Agent Governance Split Three Ways in One Week
F5, Anjuna, and Tigera each launched agent security platforms from different infrastructure layers in one week. Which layer do you already own?
By SpringVanta
F5 launched an AI security platform this morning and bought a company called SurePath AI to power it. Anjuna Security launched something different at the same time: a control layer for autonomous agents that runs inside a Trusted Execution Environment, enforced by the CPU itself.
A week ago, Tigera shipped Lynx, which does the same thing but from inside Kubernetes.
Three infrastructure companies. Three control planes. Three completely different answers to the same question: where should agent governance physically live?
The honest answer is that none of them is wrong. They just start from different places, and the layer you already own is probably the one you will deploy first.
F5: the network layer
F5 (NASDAQ: FFIV) has been delivering and securing enterprise applications for 30 years. Their new AI Security Platform sits where their existing Application Delivery and Security Platform already sits: in front of every API call, every model request, every agent action.
The platform has five components. AI Discovery maps every AI application, agent, and MCP tool call across the enterprise, sanctioned or not. AI Security Testing stress-tests systems against 140,000 attack patterns before production. AI Governance translates risk tolerances into enforceable boundaries. AI Runtime Protection blocks prompt injection and data leakage at 98.2 percent efficacy in independent testing. AI Observability provides audit trails.
F5 also acquired SurePath AI, a Colorado company that does network-based discovery of AI usage. SurePath deploys passively through network redirects, no application integration required. It detects unauthorized AI activity and traces agent tool calls and MCP server connections without touching application architecture.
The stat that matters: F5's 2026 State of Application Strategy Report found that 98 percent of organizations are preparing for agentic AI. The same report found 88 percent have already hit at least one AI-related operational or security challenge.
Kunal Anand, F5's Chief Product Officer, had this to say: "Most AI security today is a wrapper around a chatbot. That is not security." He pointed out that enterprises run AI inside regulated networks, behind APIs, and across agents that authenticate and act on their own. F5's bet is that the network layer is the right place to catch all of that traffic because it already passes through F5's infrastructure.
Anjuna: the silicon layer
Anjuna takes a different position. Their argument is that any governance system built in software can be subverted by the agents it governs. If the supervisor runs as a normal process, a sufficiently capable agent can compromise it.
So Anjuna Overwatch runs inside a Trusted Execution Environment (TEE), a hardware-isolated enclave in the CPU that even the host operating system and cloud administrators cannot access. The control layer is attested cryptographically before it loads. Agents are governed by a system that is, in Anjuna's framing, incorruptible.
This is a strong claim. Whether it holds up in practice depends on your trust model for confidential computing. TEEs have been attacked through side channels before. But the architectural argument is real: if you move the governance layer to hardware, you eliminate an entire class of software-based subversion.
Ayal Yogev, Anjuna's CEO, framed the problem: "As enterprises deploy and scale autonomous AI agents across their most sensitive infrastructure, two questions become critical: Can you trust what the agent is doing? And can you trust the control layer that governs it?"
Troy Leach, Chief Strategy Officer at the Cloud Security Alliance, backed the approach: "As organizations delegate more responsibility to AI agents, they will need a new control approach that provides visibility, policy enforcement, accountability, and oversight of autonomous actions."
Anjuna is already deployed at banking and government customers and is presenting at the Confidential Computing Summit on June 23. The company is targeting regulated industries where air-gapped and on-premises deployment is non-negotiable.
Tigera: the Kubernetes layer
Tigera, the company behind Calico Open Source, shipped Lynx on June 17. Lynx sits in the path of every agent call inside a Kubernetes cluster: agent-to-agent, agent-to-tool, agent-to-LLM. It authenticates, authorizes, mediates, and audits each interaction without requiring changes to agent code.
Five capabilities: discovery (eBPF-powered auto-discovery finds agents nobody registered), posture management (AI-CSPM evaluates agents against baselines), identity (cryptographic identities through SPIFFE/SPIRE or existing identity providers), policy enforcement (Cedar policy language, default-deny), and anomaly detection.
One detail from Tigera's engineering blog stands out. When Lynx scans a cluster for the first time, it almost always finds agents the platform team did not know existed. Someone on the data team wires up an agent to summarize tickets. Someone in platform builds one to triage alerts. A few call out to OpenAI directly with a key pasted into an environment variable on a pod nobody registered. Security finds out when the bill arrives or when something breaks.
Lynx is already in production at major global banks.
Where governance belongs depends on where you already stand
Here is what makes this week interesting. All three platforms address the same problem: autonomous agents acting in unpredictable ways across enterprise systems. But they disagree on where the control point should be.
F5 says the network. Every API call passes through F5's infrastructure anyway, so intercepting agent traffic there requires no new plumbing for F5's existing customers.
Anjuna says the silicon. A software governance layer can be compromised by the agents it watches. Move it to hardware and you remove that attack path.
Tigera says the orchestration layer. Kubernetes already runs the workloads. Govern agents where the pods live.
Each argument is self-consistent. Each one also happens to place the control point exactly where that vendor's existing product portfolio already operates. That is not a coincidence. It is also not a criticism. The practical reality for buyers is that agent governance will probably deploy at whatever layer you already control.
What this means for you
If you run F5 infrastructure (and a lot of regulated enterprises do), the AI Security Platform is a natural extension. The 140,000-pattern threat database and SurePath acquisition mean you get discovery and runtime protection without adding a new vendor.
If you operate in air-gapped environments or regulated industries where software-based governance is not trusted enough, Anjuna's hardware-enforced approach is the only one that moves the trust boundary below the operating system. The CSA endorsement and banking customer base give it credibility.
If your agents run on Kubernetes, Tigera Lynx catches them at the platform level. The shadow-agent discovery problem alone is worth the deployment. Most teams do not know how many agents are already running.
The question is not which layer is correct. The question is which layer you already own, and whether that layer gives you the visibility, enforcement, and audit trail your compliance team needs before approving more agents for production.
F5's own data says 98 percent of organizations are preparing for agentic AI. The same data says 88 percent have already hit problems. The gap between those two numbers is where governance lives. Pick the layer you can deploy fastest.
Sources: F5 AI Security Platform announcement (June 22, 2026); Anjuna Overwatch press release (June 22, 2026); Tigera Lynx announcement (June 17, 2026); Help Net Security coverage of Tigera Lynx (June 17, 2026); Techzine coverage of F5 (June 22, 2026).