A thorough examination of 193 claims from April 2026 reveals something significant: a new infrastructure layer is crystallizing, purpose-built for the scaled deployment of AI agents. The claims span a wide field of competitors—Google Cloud, Microsoft, Databricks, Cloudflare, and a host of Web3 and blockchain-native projects—yet they converge on a common strategic insight. The next competitive battleground in enterprise and cloud computing is not the AI model itself. It is the control plane, identity framework, and governance architecture that surrounds the model.
For those evaluating Alphabet Inc., this thematic cluster carries material weight. Google Cloud is actively competing across this emerging stack—through GKE Agent Sandbox, its Agent Governance Toolkit (with conceptual parallels to industry efforts), integrations with the Model Context Protocol (MCP), and new SecOps agent launches. Yet it faces mounting competitive pressure from Microsoft, Databricks, Cloudflare, and a growing cohort of decentralized compute alternatives.
The unifying thread is this: agentic AI is forcing a fundamental re-architecting of identity, security, policy enforcement, and observability. This creates both a substantial new total addressable market and a race to define the standards that will govern it.
2. Identity and Authentication: The New Perimeter
The strongest signal across the entire claim set is unmistakable: identity has supplanted the network perimeter as the primary trust boundary in agentic architectures. This finding is supported by multiple independent sources, making it one of the most corroborated insights in the analysis.
Industry guidance from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and allied agencies specifically recommends focusing on three areas: identity management, least-privilege access, and human approval gates. This aligns with security guidance recommending identity segmentation as delivering greater risk reduction at lower cost and operational complexity than traditional network segmentation.
The Zero Trust model runs throughout the claims like a steel rail through a new territory. Zero Trust Network Access (ZTNA) is described as a post-firewall, "assume a breach" approach that is becoming the new normal in network security. Zero-trust architectures enforce policy at the network layer, and Cloudflare has strengthened its Zero Trust and edge security stack, positioning Cloudflare Mesh as "Beyond the VPN". The Air Force's Cloud One Next (C1N) initiative explicitly focuses on Zero Trust Architecture frameworks, validating that government sector adoption is underway.
Within identity itself, the shift from static credentials to federated identity-based authentication is described as an industry-wide trend, specifically within the Google Cloud Platform ecosystem. Commenters recommended using service accounts with Workload Identity Federation, describing them as significantly harder to compromise than API keys. Azure Managed Identity eliminates the need to manage, rotate, or store secrets entirely.
The FIDO2 authentication standard, underpinning passkeys, is backed by Apple, Google, and Microsoft, and the FIDO Alliance is leading industry working groups to create cryptographic, privacy-preserving standards to authenticate and protect agent-initiated payments and transactions.
Threema provides an instructive contrast in identity philosophy: it uses random eight-character Threema IDs that are not linked to a user's phone number or personal identity, differentiating itself through its security architecture and identity verification model rather than solely encryption strength.
Bhutan deployed a national digital identity wallet using the Trust over IP Foundation framework, and the Flare and Red Date decentralized KYC solution uses China's RealDID system for identity verification. Decentralized Identifiers (DIDs) are positioned as self-sovereign identity standards enabling selective, user-controlled disclosure of identity information for compliance purposes.
The conclusion is clear: identity infrastructure is being rebuilt from the ground up for an agentic world, and the platforms that anchor this identity layer will hold a commanding position in the value chain.
3. The Agent Governance and Control Plane
A second heavily corroborated theme is the emergence of a dedicated governance layer for AI agents. This is the layer where policy meets practice, where the abstract principle of "safe AI" becomes enforceable code.
The most detailed claims cluster around Microsoft's Agent Governance Toolkit, which provides a comprehensive policy framework. The toolkit uses a defaultAction: deny policy model—an allowlist approach—employs a YAML policy file format (governance-policies.yaml), and supports OPA Rego and Cedar policy languages for advanced scenarios. Its policy condition language supports equality checks, pattern matching, and boolean logic, and the policy priority system uses higher numbers for higher priority—a deny at priority 100 overrides an allow at priority 10.
