On June 23, 2026, at the Confidential Computing Summit in San Francisco, a company most enterprise leaders have never heard of made an announcement that will reshape how every organization governs AI agents in production.
OPAQUE, the confidential AI company born from UC Berkeley's RISELab, launched OPAQUE 3.0 — a platform that brings cryptographically verifiable trust to AI agents through two open-source milestones: Agent Manifest, a new open standard for verifiable AI agent identity, and Confidential MCP, the first Model Context Protocol implementation that is both verifiably governed and secured through confidential computing.
For the first time, an enterprise can prove — not assert, not promise, prove — what an AI agent is, what it is allowed to do, what it actually did, and whether governance policies were enforced throughout execution. The evidence is hardware-signed, tamper-evident, and independently verifiable by auditors, regulators, or customers without trusting the company operating the AI.
This matters because the enterprise AI agent security crisis is no longer theoretical. It is documented, measured, and accelerating — and the industry's current answer to it is fundamentally broken.
The 51-Point Gap Between AI Security Policy and Enforcement
The numbers tell a devastating story of good intentions meeting structural incapacity.
The Check Point 2026 Cloud Security Report found that 77% of organizations have updated their security strategy in response to AI. That sounds responsible. But only 26% say they have the architecture to actually enforce it. That 51-point gap — between writing a policy and making it stick — is where every agent security failure originates.
The Gravitee State of AI Agent Security 2026 report, surveying 750 senior technology leaders, found that enterprise AI agent fleets have doubled in four months since December 2025. Nearly 38% of organizations now have more than 100 agents deployed. But 48% of production AI agents are running unsecured, and 54% of organizations have already had a confirmed security incident. Only 14.4% deployed those agents with full security and IT approval.
Cyera Research analyzed more than 7,200 publicly reported AI security and operational incidents from September 2023 through May 2026 and identified 344 verified cases of enterprise-relevant agent-inflicted damage — including an April 2026 incident where an AI coding agent accidentally deleted a car-rental company's entire production database and backups within seconds.
Gartner predicts that by 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance gaps identified only after deployment. Meanwhile, the AI agent software market is exploding — Gartner puts it at $206.5 billion in 2026, up 139% from $86.4 billion in 2025.
The pattern is clear: enterprises are deploying agents at scale, writing governance policies they cannot enforce, and hoping the guardrails hold. Every CISO reading this knows what "hoping" looks like on an incident report.
Why Prompt-Level Safety Was Never Going to Be Enough
The industry's dominant approach to AI agent safety — guardrails that screen what goes in and what comes out — was always a polite request to a stochastic system.
OWASP's LLM01:2025 states this explicitly: "It is unclear if there are fool-proof methods of prevention for prompt injection." Research published at ICLR 2025 by Andriushchenko et al. demonstrated a 100% attack success rate on GPT-4o, Claude 3, and Llama-3 using adaptive attacks with logprob access and suffix optimization. Microsoft's own AI Red Teaming Agent formalizes Attack Success Rate as the canonical metric for this class of failure, and Microsoft's red team findings from testing 100 generative AI products reinforce the point: "Mitigations do not eliminate risk entirely."
The OWASP Top 10 for Agentic Applications 2026 — the first industry-standard risk taxonomy for autonomous AI systems — identifies ten categories of failure that extend far beyond prompt injection: goal misalignment, tool misuse, delegated trust exploitation, inter-agent manipulation, persistent memory poisoning, and emergent autonomous behavior. These are not prompt problems. They are architecture problems.
As Imran Siddique, the creator of Microsoft's Agent Governance Toolkit and now Chief Platform Officer at OPAQUE, put it: "Screening what goes in and out of an agent was never going to be enough. You need a layer that decides what it's allowed to do, and a layer that enforces and proves it in hardware."
The Three-Layer Architecture for Verifiable AI Agent Governance
OPAQUE 3.0 is built on a thesis that durable AI agent security requires three distinct layers, not one:
Layer 1: Content guardrails. These are the prompt filters, output classifiers, and safety systems that most vendors ship today. They help. They also leak. No filter reliably predicts a non-deterministic system, and none catches every hidden instruction embedded in an email, document, or support ticket that could hijack an agent into exfiltrating data.
Layer 2: Governance policy. This is the layer that decides what an agent may do — which tools it can call, which data it can access, which actions require human approval. This is where the Agent Governance Toolkit (AGT) operates. Open-sourced by Microsoft in April 2026, AGT has attracted roughly 4,100 GitHub stars in its first six weeks and remains the only framework that provides documented mitigation for all 10 OWASP Agentic AI Security Initiative risks. Its AARM conformance review on June 14, 2026 verified that it satisfies all nine requirements (R1–R9), qualifying for AARM Extended certification.
AGT intercepts every tool call, message send, and delegation in deterministic application code before the model's intent reaches the wire. Actions the AGT kernel denies are not "unlikely" — they are structurally impossible. That is the difference between asking an agent to behave and making it incapable of misbehaving.
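To make the interception point concrete, here is an added example (written for this article, not code from AGT or OPAQUE) of a deterministic policy gate that sits between the model's proposed tool call and the tool itself and returns one of the five decisions the article names: ALLOW, DENY, MODIFY, STEP_UP and DEFER. The Policy struct, the tool names, the "support-agent" identity and the cents threshold are all constructed for illustration and do not reflect AGT's real YAML/Cedar policy schema; the point is that the decision is made in ordinary application code, so a tool absent from the allow-list cannot be called no matter what the model emits.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Decision is one of the five governance outcomes the article lists.
type Decision string

const (
	Allow  Decision = "ALLOW"
	Deny   Decision = "DENY"
	Modify Decision = "MODIFY"
	StepUp Decision = "STEP_UP"
	Defer  Decision = "DEFER"
)

// ToolCall is the action the model proposes, captured before it reaches a tool.
type ToolCall struct {
	AgentID string
	Tool    string
	Args    map[string]string
}

// Verdict is what the gate hands back to the runtime. Call is the call that may
// proceed; it is a rewritten copy only when Decision == Modify.
type Verdict struct {
	Decision Decision
	Reason   string
	Call     ToolCall
}

// Policy is a hypothetical per-agent rule set (an assumption for this example,
// not AGT's schema). Anything missing from AllowedTools is structurally denied.
type Policy struct {
	AllowedTools    map[string]bool     // tools the agent may call at all
	ApprovedFields  map[string][]string // tool -> columns a wildcard read is narrowed to
	StepUpOverCents map[string]int      // tool -> amount above which a human must approve
	DeferredTools   map[string]bool     // tools whose calls are queued for review
}

// Evaluate is the deterministic gate: plain application code, no model in the loop.
func Evaluate(p Policy, c ToolCall) Verdict {
	if !p.AllowedTools[c.Tool] {
		return Verdict{Deny, "tool not in allow-list for " + c.AgentID, c}
	}
	if p.DeferredTools[c.Tool] {
		return Verdict{Defer, "queued for asynchronous review", c}
	}
	if limit, ok := p.StepUpOverCents[c.Tool]; ok {
		cents, err := strconv.Atoi(c.Args["amount_cents"])
		if err != nil || cents < 0 {
			// A missing or malformed amount fails closed rather than slipping under the threshold.
			return Verdict{Deny, "amount missing or malformed", c}
		}
		if cents > limit {
			return Verdict{StepUp, fmt.Sprintf("amount %d exceeds %d, human approval required", cents, limit), c}
		}
	}
	if fields, ok := p.ApprovedFields[c.Tool]; ok && c.Args["fields"] == "*" {
		// MODIFY: narrow a wildcard read to the approved columns instead of denying it.
		// The original call is left untouched; the runtime receives the rewritten copy.
		mod := c
		mod.Args = make(map[string]string, len(c.Args))
		for k, v := range c.Args {
			mod.Args[k] = v
		}
		narrowed := append([]string(nil), fields...)
		sort.Strings(narrowed)
		mod.Args["fields"] = strings.Join(narrowed, ",")
		return Verdict{Modify, "wildcard field list narrowed to approved columns", mod}
	}
	return Verdict{Allow, "policy satisfied", c}
}

// SamplePolicy is a constructed policy for a hypothetical customer-support agent.
func SamplePolicy() Policy {
	return Policy{
		AllowedTools:    map[string]bool{"crm_lookup": true, "refund": true, "bulk_export": true},
		ApprovedFields:  map[string][]string{"crm_lookup": {"name", "email", "plan"}},
		StepUpOverCents: map[string]int{"refund": 10000},
		DeferredTools:   map[string]bool{"bulk_export": true},
	}
}

func main() {
	p := SamplePolicy()
	// Constructed sample calls, including one the model should never be able to complete.
	calls := []ToolCall{
		{"support-agent", "crm_lookup", map[string]string{"customer": "c-42", "fields": "*"}},
		{"support-agent", "refund", map[string]string{"customer": "c-42", "amount_cents": "2500"}},
		{"support-agent", "refund", map[string]string{"customer": "c-42", "amount_cents": "50000"}},
		{"support-agent", "bulk_export", map[string]string{"table": "customers"}},
		{"support-agent", "drop_database", map[string]string{"name": "prod"}},
	}
	for _, c := range calls {
		v := Evaluate(p, c)
		fmt.Printf("%-14s -> %-8s %s\n", c.Tool, v.Decision, v.Reason)
	}
}
```

The ordering of the checks matters: the allow-list runs first so that an unknown tool is denied before any argument parsing happens, and the amount check fails closed when the argument is absent, which is the failure mode a manipulated agent is most likely to produce.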
Layer 3: Hardware enforcement and verifiable proof. This is OPAQUE's contribution. Even the best governance policy is only as trustworthy as the environment running it. OPAQUE's confidential AI platform constrains what an agent can reach, stops data from leaving through unapproved paths even when an agent misbehaves or is manipulated, and produces independently verifiable evidence — hardware-signed receipts — that the policies were enforced. It runs on CPU-based confidential computing platforms from Intel, AMD, and NVIDIA, with NVIDIA Confidential Computing bringing GPUs inside the Trusted Execution Environment.
OPAQUE CEO Aaron Fulkerson framed the architecture in terms every CISO will understand: "You don't run a regulated business on 'probably.' It takes three layers: guardrails on the content, policy on what an agent is allowed to do, and hardware that enforces both and proves it held."
What OPAQUE 3.0 Actually Ships
Agent Manifest (Open Source)
Agent Manifest extends AGT by giving every AI agent provable runtime integrity. Each agent gets a cryptographic identity — built on Ed25519 did:mesh identities — that binds the agent to its governance policies, approved resources, and authorized actions. An altered or unauthorized agent can no longer masquerade as an approved one.
Organizations can cryptographically verify:
- What an agent is (identity and version)
- What resources it can access
- Who approved it
- Which governance policies apply
- Whether those policies were enforced during execution
Confidential MCP (Open Source)
This is the first Model Context Protocol implementation that runs inside a confidential computing enclave. Every MCP tool call — the mechanism by which AI agents interact with external tools, databases, and APIs — is governed by AGT policies, executed in hardware-attested isolation, and logged with signed receipts that an auditor can verify independently.
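The article describes agent identities built on Ed25519 keys and audit trails made of Merkle-chained, signed receipts that an auditor can verify without trusting the operator. The following is an added example, written for this article rather than taken from OPAQUE, AGT or the agentrust-io repositories, of the simplest form of that idea: each governance decision becomes a receipt whose hash covers the previous receipt's hash, and the enforcer signs each receipt with an Ed25519 key from Go's standard library. The verifier needs only the public key and the receipt list. The Receipt layout, the length-prefixed hashing format and the freshly generated key are assumptions; in the hardware-enforced setting the page describes, the signing key would be bound to a TEE attestation rather than generated in software, and a full Merkle tree would additionally let an auditor check a single receipt without the whole chain.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// Receipt records one governance decision. PrevHash links it to the receipt
// before it; Sig is an Ed25519 signature over the receipt's hash. Field names
// and layout are an assumption for this example, not a published format.
type Receipt struct {
	Seq      int
	AgentID  string
	Tool     string
	Decision string
	PrevHash [32]byte
	Sig      []byte
}

// Hash covers every field except the signature, including the link to the
// previous receipt, so editing a decision, reordering or dropping a receipt
// changes the value that was signed.
func (r Receipt) Hash() [32]byte {
	h := sha256.New()
	// Length-prefix each field so that field boundaries are unambiguous.
	for _, f := range []string{strconv.Itoa(r.Seq), r.AgentID, r.Tool, r.Decision} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	h.Write(r.PrevHash[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Enforcer is the policy layer's signing side. In the article's model this key
// would live inside the TEE; here it is generated in software for illustration.
type Enforcer struct {
	priv  ed25519.PrivateKey
	chain []Receipt
}

func NewEnforcer() (*Enforcer, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Enforcer{priv: priv}, pub
}

// Record appends a signed receipt for one decision to the chain.
func (e *Enforcer) Record(agent, tool, decision string) Receipt {
	r := Receipt{Seq: len(e.chain), AgentID: agent, Tool: tool, Decision: decision}
	if n := len(e.chain); n > 0 {
		r.PrevHash = e.chain[n-1].Hash()
	}
	h := r.Hash()
	r.Sig = ed25519.Sign(e.priv, h[:])
	e.chain = append(e.chain, r)
	return r
}

// Chain returns a copy of the receipts, as they would be handed to an auditor.
func (e *Enforcer) Chain() []Receipt { return append([]Receipt(nil), e.chain...) }

// VerifyChain is the auditor side: it needs the enforcer's public key and the
// receipts, nothing from the operator. It returns the index of the first
// receipt that fails, or -1 when the whole chain verifies.
func VerifyChain(pub ed25519.PublicKey, chain []Receipt) (ok bool, badIndex int) {
	var prev [32]byte // genesis link is all zeros
	for i, r := range chain {
		if r.Seq != i || r.PrevHash != prev {
			return false, i // gap, reordering or deletion
		}
		h := r.Hash()
		if !ed25519.Verify(pub, h[:], r.Sig) {
			return false, i // altered content or a receipt the enforcer never signed
		}
		prev = h
	}
	return true, -1
}

func main() {
	e, pub := NewEnforcer()
	// Constructed decisions for a hypothetical agent.
	e.Record("support-agent", "crm_lookup", "ALLOW")
	e.Record("support-agent", "drop_database", "DENY")
	e.Record("support-agent", "refund", "STEP_UP")
	ok, bad := VerifyChain(pub, e.Chain())
	fmt.Println("chain valid:", ok, "first bad index:", bad)

	forged := e.Chain()
	forged[1].Decision = "ALLOW" // an operator rewriting history after the fact
	ok, bad = VerifyChain(pub, forged)
	fmt.Println("after tampering valid:", ok, "first bad index:", bad)
	fmt.Println("enforcer public key:", hex.EncodeToString(pub))
}
```

Three properties fall out of the structure: a changed decision fails the signature check, a deleted or reordered receipt fails the link check on the receipt that follows it, and receipts produced under any other key fail immediately, so an auditor who pins the enforcer's public key is not relying on the operator's logs being honest.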
For enterprises already deploying MCP-based agent architectures (which, after Anthropic and Google both standardized on MCP, is increasingly everyone), Confidential MCP provides governance and verifiability without requiring a platform migration.
Post-Quantum Cryptography
In partnership with the Technology Innovation Institute (TII) of the United Arab Emirates, OPAQUE 3.0 integrates post-quantum cryptography so agent identities and signed audit records remain verifiable against quantum-era adversaries. An audit record is only as good as the cryptography it will face decades from now — data harvested today gets decrypted by tomorrow's quantum machines, and regulators in the UAE and beyond are already mandating post-quantum readiness.
Both Agent Manifest and Confidential MCP are open source, available at github.com/agentrust-io. OPAQUE 3.0 debuts today with general availability in July 2026.
Framework #1: Enterprise AI Agent Governance Maturity Assessment
Where does your organization sit? Use this five-level assessment to benchmark your current agent governance posture against the three-layer architecture.
Level 1: Ungoverned (Most Organizations Today)
- Agents deployed with API keys shared across multiple agents
- No pre-execution interception of tool calls
- Audit trail limited to application logs
- Governance = written policy document, not enforced
- Risk exposure: Maximum. No structural barrier to unauthorized actions.
Level 2: Guardrails Only
- Content-layer safety (prompt filters, output classifiers) deployed
- Input/output screening catches some injection attempts
- No runtime policy enforcement on tool calls
- Agent identity = API key (shared, not unique)
- Risk exposure: High. Content-layer defenses are probabilistic, not deterministic.
Level 3: Policy-Governed
- Runtime governance framework (AGT or equivalent) intercepts tool calls
- YAML/Cedar policy evaluation on every action
- Five governance decisions enforced: ALLOW, DENY, MODIFY, STEP_UP, DEFER
- Unique agent identity (e.g., did:mesh) with Ed25519 keys
- Tamper-evident audit chain (Merkle-chained receipts)
- Risk exposure: Moderate. Policy enforcement is deterministic, but trust depends on the runtime environment.
Level 4: Hardware-Enforced
- Governance policies enforced inside Trusted Execution Environment (TEE)
- Agent execution isolated in confidential computing enclave
- Hardware-signed evidence of every policy decision
- MCP tool calls governed with ephemeral, least-privilege credentials
- Independent verifiability — auditors can check without trusting the operator
- Risk exposure: Low. Hardware enforcement closes the "trust the runtime" gap.
Level 5: Verifiably Governed (OPAQUE 3.0 Target State)
- Agent Manifest provides cryptographic identity binding
- Confidential MCP secures all tool interactions
- Post-quantum cryptography protects audit records against future threats
- Continuous compliance evidence generated automatically
- Regulators and customers can independently verify governance posture
- Risk exposure: Minimal. Evidence-based trust replaces assertion-based trust.
Assessment question: If a regulator asked you today to prove — with independently verifiable evidence — that your AI agent followed its governance policy during a specific transaction, could you? If the answer is no, you are operating at Level 1 or 2.
Framework #2: 90-Day Implementation Roadmap for Verifiable Agent Governance
Days 1–15: Inventory and Risk Classification
| Task | Owner | Output |
|---|---|---|
| Inventory all deployed AI agents (production + shadow) | Platform Engineering | Agent registry with count, purpose, data access |
| Map each agent's tool access and data permissions | Security | Tool-call matrix per agent |
| Classify agents by risk tier (read-only → financial transactions → customer-facing) | CISO + Business | Risk-tiered agent catalog |
| Identify agents sharing API keys or service accounts | Identity/IAM | Shared-credential inventory |
| Benchmark current governance posture against 5-level maturity model | Security Architecture | Baseline maturity score |
Days 16–45: Policy Layer Deployment
| Task | Owner | Output |
|---|---|---|
| Deploy AGT (pip install agent-governance-toolkit[full]) | Platform Engineering | Runtime governance active |
| Write YAML/Cedar policies per risk tier | Security + Business | Policy documents per agent class |
| Configure five governance decisions per policy (ALLOW/DENY/MODIFY/STEP_UP/DEFER) | Security | Enforced policy set |
| Assign unique did:mesh identity to each agent | Identity/IAM | Agent identity registry |
| Enable Merkle-chained audit trail | Security Operations | Tamper-evident audit active |
| Integrate OpenTelemetry decision export with SIEM | SOC | Governance events in security monitoring |
Days 46–75: Hardware Enforcement and Verification
| Task | Owner | Output |
|---|---|---|
| Evaluate confidential computing options (Intel SGX, AMD SEV, NVIDIA CC) | Infrastructure | Platform selection |
| Deploy Confidential MCP for highest-risk agents | Platform Engineering | Hardware-enforced MCP active |
| Implement Agent Manifest for cryptographic identity binding | Security Architecture | Verifiable agent identities |
| Configure hardware-signed evidence packs | Security Operations | Auditor-ready receipts |
| Test independent verification workflow with compliance team | Compliance/Legal | Verified evidence chain |
Days 76–90: Operationalize and Scale
| Task | Owner | Output |
|---|---|---|
| Extend governance to remaining agent tiers | Platform Engineering | Full coverage |
| Establish governance review cadence (monthly policy review, quarterly maturity assessment) | CISO | Standing governance process |
| Train SOC on agent-specific incident response playbooks | SOC | Agent IR capability |
| Document compliance evidence chain for regulators | Compliance | Regulatory-ready package |
| Plan post-quantum cryptography migration timeline | Security Architecture | PQC roadmap |
Critical path item: Days 1–15 (inventory) cannot be skipped. Organizations that jump straight to tooling without knowing what agents they have and what those agents can access are building governance on a foundation of guesses.
The Apple Precedent and the Enterprise Imperative
Apple settled the verifiable AI argument for consumers with the launch of Private Cloud Compute. The core principle was simple: "trust me" became "verify me." Apple's PCC provides stateless computation, enforceable guarantees, no privileged runtime access, non-targetability, and verifiable transparency — and they recently extended it to run on Google Cloud hardware using NVIDIA Confidential Computing and Intel Trust Domain Extensions.
OPAQUE 3.0 brings that same "verify me" standard to enterprise AI agents. The key difference: Apple controls both the hardware and the software. Enterprise environments are heterogeneous — agents from multiple vendors, running on multiple clouds, accessing multiple data sources. The governance standard has to work across all of them, which is why OPAQUE built it as an open standard and why TII, AMD, and NVIDIA are founding partners.
This is also why Imran Siddique's move from Microsoft to OPAQUE matters. Siddique spent 18 years at Microsoft, creating not just AGT but also Agent OS (runtime governance), Agent Mesh (zero-trust networking), and Agent SRE (resilient multi-agent orchestration). He is arguably the person who has thought most deeply about how to govern AI agents at the infrastructure level. His conclusion — that governance policy without hardware enforcement is incomplete — is a verdict on the state of the entire industry.
The Competitive Landscape: Who Else Is Building Agent Governance
OPAQUE is not the only player. The agent governance infrastructure market is forming rapidly:
- Microsoft AGT remains the open-source governance policy standard, now with OPAQUE extending it into hardware enforcement
- Google shipped agent identity registries and gateways in April 2026, approaching the problem from the cloud platform layer
- AWS launched Continuum and Context at its June 2026 Summit — autonomous security vulnerability lifecycle and real-time enterprise knowledge graph
- Cognizant productized the governance gap with Secure AI Services for enterprises that cannot build governance in-house
- Palo Alto Networks embedded Prisma AIRS into Google Gemini for real-time agent security monitoring
- Radware and Dataiku announced a partnership today (June 25) to secure enterprise AI deployments across applications, APIs, and data
The AI governance market itself is projected to grow from $418 million in 2026 to $3.59 billion by 2033 — a 38.5% CAGR driven by regulatory mandates (the EU AI Act imposes penalties up to €35 million or 7% of global turnover) and the operational reality that ungoverned agents are ungoverned liabilities.
OPAQUE's differentiator is the integration of governance policy (AGT) with hardware enforcement (confidential computing) and an open verification standard (Agent Manifest). No other vendor currently offers all three in a single platform.
What Enterprise AI Leaders Should Do This Week
- Run a shadow agent audit. The Gravitee data says 48% of production agents are running unsecured. You probably have agents deployed that your security team doesn't know about. Find them before they find you on an incident report.
- Assess your governance maturity honestly. Use the five-level framework above. If you cannot answer "what happened and can we prove it?" for every agent action, you are not governed — you are hoping.
- Evaluate AGT for policy enforcement. It is open source, it covers all 10 OWASP Agentic risks, it works with any framework (pip install agent-governance-toolkit[full]), and it is the foundation that OPAQUE, Microsoft, and the broader ecosystem are building on.
- Brief your compliance team on verifiable governance. The EU AI Act, Colorado's SB-189, and emerging regulations worldwide are converging on a requirement for evidence, not assertions. Your compliance team needs to understand the difference between "we have a policy" and "we can prove the policy was enforced."
- Track OPAQUE 3.0's July GA. If you operate in financial services, healthcare, or any regulated environment, the ability to provide hardware-signed evidence of agent governance is not a nice-to-have — it is the difference between passing and failing your next audit.
The Bottom Line
The enterprise AI agent governance crisis has been building for two years. The data is unambiguous: agents are doubling every quarter, incidents are rising, and the dominant security model — content-layer guardrails — has a documented 100% bypass rate under adaptive attack.
OPAQUE 3.0 does not solve every problem. Content guardrails still matter. Policy frameworks like AGT still matter. But OPAQUE adds the layer that was missing: hardware-enforced governance with cryptographic proof that the rules were actually followed.
Zero trust rebuilt network security on one rule: never trust, always verify. OPAQUE is applying the same doctrine to AI agents — with an open standard and three working pieces beneath it.
The question is no longer whether your AI agents are governed. The question is whether you can prove it.
Rajesh Beri is Head of AI Engineering at Zscaler, focused on enterprise AI security, governance, and deployment at scale.