iTmethods
    Back to Insights
    The New Stack — Article 2

    Why 80% of Enterprises Are Stuck — and What the Control Plane Actually Looks Like

    The missing layer between AI-assisted and AI-native isn't a model. It's governance.

    PG
    Paul GoldmanCEO, iTmethods
    March 11, 202612 min read

    Last week I laid out the three layers of the AI-native stack:

    • Layer 1 — AI-Assisted (80%): Copilot, Cursor, autocomplete. No architecture change. The AI helps you type faster.
    • Layer 2 — AI-Augmented (~15%): MCP connects agents across tools. Platform required. The AI works across systems.
    • Layer 3 — AI-Native (<5%): Agents run workflows. Humans review outputs. The AI operates autonomously.

    AI coding tools are generating billions. GitHub reports AI now writes ~4% of all commits — and growing. MCP has crossed 100M+ downloads per month. Yet 80% of enterprises remain stuck at Layer 1.

    Not because the technology isn't ready. Because the governance isn't.

    Today I want to talk about why organizations can't move up the stack — and what the control plane that finally lets them actually looks like.

    80%
    STUCK AT
    LAYER 1
    100M+
    MCP DOWNLOADS
    /MONTH
    82:1
    AGENT-TO-HUMAN
    RATIO
    ~4%
    GITHUB COMMITS
    BY AI

    The Layer 1 Trap

    Layer 1 is comfortable. One developer, one IDE, one accept/reject decision. Zero new permissions, zero new attack surface, zero board questions. It's the AI version of handing everyone a faster typewriter.

    Valuable? Yes. Transformational? No. Your competitors are not stopping here.

    What Breaks When You Move to Layer 2

    Layer 2 is where agents start connecting to real enterprise systems. They read Jira, query databases, update pipelines, post to Slack, open PRs. Productivity explodes — and so does risk.

    Every issue I've covered in this series hits exactly at this transition:

    The pattern is identical every time: enterprises hit a trust wall, not a technology wall.

    Who approved this agent? What data did it touch? Can we prove it to a regulator at 3 a.m.?

    Responsible organizations stay at Layer 1. Irresponsible ones move anyway — as shadow AI. Both lose.

    The Missing Layer: The AI Control Plane

    After two years watching this space and one year building in it, I'm convinced: the missing piece is not another model or framework. It's a control plane.

    Exactly like cloud infrastructure needs IAM, network policy, audit, and cost controls before you can run at scale, AI agents need the same — enforced at runtime, not as a suggestion.

    The AI control plane sits between every consumer (apps, agents, users) and every provider (LLMs, MCP servers, APIs). It enforces policy on every request and response, at network speed, with no bypass possible.

    What It Must Deliver

    1. Identity & Access Control

    Verified identity for every agent, team, project, and model. RBAC that returns 401 at the boundary, not a log entry after the fact.

    2. Content Safety & Guardrails

    Real-time inspection of every token for prompt injection, PII, and policy violations. No sampling.

    3. Token & Cost Governance

    Budgets, rate limits, and allocation by team/project so the $94 runaway never happens at scale.

    4. Protocol-Native Enforcement

    Native understanding of MCP tool calls and agent-to-agent communication — the new protocol semantics most gateways miss entirely.

    5. Complete, Immutable Audit Trail

    Every call, prompt, response, and action — queryable and regulator-ready for EU AI Act, HIPAA, SOC 2, FDA 21 CFR Part 11.

    6. Deployment Sovereignty

    Must run in your VPC, your data center, or fully air-gapped. Regulated industries cannot send data to shared infrastructure.

    What This Looks Like in Practice

    This is no longer theoretical.

    At iTmethods we have built exactly this control plane. We call it Reign.

    Reign is the runtime enforcement layer that sits between every AI consumer and every AI provider in your organization. Every request — from a developer, an app, or an autonomous agent — is governed before it ever reaches an external model. Policy is enforced at network speed so your teams don't feel it, yet nothing slips through.

    Operationally that means:

    • Full policy enforcement with negligible latency (your developers never slow down).
    • Native governance of MCP and agent-to-agent protocols.
    • One unified API to 100+ LLM providers — switch models without code changes, all under uniform policy.
    • Automated EU AI Act evidence collection so compliance teams stop living in spreadsheets.
    • Flexible deployment — SaaS, dedicated cloud, or fully air-gapped for the most regulated environments.

    The AI Gateway is available now. Additional Reign capabilities roll out through 2026.

    Whether you build your own, buy Reign, or buy from someone else, the industry now has a clear picture of what the control plane must be — technically and architecturally — so you can evaluate if what you have today is actually sufficient.

    The Strategic Choice

    In the next 12 months the divide will be simple:

    WITH A CONTROL PLANE
    1

    Move aggressively from Layer 1 → 2 → selective Layer 3

    Adopt faster, satisfy regulators, control costs, and win. The control plane gives you the governance foundation to scale AI adoption without the risk.

    BLOCKING AI
    2

    Lose talent and fall behind

    Your best engineers will leave for organizations that let them use AI. Your competitors will move faster. The gap compounds monthly.

    IGNORING GOVERNANCE
    3

    Get OpenClaw'd

    Shadow AI will proliferate, an incident will expose it, and the board/regulators will ask questions no one can answer. The only viable path is governed adoption.

    The only viable path is governed adoption. Governed adoption requires a control plane.

    What's Next

    Next week I'm going deeper on what AI governance actually looks like in regulated industries — financial services, healthcare, life sciences, and defense. The EU AI Act enforcement window is closing fast. The requirements are not generic; the control plane cannot be either.

    If you're a CISO, CTO, or Chief AI Officer living this right now, I want to hear what you're actually facing. Drop a comment or DM me. The best signals are still coming from the people on the ground.

    Paul Goldman is the CEO of iTmethods, where his team builds Reign — the AI governance control plane for regulated enterprises. This is the second article in "The New Stack" series on building AI-native organizations.

    Previously: The AI-Native Stack: What It Actually Looks Like · Ralph Wiggum Is Running in Your Organization · OpenClaw: The Governance Failure We Saw Coming
    Next: AI Governance in Regulated Industries — Financial Services, Healthcare, Life Sciences, and Defense

    See how Forge enables this

    55+ managed DevOps tools with enterprise compliance

    PG

    Paul Goldman

    CEO, iTmethods

    Creator of the Fortress platform for AI governance in regulated industries. Previously published "MCP Is Exploding. Your Governance Isn't Ready."

    Continue the AI Governance series

    ← Previous

    MCP Is Exploding. Your Governance Isn't Ready.

    The five questions every organization should be able to answer

    Next →

    Chamath Just Said What Every Enterprise CISO Already Knows

    Why data sovereignty, AI cost control, and attorney-client privilege demand governed infrastructure

    Or share your thoughts here

    Your comment will appear on this page. The best insights may be shared in the LinkedIn discussion.

    Get Paul's next article before it publishes

    Join 500+ security leaders