You are not building for the agents you have today. You are building for the agents you will have in two years. The numbers are not on your side.
By Justin Gane, 1Digit
Last week we wrote about what a frontier cyber-capable model will find inside your existing infrastructure. The conversations that have come back from CTOs, CIOs and audit committee chairs in the days since publication have not been about whether the article overstated the case. They have been about whether the case can be defended in board papers, in regulator submissions, in audit committee minutes. Several of those conversations did not start with the word Mythos at all. They started with the question that sits behind it: if not this model, the next one, and how do we measure whether we are ready.
That shift is the point. A week ago the conversation about frontier cyber capability was theoretical. Today it is operational. Mythos is the named hook, but the underlying concern has moved past any single model. Boards are not asking whether Mythos can do what Anthropic says it can do. They are working from the assumption that something can, and acting accordingly. The certainty has gone up. So has the risk.
The Mythos piece was about defects already in the code. This piece is about defects already in your operating model. They are not the same problem, but they compound on each other, and the compounding is what makes the architecture question urgent rather than interesting.
A CISO would frame what follows as a security gap. I am not writing this as a CISO. I am writing it as an enterprise architect, because the question I want to put in front of the C-suite is not whether you have shadow agents. Every enterprise we audit has shadow agents. The question is whether your governance plane is sized for the agents you are about to have. That is not a security question. It is an architecture question. And it is the next thing the board has to deal with.
Start with what is true today.
In a survey of 1,879 IT leaders published earlier this year, 95 per cent of organisations reported that they now run AI agents that autonomously perform IT or security tasks. That is not pilots. That is not lab experiments. That is production. In the same population, only 14.4 per cent of agents reach production with full security or IT approval. The remaining 85.6 per cent are running on the estate without a complete governance review.
A separate dataset puts the average enterprise at 37 deployed agents today, more than half of which run without security oversight or logging. OutSystems' latest research has 94 per cent of organisations reporting that AI sprawl is increasing complexity, technical debt and security risk. CyberArk's 2025 Identity Security Landscape survey put the ratio of machine identities to human identities at 82 to 1.
Eighty-two to one. That is the architectural primitive your IAM stack was not designed for, your audit framework does not contemplate, and your org chart has no role to govern. Today.
The board reads numbers like these and asks the obvious question: how big is the gap, and how do we close it. The answer most CISOs will give is "we are working on it." The answer the architect should give is harder. The gap is not the gap you think it is. The gap is the trajectory.
Gartner's central forecast, published by Senior Director Analyst Max Goss at the Digital Workplace Summit in London, is the single number that should be sitting on every audit committee agenda this quarter. By 2028, the average global Fortune 500 enterprise will be running over 150,000 agents. The same Fortune 500 enterprise was running fewer than 15 in 2025.
Read that ratio carefully. Fifteen to one hundred and fifty thousand. That is not 10x. That is not 100x. That is approximately ten thousand times the agent population in three years. The market is not growing. The market is detonating.
Two corroborating data points sit underneath that forecast. Gartner separately predicts that 40 per cent of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5 per cent in 2025, which is roughly 8x growth inside a single year. And Gartner's third forecast in this series is that more than 40 per cent of agentic AI projects will be cancelled by 2027 because of unclear value, escalating cost, and weak governance. The first two numbers describe the size of the wave. The third describes what happens to organisations that meet the wave with the operating model they have today.
If you are a CTO or a CIO reading this, run the arithmetic on your own estate. Take whatever number of agents you are running today. Multiply it by ten thousand. That is your Q4 2028 problem if Gartner is right, and Gartner has been more directionally right than wrong on enterprise infrastructure forecasts for the last decade. Then take the percentage of those agents that today sit outside a proper production process, a security compliance review, an audit trail you can defend in a regulator's office. In the enterprises we audit, that percentage is rarely below 70. Often it is above 85. Apply it to the 2028 number. The gap you have today is a thousand-agent governance problem. The gap you will have in 2028, on the same operating model, is a hundred-thousand-agent governance problem.
This is what I mean when I say the architecture is the problem, not the agents. The agents you have are not the issue. The architecture that produced them is.
The instinct in most boardrooms is to treat agent governance as an extension of identity and access management. It is not, and the reason it is not is what makes this an architecture problem rather than a security one.
Traditional non-human identities, the service accounts and API keys your IAM team has been governing for twenty years, are static. They sit there. They have a known scope. The audit question is "did anyone touch this." Agentic identities are not static. They are dynamic, ephemeral, and self-directed. They exist for minutes to complete a task, then spin down. They access different resources based on real-time reasoning. They make decisions without a human review loop at each step. They invoke other agents. They invoke tools. They write to memory. They read from memory. They escalate.
That shift has three structural consequences, and each one is solvable today at the scale of fifteen agents. None of them is solvable at the scale of one hundred and fifty thousand without architecting for the curve now.
