
Bans Don't Scale

It's not the agents. It's the stack.

Jason Hanlon

Founder, Standard Logic Co. · May 10, 2026


SAP banned third-party AI agents. ServiceNow installed a tollbooth. Workday is charging at the door. Datadog capped how often you can knock. Each is doing the rational thing, building governance for its own platform. That's exactly why the enterprise has a problem.

The agents are coming. The pressure is real. About 40% of Anthropic's top 50 customers are now financial institutions: Goldman Sachs, Visa, Citi, AIG, Citadel. Finance is now the company's second-largest enterprise revenue segment after technology. Every CRM, ERP, ticketing system, and HR platform is being asked the same question: how do we let agents in without losing control of what they do?

Each vendor is answering that question for their own platform. Lock down. Charge. Throttle. Govern internally. From their seat, every answer is rational. From the enterprise's seat, every answer ends at the next vendor's door.

What every platform is building.

The headlines blur together. The policies don't.

SAP updated its API policy in April 2026 to bar third-party AI agents from interacting with its systems outside SAP-endorsed architectures. Microsoft Copilot, Salesforce Einstein, and a long tail of agentic vendors that had built SAP connectors woke up to formal restrictions. Joule, SAP's own in-house AI assistant, sits on the permitted side of the line.

ServiceNow announced Action Fabric at Knowledge 2026, a layer that lets external agents execute governed workflows on its platform. ServiceNow's COO confirmed the company will meter that activity. Customers will pay per action.

Workday said charging for agent access offered considerable financial upside for the company. Same playbook.

Datadog capped third-party agents at 5,000 daily requests against its MCP server.

Salesforce tightened Slack's API to restrict third-party tools from indexing or training on Slack data.

Different vendors. Different mechanisms. Same gap. Three responses.

A ban keeps everyone out. It's the safe call when you can't tell who's safe.

A tollbooth meters access. It's the right move when agent traffic becomes a real load on a platform's economics.

A rate cap limits the noise. It's necessary when every credential looks identical and you can't tell which one is misbehaving.

These instincts are correct. Each platform is building governance for the universe it controls. ServiceNow governs ServiceNow. SAP governs SAP. Workday governs Workday. None of them is wrong.

That's where the real problem starts.

The CISO is on their own.

Pick a regulated bank. Pick its CISO.

Their agents touch ServiceNow for incident workflows. They touch Workday for HR records. They touch SAP for financial close. They touch an internal payments API. They touch a third-party MCP server for market data. They touch a fintech partner for compliance.

Six surfaces. Six governance regimes. Six audit trails. Six identity models. None of them talk to each other.

When the regulator asks what their AI systems did last quarter, they have a problem. ServiceNow's audit trail covers ServiceNow. Workday's covers Workday. SAP's covers SAP. The internal API logs sit in their own systems. The MCP server is governed by whoever runs it. The fintech partner shares whatever audit format it happens to support. None of these regimes were designed to combine. None of them produces a unified, verifiable record of what their agents actually did across all of it.

The audit trail is six log files. The identity is six API keys. The authorization is six different config systems. And the accountability model is basically "trust six different vendors."

That's the actual problem. Not the agents. Not the platforms. The absence of a layer that works across every vendor in the stack.

Alone, none of these tools tells them whether one of their authorized agents went rogue across two platforms. None tells them if a credential issued for ServiceNow leaked and got used somewhere else. None gives a regulator proof of what their AI systems did across their entire stack.

Each platform building its own walls is rational. Six locked doors don't make a secure building. They make it impossible to know what happened inside.

The agents pay the price too.

The walled gardens don't just fail the enterprise. They punish the agents that should be running.

A trusted agent built by a careful team, with a clear scope and an authorized purpose, hits the same door as a hijacked credential or a model gone rogue. The platform has no way to tell them apart. So it bans both. Or meters both. Or rate-caps both into a trickle.

The cost isn't borne by the bad actors. The bad actors barely register. The cost is borne by the legitimate agents that wanted to do legitimate work and found themselves locked out, throttled, or forced through a tollbooth that taxes the very behavior the enterprise sanctioned.

A trust layer changes the question the platform has to answer. Instead of "is this an agent, yes or no?", the platform can ask "is this agent verified and authorized for this action?" The first question forces a wall. The second one opens a door for the agents that should be opening it.

The point of trust infrastructure isn't to keep agents out. It's to let the right ones in, with proof.

We've been here before.

Every time a new class of actor needed to operate across systems, the same pattern played out. Each system tried to govern the actor inside its own walls. It worked, narrowly. It didn't combine. Then someone built a neutral primitive that worked everywhere, and that became the infrastructure.

Banks used to authenticate wire instructions over Telex by hand, with manual test keys that were slow, error-prone, and easy to tamper with. Each bank ran its own protocols with each of its correspondents. Then the world's largest banks founded SWIFT as a neutral cooperative, so that no single bank would own the messaging layer the rest of them ran on.

Websites used to be unable to prove they were who they claimed to be. Each browser shipped its own list of trusted sites. Then we built certificate authorities that work across browsers.

Apps used to ask for your actual password. Each app built its own credential vault. Then we built OAuth that works across apps.

Workforces used to log into every system separately. Each company built its own user directory. Then SSO and identity providers like Okta gave the human workforce one verifiable identity that worked across every vendor in the stack.

Each time, the answer wasn't a vendor-specific solution. It was a neutral primitive. Not captive to one platform. Verifiable by everyone. Plugged into the ecosystem rather than gated by any one player.

Lockdowns are the holding pattern. Neutral infrastructure is what comes next. AI agents are the next workforce. The pattern is the same. The timeline is compressed.

What that infrastructure looks like.

The missing infrastructure is not another dashboard.

It is a trust layer.

One that sits between autonomous agents and every system they can affect.

One that turns anonymous software into accountable actors.

One that turns prompts into authority.

One that turns logs into proof.

Every agent gets a verifiable credential. Call it a passport. The passport states who the agent is, who authorized it, and what it is permitted to do. It's signed cryptographically and verifiable by anyone, without trusting any single vendor.

Every service the agent reaches gets a gate. The gate is a cryptographic enforcement point that sits in front of the service and checks the passport before any action runs. If the action is in scope, it executes. If it isn't, it's blocked. Either way, the gate signs an attestation that any party can verify later.

The passport governs what the agent can attempt. The gate governs what the service will accept. Together they make every action verifiable end to end. The same passport model can work at ServiceNow, at SAP, at the internal payments API, at the MCP server. The same gate primitive can deploy in front of every service the agent can reach. Every decision produces a tamper-evident attestation that no one can alter without leaving proof.

When the regulator asks what happened, the answer isn't six log files. It's a single chain of cryptographic proof, agent by agent, action by action, across every system in the stack.
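
The passport-and-gate flow described above, sketched as an added example (not Modei's code or wire format): an issuer signs a passport with Ed25519 from Node's built-in `crypto`, a gate checks signature and scope before acting, and each decision is appended to a signed, hash-chained log. The field names, the `genesis` marker and the sample agent are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Canonical bytes to sign/hash: JSON with sorted top-level keys (bodies here are flat).
const canon = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
const digest = (o) => crypto.createHash('sha256').update(canon(o)).digest('hex');
const sign = (key, o) => crypto.sign(null, canon(o), key).toString('base64');
const verify = (pub, o, sig) => crypto.verify(null, canon(o), pub, Buffer.from(sig, 'base64'));

// Issuer signs who the agent is, who authorized it, and what it may do.
function issuePassport(issuerKey, agent, authorizedBy, scopes) {
  const body = { agent, authorizedBy, scopes };
  return { body, sig: sign(issuerKey, body) };
}

// Gate: check signature and scope before the action runs, then attest either way.
function gate(passport, action, issuerPub, gateKey, log) {
  const ok = verify(issuerPub, passport.body, passport.sig) &&
    passport.body.scopes.includes(action);
  const prev = log.length ? log[log.length - 1].hash : 'genesis';
  const body = { action, agent: passport.body.agent, decision: ok ? 'allow' : 'deny', prev };
  log.push({ body, hash: digest(body), sig: sign(gateKey, body) });
  return ok;
}

// Auditor: replay the chain using only the gate's public key.
function verifyLog(log, gatePub) {
  let prev = 'genesis';
  for (const e of log) {
    if (e.body.prev !== prev || e.hash !== digest(e.body) || !verify(gatePub, e.body, e.sig)) return false;
    prev = e.hash;
  }
  return true;
}

function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const gateKeys = crypto.generateKeyPairSync('ed25519');
  const log = [];
  const run = (p, action) => gate(p, action, issuer.publicKey, gateKeys.privateKey, log);
  // Constructed sample values, not from the article.
  const p = issuePassport(issuer.privateKey, 'agent-7', 'ciso@bank.example', ['incident.read']);
  const forged = { body: { ...p.body, scopes: ['payments.send'] }, sig: p.sig };
  const results = [run(p, 'incident.read'), run(p, 'payments.send'), run(forged, 'payments.send')];
  const intact = verifyLog(log, gateKeys.publicKey);
  log[1].body.decision = 'allow'; // after-the-fact edit of a recorded denial
  return { results, intact, afterEdit: verifyLog(log, gateKeys.publicKey) };
}

console.log(demo());
```

The in-scope call is allowed, the out-of-scope call and the passport with widened scopes are denied, and editing a recorded denial afterwards makes the chain fail verification.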

This only works if it isn't captive to any one platform. HTTPS isn't Chrome's. OAuth isn't Google's. The trust layer for AI agents has to be the same. Independent. Verifiable. Not controlled by any vendor with skin in the platforms it governs.

That's not a ban. That's a trust model. And it does what bans, tolls, and rate caps can't: it scales across vendors.

The more valuable agents become, the less the world can tolerate fragmented governance.

The layer underneath the agent economy.

Modei is building that neutral trust layer.

Every agent gets a signed passport. Every service gets a gate. Every passport is enforced at the gate, on every action, before execution. Every decision produces a tamper-evident attestation that anyone can verify. Across every system the agent reaches, with one chain of proof.

For the CISO whose agents touch six systems and produce six audit trails. For the platform security lead who needs one trust model that holds up to a regulator across every system in the stack. For the security and risk teams who don't want to spend the next five years stitching together a different audit format every time someone asks what the agents did. For the bank that cannot accept "trust six different vendors" as the answer when the auditor walks in.

Independent. Neutral. Verifiable. Cross-platform. Not another walled garden. The connective tissue that makes the rest of them work for the enterprise stuck in the middle.

The choice.

The agent economy is here. Every platform running a system of record is building its own answer. From their seats, those answers are rational. From the seat of the enterprise trying to use all of them, the answers don't combine.

The platforms aren't going to fix that. They can't. A platform's incentive is to keep agents inside its own ecosystem, governed by its own tools, billed under its own contract. A neutral trust layer that works equally well at every vendor would dissolve exactly the lock-in each platform is racing to build. The fragmentation isn't a bug they're working on. It's the natural shape of the market when every governance regime is owned by a vendor with skin in the platforms it governs.

The platforms call it governance. To the enterprise, it is a maze.

The agent economy will not run on a pile of vendor-specific barriers. It needs a trust layer that works across all of them.

A ban is a holding pattern. A platform-by-platform governance regime is six holding patterns stacked on top of each other. A neutral trust layer is what comes next.

One becomes infrastructure. The others are just walls.


Jason Hanlon is the founder of Standard Logic Co., the company behind Modei.
