Agent governance is the real product of Next '26
Memory Bank, Sessions, Identity, Registry, Gateway, Anomaly Detection, Security Dashboard: Google is industrializing what almost nobody had taken seriously. Why your agentic roadmap needs to align with this stack before Q3 2026.
At Next '26, Google did not launch an agent. It launched the infrastructure to govern them.
That is the sentence most Las Vegas recaps did not write. The analysis focused on the new Gemini models, ADK features, and MCP integrations. It missed the essential point: the densest layer of announcements in the Gemini Enterprise Agent Platform is not "Build." It is not "Scale." It is "Govern."
Seven new capabilities announced over two days, all pointing toward one obsession: regaining control over agents that, if left unmanaged, would quickly become the new shadow IT of the enterprise. One figure to give this context: according to data shared in a CTO session at Next '26, organizations that deployed more than 10 AI agents in production without a centralized governance framework recorded an average of 3.2 undetected compliance incidents in their first 6 months. This is not a theoretical risk. It is already documented reality among early adopters.
The quiet signal almost everyone missed
The Gemini Enterprise Agent Platform is structured around four layers: Build, Scale, Govern, Optimize. At first glance, the order seems logical: you build first, then you manage. But if you look at the density of announcements per layer at Next '26, something stands out immediately.
The Govern layer contains eight detailed components: Agent Gateway, Agent Identity, Agent Registry, Agent Anomaly Detection, Model Armor, Agent Policy, Agent Security, and Agent Compliance. Build has four. Scale also has four. That imbalance is not a presentation accident.
It is a strategic signal. Google is not saying, "here is how to deploy agents." It is saying, "here is how not to lose control of what you have already deployed."
The shadow agent problem
To understand why Google is investing so heavily in governance, it helps to remember a similar moment: the rise of shadow IT in the mid-2000s. Entire departments adopted Dropbox, Slack, or SaaS tools without involving IT. Data escaped. Governance became impossible. The cleanup took years.
AI agents are recreating exactly that scenario, but at a speed and scale that have no comparison. The Next '26 slides show it clearly: on one side, "Agent sprawl," ungoverned collaboration between agents leading to unlimited data access. On the other, "Tool/MCP sprawl," unsecured integrations with enterprise systems through open protocols.
The difference with shadow IT: agents act autonomously. They do not just store files in the wrong place. They execute code, access APIs, modify data, and orchestrate other agents. Without identity, without a registry, without a control gateway, the audit trail becomes nonexistent.
The question every CISO should be asking today is: "How many agents are currently running in my organization, and who is responsible for each one?" In the organizations I work with, the honest answer, once you dig into it, is rarely satisfying. Most of the time, the list of agents in production is incomplete, ownership is unclear, and the access granted during POCs has never been reviewed.
The seven building blocks of industrial agentic governance
What distinguishes the Next '26 announcements from typical marketing communication is the level of technical concreteness. Each of the following seven capabilities addresses a specific failure mode that Google has clearly identified in production agentic deployments.
1. Agent Memory Bank Memory becomes an audit surface (#6)
Memory Bank stores long-term memories from conversations, with low-latency Memory Profiles. It includes a ready-to-use vector database, asynchronous memory generation, and the ability to define TTLs and automatic compaction.
The angle most often discussed: personalization and interaction continuity. The underestimated angle: every persistent memory is an auditable surface. Knowing what an agent "remembers" about each user is the foundation of agentic GDPR compliance. DPOs who have not yet included agent memory in their data processing maps are already behind the regulatory risk.
2. Agent Sessions Traceability is no longer optional (#7)
Sessions enable the storage of conversational history with Custom Session IDs directly linked to the CRM or internal company database. TTL can be configured up to 365 days. Provisioning is automatic for agents deployed through Agent Engine.
The operational consequence is direct: every interaction between an agent and a user becomes traceable end to end, tied to a business identity, and available to any audit tool. This is the shift from a stateless agent to an agent that leaves a verifiable trail. For any organization subject to audit requirements, whether in finance, healthcare, or large-scale retail, this capability stops being optional as soon as the first production deployment begins.
3. Agent Identity The end of "who did what?" (#8)
Each agent receives a unique cryptographic identifier, associated with a complete audit trail of its actions. In practical terms, the identity is represented as a standardized principal (principal://agents.global.org-[id]...) that can be referenced in existing IAM policies.
This is the centerpiece of the entire system. Without a unique and verifiable identity, every other governance layer remains theoretical. Agent Identity answers the fundamental question raised by every security audit: "Which agent, with which permissions, performed this action, at what time, on which data?"
A useful parallel: when companies started deploying application service accounts, IT quickly realized that these faceless accounts had become a preferred vector for lateral movement during incidents. Agents without identity reproduce exactly that risk, at a much larger scale.
4. Agent Registry The App Store of agentic governance (#9)
The Registry is a central, indexed, and governed library of approved agents and tools. It centralizes agents, whether internal, Google-made, or marketplace-based, along with MCP servers and endpoints in a single control point. Auth Providers make it possible to define authentication mechanisms, such as API Key, 2-legged OAuth, or 3-legged OAuth, for each target.
The strategic issue: without a registry, every team builds its own agents with its own tools, its own credentials, and its own policies. With the Registry, the enterprise has a controlled catalog where every agent is approved, versioned, and attributable to a business owner. It is the difference between a governed software component library and a shared folder where everyone drops whatever they want.
5. Agent Gateway The unified control point (#10)
Agent Gateway is the single entry point for all flows between agents and external systems. It embeds Model Armor, the protection layer against prompt injection and data leakage. Every outbound request passes through this central point, where security policies are applied systematically.
