Why Uniform Governance Fails with Enterprise AI Agents (And How to Fix It)

As organizations aggressively shift from static Large Language Model (LLM) chatbots to fully dynamic, autonomous AI agents (e.g. systems designed to plan workflows, call APIs, write runtime code, and modify enterprise databases), traditional compliance and governance frameworks are hitting a breaking point.

A landmark press release from Gartner highlights a critical systemic risk: treating AI agent governance as a monolithic, one-size-fits-all policy guarantees project failure. To safely capture the immense promise of agentic automation, enterprise leaders must transition to a proportional, artifact-centric model powered by modern DevSecOps infrastructure.

The Gartner Warning: The Crisis of “Binary Governance”

In an insightful market evaluation released in late May 2026, Gartner issued a stark warning to technology and compliance executives: by 2027, 40% of enterprises will demote or decommission autonomous AI agents due to governance failures that are only identified after catastrophic production incidents.

According to Shiva Varma, Senior Director Analyst at Gartner, the foundational cause of this high failure rate is an architectural and operational anti-pattern known as “binary governance.” Today’s organizations routinely treat autonomous agents as either entirely locked down or fully trusted. When an enterprise attempts to implement a uniform, “blanket governance” framework across its entire AI portfolio, it inevitably triggers two distinct operational failures:

• Operational Paralysis (Over-Restriction): Forcing low-risk, productivity-focused agents (such as a local developer bot that summarizes repository commits) through a months-long compliance checklist designed for high-stakes regulatory environments. This completely breaks delivery velocity and pushes engineers directly toward unmonitored shadow AI solutions.
• Systemic Exposure (Under-Restriction): Subjecting a highly autonomous agent, one authorized to access client-facing payment systems, modify cloud infrastructure, or ingest live financial portfolios, to generic application-level monitoring. This leaves significant gaps in data privacy, supply chain integrity, and operational security, which are often discovered only when a severe data breach or unauthorized execution occurs.

The core takeaway: AI agents cannot be governed as a single, uniform tier. Instead, enterprises must deploy a proportional governance approach that aligns security parameters specifically to the trust boundaries an agent crosses and its level of execution autonomy.

Meeting with enterprise customers, we hear about this exact friction all the time. Right now, most organizations are oscillating between two deeply flawed extremes: a total corporate ban or a complete Wild West. But here’s the truth: even IT and security leaders who enforce a total ban know a Wild West is happening under the radar. Developers are inherently driven to build and solve problems; if governance protocols feel like an impenetrable bureaucratic brick wall, engineers will do whatever it takes to bypass security constraints and use unvetted tools just to stay productive.

However, implementing “fluid,” adaptable policies across dozens of disparate systems requires moving away from superficial runtime prompt filtering. True control requires establishing comprehensive management over the discrete software artifacts that compile the agent.

The Anatomy of a Modern Agent: It’s All Software Artifacts

Engineers and security professionals grounded in DevSecOps shouldn’t treat an AI agent like a magical black box. Beneath the orchestration layer, a modern agent is streamlined into a standardized stack composed of the Model, MCPs, Tools, Plugins, and Skills.

Every layer is a versioned software artifact requiring governance

1. MCPs & tools (the enterprise context & action layer)

The open-source Model Context Protocol (MCP) has fundamentally shifted how agents interact with the enterprise by unifying data context and actionable tools into a single architectural standard. Instead of maintaining separate, brittle RAG pipelines and custom API wrappers, modern agents consume both data (databases, enterprise files, local environments) and executable capabilities (the tools to close a Jira ticket, trigger a GitHub action, or modify a billing status) via unified MCP servers.

• The Artifact Reality: Because tools are now typically baked directly into MCPs, these servers are distributed and consumed as standard software dependencies. Developers frequently pull them directly from public open-source registries, such as npm (via npx), PyPI, Docker Hub, or the official Model Context Protocol Registry.
• The Risk: Whether they are packaged as containerized OCI/Docker images or language-specific packages, they contain underlying code-execution scripts and schemas (such as OpenAPI specifications). An unverified or unvetted MCP server configuration poses a severe dual threat: it serves as a direct backdoor into your corporate data infrastructure, and an untrusted tool configuration can lead to remote code execution (RCE) or unauthorized privilege escalation within your environment.

