Every incumbent is about to claim the AI-control checkbox — which is exactly why the real position is the one nobody can bolt on.

Why the Endpoint Becomes the AI Control Point Now

Enterprise AI adoption has outrun enterprise AI control, and the gap is widening on a curve that would make any risk manager reach for a hedge. Gartner projects that the average Fortune 500 enterprise will operate more than 150,000 AI agents by 2028, up from fewer than 15 in 2025. That is not adoption; that is a phase change. When the count of autonomous actors on your estate goes from single digits to six figures in three years, the question stops being “should we govern this” and becomes “where does the control point physically sit.”

The market’s answer is converging on one location: the endpoint. Prompts live in the cloud, but actions land on a device — a file gets written, a registry key gets set, an egress connection opens. That is the layer where intent becomes exposure, and the only layer every agent, sanctioned or not, MCP-speaking or not, has to pass through. The perimeter moved from network to identity to endpoint over three decades; agentic AI is forcing the next move, and the destination is kernel scope on the device.

| Metric | Value | Source |
|---|---|---|
| AI agents per Fortune 500 enterprise | <15 (2025); 150,000+ (2028, projected) | Gartner |
| Enterprises with unknown AI agents in infrastructure | 82% | Cloud Security Alliance |
| Agents that have exceeded intended permissions | 53% | Cloud Security Alliance |
| Share of IR effort driven by AI applications | ~50% | Gartner |

The Bolt-On vs. the Purpose-Built Control

Gartner’s endpoint research projects that the vast majority of endpoint protection vendors — on the order of nine in ten — will ship some form of AI discovery and usage control by 2028. Read that as a warning, not a green light. When a capability becomes table stakes for a whole category in 24 months, it arrives as an adjacency: a feature stapled onto a roadmap built for a different threat class. The incumbents will instrument the process layer they already own. The model vendors will govern their own platform and stop at the property line. Neither delivers neutral, cross-vendor correlation down to the device.

Here is the category-defining distinction the buyer has to price:

| Control source | What it actually sees | Structural gap |
|---|---|---|
| EDR bolt-on (CrowdStrike, SentinelOne, Defender) | Process telemetry, retrofitted for agents | Instruments the process, not the kernel scope — wrong control point for delegated actions |
| Model-vendor guardrails (Anthropic, OpenAI org policy) | Behavior inside their own platform | Blind the moment an agent leaves that platform |
| Prompt guardrails (Lakera, Protect AI) | The prompt, before it resolves | The plan is gone by the time it lands at the OS |
| DLP / CASB (Purview, Netskope, Forcepoint) | Content in monitored channels | The known-knowns trap — local filesystem is dark |
| Neutral endpoint arbiter | Kernel-level actions across every agent and vendor | Purpose-built for the new class, not retrofitted |

The incumbents are not wrong to add these features. They are structurally constrained. A platform whose economic center of gravity is the endpoint-detection sensor cannot, without cannibalizing itself, become the neutral referee that adjudicates between its own sensor and a rival model vendor’s agent. That neutrality is a position, and positions are hard to fake.

The Failure Mode: Posture Without Enforcement

The “guardian agent” market that has sprung up to fill the gap is real, well-funded, and — for now — mostly a dashboard. It observes. It scores. It rarely stops anything mid-action. That distinction is the whole ballgame, because 53% of enterprises have already had an agent exceed its intended permissions, and you cannot un-write a file with a report.

The pattern of shallow entrants breaks down predictably:

  1. Discovery without proof. They enumerate agents from API logs and OAuth scopes, then miss the standalone binary an engineer downloaded that never touches a monitored API.
  2. Posture without in-line blocking. They flag a risky action 30 seconds after it completed. In markets we call that “marking your loss,” not “managing your risk.”
  3. Estate-bound correlation. They see the agents inside their own telemetry and treat the rest of the estate as someone else’s problem — which is how you end up with 82% of enterprises carrying unknown agents.
  4. Protocol dependence. They assume MCP everywhere. Agent architecture is not standardized; some speak MCP, many do not, so API-layer inspection fills with false positives and non-actionable noise.

The Framework: Pricing the Wedge

So where does the durable category form? Treat it like any dislocation — find the exposure the incumbents can’t cover and size the position there. The open wedge is the intersection of three capabilities that no bolt-on can assemble cheaply:

Category Value = (Posture × Neutrality) + (Proof × Enforcement)

| Factor | What it means | Why the bolt-on can’t close it |
|---|---|---|
| Posture | Real-time inventory of every agent, sanctioned or shadow | Incumbents see only agents inside their own telemetry |
| Neutrality | Cross-vendor correlation, no platform loyalty | Model vendors and EDR sensors each have a home team |
| Proof | Kernel-grade evidence of what an agent actually did on disk | Process telemetry infers; the kernel witnesses |
| Enforcement | In-line intervention at the moment of action | Guardian dashboards observe after the fact |

Posture and neutrality are the observation half — necessary, increasingly commoditized. Proof and enforcement are the multiplier, and they are the hard part: kernel-grade action-blocking and reputation on the MCP connector surface are not features you staple to a Q3 roadmap. That is precisely why the next discrete category forms there rather than inside an existing platform.

What This Requires Architecturally

The neutral arbiter has to do things a monitoring layer structurally cannot. It sits at the kernel alongside existing EDR — not replacing it — and it enforces on the action, not the prompt.

| Control point | Monitoring layer | Neutral endpoint arbiter |
|---|---|---|
| Sensitive-file access | Logs it, alerts later | Copy-on-write redirection; the agent runs, the real file is untouched |
| Unsanctioned agent | May never see it | Kernel-visible regardless of API or protocol |
| Cross-vendor action | Bound to one platform’s view | Correlates across every vendor on the device |
| MCP connector risk | Trusts the connector | Research-vetted reputation before broad permissions |
| Deny decision | Block-on-deny, productivity dies | Run-with-guardrails, exposure contained |

The distinction between block-on-deny and copy-on-write is the difference between a control that engineering revolts against in two quarters and one that survives political review. Ospiri’s own deployment data puts the productivity cost of naive block-by-default at the center of why those tools get ripped out — enablement, not obstruction, is what makes the control durable.

What CISOs Should Do This Quarter

| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Baseline the agent inventory across the dev estate | Count of sanctioned vs. shadow agents | Low — weeks |
| 2 | Separate posture vendors from enforcement vendors in your shortlist | A shortlist that distinguishes dashboards from controls | Low |
| 3 | Pilot kernel-level enforcement alongside existing EDR | In-line blocking evidence, not just alerts | Medium |
| 4 | Price the neutrality requirement into procurement | RFP language that rules out single-platform lock-in | Low |

The Bottom Line

By 2028 the AI-control checkbox will be everywhere and mean almost nothing — which is exactly when the neutral, kernel-grade arbiter becomes the position worth holding. The incumbents arrive shallow and estate-bound; the model vendors govern only their own platform; the guardian dashboards observe but do not enforce. Consolidation is real — SecurityWeek counted 426 cybersecurity M&A deals in 2025 — but kernel-grade enforcement and MCP-surface reputation are the hard parts the bolt-ons can’t easily buy their way past, and that is where the next category forms. The control point lands where the action does: on the endpoint, below the protocol.

If your team is sizing this for the 2026 budget cycle, request a working session. We will walk through your environment, baseline your live agent inventory across the dev estate, and scope a kernel-level agent firewall deployment that runs alongside your existing EDR. First 90 minutes gets you the inventory; the first quarter gets you enforcement. See how the neutral-arbiter model and continuous observability fit your stack.