The Agentic AI Security & Governance Manifesto
A new class of software is being deployed faster than the infrastructure to govern it. Autonomous AI agents — systems that can plan, reason, and act across networks, applications, and counterparties — have moved from research demos to live commerce, customer support, software engineering, and financial workflows in roughly eighteen months. McKinsey found that nearly two-thirds of organizations are experimenting with agents and almost a quarter are scaling them inside at least one business function.1 Gartner expects the share of enterprise applications running task-specific agents to jump roughly eightfold, to 40%, by the end of 2026.2
The capability curve is steep, the commercial pull is enormous, and the security and governance layer underneath is, in most cases, missing. We believe this gap is the defining infrastructure problem of the next five years. This layer needs to be integrated from day one rather than retrofitted, and Asia is well placed to lead in its development and adoption, through the region’s growing public-private collaborations.
Terminal 3 has spent several years building the foundation that this layer depends on: confidential computing, verifiable identity, and cross-boundary interoperability. We do not claim to have every answer but we do hold a strong conviction about the shape of a solution, and we offer it here in the hope of contributing to a wider conversation among regulators, enterprise security leaders, developers, and capital allocators.
The gap between what is being built and how it is being secured
Gartner's data shows 80% of enterprise applications shipped or updated in Q1 2026 now embed at least one agent, yet only 31% of organizations have agents in live operation.3 The firm goes further and predicts that more than 40% of agentic AI projects will be cancelled by 2027, citing weak governance as a primary cause.2 That is a remarkable forecast from an analyst firm that tends to be among the most bullish on enterprise software adoption.
The risk picture confirms the concern. IBM's 2025 Cost of a Data Breach Report found that the average breach at organizations with high levels of shadow AI is roughly $670,000 higher than at companies with little or no shadow AI.4 The Open Worldwide Application Security Project (OWASP) published its first Top 10 for Agentic Applications in December 2025, and three of the four highest-ranked risks (Agent Behavior Hijacking, Tool Misuse, and Identity & Privilege Abuse) are fundamentally identity and authorization problems rather than model problems.5
Additionally, the incident record is no longer theoretical. In June 2025, researchers at Aim Security disclosed EchoLeak (CVE-2025-32711), a zero-click vulnerability in Microsoft 365 Copilot that allowed a remote attacker to exfiltrate confidential data through a single crafted email, with no user interaction required.6 A month later, an AI coding agent on Replit deleted a live production database during a designated change freeze, fabricated thousands of synthetic records to cover the loss, and produced misleading status messages about what it had done, all before manual recovery was possible.7 Similar failures have surfaced elsewhere: hidden instructions executed by Perplexity's Comet browser, and locally running coding agents hijacked through poisoned issues in GitHub's Model Context Protocol (MCP) integration.
The common thread across these incidents is less about model failure than about the absence of verifiable identity, scoped permissions, and tamper-resistant audit at the action layer. Each incident would have looked materially different if the agent had been required to prove who it was, operate under credentials that limited what it could do, and leave an audit trail that any third party could verify after the fact.
Regulators are moving, but the map is fragmented
Policy is catching up on multiple continents simultaneously, and the resulting picture is one of overlapping but non-identical regimes that any agentic system operating cross-border will need to satisfy. The pace of new instruments since the start of 2025 — covering general-purpose models, content provenance, agentic systems specifically, sovereign deployment, and sectoral sandboxes — has compressed what would normally be a decade of policy development into roughly eighteen months.
- In the European Union, the AI Act entered into force on August 1, 2024. Obligations on providers of general-purpose AI models became applicable on August 2, 2025, and the European Commission's enforcement powers, including the ability to fine GPAI providers, take effect on August 2, 2026.8 Organizations deploying agentic systems built on foundation models are likely to fall within the Act's definition of a "deployer," with heavier provider-level obligations triggered when fine-tuning substantially modifies the underlying model.8
- In the United States, the Trump administration revoked the prior executive order on AI through EO 14179 in January 2025 and followed with a December 2025 order, "Ensuring a National Policy Framework for Artificial Intelligence," that prioritizes federal leadership over state regulation and directs the Attorney General to challenge state AI laws that conflict with the federal framework.9 The direction of travel is toward fewer, more uniform constraints at the national level, with parallel emphasis on AI's role in national and economic security.
- In Singapore, the Infocomm Media Development Authority (IMDA) launched the world's first jurisdiction-level Model AI Governance Framework for Agentic AI in January 2026, then updated in May 2026, organized around four dimensions: bounding risk upfront, making humans meaningfully accountable, implementing technical controls, and enabling end-user responsibility. The framework is voluntary, but organizations remain legally accountable for their agents' actions.10
- In Hong Kong, the Digital Policy Office's Ethical AI Framework was most recently updated in December 2025, supplemented by the Generative AI Technical and Application Guidelines published in April 2025; in March 2026, four financial regulators expanded the GenA.I. Sandbox++ to cover banking, securities, asset management, insurance, MPF, and stored value facilities.11
- In the United Arab Emirates, the Cyber Security Council, e&, and Open Innovation AI launched a Sovereign AI Platform with an accompanying Sovereign AI Security Framework that validates, governs, and monitors models and agents before deployment into sensitive environments.12
What this patchwork shows is that there is broad political consensus that agentic AI requires governance, but that there is meaningful divergence on how. Any agent that operates across markets — a customer service agent for a global brand, a trading agent for a cross-listed fund, a procurement agent for a multinational supply chain — will certainly need to satisfy policies and regulations from multiple regimes at once. The technical question follows directly: what infrastructure makes multi-jurisdiction compliance demonstrable rather than asserted?
The limits of walled-garden governance
The dominant industry response to date has come from the hyperscalers and the foundation-model providers. Microsoft made Agent 365 generally available in 2026 as a control plane to “discover, govern, and secure AI agents” across Microsoft environments. Google relaunched Agent Designer as Agent Studio inside Gemini Enterprise, paired with a registry, simulation environment, and marketplace.13 AWS Bedrock and the major foundation-model labs have shipped their own governance tooling. The work being done by these teams is serious and useful, and for organizations whose agentic footprint sits entirely inside a single cloud or a single model provider, it may be sufficient.
That assumption holds for fewer enterprises than these providers imply. Most large organizations already operate workloads across multiple clouds, many because they are required to for regulatory compliance, and the agentic patterns now emerging – agents that call out to third-party APIs, hand off to other agents built on different model families, transact with counterparties using independent identity systems — push the fragmentation further. The agentic commerce stack alone now includes Visa's Trusted Agent Protocol (TAP), Mastercard's Agent Pay and Verifiable Intent layer, Google's Agent Payments Protocol (AP2) with cryptographic mandates, and the open Agentic Commerce Protocol (ACP).14 Each is being built principally inside its sponsor's ecosystem, and there is currently no neutral layer that lets an agent prove its identity, present its permissions, and complete a transaction across all of them.
We believe a walled-garden governance model has three structural weaknesses. First, it ties the assurance an enterprise can offer its customers to the lifecycle and commercial decisions of a single platform. Second, it makes regulatory portability difficult: an agent governed by one cloud's tooling cannot easily demonstrate compliance to a regulator who recognises a different attestation regime. Third, and most fundamentally, the entity providing the model or the cloud is often the same entity providing the governance, which is a configuration prudent CISOs and policymakers should not accept as the long-run default for systems that will increasingly act on behalf of citizens, patients, and consumers. Taken together, these weaknesses point to a single architectural requirement that a walled-garden approach cannot satisfy by design: governance assurance that is portable across clouds, model providers, jurisdictions, and counterparties.
What governance actually requires
Drawing on the OWASP risk taxonomy, the IMDA framework's four dimensions, the EU AI Act's transparency and traceability obligations, and the incidents documented above, a set of common functional requirements becomes legible. An agentic system that can be safely deployed at scale needs, at minimum, the following:
- A verifiable identity for every agent, cryptographically bound to the entity that deployed it, presentable to any counterparty. Decentralized Identifiers (W3C DIDs) and Verifiable Credentials are the most mature open standards for this purpose.
- Programmable, scoped permissions that define what the agent is authorized to do, under what conditions, and for what duration, enforced at the action layer rather than relying on the agent's own self-restraint or post-hoc review.
- Confidential computation for any sensitive data the agent requires. Trusted Execution Environments (TEEs) paired with remote attestation make it possible to process inputs that the infrastructure operator, and any other party outside the enclave, never sees in cleartext, and to produce outputs cryptographically bound to the measured code that produced them. That binding only carries weight if the relying party actually verifies the attestation report against an expected code measurement before releasing data or trusting output; an unchecked attestation is just a signed statement from the hardware. Confidential computing is now a mature commercial category, with hardware support from Intel TDX, AMD SEV-SNP, and NVIDIA Hopper-generation GPUs making attested AI inference operationally feasible at production scale.15
- Tamper-resistant, third-party-verifiable audit trails that record what the agent did, why, and with whose authority, written to infrastructure that the deploying party cannot retroactively edit. Logs that live inside the same trust boundary as the agent itself function as operational telemetry, but they fall short of what regulators and counterparties will reasonably expect from an audit trail.
- Cross-boundary interoperability across clouds, model providers, and jurisdictions, so that the same identity, permission, and audit primitives work whether the agent is operating inside an enterprise's private cloud, on a hyperscaler, or transacting with a counterparty on entirely different infrastructure.
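As an added example, not Terminal 3's code and not a reference implementation of any of the standards named above, the following Go program shows the second and fourth requirements in the list at the smallest scale that still runs: an issuer signs a scoped, time-bounded grant for an agent; a reference monitor checks signature, expiry and the action allowlist before every tool call rather than after it; and each decision, allowed or denied, is appended to a hash-chained audit log that anyone holding the latest hash can verify. The credential format, the DID-shaped agent identifier (which is not resolved), the tool names and the sample grant are assumptions made for the example. A real deployment would carry the grant as a W3C Verifiable Credential and would anchor the chain head with a party the deployer does not control; an in-memory log cannot show that last step, only that edits and deletions become detectable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Credential is the scoped grant the deploying entity (the issuer) gives one agent.
// Hypothetical minimal format, not a W3C Verifiable Credential; the issuer signs
// the canonical JSON of every field except Sig.
type Credential struct {
	AgentID  string          // DID-shaped identifier (assumed); not resolved here
	Tools    map[string]bool // action allowlist: the agent may call only these
	NotAfter int64           // unix seconds; the grant is time-bounded
	Sig      []byte          `json:"-"`
}

func (c Credential) signingBytes() []byte { b, _ := json.Marshal(c); return b }

// Issue signs the credential with the issuer's Ed25519 key.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	c.Sig = ed25519.Sign(priv, c.signingBytes())
	return c
}

// AuditEntry is one link in a hash chain: each entry commits to the previous
// hash, so editing or deleting an earlier entry breaks every later link.
type AuditEntry struct {
	Prev, AgentID, Tool, Reason, Hash string
	Time                              int64
	Allowed                           bool
}

func hashEntry(e AuditEntry) string {
	e.Hash = "" // the hash covers every field except itself
	b, _ := json.Marshal(e)
	return fmt.Sprintf("%x", sha256.Sum256(b))
}

// Monitor is a reference monitor that sits between the agent and its tools.
type Monitor struct {
	issuerPub ed25519.PublicKey
	now       func() time.Time // injectable clock so expiry is testable
	Log       []AuditEntry
}

func NewMonitor(pub ed25519.PublicKey, now func() time.Time) *Monitor { return &Monitor{issuerPub: pub, now: now} }

// Authorize runs before the tool call; every decision, allowed or denied, is logged.
func (m *Monitor) Authorize(c Credential, tool string) error {
	reason := ""
	switch {
	case !ed25519.Verify(m.issuerPub, c.signingBytes(), c.Sig):
		reason = "credential signature invalid"
	case m.now().Unix() > c.NotAfter:
		reason = "credential expired"
	case !c.Tools[tool]:
		reason = "tool not in allowlist"
	}
	prev := ""
	if n := len(m.Log); n > 0 {
		prev = m.Log[n-1].Hash
	}
	e := AuditEntry{Prev: prev, Time: m.now().Unix(), AgentID: c.AgentID, Tool: tool, Allowed: reason == "", Reason: reason}
	e.Hash = hashEntry(e)
	m.Log = append(m.Log, e)
	if reason != "" {
		return fmt.Errorf("%s denied: %s", tool, reason)
	}
	return nil
}

// VerifyChain recomputes every hash and link and returns the index of the first
// inconsistent entry, or -1 if the log is intact. Anyone holding the latest hash
// can run it without trusting the deployer.
func VerifyChain(log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if e.Prev != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	m := NewMonitor(pub, time.Now)
	cred := Issue(priv, Credential{ // constructed sample grant
		AgentID:  "did:example:support-agent-1",
		Tools:    map[string]bool{"read_ticket": true, "draft_reply": true},
		NotAfter: time.Now().Add(time.Hour).Unix(),
	})
	fmt.Println(m.Authorize(cred, "read_ticket")) // <nil>
	fmt.Println(m.Authorize(cred, "drop_table"))  // drop_table denied: tool not in allowlist
	forged := cred // the agent tries to widen its own scope without the issuer's key
	forged.Tools = map[string]bool{"drop_table": true}
	fmt.Println(m.Authorize(forged, "drop_table")) // drop_table denied: credential signature invalid
	m.Log[1].Allowed = true // the deployer later rewrites the denied action as allowed
	fmt.Println(VerifyChain(m.Log))                // 1: the edited entry no longer matches its hash
}
```

The two failure modes at the end are the ones the incidents above turn on: an agent cannot widen its own permissions, because the allowlist is inside a signed object it holds but did not sign, and an operator cannot quietly rewrite what the agent did, because the rewrite invalidates the chain from that entry onward. The check is only as strong as the clock and the issuer key, so in practice both the time source and the issuer's public key would themselves come from an attested or otherwise trusted channel.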
None of these requirements is exotic. Each draws on established cryptographic, hardware, and standards work. What has been missing is a coherent infrastructure layer that delivers all five together and is neutral with respect to the cloud, model, and ecosystem choices each enterprise makes.
A case for Asia, and for public-private partnership
The framing of agentic AI governance is too often US-versus-EU. The most interesting and pragmatic policy work over the past eighteen months has, in our view, come from elsewhere, in particular from Asia. Singapore's IMDA produced the first jurisdiction-level framework specifically for agentic systems and updated it with practical case studies within four months. Hong Kong's regulators expanded the GenA.I. Sandbox++ to cover the full breadth of financial services in March 2026 and have committed HK$1 billion to a new AI Research and Development Institute.11 The UAE's sovereign AI architecture sets a useful template for jurisdictions that want to retain meaningful control over how AI operates inside critical infrastructure.
These programs share two characteristics. They are pragmatic rather than precautionary, and they are built through structured public-private collaboration – regulatory sandboxes, technical guidelines developed with industry input, voluntary frameworks with clear accountability anchors. The result is policy that ships faster, adapts faster, and is more directly informed by what is actually being deployed.
We believe Asia is well placed to lead the development of cross-boundary, cryptographically grounded governance infrastructure for the same reasons it has led mobile payments, digital identity, and real-time settlement: regulators willing to engage technically, capital willing to fund infrastructure, and a private sector with genuine expertise in the underlying cryptography and decentralized systems. But this potential requires deeper partnerships between regulators and infrastructure providers, between sandboxes and the enterprises that will be the first to deploy at scale, and between Asian jurisdictions that can interoperate their respective frameworks rather than allow them to drift apart.
The case for partnership is also a case about systemic risk. Agents that act autonomously in financial markets, healthcare, energy systems, and critical infrastructure will be capable of error or misuse at a scale and speed that outruns after-the-fact human intervention. The only durable answer is cryptographic, hardware-rooted governance that binds the agent before it acts: identity, permission, and audit primitives enforced at the point of action rather than reviewed in the aftermath.
How Terminal 3 implements this
The arguments above are technology-agnostic. They describe what we believe any credible agentic AI governance infrastructure must deliver. We close by describing how Terminal 3 has chosen to implement them, both to make our point of view concrete and so that enterprises and governments can evaluate whether the approach holds up.
Our core platform is the T3 Network (T3N), a confidential computing network built on decentralized Trusted Execution Environments (TEEs). T3N nodes provide three primitives at the infrastructure layer: storage that is secured through decentralization, confidential computation through TEEs, and an immutable ledger for audit. The network is fully programmable through a construct we call “TEE contracts,” and is available in four deployment flavors — public mainnet access, dedicated nodes, private cloud (for a multinational or a consortium of partners), and on-premises.
On top of T3N, we offer a full-stack AI agent security and governance platform: Agent Command is “The Command Center For Your Autonomous Workforce”, and it delivers six capabilities:
- Mission Control - visibility into every registered agent's status, permissions, and activity
- Verifiable Identity - cryptographic agent identities recognised by any counterparty
- Policy Enforcement - an agent action allowlist, with violations blocked before execution
- Secrets Vault - credentials sealed in hardware and substituted at runtime so the agent never sees them
- Immutable Audit Trail - every action cryptographically sealed and independently verifiable
- Unified Commerce - a single integration into every agentic commerce protocol, with native PCI compliance
Because Agent Command is built on T3N rather than inside any single hyperscaler or model ecosystem, the same controls apply to agents operating across protocols, clouds, and foundation models, a property we believe is a structural advantage over governance built inside a single ecosystem.
Alongside Agent Command, the T3 Agent Developer Kit (T3 ADK) gives developers two tools – Agent Auth for verifiable agent identity and Agent Connect for unified agentic commerce – to build secure and compliant agents from day one.
We have built these products because we believe the agentic shift will require infrastructure that none of the dominant players has commercial incentive to build in a neutral, cross-boundary form. We will publish more on each of them, including technical detail, integration patterns, and reference deployments, over the coming months. The broader argument of this paper stands independent of whether readers choose Terminal 3 as their implementation partner: that day-one, cross-boundary, cryptographically grounded governance is what agentic AI needs, and that building it well is one of the most consequential infrastructure projects of this decade.
Sources
1 McKinsey & Company, "The State of AI: Global Survey 2025" and "State of AI Trust in 2026: Shifting to the Agentic Era." Link
2 Gartner, "Gartner Predicts 40% of Enterprise Apps Will Feature Task-Specific AI Agents by 2026" (press release, 26 August 2025); Gartner, "2026 Hype Cycle for Agentic AI." Link
3 Joget / IDC and Gartner adoption data summary, "AI Agent Adoption 2026: What the Data Shows." Link
4 IBM, "Cost of a Data Breach Report 2025"; Kiteworks analysis, "How Shadow AI Costs Companies $670K Extra." IBM · Kiteworks
5 OWASP GenAI Security Project, "OWASP Top 10 for Agentic Applications" (December 2025). Link
6 Obsidian Security, "Prompt Injection Attacks: The Most Common AI Exploit in 2025"; arXiv, "EchoLeak: The First Real-World Zero-Click Prompt Injection Exploit in a Production LLM System" (CVE-2025-32711). Obsidian · arXiv
7 Fortune, "AI-powered coding tool wiped out a software company's database in 'catastrophic failure'" (23 July 2025); AI Incident Database, Incident 1152. Fortune · AIID
8 European Commission, "AI Act" overview; European Parliament Think Tank, "Enforcement of the AI Act" (March 2026). EC · EP
9 The White House, "Removing Barriers to American Leadership in Artificial Intelligence" (EO 14179, 23 January 2025) and "Ensuring a National Policy Framework for Artificial Intelligence" (11 December 2025); Sidley Austin, "Unpacking the December 11, 2025 Executive Order." EO 14179 · Dec 2025 EO
10 Infocomm Media Development Authority (IMDA), "Singapore Launches New Model AI Governance Framework for Agentic AI" (22 January 2026); Baker McKenzie, "Singapore: Governance Framework for Agentic AI Launched." IMDA · Baker McKenzie
11 Hong Kong Digital Policy Office, "Ethical Artificial Intelligence Framework" (most recently updated December 2025); Mayer Brown, "AI Governance: Practical Guidance from Hong Kong Privacy Commissioner" (October 2025). DPO · Mayer Brown
12 TahawulTech, "e&, UAE CSC and OI launch UAE Sovereign AI platform"; Computer Weekly, "Falcon and beyond: Abu Dhabi's blueprint for national AI governance." TahawulTech · Computer Weekly
13 Microsoft, "Microsoft Agent 365: The Control Plane for Agents"; Futurum Group, "Microsoft Agent 365 Turns Shadow AI Into a Governed Asset Class"; Google Cloud Blog, "The new Gemini Enterprise: one platform for agent development." Microsoft · Google Cloud
14 Mastercard, "Building trust in AI commerce: Mastercard's agentic protocols"; Digital Commerce 360, "How Visa and Mastercard are approaching agentic commerce" (April 2026). Mastercard · Digital Commerce 360
15 Confidential Computing Consortium; NVIDIA, "AI Security with Confidential Computing"; Red Hat Emerging Technologies, "Enhancing AI inference security with confidential computing" (October 2025). NVIDIA · Red Hat