Every System an Agent Touches Is Now a Governance Problem
LangGuard, Reco, and ERP Today target the agent action surface: the gap between what agents can reach and what controls govern that access.
By Springvanta
Every system that once required a human to log in and click through a UI is now directly reachable by AI agents. MCP servers, REST APIs, CLI commands, SQL interfaces, headless SaaS platforms. The surface area where agents can act keeps expanding, and the controls governing what happens at that boundary have not kept up.
Three things shipped between June 10 and June 12 that target this gap from different angles. LangGuard launched Arbiter, a runtime enforcement engine that evaluates every agent action before it reaches the target system. Reco announced a Claude Security integration that maps which agents connect to which applications, API keys, and MCP servers. And ERP Today published an infrastructure checklist arguing the gap between wanting AI agents and having the infrastructure to run them safely is wider than most organizations have acknowledged.
LangGuard calls the problem the "agent action surface." The surface includes every tool, API, and system an agent can reach to do its job. As more enterprise SaaS platforms activate embedded agents by default, that surface grows without anyone deciding to expand it.

Your APIs were built for humans
The ERP Today checklist, published June 12, synthesizes four developments into one diagnosis. The sharpest comes from Jentic, whose API scoring tool evaluates enterprise APIs across six readiness dimensions: foundational compliance, developer experience, AI-readiness, agent usability, security, and AI discoverability. After analyzing 1,500+ APIs, Jentic found repeated gaps: server definitions missing, authentication details buried in human-facing docs, invalid OpenAPI specs, missing required parameters.
Jentic CEO Sean Blanchfield described the core issue: "Existing enterprise APIs were built for humans, not for AI. That's why so many organisations find themselves stuck in pilot purgatory."
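The gap classes listed above can be checked mechanically. The following is an added example, not Jentic's scoring tool or code from any project named here: a small lint over an OpenAPI 3.x document that flags missing servers, missing machine-readable authentication, and undeclared required path parameters. The sample spec and all finding strings are constructed for illustration.

```python
import re

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head"}

def lint_openapi(spec):
    """Return findings for the gap classes listed above (OpenAPI 3.x dict input)."""
    findings = []
    if not str(spec.get("openapi", "")).startswith("3."):
        findings.append("spec: missing or unsupported 'openapi' version")
    if not spec.get("servers"):
        findings.append("spec: no servers defined, no base URL to call")
    if not spec.get("components", {}).get("securitySchemes"):
        findings.append("spec: no securitySchemes, auth is not machine-readable")
    global_security = spec.get("security")
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level parameters apply to every method
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            where = f"{method.upper()} {path}"
            if op.get("security") is None and global_security is None:
                findings.append(f"{where}: no security requirement declared")
            required_path = {p.get("name") for p in shared + op.get("parameters", [])
                             if p.get("in") == "path" and p.get("required") is True}
            for name in re.findall(r"\{([^}]+)\}", path):
                if name not in required_path:
                    findings.append(f"{where}: path parameter '{name}' not declared required")
    return findings

# Constructed sample spec (not a real API): no servers, no auth, one undeclared parameter.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed invoices API", "version": "1.0"},
    "paths": {
        "/invoices/{invoiceId}": {
            "get": {"operationId": "getInvoice"},
            "delete": {"operationId": "deleteInvoice", "parameters": [
                {"name": "invoiceId", "in": "path", "required": True,
                 "schema": {"type": "string"}}]},
        }
    },
}

if __name__ == "__main__":
    for finding in lint_openapi(SAMPLE_SPEC):
        print(finding)
```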
The backdrop matters. Databricks hit a $5.4 billion revenue run rate growing 65% year-over-year, reportedly in talks for a $165-175 billion valuation. That growth tells you where enterprise AI spending is actually going: the data and infrastructure layer, not the model layer. Hanlin Tang, Databricks' CTO of Neural Networks, said companies are "already deriving real value from agentic AI," a claim he said he could not have made a year earlier.
On the security side, Anthropic expanded Project Glasswing to approximately 150 organizations across 15+ countries in early June, adding power, water, healthcare, and communications sectors. Existing partners have already found more than 10,000 high- or critical-severity vulnerabilities. Anthropic's warning was specific: if Mythos-class models are six to twelve months from general availability across multiple vendors, "organizations' current security posture is already obsolete."
Mapping what agents touch
Reco's Claude Security integration, announced June 12, targets a specific operational blind spot. Enterprises using Claude operate across two administrative surfaces: Claude Enterprise, where employees work day-to-day, and Claude Platform, where developers manage API keys, workspaces, and agent deployments. Reco connects activity across both and correlates it with identities, permissions, and data paths across 230+ applications.
The integration maps each agent's model, version history, tools, permission policies, and connected MCP servers. It then looks for what Reco calls "toxic combinations": an overpermissioned agent with access to sensitive data, an API key persisting beyond its intended use case, or an account retaining Claude access after an employee leaves.
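The three "toxic combinations" named above, expressed as checks over an inventory. This is an added example, not Reco's implementation: the inventory records, field names, the 90-day usage window, and the sensitivity labels are all assumptions, and the fourth check (an active key owned by a departed user) is an added correlation beyond the three the article lists.

```python
from datetime import date

# Constructed inventory; every field name and value is an assumption for illustration.
AGENTS = [
    {"id": "agent-billing", "granted": {"crm:read", "crm:write", "db:admin"},
     "used_90d": {"crm:read"}, "data_labels": {"pii"}},
    {"id": "agent-docs", "granted": {"wiki:read"},
     "used_90d": {"wiki:read"}, "data_labels": {"public"}},
]
API_KEYS = [
    {"id": "key-poc", "owner": "dana", "intended_until": date(2026, 3, 31), "active": True},
    {"id": "key-prod", "owner": "lee", "intended_until": date(2026, 12, 31), "active": True},
]
ACCOUNTS = [
    {"user": "dana", "employment": "terminated", "claude_access": True},
    {"user": "lee", "employment": "active", "claude_access": True},
]
SENSITIVE = {"pii", "financial", "secrets"}

def toxic_combinations(agents, keys, accounts, today):
    """Return (rule, subject, detail) tuples; each rule joins two facts about one subject."""
    findings = []
    for a in agents:
        unused = a["granted"] - a["used_90d"]  # granted but never exercised in the window
        if unused and a["data_labels"] & SENSITIVE:
            findings.append(("overpermissioned_agent_sensitive_data", a["id"], sorted(unused)))
    for k in keys:
        if k["active"] and k["intended_until"] < today:
            findings.append(("api_key_past_intended_use", k["id"],
                             k["intended_until"].isoformat()))
    departed = {acc["user"] for acc in accounts if acc["employment"] != "active"}
    for acc in accounts:
        if acc["user"] in departed and acc["claude_access"]:
            findings.append(("access_retained_after_departure", acc["user"], "account"))
    for k in keys:  # added correlation: identity state joined to key ownership
        if k["active"] and k["owner"] in departed:
            findings.append(("active_key_owned_by_departed_user", k["id"], k["owner"]))
    return findings

if __name__ == "__main__":
    for row in toxic_combinations(AGENTS, API_KEYS, ACCOUNTS, date(2026, 6, 12)):
        print(row)
```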
Reco CEO Ofer Klein put the shift in context: "Claude is becoming part of the enterprise operating fabric, not just another AI tool. Security teams need to understand who is using it, what agents and applications it connects to, what permissions are involved."
Reco also lets security teams query its graph through Claude via an MCP server. A team can ask plain-language questions about access patterns, ownership, and anomalous activity, and get answers drawn from the Reco Graph. The same model running the agents becomes the investigation interface.
Saying no at the action surface
LangGuard Arbiter, announced June 10 at the Databricks Data and AI Summit, operates at the boundary between an agent's reasoning and the systems it tries to reach. Every action an agent attempts gets evaluated before it reaches the target. The outcome is deterministic: ALLOW, BLOCK, or ESCALATE to a human.
The motivation is concrete. In April 2026, an agent deleted a production database in nine seconds after reasoning its way to a destructive API call. The agent had valid credentials. No human was consulted. LangGuard's argument: the agent operated within its permissions. The architecture failed.
LangGuard also addresses what it calls the "lethal trifecta": a sequence of individually permissible actions that, combined, produce an outcome no one authorized. The product's Segregation of Duties policies apply the same controls that govern human workflows to agents, blocking conflicting actions in the same session.
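A deterministic gate of the kind described in the two paragraphs above, as an added example rather than LangGuard's code or policy format. The action fields, the allow-list, the destructive-operation set, and the conflicting-duty pair are hypothetical. The gate never looks at credentials: a validly authenticated destructive call on production still escalates, and an operation that is permissible on its own is blocked when its conflicting counterpart already ran in the same session.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "ALLOW"
    BLOCK = "BLOCK"
    ESCALATE = "ESCALATE"

@dataclass(frozen=True)
class Action:
    session: str     # agent session the action belongs to
    tool: str        # target system, e.g. "db" or "erp"
    operation: str   # what the agent is trying to do
    env: str         # "prod" or "dev"

# Hypothetical policy data for the example.
ALLOWED = {("db", "select"), ("db", "drop_database"),
           ("erp", "create_vendor"), ("erp", "approve_payment")}
DESTRUCTIVE = {"drop_database", "delete_table", "truncate"}
SOD_CONFLICTS = [frozenset({"create_vendor", "approve_payment"})]

class Gate:
    def __init__(self):
        self.history = {}  # session -> operations already allowed in that session
        self.log = []      # append-only (action, decision, rule) record for audit

    def evaluate(self, a):
        seen = self.history.setdefault(a.session, set())
        if (a.tool, a.operation) not in ALLOWED:
            decision, rule = Decision.BLOCK, "default-deny"
        elif any(a.operation in pair and (pair - {a.operation}) & seen
                 for pair in SOD_CONFLICTS):
            decision, rule = Decision.BLOCK, "segregation-of-duties"
        elif a.operation in DESTRUCTIVE and a.env == "prod":
            decision, rule = Decision.ESCALATE, "destructive-on-prod"
        else:
            decision, rule = Decision.ALLOW, "allow-list"
        if decision is Decision.ALLOW:
            seen.add(a.operation)  # only executed actions count toward later conflicts
        self.log.append((a, decision, rule))
        return decision

if __name__ == "__main__":
    gate = Gate()
    for act in (Action("s1", "erp", "create_vendor", "prod"),
                Action("s1", "erp", "approve_payment", "prod"),
                Action("s1", "db", "drop_database", "prod")):
        print(act.operation, gate.evaluate(act).value)
```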
Every policy LangGuard generates gets red-teamed against adversarial agent behavior before it takes effect. The ones that pass become verified entries in a policy ledger that traces from compliance intent to enforcement decision. That ledger is what auditors ask for and what enterprises have not been able to produce automatically.
Venkat Raghavan, LangGuard's co-founder, described the urgency in plain terms: "Every enterprise is just days away from an agent incident they can't explain to their board."
What to do about it
The three layers map to three practical steps. First, score your API estate. Jentic's CLI is free and evaluates APIs across six dimensions in minutes. If your APIs cannot pass an automated readiness check, your agents will fail in production, not in testing.
Second, inventory your agents. If you are running Claude Enterprise or Platform and cannot list every active agent with its permissions, tools, and connected MCP servers, you have a visibility gap. Reco's 230-application mapping covers the most common SaaS connections.
Third, enforce at the action boundary. If your current controls are prompt-level instructions or policy documents, they do not operate at machine speed. LangGuard's ALLOW/BLOCK/ESCALATE model is one approach. Microsoft's Agent Control Specification, announced at Build in early June, is another. The specific product matters less than having deterministic enforcement at the layer where agents act.
The action surface is not getting smaller. Every new MCP server, every API an agent discovers, every embedded agent a SaaS vendor activates by default adds to it. The organizations that will run agents reliably are the ones building the scoring, visibility, and enforcement infrastructure now, before the next nine-second incident is theirs.