Policy decisions are captured as ALLOWED, THROTTLED, and blocked (implicit deny), and governance audit events are recorded as span attributes on agent traces in Azure Application Insights.
The toolkit's Agent SRE package addresses system stability through service-level objectives (SLOs), error budgets, and circuit breakers. Error budgets tie SLOs to business decisions. Circuit breakers are explicitly described by Microsoft as the primary mitigation for cascading failure risk in multi-agent systems, with configurable failure thresholds (e.g., 5 failures in a row), recovery timeouts (e.g., 30 seconds), and half-open max calls (e.g., 2). The circuit breaker pattern prevents cascading failures from propagating through multi-agent systems.
The toolkit is available in Python, TypeScript, Rust, Go, and .NET.
The core governance principle is echoed by Andrew Rafla of Deloitte's Cyber Practice, who defines a control plane as the shared, centralized layer governing who can run which agents, with which permissions, under which policies, and using which models and tools. Organizations deploying persistent agents are advised to define kill-switch criteria from day one as part of their governance models.
Databricks' on-behalf-of user execution via the Model Context Protocol (MCP) directly addresses privilege escalation risks, executing with the requesting user's exact permissions rather than a shared service account and leveraging the existing Unity Catalog permissions model. Unity Catalog itself is described as "the brain inside of Databricks".
The adagents.json specification introduces temporal features (date windows) for time-bounded authorization delegations and delegation types defining the scope of authority in programmatic inventory relationships, including representation of complex supply chain relationships such as resellers and intermediaries. This specification reflects how governance is extending into advertising supply chains—an early indicator of how deeply agentic architectures will penetrate existing commercial infrastructure.
4. Agent Communication Protocols: Standards in Formation
Multiple claims point to the emergence of several interconnected communication protocols. The Model Context Protocol (MCP) is the most prominent among them. MCP is an Anthropic-developed protocol intended to standardize agent-tool integration and represents a standardized protocol for agent-to-system communication. It uses JSON-RPC or gRPC over HTTP for agent communication.
Google Cloud uses MCP for agent connections and announced remote MCP servers to connect agents to external systems.
The Agent-to-Agent (A2A) 1.0 protocol handles transport for agent-to-agent communication. Oracle shipped an Agent Spec architecture that includes Agent Spec (defining what runs), AG-UI (handling interactions), and A2UI (defining what the user touches). A2A and AgentCard support for Envoy are under development.
The Universal Commerce Protocol (UCP) interoperates with AP2, A2A, and MCP and uses tokenization and verifiable credentials for secure payments and agent-backend communication, with support for identity verification and integration with AP2, A2A, and MCP.
The Verifiable Intent framework enables users to authorize and control agent actions and is designed to interoperate with AP2.
The Agent Commerce Protocol (ACP) is integrated into ChatGPT to support retail checkout flows.
In advertising technology, MCP enables agent-to-agent diagnostic capability between demand-side platforms (DSPs) and supply-side platforms (SSPs).
What we are witnessing is the early architecture of an agentic internet—a layer of protocols that will govern how agents discover, authenticate, and transact with one another, much as TCP/IP governed how machines discovered and communicated with one another in the early internet.
5. Platform-Specific Agent Infrastructure
The major platforms are placing their bets, and the shape of each bet reveals their strategic intent.
Google Cloud is making significant investments in agent infrastructure. GKE Agent Sandbox provisions up to 300 sandboxes per second, uses trusted gVisor isolation, and provides secure multi-tenant isolation. Google Cloud has introduced three new SecOps agents—Threat Hunting, Detection Engineering, and Third-Party Context—and streamlined identity and access management with a least-privilege approach. The Agent Platform supports bidirectional streaming via WebSocket, Cloud Assist Investigation provides a natural language interface for debugging agents, and Wiz integration enables third-party security auditing for Google Cloud's agent platform.
Yet the claims reveal robust competition across every dimension of this stack.
