Every incumbent is about to claim the AI-control checkbox — which is exactly why the real position is the one nobody can bolt on.
Why the Endpoint Becomes the AI Control Point Now
Enterprise AI adoption has outrun enterprise AI control, and the gap is widening on a curve that would make any risk manager reach for a hedge. Gartner projects that the average Fortune 500 enterprise will operate more than 150,000 AI agents by 2028, up from fewer than 15 in 2025. That is not adoption; that is a phase change. When the count of autonomous actors on your estate goes from single digits to six figures in three years, the question stops being “should we govern this” and becomes “where does the control point physically sit.”
The market’s answer is converging on one location: the endpoint. Prompts live in the cloud, but actions land on a device — a file gets written, a registry key gets set, an egress connection opens. That is the layer where intent becomes exposure, and the only layer every agent, sanctioned or not, MCP-speaking or not, has to pass through. The perimeter moved from network to identity to endpoint over three decades; agentic AI is forcing the next move, and the destination is kernel scope on the device.
| Metric | 2025 | 2028 (projected) | Source |
|---|---|---|---|
| AI agents per Fortune 500 enterprise | <15 | 150,000+ | Gartner |
| Enterprises with unknown AI agents in infrastructure | 82% | — | Cloud Security Alliance |
| Agents that have exceeded intended permissions | 53% | — | Cloud Security Alliance |
| Share of IR effort driven by AI applications | — | ~50% | Gartner |
The Bolt-On vs. the Purpose-Built Control
Gartner’s endpoint research projects that the vast majority of endpoint protection vendors — on the order of nine in ten — will ship some form of AI discovery and usage control by 2028. Read that as a warning, not a green light. When a capability becomes table stakes for a whole category in 24 months, it arrives as an adjacency: a feature stapled onto a roadmap built for a different threat class. The incumbents will instrument the process layer they already own. The model vendors will govern their own platform and stop at the property line. Neither delivers neutral, cross-vendor correlation down to the device.
Here is the category-defining distinction the buyer has to price:
| Control source | What it actually sees | Structural gap |
|---|---|---|
| EDR bolt-on (CrowdStrike, SentinelOne, Defender) | Process telemetry, retrofitted for agents | Instruments the process, not the kernel scope — wrong control point for delegated actions |
| Model-vendor guardrails (Anthropic, OpenAI org policy) | Behavior inside their own platform | Blind the moment an agent leaves that platform |
| Prompt guardrails (Lakera, Protect AI) | The prompt, before it resolves | The plan is gone by the time it lands at the OS |
| DLP / CASB (Purview, Netskope, Forcepoint) | Content in monitored channels | The known-knowns trap — local filesystem is dark |
| Neutral endpoint arbiter | Kernel-level actions across every agent and vendor | Purpose-built for the new class, not retrofitted |
The incumbents are not wrong to add these features. They are structurally constrained. A platform whose economic center of gravity is the endpoint-detection sensor cannot, without cannibalizing itself, become the neutral referee that adjudicates between its own sensor and a rival model vendor’s agent. That neutrality is a position, and positions are hard to fake.
The Failure Mode: Posture Without Enforcement
The “guardian agent” market that has sprung up to fill the gap is real, well-funded, and — for now — mostly a dashboard. It observes. It scores. It rarely stops anything mid-action. That distinction is the whole ballgame, because 53% of enterprises have already had an agent exceed its intended permissions, and you cannot un-write a file with a report.
The pattern of shallow entrants breaks down predictably:
- Discovery without proof. They enumerate agents from API logs and OAuth scopes, then miss the standalone binary an engineer downloaded that never touches a monitored API.
- Posture without in-line blocking. They flag a risky action 30 seconds after it completed. In markets we call that “marking your loss,” not “managing your risk.”
- Estate-bound correlation. They see the agents inside their own telemetry and treat the rest of the estate as someone else’s problem — which is how you end up with 82% of enterprises carrying unknown agents.
- Protocol dependence. They assume MCP everywhere. Agent architecture is not standardized; some speak MCP, many do not, so API-layer inspection fills with false positives and non-actionable noise.
The Framework: Pricing the Wedge
So where does the durable category form? Treat it like any dislocation — find the exposure the incumbents can’t cover and size the position there. The open wedge is the intersection of three capabilities that no bolt-on can assemble cheaply:
Category Value = (Posture × Neutrality) + (Proof × Enforcement)
| Factor | What it means | Why the bolt-on can’t close it |
|---|---|---|
| Posture | Real-time inventory of every agent, sanctioned or shadow | Incumbents see only agents inside their own telemetry |
| Neutrality | Cross-vendor correlation, no platform loyalty | Model vendors and EDR sensors each have a home team |
| Proof | Kernel-grade evidence of what an agent actually did on disk | Process telemetry infers; the kernel witnesses |
| Enforcement | In-line intervention at the moment of action | Guardian dashboards observe after the fact |
Posture and neutrality are the observation half — necessary, increasingly commoditized. Proof and enforcement are the multiplier, and they are the hard part: kernel-grade action-blocking and reputation on the MCP connector surface are not features you staple to a Q3 roadmap. That is precisely why the next discrete category forms there rather than inside an existing platform.
What This Requires Architecturally
The neutral arbiter has to do things a monitoring layer structurally cannot. It sits at the kernel alongside existing EDR — not replacing it — and it enforces on the action, not the prompt.
| Control point | Monitoring layer | Neutral endpoint arbiter |
|---|---|---|
| Sensitive-file access | Logs it, alerts later | Copy-on-write redirection; the agent runs, the real file is untouched |
| Unsanctioned agent | May never see it | Kernel-visible regardless of API or protocol |
| Cross-vendor action | Bound to one platform’s view | Correlates across every vendor on the device |
| MCP connector risk | Trusts the connector | Research-vetted reputation before broad permissions |
| Deny decision | Block-on-deny, productivity dies | Run-with-guardrails, exposure contained |
The distinction between block-on-deny and copy-on-write is the difference between a control engineering revolts against in two quarters and one that survives political review. Ospiri’s own deployment data puts the productivity cost of naive block-by-default at the center of why those tools get ripped out — enablement, not obstruction, is what makes the control durable.
What CISOs Should Do This Quarter
| Step | Action | Output | Effort |
|---|---|---|---|
| 1 | Baseline the agent inventory across the dev estate | Count of sanctioned vs. shadow agents | Low — weeks |
| 2 | Separate posture vendors from enforcement vendors in your shortlist | A shortlist that distinguishes dashboards from controls | Low |
| 3 | Pilot kernel-level enforcement alongside existing EDR | In-line blocking evidence, not just alerts | Medium |
| 4 | Price the neutrality requirement into procurement | RFP language that rules out single-platform lock-in | Low |
The Bottom Line
By 2028 the AI-control checkbox will be everywhere and mean almost nothing — which is exactly when the neutral, kernel-grade arbiter becomes the position worth holding. The incumbents arrive shallow and estate-bound; the model vendors govern only their own platform; the guardian dashboards observe but do not enforce. Consolidation is real — SecurityWeek counted 426 cybersecurity M&A deals in 2025 — but kernel-grade enforcement and MCP-surface reputation are the hard parts the bolt-ons can’t easily buy their way past, and that is where the next category forms. The control point lands where the action does: on the endpoint, below the protocol.
If your team is sizing this for the 2026 budget cycle, request a working session. We will walk through your environment, baseline your live agent inventory across the dev estate, and scope a kernel-level agent firewall deployment that runs alongside your existing EDR. First 90 minutes gets you the inventory; the first quarter gets you enforcement. See how the neutral-arbiter model and continuous observability fit your stack.