Analysis

Enterprise-Grade Agents Are Being Built Like Critical Infrastructure

Uber, NVIDIA, and Microsoft each target a different layer of the same enterprise blocker: making autonomous agents auditable, governable, and secure enough to run real business processes. The pattern is a shift from “prompted apps” to an operational stack with identity, signed capabilities, and continuous adversarial testing.

Published: · agent-identity, zero-trust, agent-security, software-supply-chain, enterprise-agents, mcp, governance

The past year’s most consequential agent work is not new demos of autonomy—it is the quiet rebuilding of the enterprise perimeter so autonomy can be allowed. Uber’s focus on identity and provenance across agent handoffs, NVIDIA’s proposal to sign and scan reusable “skills,” and Microsoft’s open-sourced red-teaming tools all point to the same synthesis: agents are being treated less like chat interfaces and more like a new class of production actors. That shift forces controls that enterprises previously reserved for humans and microservices—identity propagation, software supply-chain governance, and continuous security validation—to move “inside” agentic workflows.

Identity Is Becoming the Control Plane for Autonomy

Agent systems fail enterprise governance not because they cannot act, but because they act without a stable notion of who is accountable. Uber’s internal “AI Agent Mesh” framing is revealing: once work is performed through chains of agent-to-agent delegation, the originating user’s intent and authority can be diluted or lost at each hop. That breaks the basic enterprise questions auditors and incident responders need answered: who initiated this action, under what policy, using which tools, and what changed as the request propagated.

From Zero Trust for Services to Zero Trust for Agent-to-Agent Delegation

Uber describes extending Zero Trust concepts into agent operations through agent registration, cryptographic identity, and short-lived scoped tokens on each hop. That is not just security hygiene; it is a recognition that the unit of governance has changed.

In traditional enterprise systems, “service identity” and “user identity” are often separate lanes. Agents fuse them: a user’s request becomes a long-running, tool-using process that may spawn sub-agents, call MCP-exposed tools, and act across multiple systems. If identity is not propagated as first-class data, policy enforcement becomes guesswork.

Provenance as a Business Requirement, Not a Security Feature

Uber’s accountability-gap framing (loss of originating context across handoffs) points to a broader operational truth: provenance becomes necessary to run agentic automation at scale because enterprises need reversible decisions.

When agents are allowed to touch systems of record—tickets, access management, schedules, finance workflows—enterprises will demand lineage in order to:

  • reconstruct decisions after incidents,
  • dispute or roll back actions that created business harm,
  • prove compliance when the “worker” is a mesh of delegated components.

This is why identity work shows up alongside MCP enablement: tool connectivity is easy to add, but traceable authority is hard to retrofit.

Capability Governance Is Moving Up the Stack: “Skills” as a Supply Chain

If identity is the control plane, capability packaging is the distribution plane. NVIDIA’s “verified, signed agent skills” proposal treats agent extensions as a supply chain problem rather than a prompt engineering problem.

The key idea is not a marketplace; it is the governance model. A reusable skill bundle—documented via a “skill card,” scanned (including for agent-specific risks), and cryptographically signed—mirrors what modern enterprises already do for container images and dependencies. The novelty is acknowledging that agent components have their own failure modes.

Why Agent Skills Need Different Scanners Than Traditional Software

NVIDIA’s SkillSpector emphasizes risks such as hidden instructions, prompt injection triggers, excessive agency, and tool poisoning. Those categories map to how agents actually fail in production:

  • A seemingly benign capability can embed instructions that only activate under particular contexts (“trigger abuse”).
  • Skills can act as privileged intermediaries to tools, turning a normal dependency into an authority escalation path.
  • A skill’s interface can invite prompt injection by encouraging agents to ingest untrusted content and forward it into tool calls.

By proposing signing and verification, NVIDIA is implicitly saying that runtime guardrails are not enough: enterprises want to know what they are installing into their agent’s action surface.

Standardization Pressure: SKILL.md as an Interoperability Wedge

NVIDIA’s emphasis that a SKILL.md should work across Claude Code, Codex, and Cursor is a strategic signal about where the ecosystem is heading: capability portability. Once skills can move between agent frameworks, the enterprise problem shifts from “how do we build a custom agent?” to “how do we govern third-party capabilities moving between environments?” That is precisely the software supply-chain story, now applied to agent behavior and tool reach.

