The Missing Layer
Where the Contract Ends and the Machine Begins: Governance Infrastructure in the Age of Agents
There is a document in your legal department that describes exactly what your vendors are allowed to do with your data. It specifies which records they can read, which fields they can write, under what conditions, and for what purpose. It was negotiated, reviewed, and signed.
It is also completely ignored at the moment it matters most — when the API call is made.
This is not a criticism of your vendors. It is a description of a structural absence — a gap in enterprise technology infrastructure that has existed for years, quietly, because the cost of ignoring it was manageable.
It is no longer manageable.
A Gap the Whole Stack Can See
In recent months, something worth noting has happened. From different stages and different vantage points, the people who build the foundational layers of the internet have begun describing the same problem.
On March 2, 2026, the Internet Engineering Task Force published an internet-draft on AI agent authentication and authorization. Internet-drafts are works in progress, not settled standards — but they are early and meaningful signals about where the technical community believes the internet needs to go. This one was precise: static API keys are a poor fit for AI agents. The internet needs context-bound validation. The credential model inherited from an earlier era was not designed for what is being built now.
Two weeks later, Jensen Huang stood on stage at NVIDIA’s GTC conference and said something that had rarely been said at that level, with that weight behind it:
“Agentic systems in the corporate network can access sensitive information, execute code, and communicate externally. Just say that out loud. This can’t possibly be allowed.”
He then said the ecosystem needed to bring the policy engine. He left the slot open.
At the RSA Conference in San Francisco, Cisco’s President and Chief Product Officer named the same shift in a single sentence: the agentic era requires a new governing model for how trust is established, how access is granted, and who is accountable when something goes wrong.
And Cloudflare’s CEO, speaking about infrastructure for the growing wave of autonomous agents, said it plainly: “The agents of the future will inherently have to pass through our network and abide by its rules.”
What each of them is pointing toward, from their respective layers of the stack, is the same gap at the application layer — between the credential that authorizes access and the contract that governs what that access is supposed to mean. None of them has supplied the execution layer that closes it.
The Gap Has Always Been There
The contract exists at the legal layer. The API key exists at the credential layer. There is nothing in between — no layer that reads the contract and enforces it at execution time.
Enterprise software has had security layers for decades. Firewalls guard the perimeter. Identity platforms control who can log in. Monitoring tools log suspicious behavior after the fact. But none of these tools can answer a simple question:
Is this vendor accessing data they are contractually permitted to access, right now, in this request?
The reason is structural. The contract lives in legal. The credentials live in IT. The data lives in the platform. These three worlds have never been connected at the execution layer. When a vendor is issued an API key, they are effectively handed a master key to the building. The contract says they may only enter one room. The credential lets them into every room.
Consider a practical example. A background screening vendor has a contractual right to access candidate records for one specific client. Their agreement specifies which record types are in scope, excludes compensation history and medical notes, and limits access to active placements. None of that is machine-readable. None of it is enforced at the moment the API call arrives. The vendor’s integration sees the full data model. What prevents overreach is not a technical control — it is the assumption that the vendor will comply with terms they were given in a PDF.
At human pace, with limited call volumes and periodic audits, this assumption was imperfect but survivable. At machine pace, with agents operating continuously, it is a different kind of problem.
What AI Changed
In the era of human-paced API calls, this gap was survivable. Vendor integrations were slow, discrete, and monitored by people. A compliance team reviewed logs. The blast radius of an overscoped credential was bounded by the pace of human action.
That era is over.
AI agents do not operate at human pace. They operate continuously, at machine speed, with persistent access to every system they are credentialed for. They do not make one API call and wait. They make thousands. They infer. They correlate. They retain context across sessions. The surface area of what a vendor can see and do is no longer bounded by human attention. It is bounded only by what the API technically permits.
The overscoped credential that was a theoretical risk in 2019 is a structural exposure in 2026. Every AI agent deployed — yours and your vendors’ — inherits the gap between what your contract says and what your API allows. That gap is now operating at machine speed, across every integration, continuously.
The most dangerous data exposure in the coming decade will not look like a breach. It will look like a vendor doing their job.
What the Missing Layer Is — and Is Not
The missing layer is not an API gateway. Gateways route traffic and apply rate limits. They do not understand contracts.
It is not an IAM platform. Identity and access management is built for employees, not for vendor-to-vendor integrations with contractual constraints.
It is not OAuth. OAuth handles delegation and consent flows. It does not enforce field-level access policies or entity scoping.
Components that address parts of this problem already exist — secrets managers, policy engines, data access governance tools, zero trust frameworks. The gap is not that no relevant component has been built. The gap is that no dominant execution layer has fused contract interpretation, runtime authorization, scoped credential mediation, per-vendor isolation, and auditability into a coherent control plane for third-party agentic access. Those things have remained separate. The moment they must work together is the moment the credential alone is no longer sufficient.
What is needed is a contract-aware runtime enforcement layer — something that sits between the credential and the data, compiles the machine-relevant terms of the vendor agreement into executable policy, and enforces them at the moment the API call is made. Before data moves, not after.
The contract contains the governing intent. The missing step is compiling the machine-relevant subset of that intent into live enforcement.
A word on the limits of this. Not every contractual term can be enforced at runtime. Some terms are ambiguous, some require human judgment, and some belong in post hoc audit rather than inline denial. The goal is not to replace legal governance with technical governance. The goal is to close the gap where technical enforcement is both possible and necessary — which is a large and increasingly important subset of it, and one that is not being systematically addressed today.
At the moment of the request, a contract-aware enforcement layer would do something straightforward: resolve vendor identity, verify the client tenancy the request concerns, check the permitted entity types and field scope, confirm the contract is still active and within its rate limits, and consult the revocation state before brokering the call. If any condition fails, the request is denied or the offending fields are redacted. The decision — allow, deny, or redact — is logged without exposing the underlying credentials. That is the primitive. It is not complex in concept. It is simply the piece that does not exist as a coherent control plane today.
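As an added illustration of the primitive just described, and of the background screening scenario earlier in the piece, the following Python is a minimal contract-aware policy decision point. It is example code written for this page, not code from the original essay or from Kokomo Systems; the contract format, field names, vendor and tenant identifiers, and the evaluation order (hard denials first, field-level redaction last) are all assumptions made for illustration. The machine-relevant subset of a vendor agreement is compiled into a policy object, each request is checked against it, and the resulting allow, deny or redact decision is recorded in an audit entry that never carries the vendor's credential.

```python
"""Contract-aware runtime enforcement, illustrative only.
Assumed contract schema and identifiers; not a real vendor agreement."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


# Constructed sample: the machine-enforceable subset of a screening vendor's agreement.
CONTRACT_TERMS = {
    "vendor_id": "vendor-screening-01",          # assumed identifier
    "client_tenant": "acme-hr",                   # assumed client tenancy
    "entity_types": ["candidate"],                # record types in scope
    "excluded_fields": ["compensation_history", "medical_notes"],
    "require_active_placement": True,             # only active placements
    "effective": "2026-01-01",
    "expires": "2026-12-31",
    "rate_limit_per_minute": 60,
}


@dataclass
class ContractPolicy:
    vendor_id: str
    client_tenant: str
    entity_types: set[str]
    excluded_fields: set[str]
    require_active_placement: bool
    effective: date
    expires: date
    rate_limit_per_minute: int
    revoked: bool = False


@dataclass
class Request:
    vendor_id: str
    tenant: str
    entity_type: str
    fields: list[str]
    record_is_active: bool
    today: str                # ISO date of the request
    calls_this_minute: int    # supplied by the broker's rate counter


@dataclass
class Decision:
    outcome: str              # "allow", "deny" or "redact"
    reason: str
    fields: list[str]         # fields actually released
    audit: dict               # decision record; contains no credential material


def compile_contract(terms: dict) -> ContractPolicy:
    """Compile the machine-relevant contract terms into an executable policy."""
    return ContractPolicy(
        vendor_id=terms["vendor_id"],
        client_tenant=terms["client_tenant"],
        entity_types=set(terms["entity_types"]),
        excluded_fields=set(terms["excluded_fields"]),
        require_active_placement=bool(terms["require_active_placement"]),
        effective=date.fromisoformat(terms["effective"]),
        expires=date.fromisoformat(terms["expires"]),
        rate_limit_per_minute=int(terms["rate_limit_per_minute"]),
        revoked=bool(terms.get("revoked", False)),
    )


def evaluate(policy: ContractPolicy, req: Request) -> Decision:
    """Decide allow / deny / redact for one request against one compiled contract."""
    def finish(outcome: str, reason: str, released: list[str]) -> Decision:
        audit = {"vendor": req.vendor_id, "tenant": req.tenant,
                 "entity": req.entity_type, "outcome": outcome,
                 "reason": reason, "fields_released": list(released)}
        return Decision(outcome, reason, list(released), audit)

    if req.vendor_id != policy.vendor_id:              # 1. resolve vendor identity
        return finish("deny", "unknown vendor", [])
    if req.tenant != policy.client_tenant:             # 2. verify client tenancy
        return finish("deny", "tenant not in scope", [])
    if policy.revoked:                                 # 3. consult revocation state
        return finish("deny", "contract revoked", [])
    today = date.fromisoformat(req.today)
    if not (policy.effective <= today <= policy.expires):   # 4. contract still active
        return finish("deny", "contract not in force", [])
    if req.calls_this_minute >= policy.rate_limit_per_minute:  # 5. rate limit
        return finish("deny", "rate limit exceeded", [])
    if req.entity_type not in policy.entity_types:     # 6. permitted entity types
        return finish("deny", "entity type not in scope", [])
    if policy.require_active_placement and not req.record_is_active:
        return finish("deny", "record is not an active placement", [])
    permitted = [f for f in req.fields if f not in policy.excluded_fields]
    if len(permitted) < len(req.fields):               # 7. field scope -> redact
        return finish("redact", "excluded fields removed", permitted)
    return finish("allow", "within contract", permitted)
```

In practice the broker would sit in front of the data platform, hold the real upstream credential itself, and hand the vendor only the released fields, so the vendor's integration never sees the full data model and the audit trail records the decision rather than the secret.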
Why Now
Three forces are converging.
First, AI agents are in production. This is no longer a forecast. Autonomous agents with persistent API access are running inside enterprise systems today. The same process that updates a candidate record, syncs notes, or enriches a profile can also traverse fields and entities no human intended it to touch — simply because the credential permits it. The gap is no longer theoretical.
Second, the regulatory direction of travel is toward demonstrable enforcement, not merely paper controls. In sector after sector, the question is shifting from “do you have a vendor agreement?” to “what did you actually enforce, and can you prove it?” That shift has not yet hardened into universal mandate, but its direction is clear.
Third, the vendor ecosystem has become too complex to govern manually. A mid-market enterprise may now carry dozens of vendor API integrations. Each one is a credential. Each credential is a gap. At some point, the assumption of compliance breaks under its own weight.
The IETF named it. Jensen pointed at the open slot. Cisco called it the governing model the agentic era demands. Cloudflare named the rules agents will have to abide by. What each of them is describing, from their respective layers of the stack, is the same structural absence.
Every generation of the internet has required infrastructure that did not exist until the moment it became necessary. The same way encryption became foundational. The same way identity management became foundational. The moment arrives not with a trumpet but with a quiet accumulation of problems that can no longer be individually contained.
The slot has been open for years. The difference now is that everyone can see it.
A. Michelle Petigny is the Founder and CEO of Kokomo Systems, building execution-time governance infrastructure for the AI era.
The contract was always the governing artifact. In an agentic environment, it is no longer enough unless its operative terms survive contact with the request. Kokomo is building the execution layer that makes that possible.