77% Wrote AI Policies. 26% Can Enforce Them. Three Products Closed the Gap.
77% of organizations wrote AI security policies. Only 26% can enforce them. Three products shipped this week to close the 51-point enforcement gap.
By SpringVanta
77% of organizations updated their security strategy for AI. Only 26% have the architecture to actually enforce what they wrote.
That 51-point gap comes from the Check Point 2026 Cloud Security Report, and it is the most useful number I have seen for explaining why enterprise AI agent deployments keep failing. Not because the models are bad. Not because the agents are dumb. Because organizations are writing policies their infrastructure cannot enforce, deploying agents those policies cannot constrain, and then acting surprised when something goes wrong.
Three things happened in the last week of June 2026 that each attack a different part of that gap. Virtue AI shipped a discovery layer that finds the agents security teams cannot see. OPAQUE launched a verification platform that produces hardware-signed proof of what agents actually did. And Thoughtworks published a governance framework that maps what agents are legally authorized to do to centuries-old agency law. Discovery, verification, and authority. The three missing pieces between writing a policy and making it stick.
The gap is not theoretical
The Gravitee State of AI Agent Security 2026 report surveyed 750 senior technology leaders across the UK and US. Enterprise AI agent fleets roughly doubled in the four months between December 2025 and April 2026. Nearly 38% of organizations now run more than 100 agents. But 48% of production agents are running unsecured, and 54% of organizations have already had a confirmed security incident. Only 14.4% deployed their agents with full security and IT approval.
Gartner predicts that by 2027, 40% of enterprises will demote or decommission autonomous AI agents because governance gaps will surface only after deployment. The AI agent software market sits at $206.5 billion in 2026, up 139% from 2025. Deployment is accelerating. Enforcement is not.
The Nirmata blog put it bluntly: most enterprises have a policy document, an acceptable use framework, a model risk committee, and a dashboard showing token consumption. None of those things sit in the execution path of an AI agent making a decision right now. The policy tells people what to do. The dashboard tells you what already happened. Neither one stops a bad action before it executes.
Why prompt-level guards were never enough
The dominant approach to AI agent safety has been content filtering. Screen what goes into the model, screen what comes out. The OWASP LLM01:2025 advisory states explicitly that there are no foolproof methods for preventing prompt injection. Research published at ICLR 2025 demonstrated a 100% attack success rate against GPT-4o, Claude 3, and Llama-3 using adaptive attacks. Microsoft's own AI Red Team put it plainly: mitigations do not eliminate risk entirely.
The OWASP Top 10 for Agentic Applications 2026 identifies ten categories of failure that go well beyond prompt injection: goal misalignment, tool misuse, delegated trust exploitation, inter-agent manipulation, persistent memory poisoning, and emergent autonomous behavior. These are architecture problems, not prompt problems.
As Imran Siddique, the creator of Microsoft's Agent Governance Toolkit and now Chief Platform Officer at OPAQUE, said: "Screening what goes in and out of an agent was never going to be enough. You need a layer that decides what it is allowed to do, and a layer that enforces and proves it in hardware."
Virtue AI: finding the agents you cannot see
On June 23, Virtue AI launched Shadow AI, an extension of its AgentSuite-Blue platform. The problem it addresses is simple and uncomfortable. Employees are running AI agents inside their laptops, SaaS platforms, developer workflows, and browser extensions. Most of those agents were never reviewed by security. Many were never approved at all. Security teams know this is happening but cannot tell you where those agents exist, what permissions they hold, or whether they are operating within policy.
Shadow AI is an endpoint-level discovery and monitoring layer built specifically for AI agents. Unlike traditional EDR tools that treat agents as generic applications, it is designed around the agent lifecycle: how agents plan, act, call tools, and evolve over time. It detects commercial tools like ChatGPT, Claude, and Copilot, plus self-hosted models, browser extensions, IDE plugins, and informal agentic pipelines that generic security tools fail to classify as AI.
Wenbo Guo, Head of Agent Security at Virtue AI, said: "Across the enterprise, employees are using unapproved agents for things like coding, data analysis, and sales outreach. We built Shadow AI to find them."
The platform captures the full behavioral sequence of each agent: process activity, network behavior, file system changes. It maps this across the IT environment so teams can see how many agents are active, on what devices, and what policies they may violate. If an agent starts misbehaving, teams have a full record of its host, user context, tool calls, and action sequence. SiliconANGLE covered the launch independently, noting that Virtue AI is well-qualified to address the problem given its background in continuous security testing and real-time safety guardrails.
Shadow AI runs on Linux, Windows, and macOS as a light endpoint collector, compatible with existing EDR and XDR platforms including CrowdStrike Falcon and Microsoft Defender.
OPAQUE 3.0: proving enforcement with hardware
Also on June 23, at the Confidential Computing Summit in San Francisco, OPAQUE launched version 3.0 of its platform. The company, born from UC Berkeley's RISELab, made two open-source releases: Agent Manifest and Confidential MCP.
Agent Manifest gives every AI agent a cryptographic identity. Each agent gets an Ed25519 key pair that binds it to its governance policies, approved resources, and authorized actions. Organizations can cryptographically verify what an agent is, what resources it can access, who approved it, which governance policies apply, and whether those policies were enforced during execution. An altered or unauthorized agent can no longer masquerade as an approved one.