2. Plugins (the ecosystem integrations)

Plugins are the packaged extensions that connect your agent to specific enterprise SaaS ecosystems (e.g., ServiceNow, Salesforce, Slack, or Microsoft 365), allowing the agent to interact directly with third-party vendor marketplaces.

To understand their governance challenge, it helps to look at how they differ from open standards like MCP. While MCP acts as a universal bridge for data, plugins are inherently agent-specific. A plugin built as an OpenAI Action or a Custom GPT component will not natively run inside Microsoft Copilot, Salesforce Einstein, or a standalone LangChain framework. Each platform vendor enforces its own proprietary runtime architecture, execution logic, and authentication wrappers. This creates a highly fragmented ecosystem where a single enterprise workflow might require three different, custom-engineered versions of the same functional plugin.

• The Artifact Reality: Because plugins are tightly bound to specific agent platforms, they are delivered as disparate software artifacts, ranging from zipped manifest bundles and raw JSON connection schemas to framework-specific packages (like npm or NuGet modules) containing custom OAuth scopes and integration code.
• The Risk: Downloading an unvetted, agent-specific plugin from a public marketplace introduces severe supply chain risks into that specific runtime environment. Because these plugins often operate with the high-level permissions of the underlying enterprise account, a compromised or malicious plugin artifact can easily execute unauthorized API transactions, leak session tokens, or silently exfiltrate sensitive corporate data back to an untrusted third party.

3. Skills (the logic & behavior)

Skills encapsulate the system prompts, behavioral guardrails, procedural instructions, and execution workflows that teach the model how to orchestrate its tools, MCP data, and plugins to accomplish a corporate mission.

• The Artifact Reality: In modern agent platforms, skills are packaged as declarative configuration bundles centered around a standardized SKILL.md specification. Just like developers pull open-source packages, they frequently download pre-built agent skills directly from public, ungoverned community registries like skills.sh, OpenClaw (ClawHub), or public GitHub repositories via tools like npx skills add.
• The Risk: Because a skill dictates the agent’s actual reasoning loop and can contain executable local scripts, pulling a corrupted or untrusted skill file is incredibly dangerous. A simple prompt injection, a tool-poisoning exploit, or an unauthorized configuration edit hidden within a community skill can completely rewrite an agent’s safety boundaries—causing it to bypass compliance gates, exfiltrate context-window data, or execute malicious background tasks on the host machine.

Proportional Artifact Governance: The Four Autonomy Levels

To bridge the gap between Gartner’s strategic advice and practical AI security and governance execution, organizations must implement a tier-based artifact verification matrix. By breaking down AI agents into Gartner’s four distinct autonomy levels, we can define specific, proportional artifact controls for each stage:

Controls scale proportionally to trust boundaries crossed

The Role of JFrog AI Catalog and Artifactory in Proportional Governance

This is precisely how the JFrog Software Supply Chain Platform, integrating Artifactory, Xray, and the AI Catalog, is unifying the software supply chain with the AI supply chain, creating a single, secure governance framework that transforms the complex theory of proportional governance into an automated, highly scalable enterprise reality.

JFrog Platform: one supply chain for models, tools, and agent config

Instead of forcing teams to manage fragmented point solutions, JFrog treats models, MCP servers, tools, plugins, and skills as primary, first-class software artifacts within the same secure software supply chain architecture used for global enterprise software development.

1. Securing the engine tier via the JFrog AI Catalog

Through the centralized hub of the JFrog AI Catalog, organizations gain single-pane-of-glass visibility and precise policy control over their agent engines, directly backed by the industry-standard registry capabilities of JFrog Artifactory.

• For Hugging Face Model Packages: The AI Catalog allows your security and platform engineering teams to discover, evaluate, and explicitly approve open-weight models. With JFrog Artifactory serving as your universal registry, you can create secure remote repositories that proxy public hubs such as Hugging Face. This architecture guarantees that every imported model weight set is cached locally, subject to strict access controls, and maintained as an unalterable system of record.
• For NVIDIA NIM: The AI Catalog seamlessly aligns GPU-accelerated inference with your established enterprise DevSecOps practices. For containerized deployments like NVIDIA NIMs, Artifactory serves as your secure, internal OCI registry, hosting the verified microservice images your infrastructure needs to deploy GPU-accelerated agents instantly.

