Convergence, new energy, and the seams
The June 2026 capstone: where the field converges, where the new energy is, and the three seams between the layers that no framework closes.
This closes out the vendor round. The six layer posts mapped who is building what. This one steps back to the shape of the whole field as of June 2026: where it is converging, where the new energy actually is, and, the part that matters most for this project, who is moving on the seams between the layers. Read the disclosure at the foot first; this is a snapshot and a reading of the field, not advice on what to buy.
The convergence is real
Two things are genuinely converging, and both are encouraging.
First, the mapped ecosystem shows convergence. Identity is coalescing on OAuth, SPIFFE, and DID. Tool and agent protocols are coalescing on MCP and A2A. Governance is coalescing on ISO/IEC 42001 and the EU AI Act. Assurance is coalescing on open benchmarks and supply-chain signing. Those primitives recur across the mapped vendors, which is some signal of durability, though a young market can still shift under you.
Second, the labs have independently converged on a posture: treat the agent itself as a potential insider threat, and do not let safety depend on alignment being perfect. Google DeepMind's AI Control work and Anthropic's containment-plus-Glasswing posture arrive there from different directions, and OpenAI's deployment gating assumes the same. A shared vocabulary may be emerging: DeepMind's D1-D4 detection and R1-R3 response tiers are being picked up as shorthand in places. It is early to call it an industry vocabulary, but it is a candidate for one.
The layers are maturing at very different rates
Mapping the vendors side by side, the unevenness is stark:
- Identity is the most commercially mature, built by the people who built enterprise identity.
- Assurance has the strongest open and standards backbone, led by the labs and the supply-chain community.
- Governance is regulation-led: the law and the standards are ahead of the tooling.
- Containment is split, mature isolation, but a cluster of practical controls with no product.
- Protocols are consolidating as standards while their security stays optional and immature.
- Runtime is fragmenting hardest, three industries each owning a piece and none joining them.
The honest scorecard underneath this: a real number of controls have no mapped commercial implementation at all, and they are not edge cases:
| Control | Name | What goes unguarded without it |
|---|---|---|
| EC-05 | Denial-of-wallet budgets | runaway token / compute spend |
| EC-06 | Runaway-loop / least-agency caps | unbounded loops, over-broad autonomy |
| EC-08 | Secrets-out-of-context | credentials extractable from the prompt |
| EC-09 | Untrusted-workspace handling | config / hook execution from a poisoned repo |
| PT-05 | Output encoding | injection into downstream systems |
| PT-06 | Model-parameter sanitization | prose-nested SQL / shell / prompt in tool calls |
| PT-07 | Tool-description integrity | poisoned tool docs steering the agent |
| GV-06 | Velocity caps on irreversible actions | death-by-a-thousand-cuts |
| GV-08 | Transactional / idempotent actions | TOCTOU races, double-applied actions |
| GV-09 | Named-owner accountability | the attribution crisis mid-incident |
| AS-07 | Behavioral integrity | skills that do more than they declare |
Several of those are this project's own elevated positions. That blank space is not a gap in the map; it is the map.
Method, so this is reproducible: "no mapped commercial implementation" means none was found in this project's implementer dataset or the primary sources reviewed for it as of 21 June 2026, counting open-source and bundled platform features but not roadmap-only claims. It does not prove none exists anywhere. "Maturity" here means the count of shipping implementations and the stability of the underlying standard; "convergence" means several implementers using the same mechanism; "fragmentation" means non-interoperable pieces of one control.
Where the genuinely new energy is
Most of the movement is incumbents and labs shipping fast. But three patterns of new energy are worth watching, because each one redraws part of the stack.
Well-funded new entrants forming around the blanks. Startups are forming around the unowned controls, the untrusted-workspace problem most of all, and drawing serious venture money (the containment post covers one example). I read funding at that scale as a signal of energy and direction, not a verdict on any product; these are new and unproven. The pattern it hints at is disintermediation, a newcomer collapsing workspace trust, config gating, and sandboxing into one product. That removes integration seams (fewer boundaries to secure) while concentrating trust in a young tool. Both at once.
Identity rigor moving into new layers. Beyond Identity bringing device-bound passkeys to MCP trust is an example of a primitive from one mature layer (identity) pushing into a young one (protocols).
Open source disintermediating the incumbents. Microsoft's open-source Agent Governance Toolkit and the OpenSSF/Sigstore signing work are, in this map, the clearest case of open tooling moving into territory proprietary products have occupied: governance as enforceable code, provenance as open signing. Whether that displaces incumbents is not a call a control map can make; the mechanism shift is what's worth tracking.
And the most important caveat in this whole round: this map undercounts, badly. The companies most likely to reshape these layers are disproportionately early-stage or in stealth, not yet shipping, not yet named, not mappable to a control. A vendor snapshot can only show what has surfaced. Assume a meaningful amount is not yet visible. Assume the real frontier of new entrants is larger than anything here. Treat any layer that looks settled as provisional for that reason alone, the next post on it could read very differently.
The disintermediation pattern to watch across all of this is a single product claiming to span layers, to see the operating system, the reasoning, and the boundary at once, or to own identity, the registry, and discovery together. It is attractive because it closes seams. It is risky because it concentrates trust and becomes one large thing to compromise. No one credibly spans the runtime layer that way yet; some are starting to in identity. When it happens, weigh the convenience against the concentration.
Who is moving on the seams
This project exists for the three gaps no single framework closes. Here is the honest state of movement on each.
- Cross-organization agent identity federation. The foundation is forming, NIST's AI Agent Standards Initiative and the Coalition for Secure AI as venues, and the published NIST work (the NCCoE concept paper, the Agent Standards Initiative) pointing at the cryptographic agent identity it would need. But no one has closed it. Your guarantees still stop at your own front door.
- Chain-of-custody for agent-action logs. Relevant logging and data-governance components exist (Google/DeepMind, Databricks), and the EU AI Act's Article 12 is pushing hard on the logging, but no mapped implementation demonstrates the complete evidentiary chain. The forensic chain-of-custody question, can these logs stand up in an investigation, remains unanswered.
- Securing the security layer itself. The least-built of the three. DeepMind's AI Control work, treating the monitor's own integrity as part of the threat model, is the nearest thing to movement. It is early.
The pattern is the same one the whole project started from: the field is converging on the layers and fragmenting at the seams. The most visible implementation activity is concentrated in the layer-specific controls, and the joins are left open. The seams are still where agents break.
See the full corpus, and browse any domain to see exactly which controls have an owner and which do not, at apeiris.ai.
Sources
- Google DeepMind, AI Control Roadmap · Anthropic, Project Glasswing · OpenAI, Preparedness Framework
- Microsoft Agent Governance Toolkit · OpenSSF Model Signing / Sigstore · Databricks DASF v3.0
- NIST AI Agent Standards Initiative · Coalition for Secure AI (CoSAI) · EU AI Act Article 12
- Standards spine: SPIFFE · W3C DID · MCP · A2A v1.0.0 · ISO/IEC 42001
---
How to read this. Apeiris is vendor-neutral and takes no payment for inclusion. A product appears here because it maps to a control in the corpus, not because of any relationship, and nothing here is a recommendation or an endorsement. Where a vendor reports a result, it is presented as that vendor's own claim, not an independent finding. This is a snapshot dated 21 June 2026; this space moves fast and some of it will be out of date quickly. Standards and open specifications come first; commercial positioning second. New entrants are noted as signals of where the field is heading, not as proven choices. And this map undercounts the field, since many relevant companies are early-stage or in stealth and not yet visible here.