Wiz launched three new security agents (Threat Hunting, Detection Engineering, and Third-Party Context), can scan agent code and infrastructure for security issues, and its Green Agent can suggest root-cause remediations for detected security issues. Wiz Skills equips coding agents with code-to-cloud context and validated attack surface findings. Wiz Defend security detections integrate with Google Security Operations and Mandiant Threat Defense.
Databricks offers coding agent integrations with Cursor, Codex, and Claude Code, and its Agent Bricks differentiator adds enterprise-specific capabilities.
Cloudflare's Sessions API stores agent state and conversation history, and its architecture includes bindings (a no-secrets environment), edge execution, Durable Objects, and lightweight isolates. Durable Objects provide stateful computation primitives that map to agent memory requirements.
Microsoft's Discovery includes built-in governance controls to keep agent-driven research aligned with strategic priorities, security and compliance standards, and safety requirements, with its Discovery Engine designed to mimic the scientific method through specialized agents that reason over knowledge, generate hypotheses, and validate them.
Docker's supply chain security approach includes verified base images, scoped and short-lived credentials, and sandboxed execution environments. The Docker MCP Gateway provides a centralized proxy, policy enforcement, secret blocking, and audit logging for agent-to-tool traffic. Docker Sandboxes are isolated microVMs for AI coding agents, with each having its own kernel, filesystem, Docker Engine, and network.
This is a contest, plain and simple. Each platform is building its own mill—its own vertically integrated infrastructure for agent deployment—and the race is to see whose mill can produce the most trusted, governable, and scalable output.
6. Decentralized and Web3 Agent Infrastructure
A substantial cluster of claims pertains to decentralized compute and identity as alternatives to centralized cloud infrastructure. These claims represent a different philosophy of industrial organization—one that challenges the vertically integrated model that has dominated computing for decades.
Bittensor's decentralized marketplace is attributed with lower costs due to eliminating middlemen and enabling global utilization of underused hardware, and the network displayed some self-healing capabilities. Decentralized Physical Infrastructure Networks (DePIN) are positioned as sector innovations in cloud gaming and GPU infrastructure, with claims of cheaper, permissionless, and censorship-resistant alternatives to centralized providers.
Render Network positions itself at the intersection of creative rendering, AI compute, and DePIN, with competitive differentiation including OctaneRender integration, relationships with Hollywood and entertainment industry partners, and a tokenized compute marketplace model. However, a notable tension exists: Render Network's job verification depends on creator approval or a 72-hour auto-approval mechanism rather than fully cryptographic, trustless verification. The report flags this as needing more formal protocol-level verification as the Dispersed product scales.
Ritual externalizes heavy computation to its mesh, separating compute responsibilities from chain coordination and settlement functions. Its key strategic advantage is its externalized, specialized compute mesh architecture as opposed to each chain maintaining sovereign compute. Message-passing frameworks and Infernet are cited as enabling technologies for externalized verifiable compute, described as enabling compute-as-a-service that blockchains can access rather than replicate internally.
The Cachee system shifts computational and storage heavy lifting from decentralized blockchain validators to a trusted-but-verifiable off-chain layer while maintaining security through on-chain hash commitments and is compatible with traditional business infrastructure including TLS, code signing, and PKI systems.
Dimitra integrates satellite imagery, IoT soil sensors, and drone data with blockchain-based immutable records for agricultural insights, providing records for EU Deforestation Regulation compliance.
PillChain utilizes AI-powered PillSentinels for spam and security management to enable zero gas fee transactions.
For enterprise workloads—especially those in regulated industries—the verification and trust gaps in decentralized infrastructure remain a significant barrier. The centralized providers' ability to offer robust identity, governance, and audit trails gives them a structural advantage for production enterprise deployments. The decentralized alternatives may find their strongest use cases in GPU compute arbitrage and specific Web3 applications rather than broad enterprise adoption.
7. Monitoring, Observability, and Debugging
A supporting theme is the need for agent-specific observability tools. Visual Studio Code version 1.116 adds agent debug logging for monitoring and debugging AI agent behaviors.
