AI Agents Are the New Control Plane: Governing Identity, Tool Access, and Observability Across Azure, AWS, Google Cloud, and VCF

Introduction

The first article in this series focused on multicloud control-plane sprawl.

Azure, AWS, Google Cloud, and VMware Cloud Foundation each bring their own identity model, policy engine, network architecture, observability stack, automation surface, and lifecycle model. That is already enough to create governance fragmentation.

AI agents add another layer.

An agent is not just a model call. An agent can receive instructions, reason over context, retrieve data, call tools, invoke APIs, trigger workflows, summarize sensitive information, and sometimes take action on behalf of a user or system.

That makes agent governance a control-plane problem.

If agents are built separately inside Azure, AWS, Google Cloud, SaaS platforms, and private cloud environments without a shared governance model, the enterprise will not just have cloud sprawl. It will have delegated decision-making sprawl.

This article focuses on how to govern agent identity, tool access, data boundaries, network egress, observability, human approval, and exceptions across Azure, AWS, Google Cloud, and VCF.

Why Agent Governance Changes the Multicloud Conversation

Traditional governance assumes a fairly predictable actor.

A human administrator signs in. A pipeline deploys infrastructure. A workload calls another service. A scheduled task runs a job. Those patterns can still be complex, but they are usually bounded by known identities, known permissions, and known workflows.

Agents blur those lines.

An agent might:

  • answer a user question
  • search enterprise knowledge
  • retrieve records from a database
  • call a ticketing API
  • summarize logs
  • recommend a remediation step
  • execute a runbook
  • create a firewall request
  • invoke a cloud API
  • trigger a deployment
  • hand off to another agent

That means agent governance cannot live only in the AI platform.

It has to connect to enterprise identity, cloud policy, observability, networking, data governance, automation, and change control.

Agent Control-Plane Model at a Glance

The diagram below shows the pattern. The agent runtime should not be the only place where policy lives. The agent should operate through controlled identities, tool brokers, policy checks, approval gates, and telemetry pipelines.

The key point is that the agent does not get direct, unlimited access to enterprise systems just because it can reason.

Reasoning is not authorization.

Treat Agents as Workloads With Additional Risk

A useful mental model is to treat agents as workloads with extra risk.

They need the normal workload controls:

Workload ControlAgent Equivalent
Runtime identityAgent identity and execution context
API permissionsTool permissions and API scopes
Network rulesAgent egress and tool access boundaries
LoggingPrompt, response, trace, tool-call, and policy-decision telemetry
Change controlAgent versioning, prompt updates, tool changes, and approval workflows
Data governanceRetrieval boundaries, memory controls, and data classification limits
Incident responseAgent disablement, session review, tool revocation, and audit trail

But agents also need controls that traditional workloads often do not:

Agent-Specific ControlWhy It Matters
Instruction governanceSystem prompts and developer instructions shape behavior
Tool selection policyThe agent may choose which action path to take
Retrieval policyThe agent may pull context from sensitive sources
Memory policyThe agent may retain session or user context
Human approval gatesSome actions require review before execution
Response safetyOutput may reveal sensitive or misleading information
Delegation limitsThe agent may act on behalf of a user, system, or workflow
Multi-agent boundariesAgents may call other agents or shared tools

The risk is not that every agent is dangerous.

The risk is that every agent is a new actor in the enterprise control model.

Define Agent Identity Before Tool Access

Agent governance should start with identity.

Before asking what tools an agent can use, ask what identity it runs as and whose authority it carries.

There are several common patterns:

Agent Identity PatternUse CaseRisk
Agent-owned identityThe agent runs with a dedicated service identityEasier to audit, but can become over-permissioned
User-delegated identityThe agent acts within the user’s approved scopeStronger least privilege, but harder to implement consistently
Workflow identityThe agent triggers approved automation through a pipeline or brokerGood for controlled operations, but requires strong workflow design
Break-glass identityThe agent participates in emergency operationsHigh risk and should require strict approval and review
Read-only identityThe agent retrieves knowledge or observability data onlyLower risk, but still needs data boundary controls

The worst pattern is shared invisible authority.