The first is identity. An agent is not a user. An agent is not a service account. An agent is a new identity class that sits between the two and behaves like neither. Microsoft's response, the Entra Agent ID class that went generally available alongside Agent 365 on the first of May, is the first major-vendor product to formalise the distinction. Google's response, the agentic enterprise control plane unveiled at Cloud Next 2026, is the second. Both are correct in their direction. Neither, on its own, is the answer for an enterprise that needs to govern across vendors.
The second is observability. This is the layer the board has heard the least about and the layer that breaks first. A single agent generates somewhere between hundreds and thousands of telemetry events for a single interaction. OneUptime's analysis, published earlier this year, puts a typical RAG pipeline, a vector database call followed by a context retrieval followed by an LLM call followed by post-processing, at ten to fifty times the telemetry volume of an equivalent traditional API call. That is per agent, per interaction. Multiply by one hundred and fifty thousand agents. Then multiply by however many interactions per day each one of them is running. The data plane that has to ingest, index, search and audit that volume in real time is not the data plane your enterprise built for application logging. It is something an order of magnitude larger, and the cost model breaks before the architecture does. Datadog, New Relic and Splunk all price by data volume. Most enterprises are about to discover that the assumption that telemetry volume scales linearly with traffic was the assumption their entire observability budget was built on.
The third is capacity. By which I do not mean compute. I mean the capacity of the governance plane itself. The audit logs, the policy engine, the kill-switches, the approval workflows, the agent inventory, the identity store, the policy distribution mechanism. Every one of those has a throughput envelope. The envelope was sized for the agent population you have today. None of it was sized for the trajectory. And capacity is the constraint nobody costs into the AI strategy slide.
Identity. Observability. Capacity. Three layers. Each compounding on the other. Each invisible from the outside until it breaks. This is what an architect sees when they look at an agentic estate. It is not what a CISO sees, because a CISO is correctly looking at the controls. The architect's job is to look at what the controls run on top of, and ask whether the substrate holds.
Now bring the trajectory back to today, because the second-order argument is the one that gets the C-suite to act.
If 14.4 per cent of agents in the average enterprise reach production with full IT approval today, and the agent population is about to grow approximately ten thousand times in three years, the obvious question is whether the 14.4 per cent governance ratio holds, improves, or collapses across that growth curve. There is no honest scenario in which it improves on its own. The agents are spinning up faster than the governance team is hiring. The vendors are shipping new tool integrations faster than the security review cycle can absorb them. The MCP servers, the Agent 365 third-party connectors, the Salesforce Headless 360 endpoints, the Snowflake Cortex extensions, the Cequence Agent Personas, every one of them is a new surface area an agent can be granted capability on, and every one of them was published this fortnight.
The realistic scenarios are: governance ratio holds at roughly 14 per cent, in which case in 2028 you have approximately 21,000 governed agents and 129,000 ungoverned ones. Or governance ratio collapses to single digits as the curve overwhelms the controls, which is what 80 per cent of Fortune 500 companies are reporting today. Or, in the scenario the architect is meant to design, the ratio is pushed toward 90 per cent and above by changing the substrate, not by hiring more governance staff.
The third scenario is the only one that scales. It is also the only one that requires architecture rather than process. Process is the tactic that says "review every new agent before it ships." That tactic is a wall that one hundred and fifty thousand agents will go through. Architecture is the substrate that says "an agent cannot ship outside the governance plane, because the governance plane is what it ships into." That is a different proposition. It is the difference between a customs queue and a passport control system.
I have been writing about the architectural framework for an AI-native operating model for months now. The Mythos piece said your infrastructure has defects you cannot see. The foundation piece, a fortnight before that, said your AI strategy has no foundation. This piece adds the third leg of the same triangle: your governance plane is not the agents you have today. It is the substrate the agents you have not built yet will run on. If the substrate is wrong, the controls do not save you. The controls only buy you time.
If you are reading this from a CTO chair or a board seat, the questions you put to your enterprise architect in the next two weeks are these.
First, what is our agent inventory today, and what is the discovery process that finds the agents nobody told us about. If the answer to the second part of that question is silence, you do not have an inventory, you have a hope. The CSA's published guidance on shadow agent discovery, the Cequence Agent Personas product, the Microsoft Defender for Agents capability that ships with Agent 365, are all options. Pick one. Run the discovery. The number you get back will not be the number you expected. That is the point.
Second, what is the agent identity model. If the answer is "we use service accounts," you are running a 2015 IAM model into a 2026 problem. If the answer is "we use Entra Agent ID for Microsoft agents and something else for the rest," you have a vendor coverage gap. If the answer is "we have an internal agent identity primitive that wraps around Entra, Google, AWS Bedrock and our internal stack," you have the beginnings of an architecture. Most enterprises do not.
Third, what is the observability target by the end of 2026. Specifically: what percentage of agent tool calls, prompt logs, response logs and decision rationales are captured in a system the security team can query in under ten seconds. If the answer is below 80 per cent, you do not have observability. You have a sampling exercise. And if the cost model for getting that to 80 per cent is calculated on per-GB pricing from a traditional log vendor, your CFO is about to get a bill that ends the conversation.