Exabeam launched Agent Behavior Analytics (ABA) capabilities at no additional cost to Exabeam New-Scale Security Operations Platform users, constituting a product launch in cybersecurity, and positions itself as a first mover and leader in the emerging agent behavior analytics space. The Exabeam New-Scale Security Operations Platform includes integrated Exabeam Nova cybersecurity agents.
Rubrik's Agent Cloud includes an "Agent Rewind" feature that can undo an autonomous agent's destructive action.
The neuron-nki-debugger-agent provides autonomous compilation error debugging by analyzing errors, searching documentation and code examples, applying corrections, and validating fixes. A suite of five specialized skills—neuron-nki-writing, neuron-nki-debugging, neuron-nki-docs, neuron-nki-profiling, and neuron-nki-profile-querying—complement AI agents for NKI kernel development.
This is the early machinery of agent observability—a category that did not meaningfully exist two years ago and is now attracting dedicated product launches from established security firms.
8. Emerging Agent Commerce and Financial Infrastructure
The intersection of agents and commerce is generating new protocol standards. Widespread adoption of agentic commerce is described as "changing the entire commerce stack".
The Agent Payments Protocol (AP2) and Universal Commerce Protocol are being designed with verifiable credentials and tokenization for agent-initiated payments.
Binance launched an "Agentic Wallet".
Meridian Finance operates agent-native compliance infrastructure embedded at the protocol level.
TrustCloud's TrustShare feature can pre-fill up to 85% of a security questionnaire using prior questionnaires and artifacts.
The FIDO Alliance is specifically working on standards for agent-initiated payments and transactions, signaling that the payment rails for agentic commerce are being designed at the standards level.
Whoever controls agent identity for payments controls the commerce layer. That is the bet, and the major platforms know it.
Analysis & Strategic Implications
9. The Control Plane as the New Competitive Moat
The most significant investment insight across these claims is this: the control plane—not the model—is becoming the defensible layer in enterprise AI. The Deloitte definition of a control plane captures precisely what is at stake: the ability to govern who runs which agents, with which permissions, under which policies.
This is where Google Cloud, Microsoft Azure, Databricks, and Cloudflare are competing. Google Cloud's MCP integration, GKE Agent Sandbox, and SecOps agent launches position it as a contender. But Microsoft's Agent Governance Toolkit offers the most detailed, production-ready framework among the claims—spanning YAML-based policies, Rego and Cedar support, circuit breakers, error budgets, and audit logging.
For Alphabet, the risk is clear: if Google Cloud's agent infrastructure is seen as one of several viable options rather than the default, it will limit platform lock-in and the associated revenue upside.
10. The Identity Standardization Race
The shift from static credentials to federated identity and the emergence of Decentralized Identifiers (DIDs) represents a structural change. If identity becomes portable across platforms, it reduces switching costs and weakens platform moats. Conversely, if a cloud provider can become the identity anchor for agentic workflows—the system that issues, verifies, and manages agent identities—it captures a foundational layer.
Google's support for FIDO2 and its Workload Identity Federation are relevant here, but the claims also show significant activity in Web3-native identity systems (DIDs, RealDID, Threema IDs, Bhutan's NDI wallet).
The FIDO Alliance's work on agent payment authentication standards could be a pivotal development: whoever controls agent identity for payments controls the commerce layer.
11. Google Cloud's Mixed Positioning
Google Cloud appears in these claims across multiple dimensions: GKE Agent Sandbox (scalable, secure execution), MCP integration (interoperability), SecOps agents (security), and IAM streamlining (least-privilege access). This breadth is strategically valuable.
However, the claims do not surface a single, unified Google Cloud agent governance framework comparable to Microsoft's Agent Governance Toolkit or Databricks' Unity Catalog-based approach. Google Cloud's strategy appears to emphasize infrastructure and interoperability—sandboxes, MCP, IAM—rather than a top-down governance product. This may be a deliberate architectural choice, but it creates a gap that competitors are actively filling.