If multiple agents use the same privileged identity, and that identity can call cloud APIs, ticketing systems, code repositories, and VCF automation endpoints, the enterprise has created a new privileged control plane without the normal review discipline.

Each production agent should have:

  • a named owner
  • a business purpose
  • a runtime identity
  • an approved user population
  • an approved tool list
  • an approved data boundary
  • an approved network boundary
  • an observability requirement
  • an exception process
  • a disablement path

That list may look heavy, but it is lighter than trying to explain an unbounded agent after an incident.

Tool Access Is the Real Governance Boundary

The most important agent design decision is not the model.

It is the tool boundary.

A model that can only answer questions has one risk profile. A model that can call APIs, update tickets, change firewall rules, create cloud resources, or trigger automation has a very different risk profile.

A practical agent tool model should classify tools into tiers:

Tool TierExampleDefault Control
Tier 0: No external toolGeneral response generationStandard logging and content review
Tier 1: Read-only knowledgeSearch documentation, retrieve approved KB articlesData classification and query logging
Tier 2: Read-only operationsQuery logs, metrics, inventory, configuration stateIdentity scoping and observability
Tier 3: Workflow initiationCreate ticket, request change, open approvalHuman review and workflow evidence
Tier 4: Controlled executionRun approved remediation, restart service, update configApproval gate, rollback path, full audit
Tier 5: Privileged platform actionModify IAM, networking, policy, production deploymentDeny by default; exception and break-glass only

This tiering matters across all platforms.

An Azure-hosted agent might call an AWS API. A Google Cloud agent might retrieve information from a VCF-hosted application. A private AI workflow on VCF might call a SaaS API or public cloud service. The policy cannot stop at the runtime boundary.

The tool is where intent becomes action.

Use a Tool Broker Instead of Direct Platform Access

For production agents, direct access to sensitive APIs should be the exception.

A better pattern is a tool broker or gateway.

The broker sits between the agent and enterprise systems. It enforces tool policy, validates inputs, applies rate limits, checks data boundaries, records tool calls, handles approvals, and sends evidence into the observability pipeline.

The broker pattern gives the enterprise several advantages:

Broker CapabilityGovernance Value
Tool registryShows which tools exist and who owns them
Policy checkValidates whether the agent can use the tool
Input validationReduces malformed or risky tool calls
Approval gateStops sensitive actions until a human approves
Credential boundaryPrevents the agent from directly handling secrets
Network mediationControls where agent traffic can go
Audit trailRecords who asked, what happened, and why
RevocationAllows fast removal of a tool without rebuilding the agent

This is especially important in multicloud environments because every platform has different API semantics and permission models.

A broker can present a controlled enterprise tool surface while platform teams translate the back-end implementation into Azure, AWS, Google Cloud, VCF, ITSM, Git, or monitoring systems.

Observability Must Capture Decisions, Not Just Messages

Agent observability needs to go beyond input and output.

A normal application trace shows request flow, latency, error state, and dependency calls. Agent traces need that, but they also need decision context.

A useful agent telemetry record should include:

Telemetry FieldWhy It Matters
agent_idIdentifies the agent that acted
agent_versionShows which version of instructions, tools, and code was active
user_contextCaptures the requesting user or system context
runtime_identityShows which identity executed the action
tool_nameIdentifies the tool selected
tool_tierMaps the action to risk
policy_decisionShows allow, deny, approval required, or exception used
data_sourcesIdentifies retrieval sources used for context
model_endpointShows model/provider boundary
approval_idConnects action to human approval when required
exception_idConnects deviation to approved exception
downstream_actionRecords what changed or was requested
correlation_idLinks agent activity to logs, traces, tickets, and cloud events

Without this, the enterprise may know that an agent responded, but not why it acted, what it touched, or which policy allowed it.

That is not enough for production operations.

Policy-as-Intent for Agent Controls

Agent policy should be written as enterprise intent first, then mapped into the runtime, broker, identity, and platform enforcement layers.

