Thoughtworks just launched Agent/works, a governance platform for enterprises drowning in AI agent sprawl. The timing isn't coincidental.

According to Sonar's 2026 State of Code survey, 42% of committed code is now AI-generated or AI-assisted. AppSec Santa found that 25% of AI-generated code samples contain critical security vulnerabilities.

When nearly half your codebase comes from autonomous agents—and a quarter of it ships with exploitable flaws—governance stops being a compliance checkbox and becomes an architectural necessity.

Announced June 16, 2026 at Databricks Data+AI Summit, Agent/works gives enterprises a single control plane and governed runtime for every AI agent deployed across any cloud. The platform addresses what Thoughtworks calls "the high-stakes operational reality" of 2026: autonomous agents that can access data, invoke tools, and execute workflows without the governance frameworks enterprises need to scale them safely.

The Problem: Agent Sprawl Meets Production Reality

2025 was AI experimentation. 2026 is operational chaos.

Enterprises granted increasing authority to autonomous systems in 2025, letting developers ship AI-assisted code at scale. What worked in pilot mode is now creating governance nightmares in production.

The core issue: agent sprawl. Security, compliance, and governance teams can't track what agents exist, what data they access, what tools they invoke, or what they cost to run. Left unchecked, organizations risk:

• Data exposure: Agents accessing sensitive systems without proper permissions
• Compliance violations: Autonomous workflows that bypass regulatory controls
• Insufficient oversight: No audit trail for agent actions
• Runaway costs: AI operating expenses scaling faster than visibility

As one CISO put it in a peer conversation: "We know developers are using AI coding agents. We don't know which agents, what they're accessing, or whether they comply with SOC 2. That's a board-level risk."

Thoughtworks' platform treats this as an architectural problem, not a policy checklist. Agent/works builds governance into the runtime itself, giving teams the freedom to build with guardrails that accelerate rather than obstruct innovation.

How Agent/works Solves It: Governance at Runtime

The breakthrough: governance doesn't bolt on after deployment. It runs during execution.

Agent/works introduces five core capabilities designed for the agentic enterprise:

1. Provable Compliance Before Execution

Before an agent runs, Agent/works analyzes every path through its workflow and confirms at least one fully compliant path exists end-to-end. No guesswork. No post-deployment audits. Compliance is verified at design time.

This matters for regulated industries where "we think it's compliant" doesn't satisfy auditors. Agent/works provides audit-ready evidence that every workflow meets policy requirements before it touches production data.

2. Permissions Built for Agents, Not Borrowed from Humans

Traditional identity and access management (IAM) systems grant permissions designed for human users. An agent accessing public web data carries a different risk profile than one accessing internal finance systems.

Agent/works grants capability-based, scope-bound, and time-limited permissions that narrow automatically as an agent touches sensitive systems. Permissions travel with the agent across every handoff, ensuring least-privilege access throughout the workflow.

3. A Governed Runtime for Every Kind of Agent

From autonomous, end-to-end workflow agents to interactive coding agents (like Claude Code-style tools), Agent/works runs each agent in a governed environment with policies that adapt during execution.

This adaptive governance model is critical for enterprises deploying multiple agent types. A coding agent assisting developers has different risk controls than a finance agent reconciling invoices. Agent/works applies the right governance model to each use case without forcing a one-size-fits-all policy.

4. Composable and Portable by Design

Operating on a multi-model backend, Agent/works registers any model using a standard API, connects any tool, and delegates to a cloud's native services and trusted third-party agents.

Scoped permissions travel seamlessly with every handoff. This means an agent can invoke a third-party tool, call a cloud service, or delegate to another agent—and governance policies persist across the entire chain.

For enterprises avoiding vendor lock-in, this portability is non-negotiable. You're not locked into a single model provider, cloud, or agent framework.

5. A Single Source of Truth for the Fleet

A centralized registry provides comprehensive visibility, evaluations, usage analytics, and cost controls across every agent, model, tool, and policy in the enterprise estate.

CFOs care about this because it answers the question: "What are we spending on AI, and is it justified?" CTOs care because it provides real-time observability across the agent fleet. CISOs care because it gives audit-ready evidence of every action taken by autonomous systems.

