Skip to content
Sicherheit & Governance

Governing Customer-Owned Agents: Control-Layer Patterns for Mixed Agent Fleets

A platform engineer's guide to governing mixed agent fleets: how one control plane authorizes your agents and vendor agents alike, without trusting either by default.

Zof Reliability Team · Engineering & Produkt

25. März 2026 · 8 Min. Lesezeit · Aktualisiert 25. März 2026

Share
01

Why a mixed fleet breaks per-agent trust

The instinct is to govern each agent where it runs: give the vendor agent its own service account, hope its sandbox holds, and trust its vendor's safety claims. That model fails for structural reasons, and the industry data explains why it fails harder every quarter.

Roughly 41% of codebases are now AI-generated, and around 45% of AI coding tasks introduce a critical flaw or security issue. An agent is, in effect, a fast machine-author of changes, so a fleet of them concentrates that defect rate and points it directly at production. When the author is a third party, you cannot review the code that produced the change, only the change itself. And behavior makes it worse: about 80% of developers bypass policy or guardrails when those guardrails add friction. A vendor's agent has even less incentive than your own engineers to respect a policy that lives in a document rather than in the system.

The deeper issue is that per-agent trust does not compose. Ten agents, each "reasonably safe" in isolation, produce a combined blast radius nobody scoped. Two agents can race on the same resource. A vendor agent can satisfy its own success criteria while violating yours. Trust placed in individual agents cannot be aggregated into trust in the fleet. You need a single point where authority is decided for all of them, on the same terms.

02

Identity first: no agent acts without an attested identity

Before authorization, you need to know who is acting. In a mixed fleet, "who" is the hardest part, because the actors are non-human, ephemeral, and partly external.

Treat every agent as an untrusted workload that must prove its identity before it does anything. That means no ambient credentials, no shared service accounts, and no long-lived API keys passed to a vendor and forgotten. Each agent, yours or theirs, presents a short-lived, attested credential bound to a specific identity, and the control plane records which agent took which action under which identity. This is the difference between an audit trail that says "the integration account modified the provisioning config" and one that says "vendor agent X, instance 7, acting under a credential issued at 14:02 and valid for nine minutes, proposed this change."

Two non-negotiables for telecom specifically:

  • Separate proposer from authorizer. An agent that both writes a change and applies it has collapsed the maker and the checker, exactly the separation of duties an auditor expects preserved on a regulated network. Every agent gets a propose-only default. It can plan, generate, and stage; it cannot move a change into a protected environment.
  • Vendor identities are first-class, not exceptions. The temptation is to wave a trusted partner through with broad access. Resist it. The vendor agent gets the same attested-identity requirement and the same propose-only default as everything else. A partner relationship is a commercial fact, not a security control.
03

Authorize by capability, not by trust level

Once identity is established, the control plane decides what each agent may do. The wrong axis is "how much do we trust this vendor." The right axis is capability scoped to blast radius: what can this specific agent touch, and what breaks if it is wrong?

This is where a live System Graph becomes the substrate for governance rather than a nice-to-have map. Because it models services, dependencies, and CI/CD as one change-aware graph, the control plane can answer the question that actually predicts risk: does this proposed action touch a node that fans out to a subscriber-facing path, a billing system, or a regulated data store? Capability is then granted against the graph, not against a vendor's reputation.

Make capability grants explicit and narrow:

  • Scope to a subgraph. A vendor's network-config agent gets capability over the network-function nodes it was bought to manage and nothing else. It cannot propose a change to billing because that path is not in its grant.
  • Scope to an environment. Bind each agent to where it is allowed to operate, a production-like staging tier, a PCI-segmented subnet, an isolated ERP sandbox, so a misbehaving agent cannot wander out of its lane.
  • Scope to an action class. Read-only observation, propose-with-validation, and propose-with-escalation are different capabilities. Most agents, especially vendor ones, should start at the lowest that still lets them do their job.

The control plane unifies this. Governance is where capability grants, policy checks, and the audit trail live as configuration that applies identically to a Zof-managed agent and a customer-owned or vendor one. One policy surface, many agents, no per-vendor side deals.