2. Governing the context and action layers through MCP curation

To safely enable the enterprise context layer without inviting data exfiltration, the JFrog MCP Registry within the AI Catalog acts as the definitive system of record for all Model Context Protocol servers across your organization.

• Administrators can curate and allow pre-built or custom MCP servers on a per-project basis, enforcing tool policies before developers use them.
• Developers connect their coding agents directly to approved MCP servers via the JFrog Agent Guard (a secure local proxy accessible through the JFrog CLI plugin). This ensures that agents cannot execute unauthorized, destructive, or ungoverned commands against internal corporate data environments.

3. Mitigating supply chain risk with JFrog Xray

As artifacts are indexed within the AI Catalog, JFrog Xray executes deep, automated security analysis specifically engineered for the modern agent stack.

• For Models & MCPs: Xray uncovers malicious code hidden within serialization layers (such as arbitrary code-injection vulnerabilities embedded in legacy Python .pickle files) and flags restrictive or toxic open-source licenses. It scans the underlying container layers of MCP servers and NVIDIA NIMs for OS-level CVEs.
• For Tools & Plugins: Xray scans the inbound npm, pip, or NuGet packages that define third-party plugins, ensuring a rogue marketplace extension doesn’t introduce a supply chain vulnerability into your core agent environment.

4. Runtime enforcement and validation via JFrog Agent Guard

When an enterprise agent advances to Level 3 or 4 autonomy, relying solely on passive repositories or heavy, manual approval gates is a recipe for operational failure. Organizations need active, runtime governance to ensure that what the agent executes matches the enterprise’s exact safety mandates. This is where JFrog Agent Guard becomes the essential enforcement layer.

Instead of relying on monolithic platform release bundles, the JFrog Platform leverages Agent Guard (operating via the secure JFrog CLI plugin or local execution proxy) to dynamically control and validate the agent’s environment. Agent Guard acts as a secure delivery and validation checkpoint that pulls down and deploys only approved skills and approved MCP configurations stored in your curated Artifactory repositories.

Furthermore, it strictly monitors and restricts execution boundaries, ensuring the agent can only utilize approved tools. If a high-autonomy agent attempts to invoke an unauthorized API, execute a compromised script from an untrusted public marketplace, or leverage an uncurated skill configuration, Agent Guard instantly intercepts the command—acting as an intelligent, programmatic circuit breaker that preserves enterprise security in real time.

5. Programmatic circuit breakers and runtime policy enforcement

For high-risk Level 4 fully autonomous agents, Gartner mandates the enforcement of rapid rollback mechanisms and real-time circuit breakers. If an autonomous agent begins to drift from its operational parameters, exhibits unexpected hallucinatory behavior, or shows vulnerability to adversarial prompt injections, operations and security teams must have the capability to kill or revert the system’s permissions instantly.

Because the JFrog Platform delivers these capabilities dynamically through JFrog Agent Guard, platform teams can establish an active, programmatic circuit breaker directly at the execution layer.

• Rather than relying on a complex, manual redeployment of an entire application stack, Agent Guard acts as a real-time policy gatekeeper.
• If a production observability tool or an automated security scan flags an anomaly or a policy violation, Agent Guard can instantly revoke an agent’s access to a compromised skill, disconnect an unverified MCP data context, or block specific tool actions.

Because Agent Guard continuously syncs with the vetted, curated registries inside Artifactory, it ensures that your autonomous systems can instantly be forced back into a known safe state, restoring corporate compliance and halting unauthorized actions in milliseconds.

Defeat the Governance Crisis Before it Starts

The race to deploy enterprise AI agents cannot be won with a binary mindset. Imposing monolithic, heavy-handed approval chains across every workflow kills innovation, while leaving high-autonomy agents unmonitored invites systemic disaster.

The path forward is to secure the building blocks. Treat your models, MCP packages, tools, plugins, and skills as core software artifacts, and govern them proportionally.

Ready to bring DevSecOps rigor to your agentic AI pipeline? Explore the JFrog AI Catalog and see how the unified JFrog Platform can automate contextual AI security across your entire enterprise software supply chain today.