Why Enterprises Need Only One Control Plane for AI Agents
Yesterday, VentureBeat published a piece by Matt Marshall titled “The AI governance mirage.” It aligns with several opinions I have shared over the last few months. It also validates what I’ve been building.
The argument, in Marshall’s words: 72% of enterprises claim to have two or more “primary” AI platforms. They believe they have governance. They don’t. They have sprawl wearing a governance costume. Nallan “Sri” Sriraman, CTO of Mass General Brigham, called it the “six blind men problem”: every vendor is touching a different part of the same elephant and calling it the whole animal.
The piece asks a pointed question at the end: what is the way out?
I want to answer that question directly, because that’s exactly where Nomotic sits.
It’s called the Agent Management Platform
Every enterprise is about to run a fleet of AI agents. Not one agent. Not ten. Hundreds, then thousands, then tens of thousands. The ratios are already moving; Silverfort’s research shows that, in enterprise environments today, non-human identities outnumber human ones 50:1. That ratio climbs every quarter.
That fleet needs infrastructure. The same way a website fleet needs hosting, DNS, CDNs, analytics, and security. The same way a mobile app fleet needs distribution, crash reporting, push notifications, and attribution.
Today, agent infrastructure is fragmented across a dozen vendors, each owning a corner of the problem:
- Hosting: Heroku, Vercel, Modal, Railway
- Governance: Arthur, Credo, Holistic AI, IBM watsonx
- Identity and registry: AWS Agent Registry, Microsoft Entra, Okta
- Security and lifecycle: ServiceNow, SailPoint, CyberArk
- Observability: Datadog, Arize, Langfuse, New Relic
- Distribution: Hugging Face and a category no one has won yet
Each category is already a multi-billion-dollar market. Each one is growing independently. None of them talk to each other. And no enterprise IT organization wants six contracts, six integrations, six dashboards, and six security reviews to do one thing: manage their agents.
The Agent Management Platform (AMP) is the category that replaces the six. Not a thin aggregator sitting on top of incumbents. A native, full-stack platform built for agents from day one, spanning the entire lifecycle.
The lifecycle matters because agents have one
Agents aren’t microservices. They aren’t API endpoints. They have a birth, a purpose, a body of work, and eventually a retirement. The infrastructure that manages them has to respect that lifecycle.
We break it into four phases:
Onboard. Register the agent with cryptographic identity. Shape its behavior with archetypes and compliance presets. Test it in a sandbox with real LLM evaluation before it ever touches production.
Launch. Package the agent into a portable, signed artifact. Deploy it through stage-zone-version-controlled pipelines. Host it on a managed runtime that scales across regions.
Operate. Orchestrate the fleet through a unified console. Govern every action before it executes. Secure the agents with certificates, revocation, and interrupt authority. Marshall’s article cites OWASP’s call for a “big red button.” We’ve had one since v0.6.
Evolve. Observe in real time, with drift detection and cost tracking. Audit every decision with hash-chained, tamper-evident logs. Distribute trusted agents through a marketplace where other teams can discover, install, and use them.
Twelve capabilities. One platform. One dashboard. One contract.
The governance mirage is real
Marshall’s piece focuses heavily on governance, and rightly so. But one of the most important points in the article is buried halfway through: enterprises using OpenAI as both their primary security solution and their primary risk source. The fox guarding the hen house.
The same pattern plays out across every single capability. Using Microsoft to observe Microsoft. Using AWS to govern AWS. Using Salesforce to secure Salesforce-native agents. Every time an enterprise picks a hyperscaler’s own tool to oversee that hyperscaler’s own agents, they’ve created a conflict of interest that they cannot audit their way out of.
A real AMP has to be independent. It has to sit above the model providers, above the orchestration frameworks, above the hyperscaler-native tools. It has to be the system of record for every agent, regardless of where that agent was built, who it talks to, or whose infrastructure it runs on.
That means the AMP cannot be an add-on shipped by one of those providers. It has to be a standalone platform, built for agents from day one, with no legacy product to protect.
The path runs through open standards
One concern raised in the VentureBeat piece is vendor lock-in. Sears Merritt explicitly said they’re refusing long-term AI vendor contracts because the landscape is too dynamic. That’s rational. And it’s the reason any AMP worth its name has to be built on open standards, not proprietary walled gardens.
We’ve submitted two protocols to the IETF independent stream:
AGTP — the Agent Transfer Protocol. A dedicated application-layer protocol for agent traffic. HTTP wasn’t built for agents. AGTP is.
AGIS — the Agentic Grammar and Interface Specification. A grammar-based interface language for agent-native APIs. Intent-expressive verbs (BOOK, FIND, SCHEDULE) instead of generic CRUD methods. Our own empirical benchmarks showed up to 29 percentage points of accuracy improvement for LLM-based agents over REST-style APIs.
We’ve also open-sourced the .agent package format through agentpk, live on PyPI. Agents should be portable in the same way containers are. They shouldn’t be trapped inside any vendor’s proprietary runtime, including ours.
Open standards are how the web won. They’re how email won. They’re how TCP/IP won. The AMP category will be defined by the vendor that commits most to open interoperability, because enterprises will not tolerate another round of proprietary lock-in. We’re betting on that.
What comes next?
Marshall ends his article with a line that I’d like to borrow and extend:
“Enterprises arguably need to own their control plane with independent security instrumentation, not wait for a vendor to win that role for them.”
I agree, with one addition: they shouldn’t wait for a vendor to define the category either. The category has a name. The category has a shape. The category has a lifecycle model, a standards strategy, and a working reference implementation.
It’s called the Agent Management Platform.
We built it. It’s live today at nomotic.ai, and you can start using it for free. If you’re an enterprise leader trying to solve the governance mirage, let’s talk.
If you’re an investor looking at the category, we’re raising a $7M seed to get on the major cloud marketplaces and scale enterprise go-to-market.
Chris Hood is an AI strategist and author of the #1 Amazon Best Seller Infailible and Customer Transformation, and has been recognized as one of the Top 30 Global Gurus for Customer Experience. His latest book, Unmapping Customer Journeys, will be published in 2026.