For a CISO, the Gateway answers the most urgent question: "How do I prevent an agent from becoming the vector for data exfiltration or an injection attack?" The answer is not in the prompt. It is in the infrastructure. A prompt guardrail can be bypassed by malicious input. An infrastructure firewall cannot.
6. Agent Anomaly Detection When AI watches AI (#11)
Anomaly Detection operates in real time, combining statistical models and an LLM-as-judge to detect suspicious behavior. This dual approach is fundamental: statistical models capture quantitative deviations, such as request volume spikes or unusual access patterns, while the LLM-as-judge evaluates the semantics of the actions.
The critical use case: an agent that has been compromised or manipulated through prompt injection behaves differently from its baseline. Anomaly Detection detects it before the damage becomes irreversible. In the organizations I work with that operate agents with access to financial or customer data, this type of behavioral detection is the only way to catch compromises that bypass static access controls.
7. Agent Security Dashboard Visibility as a prerequisite (#12)
The Security Dashboard integrates Security Command Center for automated vulnerability detection across three planes: the agents themselves, the underlying models, and the execution operating systems. It is a consolidated view that helps identify weaknesses before malicious actors can exploit them.
The value of the Security Command Center integration should not be underestimated: organizations already using GCP for their security posture do not need to deploy a third-party tool. Agentic governance fits into their existing workflow. This is a strong commercial argument for GCP customers, but also a clear architecture signal for those considering a multi-cloud strategy: agentic governance is becoming a platform criterion, not an add-on.
Govern through infrastructure, not through prompts
One of the most striking lines from Next '26 came from a technical session aimed at architects and CTOs: "Govern through Infrastructure, Not with Prompts."
That sentence captures a fundamental position. For the past two years, most teams deploying AI agents have tried to "control" them through system prompt instructions. "You must never access this data." "You must always check with a human before taking action." These text-based guardrails are fragile: they can be bypassed through injection, degraded by a model change, or simply ignored in edge-case scenarios.
Infrastructure-based governance is different: policies that apply independently of model behavior, access controls that cannot be "explained" to an agent in order to bypass them, alerts that do not depend on the LLM's goodwill. It is the difference between believing an employee will not steal and removing their access to areas outside their scope.
Google structures this governance around three axes:
Visibility: which agents are running in my domain? Who is responsible for them? What data can they access?
Control: how do I restrict an agent to only the information authorized for its user? How do I stop a compromised agent in real time?
Security: how do I reduce the risk of malicious actions? How do I detect abnormal activity? How do I ensure regulatory compliance?
What this changes concretely for your roadmap
If your organization plans to deploy agents in production before Q3 2026, these announcements have direct implications for how you should plan the next phase.
For CTOs and architects
Review your agentic architecture through the lens of the Govern stack. If you have designed agents with purely prompt-based guardrails, identify now which controls need to move to infrastructure. The question "how does this agent authenticate with the services it calls?" needs a clear answer before any production deployment.
Agent Registry should be your first workstream. Before expanding the number of deployed agents, make sure you have a controlled catalog. Every agent must be versioned, assigned to a team, and given a defined lifecycle. Without that, you are building on sand.
For CDOs
Memory Bank and Sessions fundamentally change your relationship with customer data in an agentic context. The GDPR policies that apply to your CRMs and databases must now cover agents' persistent memories. Define TTLs, purge policies, and access rights for those memories before deployment.
The consent question takes on a new dimension: when a user interacts with an agent, do they implicitly accept that their preferences, habits, and requests are stored and used to personalize future interactions? The legal answer is not settled yet in most European jurisdictions. Anticipate it.
For CISOs
Agent Gateway and Anomaly Detection should be your absolute priority. Without a centralized control gateway, every agent is a potential attack surface. The risk of systemic prompt injection, where a malicious actor manipulates an agent through its input data to make it execute unauthorized actions, is still underestimated by the vast majority of organizations.
Integrate Anomaly Detection into your SIEM strategy now. Agents that access financial, health, or personal data must be monitored with the same rigor as privileged administrator access. And ask yourself this question today: if a regulator asked you tomorrow to prove that your agents only accessed the data they were authorized to access, could you produce that report in less than 24 hours?
The real product of Next '26
Palo Alto Networks, one of the partners featured in the Next '26 governance sessions, shared an observation worth remembering: technology evolves exponentially, but organizations change logarithmically. The real risk in agentic AI is not that agents are too slow or too limited. It is that organizations deploy faster than they build control mechanisms.
What Google understood at Next '26 is that its customers do not lack tools to build agents. They lack the structure to govern them at scale. The most complete agentic governance platform we have seen so far is therefore not an add-on. It is the central value proposition.
Google is not selling you agents. It is selling you the ability to govern them without losing sleep.
For CTOs, CDOs, and CISOs who already have agentic projects underway, this distinction will change their cloud platform evaluation criteria over the next 18 months. The right question is no longer "which platform offers the best LLM?" It is "which platform allows me to demonstrate, during an audit, that I kept control of my agents from end to end?"
Google's answer at Next '26 is clear, structured, and industrial. It may be the first time a hyperscaler has treated agentic governance as a product in its own right, rather than a checkbox in a compliance brochure.
If you are building your agentic roadmap for H2 2026, the Govern stack of the Gemini Enterprise Agent Platform deserves to be on your table this week.
This article is part of a series of analyses on Google Cloud Next '26. Subscribe to our newsletter to receive the next editions directly in your inbox and access the French version of this article.
Comments ()