The phrase "AI agent" has quietly absorbed two very different things. One is the model that reads, reasons, and drafts. The other is the machinery that decides what that model is allowed to act on — which tools it can call, whose money it can move, and which decisions a human must still sign. The first is the agent. The second is the control plane. Conflating them is how regulated teams end up with agents that are fast, useful, and completely unaccountable.
A control plane is the layer that sits between an agent's intent and the real world. The agent proposes; the control plane authorizes, gates, limits, and records. Borrowed from networking and Kubernetes, the term draws a hard line between the data plane (where work happens) and the control plane (where policy is decided and enforced). For AI agents in a bank or a manufacturer, that line is not an architecture preference — it is the difference between a system an auditor can examine and a system nobody can answer for.
Why a prompt is not a control
Most "governed" agents today encode their limits in the prompt or in a hardcoded tool list: you may use these five tools; do not transfer more than $10,000; ask a human before deleting anything. This feels like control. It is not.
A prompt instruction is a request, not a constraint. It has no record of who approved the tool list, no version history when it changes, no way to revoke a capability mid-run, and no proof — after the fact — of what the agent was actually permitted to do on a given date. When an examiner asks "who authorized this agent to clear that sanctions hit, and show me the record wasn't altered," a paragraph of natural-language guidance is not an answer.
A control plane moves the limits out of the agent and into enforced, versioned, recorded policy. The agent can be swapped, re-prompted, or jailbroken, and the authority boundary still holds, because the boundary lives somewhere the agent cannot edit.
The five things a control plane actually does
Strip away the vocabulary and a real agent control plane does five concrete jobs.
1. Identity. Every agent is a named principal, not an anonymous process. It acts as something — an identity that holds exactly one role at a time. Nothing it does is anonymous, which is the precondition for everything else: you cannot authorize, limit, or audit an actor you cannot name.
2. Grants. Capability flows only through the role, and only the doors that role was explicitly granted are open. Everything else is denied by default. Crucially, grants are versioned: you can reconstruct exactly what any agent was permitted to do on any past date, and every change carries who approved it.
3. Segregation of duties. The agent that prepared a piece of work cannot be the one that approves it — not "should not," but cannot, enforced structurally inside the run. This is the maker-checker principle, the oldest control in finance and quality assurance, applied to machines. The attempt to self-approve is refused, and the refusal lands in the log.
4. Approval gates. For one-way doors — releasing a drug batch, filing a suspicious-activity report, pushing a config to live medical devices — the control plane parks the run and demands a human signature. A gate is a first-class workflow step: it can require a quorum of named approvers, it bars the requester from approving their own request, and it captures the signer's reason verbatim so the signature carries its meaning.
5. Audit. Every action, model call, and approval lands in an append-only, hash-chained, cryptographically signed ledger. Change one record and the chain visibly breaks. The output is an evidence bundle a third party can verify offline, against a published open spec, with zero access to your systems — trust that does not depend on trusting the vendor.
These map almost one-to-one onto rules that already exist. Segregation of duties is 21 CFR §211.22 in pharma and the Wolfsberg four-eye standard in finance. Recorded-meaning signatures are 21 CFR §11.50. Tamper-evident audit trails are §11.10(e). The control plane is not inventing governance — it is implementing the governance regulators have demanded of people for decades, now that the actor is a model. You can read the full breakdown in the six primitives.
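The difference between a limit in a prompt and a limit the agent cannot edit, and the grants, maker-checker and tamper-evident audit jobs listed above, can be shown in a few dozen lines. The following is an added illustration written for this page, not MakerChecker's own code or API; the roles, tool names, case id and grant version are constructed, and cryptographic signing of the ledger is left out so only the hash chain is shown.

```python
# Added illustration (not MakerChecker's code): deny-by-default grants,
# structural maker-checker, and a hash-chained ledger; names are hypothetical.
import hashlib, json

# Versioned grants: role -> tools. Any tool not listed is denied.
GRANTS = {"v1": {"preparer": {"draft_sar"}, "reviewer": {"approve_sar"}}}

def _h(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class Ledger:
    """Append-only; each record commits to the hash of the one before it."""
    def __init__(self):
        self.entries = []
    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        self.entries.append({"prev": prev, "event": event, "hash": _h(prev, event)})
    def verify(self):
        """Recompute the chain offline; index of the first broken link, or -1."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or e["hash"] != _h(prev, e["event"]):
                return i
            prev = e["hash"]
        return -1

class ControlPlane:
    def __init__(self, grants_version, ledger):
        self.version, self.grants = grants_version, GRANTS[grants_version]
        self.ledger, self.makers = ledger, {}   # makers: item -> who prepared it
    def act(self, principal, role, tool, item):
        """The agent proposes; the plane decides; every verdict is recorded."""
        if tool not in self.grants.get(role, set()):
            verdict = "denied: no grant"
        elif tool.startswith("approve_") and self.makers.get(item) == principal:
            verdict = "denied: maker cannot check own work"   # refusal is logged too
        else:
            verdict = "allowed"
            if tool.startswith("draft_"):
                self.makers[item] = principal
        self.ledger.append({"who": principal, "role": role, "tool": tool,
                            "item": item, "grants": self.version, "verdict": verdict})
        return verdict

def demo():
    plane = ControlPlane("v1", Ledger())
    verdicts = [
        plane.act("agent-7", "preparer", "draft_sar", "case-42"),
        plane.act("agent-7", "reviewer", "approve_sar", "case-42"),  # self-approval
        plane.act("agent-9", "reviewer", "approve_sar", "case-42"),  # second pair of eyes
        plane.act("agent-9", "reviewer", "wire_funds", "case-42"),   # never granted
    ]
    return verdicts, plane.ledger
```

Editing any recorded verdict after the fact makes `verify()` report the index of the altered record, which is the property an examiner can check without access to the running system.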
Why this matters now
In April 2026, agentic AI was scoped out of the main US model-risk guidance. There is no supervisory template for it yet — and no template means no safe harbor. The predicate rules underneath, the ones that govern what a human in that seat must do, never moved. They are date-proof, and the discovery process will not wait for new guidance to arrive. We unpack that gap in the case for why now.
The practical consequence: a team that ships agents without a control plane is not "ahead." It is accumulating undocumented decisions that someone — often a personally-liable officer — will eventually have to account for, without the record to do it. A team that ships agents with a control plane gets the speed and keeps the answer to the only question that matters in a regulated industry: prove what your agent was allowed to do, and prove the record is intact.
What to look for
When you evaluate an agent control plane, ignore the demo magic and ask the boring questions. Are grants deny-by-default and versioned? Is segregation of duties enforced at runtime, or merely flagged? Can a human approval gate bar the requester from signing their own request? Is the audit log hash-chained and offline-verifiable by someone who distrusts the vendor? Can the whole thing run self-hosted and air-gapped, on infrastructure you already trust?
If the answer to any of those is "it's in the prompt," you do not have a control plane. You have an agent with good intentions — and in a regulated industry, good intentions are not evidence.
MakerChecker is an open-source control plane built around exactly these five jobs. See how it works, or book a demo to watch an agent get blocked from approving its own work — live.