Three frameworks. Ten days. Not a coordinated release, a convergence.
Each of the three organizations came to the same conclusion from a different direction: the security architecture most teams are using for agentic AI deployments is inadequate for production risk. Databricks arrived from governance and multi-agent coordination. Beyond Identity arrived from identity infrastructure and the Model Context Protocol. Google DeepMind arrived from frontier AI safety research. They built different things. They agree on the underlying problem.
That convergence is worth mapping carefully before deciding which framework to adopt, because they cover different layers, and the gaps between them are where your real exposure lives.
What Triggered the Convergence
Three forces converged in roughly the same window to make agentic security a named enterprise problem rather than a theoretical one.
First, EU AI Act Article 9 requires risk management systems for high-risk AI. Agentic AI is harder to certify under the EU AI Act than static models because its behavior is emergent: the same agent can take materially different actions in the same environment across runs. A training-time safety audit doesn’t satisfy an Article 9 risk management requirement for a system whose risk profile changes at runtime.
Second, real-world agentic incidents have started appearing in enterprise incident logs. Prompt injection attacks against deployed agents, where adversarial content in a tool’s output hijacks the agent’s next action, are now documented attack patterns, not theoretical vulnerabilities. The MITRE ATT&CK framework already catalogs these for human-operated systems. DeepMind’s contribution is mapping them explicitly to agent-specific vectors.
Third, the MCP ecosystem created a new attack surface. The enterprise AI governance stack is still assembling itself, and MCP, the Model Context Protocol that allows agents to invoke external tools and services, expanded the perimeter dramatically. An agent that can call arbitrary external tools needs identity controls that don’t exist in most current deployments.
Three Architectures, Three Layers
The three frameworks don’t compete. They address adjacent problems.
*Databricks Omnigent (June 15)* targets the governance layer of multi-agent systems. Its core contribution is a coordination framework for environments where multiple agents collaborate on a task, defining which agent has authority for which decision, how conflicts between agent outputs are resolved, and how the full multi-agent chain is logged for audit. It’s the governance layer: who does what and what’s on the record. The Wire’s registered brief on Omnigent provides the full architecture detail. Omnigent’s design choices reflect Databricks’ data engineering heritage: the framework looks like distributed systems governance applied to agent coordination.
*Beyond Identity Ceros (June 16)* targets the identity and trust layer, specifically for MCP ecosystems. Ceros establishes cryptographic identity for agents operating within MCP tool chains, so that when Agent A calls a tool via MCP, the tool can verify it’s actually talking to Agent A and not a spoofed or compromised intermediary. This addresses one of the most immediate practical attack vectors in deployed MCP architectures: tool invocation by unauthorized or hijacked agents. The Ceros architecture brief notes that it’s designed to integrate with existing enterprise identity infrastructure (SAML, OIDC) rather than require a separate identity plane.
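To make the identity-layer check concrete, here is an added example (not Ceros code, and not the MCP wire format) of what "the tool can verify it’s actually talking to Agent A" looks like in practice: each agent holds an Ed25519 key, the tool holds a registry of enrolled public keys, and every tool invocation carries a signature over its canonical encoding plus a nonce and timestamp. The tool checks identity before anything else, then freshness, then replay. The agent names, tool names, field layout and arguments are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ToolCall is what an agent sends to a tool. The field layout is constructed
// for this example; it is neither the MCP wire format nor anything Ceros
// specifies. Args is a map so json.Marshal yields a canonical (key-sorted)
// encoding to sign.
type ToolCall struct {
	AgentID  string            `json:"agent_id"`
	Tool     string            `json:"tool"`
	Args     map[string]string `json:"args"`
	Nonce    string            `json:"nonce"`
	IssuedAt int64             `json:"issued_at"` // unix seconds
}

// SignedCall is the call plus the agent's Ed25519 signature over its canonical JSON.
type SignedCall struct {
	Call ToolCall
	Sig  []byte
}

var (
	ErrUnknownAgent = errors.New("unknown agent id")
	ErrBadSignature = errors.New("signature does not verify for this agent")
	ErrStale        = errors.New("call outside freshness window")
	ErrReplay       = errors.New("nonce already accepted")
)

// NewAgentKeys issues an Ed25519 key pair for one agent. In a deployment the
// public key would be enrolled in the identity plane; here the tool holds it directly.
func NewAgentKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewNonce returns 16 random bytes as hex; the tool remembers nonces it has accepted.
func NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

func canonical(c ToolCall) ([]byte, error) { return json.Marshal(c) }

// Sign is the agent side: serialise the call and sign the bytes.
func Sign(priv ed25519.PrivateKey, c ToolCall) (SignedCall, error) {
	msg, err := canonical(c)
	if err != nil {
		return SignedCall{}, err
	}
	return SignedCall{Call: c, Sig: ed25519.Sign(priv, msg)}, nil
}

// ToolVerifier is the tool side: a registry of enrolled agent public keys, a
// freshness window, and a replay cache of nonces already accepted.
type ToolVerifier struct {
	Keys    map[string]ed25519.PublicKey
	MaxSkew time.Duration
	Now     func() time.Time
	seen    map[string]bool
}

func NewToolVerifier(keys map[string]ed25519.PublicKey, maxSkew time.Duration) *ToolVerifier {
	return &ToolVerifier{Keys: keys, MaxSkew: maxSkew, Now: time.Now, seen: map[string]bool{}}
}

// Verify checks identity first, then freshness, then replay. The signature is
// checked before the nonce is recorded so that unsigned junk cannot fill the
// replay cache or burn a nonce a legitimate agent is about to use.
func (v *ToolVerifier) Verify(sc SignedCall) error {
	pub, ok := v.Keys[sc.Call.AgentID]
	if !ok {
		return ErrUnknownAgent
	}
	msg, err := canonical(sc.Call)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sc.Sig) {
		return ErrBadSignature
	}
	age := v.Now().Sub(time.Unix(sc.Call.IssuedAt, 0))
	if age > v.MaxSkew || age < -v.MaxSkew {
		return ErrStale
	}
	if v.seen[sc.Call.Nonce] {
		return ErrReplay
	}
	v.seen[sc.Call.Nonce] = true
	return nil
}

func main() {
	pubA, privA := NewAgentKeys()
	_, privB := NewAgentKeys() // a second key the tool has never enrolled
	tool := NewToolVerifier(map[string]ed25519.PublicKey{"agent-a": pubA}, time.Minute)

	call := ToolCall{AgentID: "agent-a", Tool: "search_docs",
		Args: map[string]string{"q": "renewal terms"}, Nonce: NewNonce(), IssuedAt: time.Now().Unix()}
	genuine, _ := Sign(privA, call)
	fmt.Println("genuine call:", tool.Verify(genuine))  // <nil>
	fmt.Println("replayed call:", tool.Verify(genuine)) // nonce already accepted

	call.Nonce = NewNonce()
	spoofed, _ := Sign(privB, call) // claims to be agent-a but is signed with the wrong key
	fmt.Println("spoofed call:", tool.Verify(spoofed)) // signature does not verify for this agent
}
```

The order of checks matters: an intermediary that can forward traffic but does not hold agent-a's private key cannot get past the signature check, and because the nonce is only recorded after the signature verifies, it also cannot poison the replay cache. Enrolment of the public key (the SAML/OIDC integration the brief mentions) is exactly the part this example leaves out.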
*Google DeepMind AI Control Roadmap (June 18)* targets the runtime supervision layer. Where Omnigent governs inter-agent coordination and Ceros governs agent identity at tool invocation, DeepMind’s framework governs the reasoning and action chain of the agent itself: what it’s thinking, what it’s doing, and whether either deviates from expected behavior during execution.
Unanswered Questions
- Who governs cross-organization agent identity when your agent calls an external agentic service outside your perimeter?
- What are the chain-of-custody requirements for Supervisor Agent logs under EU AI Act Article 12 in a legal investigation?
- How do you secure the security layer itself? What's the threat model for a compromised Supervisor Agent or governance framework?
Analysis
The three-layer model (identity → governance → runtime supervision) maps to a defense-in-depth architecture that enterprise security teams already use for human-operated privileged access. The parallel is intentional: DeepMind's 'insider threat' framing isn't rhetorical; it's the design principle. Security teams that already run PAM (Privileged Access Management) programs have the right mental model for this stack.
The three-layer architecture looks like this when mapped together:
- Identity layer (Ceros): Is this agent who it claims to be? Can the tool it’s calling verify that?
- Governance layer (Omnigent): What is this agent authorized to do within a multi-agent workflow? What’s the audit record?
- Runtime supervision layer (DeepMind): Is this agent’s current reasoning chain within expected parameters? If it deviates, stop it.
None of these layers overlaps. A deployment that only implements one is exposed at the other two.
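The governance and runtime supervision rows of that mapping, as an added example that is not Omnigent or DeepMind code: a `Governor` holds an authority matrix (which agents may make which decision, in precedence order), resolves conflicting agent outputs to the highest-precedence proposer, and appends an audit record whether it adopts or denies; a `Supervisor` holds the per-task envelope of expected tools and a step budget, and halts the agent, permanently for that task, the first time a step falls outside it. The workflow, agent names, tool names and decision kinds are constructed; the identity check (signature verification at the tool) is deliberately left out of this block.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Proposal is one agent's proposed outcome for a named decision. The workflow,
// agent names and decision kinds are constructed for this example; Omnigent's
// own authority model is not described on the page and is not reproduced here.
type Proposal struct {
	Agent    string
	Decision string
	Value    string
}

// AuditRecord is the governance layer's answer to "what's on the record".
type AuditRecord struct {
	Decision string
	Chosen   string   // agent whose proposal was adopted ("" if denied)
	Rejected []string // agents whose proposals lost or lacked authority
	Reason   string
}

var (
	ErrNoAuthority = errors.New("no proposing agent holds authority for this decision")
	ErrHalted      = errors.New("agent halted by runtime supervisor")
)

// Governor holds the authority matrix: for each decision, the agents allowed to
// make it, in precedence order. Conflicts resolve to the highest-precedence proposer.
type Governor struct {
	Authority map[string][]string
	Audit     []AuditRecord
}

func NewGovernor(authority map[string][]string) *Governor {
	return &Governor{Authority: authority}
}

// Resolve adopts one proposal for a decision and records the outcome either way.
func (g *Governor) Resolve(decision string, proposals []Proposal) (Proposal, error) {
	byAgent := map[string]Proposal{}
	for _, p := range proposals {
		if p.Decision == decision {
			byAgent[p.Agent] = p
		}
	}
	others := func(except string) []string {
		var out []string
		for a := range byAgent {
			if a != except {
				out = append(out, a)
			}
		}
		sort.Strings(out) // deterministic audit records
		return out
	}
	for _, agent := range g.Authority[decision] {
		if p, ok := byAgent[agent]; ok {
			g.Audit = append(g.Audit, AuditRecord{Decision: decision, Chosen: agent,
				Rejected: others(agent), Reason: "adopted by authority precedence"})
			return p, nil
		}
	}
	g.Audit = append(g.Audit, AuditRecord{Decision: decision, Rejected: others(""),
		Reason: "denied: no proposer holds authority"})
	return Proposal{}, ErrNoAuthority
}

// Supervisor is the runtime layer: an envelope of tools expected for the
// current task and a step budget. A step outside the envelope is not executed;
// the agent is halted and stays halted, which is the kill-switch behaviour.
type Supervisor struct {
	allowed  map[string]bool
	maxSteps int
	steps    int
	Halted   bool
	Reason   string
}

func NewSupervisor(expectedTools []string, maxSteps int) *Supervisor {
	s := &Supervisor{allowed: map[string]bool{}, maxSteps: maxSteps}
	for _, t := range expectedTools {
		s.allowed[t] = true
	}
	return s
}

func (s *Supervisor) halt(reason string) error {
	s.Halted, s.Reason = true, reason
	return fmt.Errorf("%w: %s", ErrHalted, reason)
}

// Check runs before every tool call the primary agent wants to make.
func (s *Supervisor) Check(tool string) error {
	if s.Halted {
		return fmt.Errorf("%w: %s", ErrHalted, s.Reason)
	}
	s.steps++
	if s.steps > s.maxSteps {
		return s.halt(fmt.Sprintf("step budget of %d exceeded", s.maxSteps))
	}
	if !s.allowed[tool] {
		return s.halt("tool outside task envelope: " + tool)
	}
	return nil
}

func main() {
	gov := NewGovernor(map[string][]string{"approve_refund": {"finance-agent", "support-agent"}})
	adopted, err := gov.Resolve("approve_refund", []Proposal{
		{"support-agent", "approve_refund", "approve"},
		{"finance-agent", "approve_refund", "deny"},
	})
	fmt.Println(adopted.Agent, adopted.Value, err) // finance-agent deny <nil>
	fmt.Printf("%+v\n", gov.Audit[0])

	sup := NewSupervisor([]string{"search_docs", "draft_reply"}, 5)
	fmt.Println(sup.Check("search_docs")) // <nil>
	fmt.Println(sup.Check("send_wire"))   // halted: tool outside task envelope: send_wire
	fmt.Println(sup.Check("draft_reply")) // still halted
}
```

The two halves answer the two questions in the list above. The audit record is written on denial as well as adoption, because the denied path is the one an investigator usually asks about. The supervisor's envelope is a blunt stand-in for DeepMind's reasoning-state analysis, but the control property is the same: a deviation is stopped before it executes, not logged after it does.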
What the DeepMind Framework Actually Does
The AI Control Roadmap’s core insight is that training-time alignment (building safety into the model before deployment) is necessary but not sufficient. A well-aligned model can still be hijacked by adversarial inputs at runtime: a malicious document in its context, a poisoned tool response, a carefully constructed prompt in an external API call. “Insider threat” is the right analogy. A trusted employee can be socially engineered. A trusted agent can be prompt-injected.
The Supervisor Agent runs alongside the primary agent, performing what DeepMind calls “contrastive safety search” on the primary agent’s reasoning states. According to DeepMind, this approach reduced jailbreak success rates by 94% in internal evaluations, a self-reported figure without independent verification. Treat it as a directional claim, not a production benchmark. The methodology behind it, including what constitutes a “jailbreak success” in DeepMind’s testing regime, isn’t publicly disclosed.
Cryptographic Provenance is the framework’s most immediately actionable element. Every agent action is cryptographically signed. The kill switch triggers if an action can’t be verified against its provenance signature. This is standard supply chain security practice, applied to agent action chains. It’s implementable with existing cryptographic tooling. The inference overhead isn’t disclosed, and that matters for latency-sensitive workflows.
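The provenance mechanism described above, as an added example that is not DeepMind's code and assumes a record format the roadmap does not publish: the agent-side `Recorder` signs each action over a hash that also commits to the previous action's hash, so the log is a signed hash chain; the `KillSwitch` walks the chain before anything acts on it and halts at the first action whose link or signature fails. The tool names, arguments and the chaining format are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Action is one step the primary agent took. Prev is the hex hash of the
// preceding action, so the log is a hash chain; Sig is the agent's Ed25519
// signature over this action's hash. Field names and the sample workflow are
// constructed for this example; the DeepMind roadmap does not publish its format.
type Action struct {
	Seq  int
	Tool string
	Args string
	Prev string
	Sig  []byte
}

// hash commits to every field except the signature, length-prefixing each
// field so that separator characters inside Args cannot produce collisions.
func (a Action) hash() []byte {
	h := sha256.New()
	for _, f := range []string{fmt.Sprint(a.Seq), a.Tool, a.Args, a.Prev} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return h.Sum(nil)
}

var (
	ErrChainBreak   = errors.New("action does not link to the previous one")
	ErrBadSignature = errors.New("action signature does not verify")
)

func NewProvenanceKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Recorder runs on the agent side and signs each action as it is taken.
type Recorder struct {
	priv ed25519.PrivateKey
	last string
	Log  []Action
}

func NewRecorder(priv ed25519.PrivateKey) *Recorder { return &Recorder{priv: priv} }

func (r *Recorder) Record(tool, args string) Action {
	a := Action{Seq: len(r.Log), Tool: tool, Args: args, Prev: r.last}
	digest := a.hash()
	a.Sig = ed25519.Sign(r.priv, digest)
	r.Log = append(r.Log, a)
	r.last = hex.EncodeToString(digest)
	return a
}

// KillSwitch sits between the log and anything that acts on it. Verify walks
// the chain and returns how many actions checked out; the first action that
// cannot be verified halts the agent and records the reason.
type KillSwitch struct {
	Pub    ed25519.PublicKey
	Halted bool
	Reason string
}

func (k *KillSwitch) Verify(log []Action) (int, error) {
	prev := ""
	for i, a := range log {
		if a.Seq != i || a.Prev != prev {
			return i, k.trip(i, ErrChainBreak)
		}
		digest := a.hash()
		if !ed25519.Verify(k.Pub, digest, a.Sig) {
			return i, k.trip(i, ErrBadSignature)
		}
		prev = hex.EncodeToString(digest)
	}
	return len(log), nil
}

func (k *KillSwitch) trip(seq int, cause error) error {
	k.Halted = true
	k.Reason = fmt.Sprintf("action %d: %v", seq, cause)
	return fmt.Errorf("%w (action %d)", cause, seq)
}

func main() {
	pub, priv := NewProvenanceKeys()
	rec := NewRecorder(priv)
	rec.Record("search_docs", "q=renewal terms")
	rec.Record("draft_reply", "to=customer-17")
	rec.Record("send_reply", "draft=1")

	ks := &KillSwitch{Pub: pub}
	fmt.Println(ks.Verify(rec.Log)) // 3 <nil>

	// Someone edits the middle action after the fact: its hash changes, the
	// signature no longer verifies, and the switch trips before action 2 is acted on.
	tampered := append([]Action(nil), rec.Log...)
	tampered[1].Args = "to=somewhere-else"
	ks2 := &KillSwitch{Pub: pub}
	fmt.Println(ks2.Verify(tampered)) // 1 action signature does not verify (action 1)
	fmt.Println(ks2.Halted, ks2.Reason)
}
```

Chaining is what turns per-action signatures into provenance: a signed action can still be deleted or reordered, but with each hash committing to its predecessor, removal or reordering breaks the link and trips the switch at that point. The overhead is one SHA-256 and one Ed25519 signature per action on the agent side and one verification per action on the supervisor side, which is the cost the page notes DeepMind has not disclosed.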
The threat taxonomy mapped to MITRE ATT&CK creates a shared vocabulary for red-teaming. Security teams that already work with MITRE ATT&CK for human-operated systems can extend their existing threat modeling to agentic deployments using the same framework. That’s a practical interoperability gain, not just a conceptual one.
The Gap Map
The part nobody mentions in any of the three frameworks: cross-organization agent identity federation.
When your supervised, governed, cryptographically signed agent calls an external agent you don’t control (a third-party agentic service, or a vendor’s API that routes through their own agent layer), you’re outside the security perimeter all three frameworks define. None of Omnigent, Ceros, or the DeepMind roadmap addresses what happens when the identity and governance guarantees you’ve built stop at your organizational boundary.
A second gap: incident response for agent-driven events. What’s the forensic process when a supervised agent takes an action that causes harm, and the Supervisor Agent’s logs are the primary evidence? None of the three frameworks defines chain-of-custody requirements for agent action logs in the context of legal or regulatory investigations. The EU AI Act’s Article 12 (transparency and record-keeping) is on a collision course with this gap.
A third gap: supply chain risks for agent frameworks themselves. If the Supervisor Agent model or the governance framework has a vulnerability (a poisoned weight, a compromised update), the security layer becomes the attack surface. None of the three frameworks addresses the security of the security tooling.
What Enterprise Teams Should Evaluate Now
The question isn’t which framework to adopt. Most production agentic deployments will need elements of all three layers. The question is sequencing: which layer is most exposed given your current deployment architecture.
If you’re running MCP-based tool chains without agent identity verification: Ceros addresses your most immediate attack surface.
If you’re running multi-agent workflows where individual agent authority isn’t defined or logged: Omnigent addresses your governance and audit exposure.
If you’re running high-autonomy agents (long-horizon tasks, external API access, minimal human-in-the-loop) without runtime monitoring: the DeepMind framework addresses your runtime supervision gap.
Don’t wait for a unified framework that covers all three layers. It doesn’t exist yet, and the enforcement clock (EU AI Act Article 9, NIST AI RMF agentic guidance updates) is already running. Map your current deployment against the three-layer model. The gap you find is the one to close first.