The following YAML is not meant to be pasted directly into one vendor tool. It is a governance contract that platform and AI teams can translate into their native controls.

control_id: AGENT-TOOL-004
name: Require approval for privileged platform actions
owner: Enterprise AI Governance
risk_domain: Agentic Operations
applies_to:
  environments:
    - production
    - regulated
  platforms:
    - azure
    - aws
    - google-cloud
    - vcf

intent:
  description: >
    AI agents must not execute privileged platform actions directly
    without an approved workflow, scoped identity, policy decision,
    and human approval record.
  default_action: deny
  exception_required: true

agent_requirements:
  required_metadata:
    - agent_id
    - agent_owner
    - business_purpose
    - runtime_identity
    - tool_tier
    - data_classification
    - environment
    - approval_id
    - correlation_id

tool_policy:
  tier_1_read_only_knowledge:
    default_action: allow_with_logging
  tier_2_read_only_operations:
    default_action: allow_with_scoped_identity
  tier_3_workflow_initiation:
    default_action: allow_with_ticket_evidence
  tier_4_controlled_execution:
    default_action: require_human_approval
  tier_5_privileged_platform_action:
    default_action: deny_without_exception

platform_mappings:
  azure:
    examples:
      - Microsoft Foundry Agent Service policy and tool configuration
      - managed identity or workload identity boundary
      - Azure Monitor and Log Analytics telemetry
      - Azure Policy or deployment pipeline validation

  aws:
    examples:
      - Amazon Bedrock Guardrails or AgentCore policy boundary
      - IAM role scoping for agent and tool execution
      - CloudWatch, CloudTrail, and workflow evidence
      - AWS Organizations controls where appropriate

  google_cloud:
    examples:
      - Gemini Enterprise Agent Platform governance and observability
      - service account or workload identity boundary
      - Cloud Logging, Cloud Trace, and Cloud Monitoring evidence
      - Organization Policy where applicable

  vcf:
    examples:
      - VCF Automation catalog and approval policy
      - NSX or vCenter role boundary
      - VCF Operations evidence
      - change record and rollback validation

approval:
  required_for:
    - firewall_rule_change
    - iam_change
    - production_deployment
    - vcf_lifecycle_action
    - privileged_runbook_execution
  approver_role: Platform Risk Approver
  max_approval_duration_minutes: 60

observability:
  required_events:
    - agent_invocation
    - policy_decision
    - tool_selection
    - tool_invocation
    - approval_result
    - downstream_action
    - exception_use
  retention_class: regulated_operations

exception_model:
  max_duration_days: 30
  requires_risk_owner: true
  renewal_requires_review: true

The value of this artifact is not the syntax.

The value is that it separates enterprise policy from runtime-specific configuration.

Map Agent Patterns to Default Controls

Not every agent needs the same governance model.

The enterprise should define common agent patterns and assign default controls before teams start building one-off agents.

Agent PatternExampleDefault Governance
Knowledge assistantAnswers questions from approved documentationRead-only retrieval, content logging, no privileged tools
Operations analystSummarizes logs, alerts, and inventoryRead-only observability access, scoped identity, trace logging
Ticket assistantDrafts or updates ticketsITSM tool broker, user context, change evidence
Workflow assistantStarts approved workflowsHuman approval for sensitive workflow classes
Deployment assistantGenerates or validates infrastructure changesCI/CD integration, no direct production write access
Incident triage agentCorrelates telemetry and recommends actionRead-only by default, controlled runbook execution
Remediation agentExecutes approved corrective actionsStrong approval, rollback, audit, and kill switch
Platform admin agentPerforms privileged operationsDeny by default; highly restricted exception model

This prevents every team from negotiating governance from scratch.

It also helps architecture review boards ask better questions. Instead of asking “Is this agent safe?” they can ask “Which approved agent pattern does this follow, and where does it deviate?”

Human Approval Should Be Designed Into the Workflow

Human approval is often bolted on too late.

For agentic systems, approval should be part of the architecture.

A good approval design should define:

  • which actions require approval
  • who can approve them
  • what context the approver sees
  • how long approval remains valid
  • whether approval is single-use or reusable
  • what happens when approval expires
  • how the approval is recorded
  • how rollback is triggered
  • how the agent behaves after denial

This matters because agents can generate plausible action plans.

A plausible action plan is not the same as an approved change.