The Databricks Partnership: Data Governance Meets Agent Governance

Thoughtworks partnered with Databricks to extend governance models enterprises already use for data across agent workflows.

David Nasi, director of product management for AI and agentic platform at Databricks, explained: "The organizations moving fastest with agents are extending the same governance models already used for enterprise data across agent workflows themselves. This shift matters because it turns governance from a bottleneck into an enabler."

Databricks provides the underlying data and ML infrastructure. Agent/works delivers the agentic governance and production-ready platform to operationalize it. The integration means enterprises can apply the same Unity Catalog governance policies they use for data access to agent workflows.

This is a forcing function for AI governance maturity. If you've already invested in Databricks governance, Agent/works lets you extend that investment to agents without rebuilding your compliance framework.

What This Means for Enterprise Leaders

For CISOs: Agent Governance Is No Longer Optional

With 42% of code AI-generated and 25% containing critical vulnerabilities, agent governance is now a board-level risk. Agent/works gives you:

• Audit-ready evidence of compliance before agents execute
• Real-time visibility into what agents access and what they do
• Provable compliance paths for SOC 2, GDPR, NIST AI RMF, and industry regulations

Action: Evaluate Agent/works against your current agent governance strategy. If you don't have one, this is the forcing function to build it.

For CTOs: Runtime Governance Enables Faster Development

The traditional governance model—manual reviews, post-deployment audits, periodic compliance checks—can't keep pace with autonomous systems shipping code daily. Agent/works shifts governance left, verifying compliance at design time and enforcing it at runtime.

This means developers can ship faster because governance is automated, not manual. The platform provides the guardrails that let teams move fast safely.

Action: Pilot Agent/works with one high-risk agent workflow (e.g., agents accessing PII, financial data, or production systems). Measure time-to-production vs manual governance processes.

For CFOs: AI Spend Visibility Prevents Runaway Costs

Every AI-powered workflow carries an operating cost. Without runtime controls, costs scale as quickly as the agents themselves. Agent/works provides centralized visibility into AI spend across every agent, model, and tool.

You get real-time cost analytics, budget controls, and the ability to tie AI spend to business outcomes. This matters when you're defending a $10M AI budget to the board and need to show ROI.

Action: Use Agent/works' cost controls to set budgets at the team, project, or workflow level. Track AI spend per business unit and measure it against productivity gains.

The Competitive Landscape: Who Else Is Solving This?

Agent governance platforms are emerging fast, but most focus on monitoring, not runtime enforcement.

• LangSmith (LangChain): Observability and debugging for LLM apps, but governance is manual
• Weights & Biases: ML ops platform with governance features, but not agent-specific
• Databricks Unity Catalog: Data governance, now extending to agents via partnerships like Agent/works
• Azure AI Content Safety: Post-deployment monitoring, not pre-execution compliance

Agent/works differentiates by treating governance as a runtime capability, not a monitoring layer. Policies enforce before execution, not after. This prevents compliance violations instead of detecting them after they happen.

The Bottom Line

Thoughtworks Agent/works shifts AI governance from a compliance checklist to a runtime capability.

With 42% of code AI-generated and agent sprawl accelerating, enterprises need governance frameworks that scale as fast as autonomous systems. Agent/works provides:

• Provable compliance before execution
• Runtime enforcement of policies across any cloud
• Cost visibility across every agent, model, and tool
• Portability to avoid vendor lock-in

The partnership with Databricks signals a broader trend: data governance models are extending to agent governance. Enterprises that already invested in Unity Catalog can now apply the same policies to autonomous workflows.

If your organization deployed AI agents in 2025, you need an agent governance strategy in 2026. Agent/works is the first platform to treat governance as an architectural requirement, not a bolt-on afterthought.

The window to govern agent sprawl before it becomes a regulatory crisis is closing. The question isn't whether you need agent governance—it's whether you'll build it yourself or adopt a platform that's already production-ready.

Sources

• Thoughtworks Press Release - Agent/works platform launch announcement
• Thoughtworks Databricks Partnership - Data+AI Summit 2026 collaboration
• Sonar 2026 State of Code Developer Survey - 42% AI-generated code statistic
• AppSec Santa Research - 25% AI-generated code vulnerability data