The Wiz partnership for third-party security auditing of Google Cloud's agent platform suggests Google is relying on the ecosystem to fill gaps, which carries both flexibility benefits and fragmentation risks.
12. The Tension Between Centralized and Decentralized Infrastructure
A fascinating undercurrent in the claims is the co-evolution of centralized cloud-native agent infrastructure (Google Cloud, Azure, Databricks, Cloudflare) and decentralized alternatives (Bittensor, Render Network, Ritual, DePIN).
The decentralized claims promise lower costs, censorship resistance, and permissionless access. However, they also reveal verification and trust gaps. Render Network still relies on manual or time-delayed job verification rather than cryptographic, trustless mechanisms.
For enterprise workloads—especially those in regulated industries—this lack of verifiable trust is a significant barrier. The centralized providers' ability to offer robust identity, governance, and audit trails (as Microsoft's toolkit demonstrates) gives them a structural advantage for production enterprise deployments. The decentralized alternatives may find their strongest use cases in GPU compute arbitrage and specific Web3 applications rather than broad enterprise adoption.
13. Security as a Catalyst for Spending
Multiple claims from cybersecurity firms—Wiz, Exabeam, Rubrik—indicate that the security challenges of agentic AI are creating new product categories and spending. Exabeam's new Agent Behavior Analytics category, Rubrik's Agent Rewind, and Wiz's security agents for agent code scanning all point to an expanding security total addressable market.
For Google Cloud, its SecOps agent launches and IAM streamlining are defensive moves to capture this spend within its ecosystem. But the presence of Wiz as a cross-platform security layer—integrating with Google Cloud but not exclusive to it—suggests security remains an independent spending category rather than one captured entirely by the cloud platform.
Key Takeaways
-
The agent governance and control plane market is nascent and fragmented, creating a window for leadership. Microsoft's Agent Governance Toolkit is the most detailed offering in the claims, but no single platform has established dominance. Google Cloud's infrastructure-first approach—sandboxes, MCP, IAM—provides a foundation but lacks an equivalent unified governance product. Investors should monitor whether Google delivers a cohesive governance framework or cedes that layer to partners and competitors. The control plane—governing who runs which agents, with which permissions, under which policies—is likely to become a critical determinant of cloud platform switching costs and revenue per workload.
-
Identity is the new battleground for agentic commerce and payments. The FIDO Alliance's work on agent payment authentication, combined with the emergence of AP2, UCP, and Verifiable Intent frameworks, points toward a future where agent identity and payment authorization are tightly coupled. Google's existing passkey infrastructure (FIDO2) is an asset, but its ability to extend it into a cross-platform agent identity standard will determine whether it captures the commerce layer or merely serves as a compute provider.
-
Google Cloud's breadth in agent infrastructure is a strategic asset, but depth in governance remains unproven. The claims show Google Cloud active in sandbox isolation (300 per second GKE Agent Sandbox), protocol interoperability (MCP), security operations (three new SecOps agents), and IAM simplification. This breadth is valuable. However, competitors have more clearly articulated governance frameworks (Microsoft), observability integrations (Wiz, Exabeam), and data platform lock-in (Databricks). The absence of claims about a unified Google agent governance product—and the reliance on Wiz for third-party auditing—suggests an opening for competitors to define the governance layer on top of Google's infrastructure.
-
Decentralized compute alternatives remain structurally disadvantaged for enterprise workloads. While DePIN and tokenized compute networks (Bittensor, Render, Ritual) offer compelling cost narratives, their reliance on non-cryptographic verification mechanisms and the absence of robust identity and audit frameworks limit their addressable market. For Alphabet, this means the primary competitive threat to Google Cloud's agent infrastructure comes from other centralized platforms—Azure, Databricks, Cloudflare—rather than Web3 alternatives. But the decentralized ecosystem bears watching as a potential source of infrastructure commoditization pressure over a longer time horizon.
