Architecture

The AI Control Plane

The control plane is the layer where an organization decides which AI agents may exist, what they are allowed to do, and when they are stopped. It is deliberately separate from the data plane — the gateway that carries the actual LLM, tool, and agent-to-agent traffic.

A single agent can be governed by hand. A fleet cannot. Once agents persist, delegate, and scale into the hundreds or thousands, manual governance collapses — and the control plane is the piece of infrastructure that replaces it.

Architecture sketch

Control Planecontrol layer — no agent trafficAgentRegistryAgentIdentityPolicy-as-CodeLifecycleManagementKillSwitchidentity · policy · stoptelemetry · evidenceRuntimerunning agentsAgent AAgent BAgent Call LLM · tool · A2A trafficGatewaydata planerate limiting · inline guardrails · cost caps · tracing — enforces control-plane policy inlineLLM APIsTools (MCP)Enterprise Datasecurity control (enforcement point)
The control plane governs the fleet; the gateway carries and inspects the traffic. Highlighted boxes are security controls — the points where policy is decided or enforced.

What the control plane does

  1. Agent Registry. Every agent is registered before it runs: owner, purpose, capabilities, autonomy tier. The registry is the inventory that makes shadow agents visible.
  2. Agent Identity. Agents are first-class, non-human identities with their own credentials — not shared service accounts. Each identity maps to a human sponsor.
  3. Policy-as-Code. What an agent may do is expressed as machine-readable, versioned policy: allowed tools, data reach, spend limits, approval requirements.
  4. Lifecycle Management. Agents are provisioned, updated, paused, and retired through a controlled process, so credentials and permissions never outlive the agent.
  5. Kill Switch. Any agent — or an entire fleet — can be stopped and its credentials revoked immediately when behavior deviates from policy.

Security

Security controls, and the risks they address

The control plane is not a management convenience — it is where most agentic security controls live. Each control below maps to a concrete risk that appears once agents scale.

Mandatory registration and inventory

Mitigates: Shadow AI and agent sprawl

An agent that is not in the registry does not get credentials and cannot pass the gateway. This turns discovery from a periodic audit into a structural property.

Short-lived, scoped credentials

Mitigates: Privilege abuse and confused-deputy attacks

Agent identities receive narrowly scoped tokens that expire quickly. A stolen credential has a small blast radius and a short lifetime.

Human sponsor per agent

Mitigates: Orphaned agents and unaccountable actions

Every agent identity is linked to a responsible human owner. When the sponsor leaves or the purpose ends, lifecycle management retires the agent.

Policy-as-code with conditional access

Mitigates: Excessive agency

Permissions are evaluated per request against versioned policy — which tools, which data, under which conditions — instead of being granted broadly at deploy time.

Spawn limits and sub-agent registration

Mitigates: Recursive agent creation

Agents that create sub-agents must register them, and policy caps how deep and wide delegation chains may grow. This contains cost explosions and loss of control.

Kill switch and credential revocation

Mitigates: Runaway or compromised agents

The control plane can pause an agent, revoke its identity, and cut its gateway access in one operation — the containment action for almost every agentic incident.

Telemetry into evidence collection

Mitigates: Unauditable autonomy

Registration, policy decisions, and lifecycle events flow into tamper-evident audit trails, correlated to the human sponsor — the raw material for EU AI Act, ISO 42001, and NIST AI RMF evidence.

Control plane vs. data plane

  1. Gateway (data plane). Sits inline on every LLM, tool, and agent-to-agent call. Enforces policy on traffic: rate limiting, inline guardrails, cost caps, tracing.
  2. Control Plane. Sits above the traffic. Decides which agents exist, what identity and policy they carry, and when they are stopped. The gateway enforces what the control plane decides.

The separation matters: policy decisions belong in one place, policy enforcement happens on every request. An agent that bypasses the gateway escapes inline enforcement — which is why gateway routing should itself be a control-plane policy, not a convention.

The control plane is also a target

In practice

The pattern is emerging across major platforms: Microsoft Entra Agent ID (agent identities with sponsors and conditional access), AWS Bedrock AgentCore (identity and policy layer for agents), and Google's agent identity work all separate the control plane from the data plane. See the glossary for definitions and the reference architecture for where the control plane sits in the overall stack.