Architecture
The control plane is the layer where an organization decides which AI agents may exist, what they are allowed to do, and when they are stopped. It is deliberately separate from the data plane — the gateway that carries the actual LLM, tool, and agent-to-agent traffic.
A single agent can be governed by hand. A fleet cannot. Once agents persist, delegate, and scale into the hundreds or thousands, manual governance collapses — and the control plane is the piece of infrastructure that replaces it.
Security
The control plane is not a management convenience — it is where most agentic security controls live. Each control below maps to a concrete risk that appears once agents scale.
Mitigates: Shadow AI and agent sprawl
An agent that is not in the registry does not get credentials and cannot pass the gateway. This turns discovery from a periodic audit into a structural property.
Mitigates: Privilege abuse and confused-deputy attacks
Agent identities receive narrowly scoped tokens that expire quickly. A stolen credential has a small blast radius and a short lifetime.
Mitigates: Orphaned agents and unaccountable actions
Every agent identity is linked to a responsible human owner. When the sponsor leaves or the purpose ends, lifecycle management retires the agent.
Mitigates: Excessive agency
Permissions are evaluated per request against versioned policy — which tools, which data, under which conditions — instead of being granted broadly at deploy time.
Mitigates: Recursive agent creation
Agents that create sub-agents must register them, and policy caps how deep and wide delegation chains may grow. This contains cost explosions and loss of control.
Mitigates: Runaway or compromised agents
The control plane can pause an agent, revoke its identity, and cut its gateway access in one operation — the containment action for almost every agentic incident.
Mitigates: Unauditable autonomy
Registration, policy decisions, and lifecycle events flow into tamper-evident audit trails, correlated to the human sponsor — the raw material for EU AI Act, ISO 42001, and NIST AI RMF evidence.
The separation matters: policy decisions belong in one place, policy enforcement happens on every request. An agent that bypasses the gateway escapes inline enforcement — which is why gateway routing should itself be a control-plane policy, not a convention.
The pattern is emerging across major platforms: Microsoft Entra Agent ID (agent identities with sponsors and conditional access), AWS Bedrock AgentCore (identity and policy layer for agents), and Google's agent identity work all separate the control plane from the data plane. See the glossary for definitions and the reference architecture for where the control plane sits in the overall stack.