Confidential MCP is the first Model Context Protocol implementation that runs inside a confidential computing enclave. Every MCP tool call is governed by AGT policies, executed in hardware-attested isolation, and logged with signed receipts that an auditor can verify independently. For enterprises deploying MCP-based architectures, this provides governance and verifiability without a platform migration.
The platform runs on confidential computing hardware from Intel, AMD, and NVIDIA. The Technology Innovation Institute of the UAE is a founding partner, contributing post-quantum cryptography so agent identities and audit records remain verifiable against future quantum adversaries.
OPAQUE CEO Aaron Fulkerson framed the problem in terms every CISO will recognize: "The more autonomous your AI agents become, the more your security posture has to keep pace. Capability without accountability is a liability. Organizations deploying AI agents are stuck on a question existing tooling cannot answer: can you prove what your AI did?"
OPAQUE 3.0 launches with general availability in July 2026. Both Agent Manifest and Confidential MCP are open source at github.com/agentrust-io.
Thoughtworks: the legal framework nobody wrote
On June 18, Thoughtworks published the Agentic Scope of Authority Framework, a governance blueprint designed to answer a question most enterprises have not asked: what is the exact scope of authority granted to each AI agent?
The framework draws on a distinction from corporate law that has existed for centuries. Actual authority is what the agent is explicitly permitted to do by its principal. Apparent authority is what a third party reasonably believes the agent is authorized to do based on its title and behavior. The disconnect between the two is, in the words of the framework's authors Jeremy Gordon and Matt Kamelman, "perhaps the most underappreciated source of enterprise exposure."
They open with a real example. In April 2026, an autonomous AI agent in San Francisco was given a commercial lease, a bank account with $100,000, and a single directive: make a profit. It opened a store, purchased inventory, and hired human staff. When it made operational errors (it attempted to hire a painter in Afghanistan because of a botched vendor form, and it failed to schedule staff for opening day), there was no governance document, no designated principal, and no clear liability chain.
The framework argues that society does not need new legal systems to govern AI agents. The challenge is creatively applying established principles of agency law to digital agents. When an AI agent interacts with vendors, customers, or partners, the law views that interaction through the lens of representation. If your agent agrees to an unfavorable pricing tier, violates a data boundary, or hallucinates a discount, you bear the cost.
The convergence: discovery, authority, verification
Each of these announcements attacks the enforcement gap from a different angle, and the angles compose.
Virtue AI answers the first question: do you know what agents are running in your environment? You cannot enforce policies on agents you have not discovered. Shadow AI surfaces the hidden inventory.
Thoughtworks answers the second question: for the agents you do know about, what are they legally authorized to do? If you have not mapped actual versus apparent authority, your policy document is describing a different agent than the one your vendor, customer, or regulator is interacting with.
OPAQUE answers the third question: for the agents you have discovered and authorized, can you prove they followed the rules? Hardware-signed evidence is the difference between asserting compliance and demonstrating it.
The security firm ARMO published a five-rung "Enforceability Ladder" earlier this year that captures the same idea from a different direction. Most enterprise programs cluster at rungs two and three, where policies exist as documents and middleware claims enforcement. Almost none reach rung five, the only level that produces evidence an auditor cannot dispute, because rung five requires independent runtime observation captured outside the agent's process boundary.
A research paper on deontic policies for runtime governance, published on arXiv in June 2026, makes the academic case: current policy engines like XACML, Rego, and Cedar address only the permit and prohibit subset of governance. They do not handle obligation lifecycle management, policy conflict resolution, or dispensations that waive obligations in specific circumstances. The governance problem is richer than allow-and-deny.
What to do this week
If a regulator asked you today to prove, with independently verifiable evidence, that your AI agent followed its governance policy during a specific transaction, could you answer? If the answer involves a dashboard screenshot or an application log, you are operating at Level 1 or 2 of the governance maturity model. Your policy is a document. Your enforcement is aspirational.
The practical starting point is inventory. Before you deploy governance tooling, you need to know what is already running. The Gravitee report found that agent estates doubled in four months. Verizon's 2026 DBIR found shadow AI activity increased fourfold in DLP datasets year over year. If you have not scanned your endpoints for unapproved AI agents, you are governing the agents you know about while the ones you do not are operating with your employees' credentials.
From there, the sequence is: define authority scopes for each agent, deploy runtime governance that intercepts tool calls deterministically, and move toward hardware-attested enforcement where the regulatory or risk profile demands it. None of this requires waiting for new regulations. The frameworks, tools, and standards shipped this month.

Sources: Check Point 2026 Cloud Security Report; Gravitee State of AI Agent Security 2026; OPAQUE 3.0 launch (PR Newswire, June 23); Enterprise AI World coverage (June 24); SiliconANGLE coverage of Virtue AI Shadow AI (June 23); Virtue AI launch (PR Newswire, June 23); Thoughtworks Agentic Scope of Authority Framework (June 18); Gartner predictions via Gravitee report; Nirmata AI governance analysis (June 18); ARMO Enforceability Ladder analysis (May 2026).