Fourth, what is the capacity headroom on the governance plane. Specifically: at the current rate of agent growth in your estate, how many months until you saturate your audit log retention, your policy engine throughput, your kill-switch fan-out, your identity store. The honest answer is usually "we have not modelled it." Model it.
Fifth, who owns the role that did not exist in your org chart twelve months ago. Microsoft has formalised it as the Agent ID Administrator. The principle generalises. Somebody on your team needs to be accountable for the lifecycle of every agent identity in your enterprise, the same way somebody is accountable for human identity today. If the role is implicit, distributed, or unfilled, it does not exist. The audit committee will discover that the day after the first incident.
Sixth, when your CFO gets the cloud invoice for H2 2026, will the AI line items be on the AI budget or hidden inside the observability budget. Most will be the latter. That is a financial-control failure as well as an architectural one.
These are not security questions. They are architecture questions. The CISO answers to them only after the architect has framed them. If your enterprise architecture function is not at the table for this conversation, you have the same structural gap we wrote about three weeks ago, in a different room.
The easy reading of this piece is that CISOs are not equal to the moment. That is not the argument.
CISOs and their teams are exactly equal to the moment they have been asked to operate inside. The problem is that the moment they have been asked to operate inside was the 2018 to 2024 moment. Identity and access management. Endpoint protection. Network segmentation. SIEM. SOC. The CISO playbook is the right playbook for those problems. It is not the wrong playbook for agentic governance, but it is incomplete.
The architectural decisions that determine whether the CISO playbook scales are upstream of the CISO. They are decisions about the agent identity primitive, the telemetry data plane, the policy distribution model, the capability model, the kill-switch topology, the cross-vendor abstraction. These are TOGAF outputs. They sit in the application architecture and the technology architecture domains. They are produced by an enterprise architect or they are not produced at all, and if they are not produced at all the CISO inherits a substrate that cannot be controlled by any tool the CISO can buy.
AI is not a feature release. It is a structural cost reset, and the structure that is being reset is the operating model. Governance is not a phase. It is the architecture. The architect's job is to design the substrate the controls run on. The CISO's job is to operate the controls. If the substrate is wrong, no operating excellence saves you.
We cannot guarantee that any enterprise will land 2028 with one hundred per cent agent governance coverage. Nobody honest can. The trajectory is moving faster than the substrate work that the trajectory requires.
What we can take you to is a high degree of confidence. Confidence that the agent identity primitive in your stack is one your architecture will still recognise in three years. Confidence that the telemetry data plane has been costed against the trajectory rather than against today. Confidence that the governance plane has capacity headroom modelled, not assumed. Confidence that the agents shipping into your estate next quarter cannot ship outside the substrate, because the substrate is what they ship into. Confidence that, when your audit committee asks how many agents you are running and what each one of them did last Tuesday at fourteen twenty-three, your team has a defensible answer, not a narrative one.
That is the goal. Not zero shadow agents, which is unreachable. High confidence that the substrate will hold as the agent population scales by orders of magnitude over the next three years.
If you are on a board and you do not have confidence in your agent governance trajectory, ask the question. Demand the inventory. Demand the identity model. Demand the observability number. Demand the capacity model. Demand the named role in the org chart. None of those is a six-month exercise. All of them are clarifying.
If 1Digit can help, fantastic. Our AI Readiness Assessment now includes an agent governance architecture review as a defined module. Two weeks of focused work, by enterprise architects who have been on both sides of this problem. We look at it as an architecture question first and a security question second, because that is the order in which it has to be answered. We deliver a prioritised remediation plan that maps to the trajectory, not to today.
If we are not the right fit, find someone who is. The choice that matters is not which firm runs the review. It is whether the review happens before the agent population in your estate grows another order of magnitude, because the cost of getting the substrate right at one thousand agents is a fraction of the cost of fixing it at one hundred thousand. We have never seen the latter come anywhere near the cost of the former. We have seen organisations who did neither, and they show up in the same numbers we cited above.
Next week we will write about what happens to the numbers as they scale. The Gartner forecast is one curve. The cost curve underneath it, telemetry, observability, governance plane capacity, vendor licensing, is a second curve nobody is plotting. The two curves cross somewhere around 2027, and what happens to AI economics on the other side of that crossing is the conversation the board has not had yet. Sprawl is not just a security problem. It is a P&L problem.
For now, the question is the simpler one. Most of your agents are running outside the governance plane today. Most of them will be your colleagues' problem in three years if the curve holds. If you are the architect, the curve is your problem now.
The bodies are not just in the code. They are in the org chart. And the org chart is where they multiply.
About 1Digit. 1Digit is an enterprise AI consultancy helping CIOs, CTOs and enterprise architects design and operate AI-native estates. We work with boards, security teams and platform engineering to audit, remediate and architect for the agent trajectory. Book an AI Readiness Assessment, including the agent governance architecture review, at 1Digit.co.uk.
Our architects can assess your current data infrastructure and identify optimisation opportunities.
