On July 7, Anthropic moved Claude Cowork to the cloud. The agent now runs on web and mobile, keeps working in the background with no device online, and acts across your files, email, calendar, and connected tools until the job is done. A few weeks earlier, OpenAI shipped Workspace Agents, Codex-powered agents that run inside ChatGPT’s cloud, execute on a schedule, and keep going after you close the laptop. Different vendors, same result: the agent no longer lives on a machine you control.
That reads like a productivity story, and for the business it is. For anyone accountable for security, it is also the moment the most capable insider you have stepped off the surfaces your controls were built to watch. The question that follows is not whether to govern these agents, but where.
The agentic insider just left the managed device
An enterprise agent is not a tool in the way a script or a SaaS feature is a tool. It logs in as a person, inheriting that person’s identity and entitlements, so every application and data store it touches treats it as a fully trusted insider. For most of the last two years, that agentic insider at least lived somewhere we could see, on a managed laptop running inside the reach of the controls every security team already operates.
That is precisely what changed. When Cowork runs in Anthropic’s cloud and Workspace Agents run in OpenAI’s, the insider executes on infrastructure you do not own, on surfaces your device fleet never enrolled, reaching into your most sensitive systems on its own schedule and without a person in the loop.
EDR watches the endpoint. SASE watches the traffic. Neither sees this.
Here is the uncomfortable part for anyone who has spent a decade building an endpoint and network security stack. Endpoint detection and response (EDR) was designed to watch processes on a device you manage, so when AI agents run inside a vendor’s managed cloud, there is no endpoint to instrument and nothing for the sensor to see. Secure access service edge (SASE) was designed to inspect traffic at the network edge, yet the agent’s activity looks like ordinary authorized API calls moving between two clouds, carrying valid credentials and raising no flag.
Both categories do exactly what they were built to do. Both were also built for a world where the risky actor operated on a device you owned or crossed a boundary you controlled. An autonomous agent running in someone else’s SaaS environment does neither, which is why these tools go quiet at the very moment the risk exposure gets larger.
Authorization is the entry ticket, not the guardrail
Identity is the natural place to reach for next, and it matters, but it answers a different question. While authenticating the agent and scoping its token are both necessary, because you have to know which agent is acting while restricting what it is allowed to reach, neither governs what the agent actually does once it is operating inside those permissions. A scoped credential says the agent may touch the CRM. That credential is still valid when that same agent, after a single hallucination or one prompt injection, begins pulling the entire contact database.
Every vendor shipping these agents now offers the same entry-layer safeguards: limit the data, require approval for sensitive steps, and watch for prompt injection at the door. Those are the right controls for the door. But, they are not a stand-in for watching and governing behavior once the agent is inside and working.
Why a gateway is the right approach
So if the device is gone, the network edge is blind, and identity only decides who gets in, where does governance actually belong? Start from what stays true no matter where the agent runs. An agent on a managed laptop, an agent in your AWS account, and a managed agent hosted inside Anthropic or OpenAI have almost nothing in common at the infrastructure layer, yet in the end they all do the same thing: they send requests that reach your applications and data. These requests are the one point where every agent’s activity converges, regardless of the surface it came from.
A gateway sits inline at exactly that point. Rather than inferring risk from a process on a device or a packet on the wire, it sees the action itself, the actual calls the agent is making, and can allow, block, or flag them in real time. This has the effect of extending zero trust protection to the agent’s actions. Because it governs at the action layer instead of the infrastructure layer, a single control plane covers every agent identically, whether that agent runs on a device you manage or in a cloud you will never touch. That consistency is the property endpoint and network controls cannot offer, and it is why a gateway, not another endpoint or edge tool, is the right place to govern agents.
What that looks like in practice
Placement is only part of it. A gateway in the right position still needs to know what good behavior looks like, which is where scope and behavior come together. Agent Personas define what a given agent is authorized to do, written like a job description that becomes the outer boundary at runtime. The AI Gateway enforces that boundary inline and measures the agent’s behavior against it, confirming the agent is doing the job it was given and catching any drift the moment it steps outside the role.
This pairing is the whole point, because neither half is sufficient alone. A scope with no runtime check is a policy nobody enforces, and runtime monitoring with no defined scope has no baseline to measure against. Together they answer the two questions that matter once an agent is inside valid permissions: what is this agent supposed to do, and is it doing that and nothing else. We laid out the full model in our agent containment reference architecture, and both capabilities are in market today.
It’s incredibly important that this happens at runtime, rather than in a report you read the next morning. Speed. Unlike a human insider, an agent that drifts does not do it once and pause. It repeats the same misguided action at machine speed across every system it is connected to, long before a person would notice.
The agents are moving into managed clouds because that is where the work is going, and that is fine. What has to move with them is the control point, which was never going to be the device, cannot be the network edge, and is not settled by identity alone. Governing what the agent does, at the action layer, in real time, is the job of a gateway. To see how the Cequence AI Gateway governs agent behavior at runtime, talk to our team.