Research note · AI and governance

The Control Plane Must Be Yours

Why every enterprise AI architecture needs a customer-controlled, vendor-independent enforcement layer in the data path between AI services and enterprise resources.

The most important AI architecture question

Every enterprise AI project creates new interactions between models, agents, applications, data, tools and business processes.

The debate usually begins with model choice, accuracy, cost, governance or whether data is permitted to leave the organisation. Those questions matter. But one architectural question determines whether the enterprise remains in control:

Where is the point at which policy is actually enforced?

If the answer is inside the AI provider, the agent platform or another external SaaS service, the enterprise has delegated the decisive control to the same external ecosystem it is trying to govern.

The control plane must be yours.

Why the point of control cannot be SaaS

SaaS is valuable because it concentrates capability and delivers it quickly. The same concentration creates architectural dependency. When an external service is directly trusted to access internal data and systems, compromise, configuration failure or supply-chain weakness can inherit that trust.

Patrick Opet, Chief Information Security Officer at JPMorganChase, has warned that modern SaaS integration patterns are eroding security boundaries built around protocol termination, tiered access and logical isolation. His open letter describes direct identity and API relationships between third parties and internal resources as an architectural regression and calls for stronger controls, proactive prevention and customer-controlled deployment models such as self-hosting and bring-your-own-cloud.

AI and agents amplify the issue. An agent may not merely read information. It may retrieve context, invoke a tool, update a record, initiate a payment, alter a workflow or instruct another agent. The interaction carries both data and authority.

A SaaS platform can secure its own service.

It cannot be the enterprise’s only independent control over what that service, its suppliers or a compromised identity may attempt to do inside the enterprise.

Security lives in the seams

Phil Venables describes the hardest security challenges as living in the seams between interconnected systems, components, business processes, people and organisations. He argues that security improves when system-level design patterns crystallise and identifies enterprise agentic control planes, resource-level access controls, testing and immutable transactional audit as emerging invariants.

This distinction matters. Guardrails inside a model or agent are useful but they govern one component. The enterprise must also govern the interaction between that component and the resources it can reach.

A model may be instructed not to disclose sensitive information. The resource should still enforce what data the model is permitted to retrieve.

An agent may be trained not to exceed a financial authority. The payment interface should still enforce the limit.

A SaaS service may promise read-only access. The enterprise should still determine, at the resource interaction, what read-only means for this identity, this data, this purpose and this moment.

The customer-controlled enforcement architecture

The TomorrowX control-plane pattern separates policy management from policy enforcement.

Business policy can be defined and managed centrally. Identity, context, threat intelligence, model evaluations and risk decisions can come from many sources. The enforceable decision is then distributed to a Programmable Data Agent in the data path.

The Control Plane Must Be YoursExternal services can provide capability and intelligence. The enterprise retains enforcement authority inside its own controlled environment.
THE CONTROL PLANE MUST BE YOURS
EXTERNAL CAPABILITY
Models, agents, SaaS and intelligence
IN-PERIMETER PDA
Authenticate, authorise, constrain and record
ENTERPRISE RESOURCES
Data, applications, tools and workflows
CAPABILITY MAY BE EXTERNAL. ENFORCEMENT AUTHORITY MUST REMAIN YOURS.
External services can provide capability and intelligence. The enterprise retains enforcement authority inside its own controlled environment.

The PDA terminates the interaction, evaluates it against enterprise policy and re-originates only what is allowed. It can authenticate, authorise, redact, transform, constrain, route, deny or record the exchange without requiring the model, agent, application or underlying system to be changed.

This creates a durable control even as models, agents and SaaS providers change.

Placement attributes

The value of a control plane depends on where and how it is deployed. A genuine enterprise AI control plane should have the following attributes.

Customer-controlled

It operates inside an environment governed by the customer: on-premises, private cloud, sovereign cloud or the customer’s own cloud account.

In the data path

It can act before the interaction reaches the protected resource. Out-of-band visibility alone cannot guarantee prevention.

Independent

It is not dependent on a particular model, agent framework, application or SaaS provider. Those components remain replaceable.

Resource-aware

It applies policy at the interaction with data, APIs, workflows, legacy systems, cloud services and operational technology.

Protocol-aware

It understands the actual exchange rather than treating every permitted connection as equivalent.

Deterministic where required

It converts business policy into explicit controls that behave consistently and can be tested before deployment.

Auditable

It records the policy, identity, context, decision and resulting data movement needed to reconstruct what occurred.

Reversible

It can introduce, change or remove capability without forcing an application release or binding the enterprise to the provider being controlled.

This is not a rejection of SaaS

The principle is not that enterprises should stop using SaaS, cloud or frontier models.

It is that an external capability should not also become the sole authority over its own access to enterprise resources.

SaaS security platforms can contribute posture, threat intelligence, asset context, model assessment and policy recommendations. Frontier models can classify content and reason over complex policy. Agent platforms can orchestrate work. Identity systems can attest to users and workloads.

Each is valuable.

The enterprise still needs an independent point that can say yes, no, not that data, not for this purpose, not at this value, not without another approval, or not until the interaction has been transformed.

Central policy, distributed enforcement

In strict network terminology, a control plane determines policy while a data plane carries and acts on traffic. Enterprise AI requires both.

Policies should be composed, governed, tested and managed centrally. Enforcement should occur through distributed PDAs positioned at the relevant interaction points. This avoids forcing all enterprise data through a new external service merely to control it.

The result is one governance architecture with many local enforcement points. Policy is consistent. Data can remain where it belongs. Latency and sovereignty requirements can be respected. Existing systems remain in place.

Why every AI project needs it

Every AI project creates a new path to data, a new path to action or both.

A project that only generates text today may retrieve confidential data tomorrow. A copilot may become an agent. An agent may gain tools. A model may change. A provider may introduce a new subprocessor. A business workflow may become automated after the original risk assessment was completed.

Building the control into each application recreates the same problem repeatedly and ties governance to the pace and quality of every delivery team and vendor.

Placing an independent Data Mediation layer in the path creates a reusable enterprise control. New AI capability can be connected to existing systems without surrendering the policy boundary. The model can change while the rules remain. The agent can change while the authority remains. The SaaS provider can change while the audit and enforcement remain.

Conclusion

The AI era does not remove the need for architecture. It makes architecture more important.

JPMorganChase has called attention to the erosion of trusted boundaries through direct SaaS integration. Phil Venables has highlighted that system security lives in the seams and that enterprise agentic control planes must be coupled with resource-level enforcement.

Data Mediation provides the practical pattern.

The organisation can use frontier models, agents, cloud and SaaS while retaining an independent, customer-controlled point of enforcement in the data path.

The provider can supply the intelligence. The agent can supply the action. But the enterprise must own the decision.

That is why the control plane must be yours.

References

Opet, Patrick (2025). JPMorganChase. An open letter to third-party suppliers ↗.

Venables, Phil (2026). Technology Waves and Security — Is This Time Really Different? ↗.

Venables, Phil (2026). The Hardest Security Challenges Live in the Seams ↗.

National Institute of Standards and Technology (2020). SP 800-207: Zero Trust Architecture ↗.

OWASP GenAI Security Project (2025). Top 10 Risks and Mitigations for LLM and GenAI Applications ↗.

TomorrowX (2026). Data Mediation™ and Programmable Data Agents.

AI, control and sovereignty · Path complete

See the architectural foundation

Explore Data Mediation as the enterprise control architecture for governed AI.

Discover Data Mediation