Governing Customer-Owned Agents: Control-Layer Patterns for Mixed Agent Fleets
A platform engineer's guide to governing mixed agent fleets: how one control plane authorizes your agents and vendor agents alike, without trusting either by default.
Why a mixed fleet breaks per-agent trust
The instinct is to govern each agent where it runs: give the vendor agent its own service account, hope its sandbox holds, and trust its vendor's safety claims. That model fails for structural reasons, and the industry data explains why it fails harder every quarter.
Roughly 41% of codebases are now AI-generated, and around 45% of AI coding tasks introduce a critical flaw or security issue. An agent is, in effect, a fast machine-author of changes, so a fleet of them concentrates that defect rate and points it directly at production. When the author is a third party, you cannot review the code that produced the change, only the change itself. And behavior makes it worse: about 80% of developers bypass policy or guardrails when those guardrails add friction. A vendor's agent has even less incentive than your own engineers to respect a policy that lives in a document rather than in the system.
The deeper issue is that per-agent trust does not compose. Ten agents, each "reasonably safe" in isolation, produce a combined blast radius nobody scoped. Two agents can race on the same resource. A vendor agent can satisfy its own success criteria while violating yours. Trust placed in individual agents cannot be aggregated into trust in the fleet. You need a single point where authority is decided for all of them, on the same terms.
Identity first: no agent acts without an attested identity
Before authorization, you need to know who is acting. In a mixed fleet, "who" is the hardest part, because the actors are non-human, ephemeral, and partly external.
Treat every agent as an untrusted workload that must prove its identity before it does anything. That means no ambient credentials, no shared service accounts, and no long-lived API keys passed to a vendor and forgotten. Each agent, yours or theirs, presents a short-lived, attested credential bound to a specific identity, and the control plane records which agent took which action under which identity. This is the difference between an audit trail that says "the integration account modified the provisioning config" and one that says "vendor agent X, instance 7, acting under a credential issued at 14:02 and valid for nine minutes, proposed this change."
Two non-negotiables for telecom specifically:
- Separate proposer from authorizer. An agent that both writes a change and applies it has collapsed the maker and the checker, exactly the separation of duties an auditor expects preserved on a regulated network. Every agent gets a propose-only default. It can plan, generate, and stage; it cannot move a change into a protected environment.
- Vendor identities are first-class, not exceptions. The temptation is to wave a trusted partner through with broad access. Resist it. The vendor agent gets the same attested-identity requirement and the same propose-only default as everything else. A partner relationship is a commercial fact, not a security control.
Evidence is the great equalizer
Here is the move that lets you govern agents you cannot inspect: stop judging agents by who built them, and judge every proposed change by the evidence attached to it. A change from your own agent and a change from a vendor's agent reach the gate carrying the same required artifact, what was exercised, what regressed, what the reachability analysis says about exposure, and the gate decides on that, not on pedigree.
This is only credible if the validation is real and change-aware. Coordinated Testing Fleets plan and execute validation against what actually changed and what depends on it, rather than running a static suite that ignores the dependency graph and proves nothing about the specific diff. For security gates, reachability matters: asking whether a flaw sits on a path that is actually reachable in your deployed system, rather than triaging every theoretical finding, can mean 70 to 90% less exploitable exposure. Applied to a mixed fleet, a vendor agent's change that introduces an unreachable issue does not have to block a release, while a reachable one routes straight to a human. You spend scarce review attention on real risk, regardless of which agent surfaced it.
Crucially, this equalizes incentives. A vendor agent cannot declare its own work complete and merge. It produces a proposal with evidence; your control plane decides. Agents propose, humans authorize, and the principle holds whether the proposer is on your payroll or your supplier's.
Failure modes to design against
A mixed-fleet control plane introduces its own ways to fail. Name them so your design accounts for them.
- Trust laundering. A vendor agent is granted broad capability "because we trust the vendor," and that grant becomes the hole everything else walks through. Derive capability from the graph and policy, never from a relationship.
- Stale graph, wrong scope. If the dependency map drifts, capability scoping misjudges blast radius and an agent reaches further than intended. The graph must be live and continuously reconciled.
- Agent collisions. Two agents act on the same resource concurrently. The control plane must serialize or detect conflicting proposals on the same subgraph, not assume agents coordinate themselves.
- Evidence the gate never reads. A change shows "tests passed" while validation never exercised the changed path. Read coverage *of the change*, not aggregate suite status.
When a vendor agent must run where your data cannot leave, inside a network operations boundary or a regulated enclave, keep the authority model intact by moving the runtime, not the trust. Edge Runners execute as signed capsules inside your perimeter and emit audit-ready evidence outward, so the data stays put and the proof comes to you. Remediation is the part to govern hardest; letting any agent, yours or a vendor's, fix a production network unsupervised is reckless, which is why governed Remediation Fleets keep apply behind the same authorization as everything else.
### What to do Monday morning
- Inventory the actors. List every agent, internal, vendor, partner, that can already write to a protected environment. You will likely find more than you expected.
- Issue attested identities. Replace shared accounts and long-lived keys with short-lived, per-agent credentials. No identity, no action.
- Scope capability to the graph. Grant each agent a subgraph, an environment, and an action class. Start vendor agents at the narrowest grant that works.
- Make the gate read evidence, not pedigree. Require the same validation artifact from every agent and route by reachability-based risk.
The bottom line
أدلة ذات صلة
منتج ذو صلة
مواصلة القراءة
Agents Propose, Humans Authorize: A Reference Architecture for Governed Autonomy
A reference architecture for letting agents act on production safely: the four control surfaces, policy, approval, evidence, attribution, and how they wire into the loop.
More Models Won't Save You: Why AI-Generated Code Needs a Control Layer, Not Smarter Autocomplete
Better code generation can't validate its own output. Why AI-written code needs a governed control layer that maps, tests, and proves every change.
Code Without Provenance: The Real Risk When 41% of Your Codebase Has No Author
When 41% of your codebase has no author, the real risk isn't bugs, it's lost intent. How a System Graph restores the provenance AI-generated code strips away.