04

Evidence is the great equalizer

Here is the move that lets you govern agents you cannot inspect: stop judging agents by who built them, and judge every proposed change by the evidence attached to it. A change from your own agent and a change from a vendor's agent reach the gate carrying the same required artifact, what was exercised, what regressed, what the reachability analysis says about exposure, and the gate decides on that, not on pedigree.

This is only credible if the validation is real and change-aware. Coordinated Testing Fleets plan and execute validation against what actually changed and what depends on it, rather than running a static suite that ignores the dependency graph and proves nothing about the specific diff. For security gates, reachability matters: asking whether a flaw sits on a path that is actually reachable in your deployed system, rather than triaging every theoretical finding, can mean 70 to 90% less exploitable exposure. Applied to a mixed fleet, a vendor agent's change that introduces an unreachable issue does not have to block a release, while a reachable one routes straight to a human. You spend scarce review attention on real risk, regardless of which agent surfaced it.

Crucially, this equalizes incentives. A vendor agent cannot declare its own work complete and merge. It produces a proposal with evidence; your control plane decides. Agents propose, humans authorize, and the principle holds whether the proposer is on your payroll or your supplier's.

05

Failure modes to design against

A mixed-fleet control plane introduces its own ways to fail. Name them so your design accounts for them.

  • Trust laundering. A vendor agent is granted broad capability "because we trust the vendor," and that grant becomes the hole everything else walks through. Derive capability from the graph and policy, never from a relationship.
  • Stale graph, wrong scope. If the dependency map drifts, capability scoping misjudges blast radius and an agent reaches further than intended. The graph must be live and continuously reconciled.
  • Agent collisions. Two agents act on the same resource concurrently. The control plane must serialize or detect conflicting proposals on the same subgraph, not assume agents coordinate themselves.
  • Evidence the gate never reads. A change shows "tests passed" while validation never exercised the changed path. Read coverage *of the change*, not aggregate suite status.

When a vendor agent must run where your data cannot leave, inside a network operations boundary or a regulated enclave, keep the authority model intact by moving the runtime, not the trust. Edge Runners execute as signed capsules inside your perimeter and emit audit-ready evidence outward, so the data stays put and the proof comes to you. Remediation is the part to govern hardest; letting any agent, yours or a vendor's, fix a production network unsupervised is reckless, which is why governed Remediation Fleets keep apply behind the same authorization as everything else.

### What to do Monday morning

  1. Inventory the actors. List every agent, internal, vendor, partner, that can already write to a protected environment. You will likely find more than you expected.
  2. Issue attested identities. Replace shared accounts and long-lived keys with short-lived, per-agent credentials. No identity, no action.
  3. Scope capability to the graph. Grant each agent a subgraph, an environment, and an action class. Start vendor agents at the narrowest grant that works.
  4. Make the gate read evidence, not pedigree. Require the same validation artifact from every agent and route by reachability-based risk.
06

The bottom line

Verwandte Leitfäden

Lesen Sie weiter

01Zof Console

Eine Oberfläche für Körperhaltung, Operationen und alles, was als nächstes Aufmerksamkeit erfordert.

Das authentifizierte Zuhause, das Engineering-, QA- und SRE-Teams jeden Tag öffnen: Qualitätshaltung, laufende Abläufe, Abdeckung nach Modul und was als Nächstes Aufmerksamkeit braucht.

OPERATIVE KPIs

  • Läufe
  • Deckung
  • Risiko

Lebe in jeder Umgebung, in die du versendest.

ARBEITSRÜCKEN

  • Spezifikationen
  • Tests
  • Zeitpläne

Von der Spezifikation bis zur geplanten Regression.

GELÄNDER

  • RBAC
  • SSO
  • Audit

Jede Handlung, die einem namentlich genannten Menschen zuzuschreiben ist.

LIVE/console
Zof AI Home Command Center zeigt 12 Läufe mit 94 % Erfolg, 3 offene kritische Probleme, 84 % Abdeckung, vier Modul-Rückverfolgbarkeitsbalken, die Spezifikationspipeline, bevorstehende Zeitpläne und empfohlene nächste Aktionen mit einer Seitenleiste für aktive Läufe.
Startseite · Checkout-Service · Inszenierung · Live vom Produkt erfasst.
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Governing Customer-Owned Agents: Control-Layer Patterns for Mixed Agen