For production systems, the agent should not be allowed to convert reasoning directly into impact without the right control gate.

Network Egress Is an Agent Safety Control

Agent governance often focuses on prompts, models, and guardrails.

Those matter, but network egress is just as important.

An agent that can reach arbitrary internet endpoints, SaaS APIs, internal APIs, and cloud control-plane endpoints has a large blast radius. Even if the model is behaving correctly, the access path may be too broad.

A production agent should have a defined egress profile:

Egress ProfileUse Case
No external egressOffline or tightly controlled internal reasoning
Approved retrieval onlyKnowledge agent with approved search or document access
Approved SaaS APIsTicketing, collaboration, or workflow integration
Private API onlyInternal service integration through private endpoints
Tool broker onlyAgent cannot call systems directly
Privileged platform APIsException-based, tightly monitored, approval required

For high-risk agents, the safest design is often simple:

The agent talks to the broker. The broker talks to the enterprise systems.

That creates a clean enforcement point.

VCF and Private AI Need the Same Agent Discipline

Private AI does not remove agent governance requirements.

Running models, retrieval systems, or automation workflows closer to VCF may improve locality, data control, latency, or operational alignment. But the agent still needs identity, tool policy, observability, network boundaries, approvals, and exception handling.

In a VCF-connected agent design, pay special attention to:

AreaVCF Governance Question
VCF AutomationCan the agent request or execute catalog items?
vCenterCan the agent read inventory, modify VMs, or affect clusters?
NSXCan the agent request firewall or segment changes?
VCF OperationsCan the agent query alerts, capacity, or compliance evidence?
IdentityWhich role mapping allows agent or broker access?
LifecycleCan the agent influence upgrades, certificates, passwords, or maintenance workflows?
EvidenceWhere are agent actions correlated with VCF events and change records?

The private cloud does not get a weaker control model because it is private.

If anything, agent access to private infrastructure needs a stronger one because the blast radius often includes core enterprise systems.

A Practical Implementation Sequence

The operating model should start small and become enforceable.

Phase 1: Build the Agent Inventory

Document all known agents, assistants, copilots, workflow bots, automation helpers, and model-driven tools.

Track owner, runtime, identity, users, tools, data sources, model endpoints, environment, and business purpose.

Phase 2: Define Agent Risk Tiers

Classify agents by action capability, not by branding.

A chatbot with no tools is different from an incident agent that can run remediation. A knowledge assistant is different from a deployment assistant.

Use tool tier and data classification as the first risk signals.

Phase 3: Create the Tool Registry

Create a registry of approved tools and APIs.

Each tool should have an owner, risk tier, allowed agent patterns, required identity, approval requirement, logging requirement, and revocation path.

Phase 4: Add the Broker Pattern for Sensitive Tools

Do not let early agents connect directly to high-impact APIs.

Start with a broker for ITSM, observability queries, deployment workflows, and platform operations. Add stricter controls for identity, networking, production change, and VCF automation.

Phase 5: Standardize Agent Telemetry

Make prompt, response, trace, tool call, policy decision, approval, and downstream action telemetry part of the production requirement.

Do not wait for an incident to discover that no one can reconstruct what the agent did.

Phase 6: Review Exceptions and Drift

Agent exceptions should expire.

Review agents regularly for new tools, broadened permissions, changed instructions, new data sources, model endpoint changes, and unreviewed workflow paths.

Agent drift is real. Treat it like platform drift.

Conclusion

AI agents are becoming a new enterprise control plane.

They do not just generate content. They can retrieve data, choose tools, call APIs, initiate workflows, and influence production operations. That makes them part of the same governance conversation as identity, policy, observability, networking, automation, and lifecycle management.

The right answer is not to block every agent or trust every platform default.

The right answer is to define enterprise intent, classify agent patterns, control tool access, standardize telemetry, require approval for high-impact actions, and map the model into Azure, AWS, Google Cloud, and VCF using native capabilities.

Agents should make operations faster.

They should not make authority invisible.

External References

Leave a Reply

Discover more from Digital Thought Disruption

Subscribe now to keep reading and get access to the full archive.

Continue reading