Security Validation Is Becoming Continuous, Not Pre-Launch

Microsoft’s Rampart and Clarity releases reinforce that agent security is not an add-on checklist. Their framing—continuous testing during development, retesting fixes across rounds, and explicit attention to cross-prompt injection—treats agents like living systems that must be stressed repeatedly.

Cross-Prompt Injection Is the New Phishing, but for Tool-Using Systems

The attack model Microsoft highlights is structurally different from classic appsec: an agent can be “phished” by content it is supposed to process (documents, emails, tickets) and then convert that poisoned content into tool calls. This is the security reality of enterprises adopting agents for operations: the more valuable the workflow, the more untrusted inputs it necessarily ingests.

Rampart’s emphasis on repeated validation matters because agent behavior is non-deterministic across contexts and model versions. A one-time test can easily miss exploit paths that appear when the agent’s strategy changes.

Security Guidance Embedded in the Development Agent Loop

Clarity’s positioning—running as an app or embedded into a coding agent—signals another practical shift: as developers increasingly build with agents, security review must live where the work happens. If the production system is agentic, the development process becomes agentic too, and the security layer has to operate in that same loop.

Platform-Native Agents Are Winning by Inheriting Governance

While identity, capability signing, and red teaming look like “infrastructure,” their commercial significance becomes clearer when you compare them to platform-embedded enterprise agents.

Workday’s Sana ITSM and Travel Agent are described as inheriting Workday’s existing identity, policy, approval, and audit frameworks rather than bolting on separate governance. That is a major adoption advantage: enterprises are more likely to permit autonomy when it flows through familiar control points (approvals, entitlements, audit logs) already accepted by compliance teams.

AWS’s radiology workflow orchestrator shows the same architectural direction in a high-stakes setting: multi-agent orchestration with tool access exposed through an MCP server in the runtime. The workflow problem—dynamic assignment based on workload, specialization, urgency, availability—illustrates where agents create value: routing decisions that are too context-dependent for rigid rules. But it also illustrates why the earlier layers matter: in environments like healthcare operations, “why did the system assign this case?” is not optional.

These platform examples clarify the deeper pattern: enterprise-grade agent adoption is less about raw model capability and more about whether the agent can be treated as a compliant operator inside existing institutional processes.

What This Means for the Agentic Economy

The agentic economy depends on autonomous systems doing real work with real consequences. The stories here show the enabling conditions being assembled.

Uber’s identity and provenance work makes autonomous action governable: without propagated authority and traceable handoffs, agents cannot safely cross organizational boundaries inside a company, let alone transact on behalf of teams.

NVIDIA’s signed, scanned skills proposal is a blueprint for capability markets that enterprises can actually consume. A market only forms when buyers can trust provenance, authenticity, and risk posture of components. “Skill supply-chain governance” is how you get from bespoke agent projects to repeatable procurement and deployment.

Microsoft’s continuous red teaming tooling is the operational counterpart: if agents will read untrusted content and act through tools, then security has to become a continuous practice, not a certification event.

Taken together, these efforts imply a near-term economic transition: autonomy will expand first where it can be audited, constrained, and insured—inside existing systems of record and managed runtimes—because that is where identity, approvals, logging, and incident response already exist. The agentic economy will therefore grow not simply from better models, but from the maturation of the institutional machinery that can accept machine-made decisions as legitimate business actions.

Sources

https://www.uber.com/us/en/blog/solving-the-agent-identity-crisis/ https://developer.nvidia.com/blog/nvidia-verified-agent-skills-provide-capability-governance-for-ai-agents/ https://cyberscoop.com/microsoft-rampart-clarity-agentic-ai-security-red-teaming-tools/ https://futurumgroup.com/insights/are-workdays-new-ai-agents-the-blueprint-for-workflow-automation-at-scale/ https://aws.amazon.com/blogs/machine-learning/intelligent-radiology-workflow-optimization-with-ai-agents-2/

Related coverage