Three Vendors. One Week. Governance Just Became a Procurement Decision.
Three vendors. One week. Three different governance primitives, all of them shipped as products you can buy.
We have been writing about governance shipping as product for a year. The thesis was that the control plane for AI agents would arrive as infrastructure, not as policy. The first wave was Cloudflare. Then Datadog. Then standards-body validation in the form of ISO 42001. Each of those moves was a single vendor in a single category, and the cumulative argument was that the pattern would generalize.
The first week of May 2026 settled the argument. AWS, Google Cloud, and Datadog each released a governance primitive on the same arc, in the same calendar window, into the same buying committee. The primitives are not competing. They are stackable. And that changes the question every CIO is now staring at.
What AWS shipped: agent-credentialed cloud control
On May 6, AWS announced the AWS MCP Server GA. Read past the headline. The mechanism is the news.
The server exposes more than 15,000 AWS API operations through Model Context Protocol, which is interesting on its own. But the operative detail is the IAM model. Agent calls carry an IAM context key that distinguishes them from human-initiated API calls. CloudTrail logs every invocation by default, with the agent identity preserved in the audit trail. A second tool, run_script, executes code inside a sandbox that has no network access and no filesystem access. The agent can compute. It cannot reach.
What that means in practice: the policy your security team writes for human operators can now diverge from the policy you write for agent operators, and AWS is doing the enforcement at the API surface. You are no longer asking your platform team to engineer a permissions broker between Claude and your account. You are buying it. The CloudTrail trail does not need an agentic abstraction layer bolted on after the fact. The abstraction is in the credential.
This is governance shipping where the work happens. The cloud API was the place agents wanted to act. AWS made the cloud API itself agent-aware.
What Google shipped: identity for agents that don’t have one
On April 22, Google Cloud announced Fraud Defense, the next evolution of reCAPTCHA. The framing matters. reCAPTCHA already protects 50% of Fortune 100 companies and 14 million domains. The product was already at infrastructure scale. What changed is what it now does.
Fraud Defense extends reCAPTCHA’s signal collection into a full agent-identity surface. It integrates Web Bot Auth and SPIFFE, the two emerging standards for cryptographically signing agent traffic, and correlates those signals with the existing behavioral risk model. The output is no longer “human or bot.” It is “which agent, on whose behalf, with what reputation, doing what.” Existing reCAPTCHA customers are auto-enrolled at zero cost. The reduction in account takeovers across the customer base is averaging 51%.
The strategic move is the move from challenge to identity. For fifteen years, reCAPTCHA’s job was to keep automation out. Fraud Defense’s job is to let the right automation in, with provenance. The distinction is not subtle. A site that wanted to be agent-friendly used to have to choose between exposing itself to abuse and exposing itself to friction. Fraud Defense routes the abuse path through a verified identity layer instead of a challenge gate.
If AWS’s shipment is “the cloud API speaks agent,” Google’s shipment is “the public web speaks agent.” Two different sides of the same control plane.
What Datadog shipped: the missing measurement layer
On May 6, Datadog published Bits AI Eval Platform: Agents at Scale. The post is technical and worth reading in full. Three numbers stand out.
A 30% increase in root cause quality from automated label generation. A 95% reduction in human validation time inside one week. And the counterintuitive finding: when they injected realistic noise into the evaluation set, pass rates dropped 11%, but the resulting evaluations became predictive of production behavior in a way the cleaner ones were not.
The platform replays production traces with labeled outcomes, lets engineers iterate on agent design against those traces, and treats the eval suite itself as a versioned product artifact. What Datadog did is open-source the muscle that internal platform teams have been trying to build for two years and mostly failing at. Most companies cannot generate reliable agent test sets because their production telemetry is not structured for replay. Datadog’s eval platform converts the telemetry it already has into the test data the customer cannot produce on its own.
The vendor that owns observability also owns evaluation. That is not an accident of architecture. The signals that diagnose live agents are the same signals that grade test agents. The only question was who would notice first.
The cross-vendor pattern
Read those three releases as a single market move and the shape gets clear.
AWS owns the action surface. The agent does work; AWS audits and constrains it.
Google owns the identity surface. The agent makes a request; Google verifies who is asking and on whose behalf.
Datadog owns the measurement surface. The agent ships; Datadog tells you whether it actually does what you said it would.
That is not a single product. It is a stack. And it is the first time the stack is buyable from category leaders without a single line of integration glue from your platform team. A year ago, a company that wanted to operate agents responsibly had to pick between writing the broker themselves or buying a single-vendor package that locked them into one cloud’s view of agent governance. The constraint was real and we wrote about it.
This week loosened the constraint. Procurement now has options. Each option ships with audit, identity, and evaluation primitives that interoperate via standards (IAM, MCP, Web Bot Auth, SPIFFE) rather than via vendor goodwill.
The procurement implication
If you run a 2026 budget cycle that includes any line item for AI agents in production, the framing of the buy just changed.
The old framing: pick a cloud, accept its governance posture, hope the in-house engineering team can fill the gaps. The new framing: assemble three primitives from three vendors, none of whom are trying to own the entire stack, and verify the primitives interoperate. AWS provides the action audit. Google provides the agent identity correlation. Datadog (or a comparable observability vendor) provides the evaluation harness. Your platform team’s job is no longer to invent the control plane. It is to wire the components together and operate them.
This is a real change. Procurement organizations know how to evaluate three vendors against a category definition. They have a much harder time evaluating “build versus buy” when the buy side does not yet exist as a category. The buy side now exists. The category is governance-as-product, and as of this week it has at least three credible component vendors.
The risk is the inverse of last year’s risk. Last year the danger was that the entire control plane would consolidate into one vendor’s lock-in. This week’s danger is the opposite: that buyers conclude the components are interchangeable and end up with three primitives that share standards on paper but trip over each other in practice. Standards do not eliminate integration cost. They make it boring. Boring integration is still integration.
Do this now
Three concrete actions for the next thirty days, in priority order.
First, audit your agent inventory against the AWS MCP Server’s IAM context model. Every agent that touches AWS APIs should already have a separated principal. If you are still issuing agents service-account credentials that look identical to your humans’, the new audit primitive will not save you. The credential model is the prerequisite.
Second, evaluate Fraud Defense as a replacement, not a supplement, for any custom bot-gating you have written in the last eighteen months. The existing reCAPTCHA contract auto-upgrades you. The decision is not “do we adopt this.” It is “do we keep the home-grown gate around now that the same vendor offers a verified-identity alternative.” In most cases the answer is no.
Third, start producing replayable evaluation traces from your agent telemetry now, even if your observability vendor has not shipped a Datadog-equivalent yet. The eval platform pattern is going to spread. The bottleneck for adopting it will be whether your traces are structured enough to replay. That is a 2026 platform-team project regardless of which observability vendor wins it.
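A sketch of the first action, the principal-separation audit, as an added example that is not code from AWS or from any of the vendors discussed. It assumes audit events exported in the CloudTrail record layout (userIdentity.arn, eventName) and a hypothetical normalized boolean, via_agent, standing in for whatever agent marker your trail carries; the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records. userIdentity.arn and eventName follow the
# CloudTrail record layout; "via_agent" is a HYPOTHETICAL normalized flag,
# not a real CloudTrail field, set upstream from your trail's agent marker.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "via_agent": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/agent-ops/run-41"}},
    {"eventName": "GetObject", "via_agent": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/agent-ops/run-42"}},
    {"eventName": "UpdateFunctionCode", "via_agent": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-admin/alice"}},
    {"eventName": "DeleteBucket", "via_agent": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/deploy-admin/mcp-7"}},
    {"eventName": "ListBuckets", "via_agent": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

def principal_key(arn):
    """Collapse an ARN to a stable principal, dropping the STS session name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, account, resource = parts[2], parts[4], parts[5]
    if service == "sts" and resource.startswith("assumed-role/"):
        # assumed-role/<RoleName>/<SessionName>: sessions share one role
        return f"{account}:role/{resource.split('/')[1]}"
    return f"{account}:{resource}"

def audit_principal_separation(events):
    """Classify each principal as agent-only, human-only, or shared."""
    seen = defaultdict(lambda: {"agent": set(), "human": set()})
    for ev in events:
        side = "agent" if ev.get("via_agent") else "human"
        seen[principal_key(ev["userIdentity"]["arn"])][side].add(ev["eventName"])
    report = {}
    for key, sides in seen.items():
        both = sides["agent"] and sides["human"]
        status = "shared" if both else ("agent-only" if sides["agent"] else "human-only")
        report[key] = {"status": status,
                       "agent_calls": sorted(sides["agent"]),
                       "human_calls": sorted(sides["human"])}
    return report

def shared_principals(events):
    """Principals used by both agents and humans: the finding to fix first."""
    report = audit_principal_separation(events)
    return sorted(k for k, v in report.items() if v["status"] == "shared")

if __name__ == "__main__":
    print(json.dumps(audit_principal_separation(SAMPLE_EVENTS), indent=2))
```

A principal reported as shared is one where a policy written for human operators cannot diverge from the policy applied to agents, because both act through the same role.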
Three vendors. One week. The stack is real, the components are buyable, and the question is no longer whether governance will arrive as product. It is which procurement decision you are making this quarter.
This analysis synthesizes The AWS MCP Server is now generally available (AWS, May 2026), Introducing Google Cloud Fraud Defense (Google Cloud, April 2026), and Bits AI Eval Platform: Agents at Scale (Datadog, May 2026).
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com.