THE DEEP TAKE

Your AI governance vendor is also your AI vendor

Five enterprise vendors launched AI agent governance control planes in the last six weeks. Microsoft Agent 365 went generally available May 1 inside the new Microsoft 365 E7 tier at $15 per user per month. SAP unveiled Joule Studio and over 200 specialized agents at Sapphire in mid-May. ServiceNow expanded AI Control Tower across 30 enterprise integrations and shipped Project Arc at Knowledge 2026. NVIDIA shipped OpenShell as the secure runtime sandbox under each of the above. Google Cloud joined the same race with the Vista Equity portfolio rollout. Each pitch is the same: be the single layer that discovers, governs, and enforces policy across every AI agent in your enterprise.

None of them are neutral. Microsoft sells Agent 365 at $15 per user per month and also sells Copilot Studio agents. ServiceNow sells AI Control Tower and ships its own Autonomous Workforce. SAP sells Joule's governance layer and ships 200 specialized Joule agents. The vendor pitching governance is the same vendor pitching the biggest fleet of agents you will need to govern. That is not a coincidence; that is the structure of the market. There is no Switzerland in agent governance.

Most trade coverage treats each launch as a feature announcement. Microsoft added cross-cloud sync with AWS Bedrock and Google Cloud. ServiceNow added runtime observability through the Traceloop acquisition. SAP added agent-to-agent interoperability with Microsoft and Google. The unifying question is missing. Whose agents does the governance tool actually govern well? Microsoft Agent 365's third-party registry sync is in public preview with runtime blocking pushed to June. ServiceNow's AI Control Tower discovers 30 enterprise integrations but its enforcement muscle is generally available in August. SAP's interoperability commitments are roadmap, not shipping. The depth of governance over the home vendor's agents is years ahead of the depth over the competitor's.

This is showing up on the demand side. Eighty-seven enterprise IT leaders in the DoGood network submitted agentic AI as a priority in the last 60 days. Ten asked specifically for an inventory or consolidated overview of the AI agents already running. One Director of IT at a mid-sized bank wrote: 'AI agents are exploding this year at my company, and I would like to understand how your platform may be able to provide some visibility and guardrails around them.' The buyers are asking the right question. The vendors selling the answer are not the buyers' allies.

Before signing any agent governance contract, demand a live demo of three things. One: discovery and policy enforcement over a competing vendor's deployed agents, with the same depth as the home vendor's. Two: an exception path for an agent the governance tool refuses to onboard, because vendor-defined 'ungovernable' is how lock-in works at this layer. Three: a written commitment on how the governance product handles a future Anthropic, OpenAI, or open-source framework the home vendor has not yet integrated. If any of the three answers is hand-waving, you are buying the brochure.

The control plane was supposed to be the neutral layer. It is not. The CIO question for the next twelve months is not which agent governance platform has the best dashboard. It is which one will still treat third-party agents as first-class citizens once the home vendor's agent fleet doubles. Pick accordingly.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

QUICK HITS

Meta's $125 billion AI capex is funded by 8,000 jobs

Meta cut 8,000 workers on May 20 across Reality Labs, social, recruiting, and global ops, the same week it reported $56.3 billion in quarterly revenue and $26.8 billion in net income. This is not a recession move. It is a funding mechanism. Zuckerberg telegraphed $125 to $145 billion in 2026 capex against an estimated $7 to $8 billion in annualized layoff savings; the savings do not come close to covering the spend. The signal for enterprise IT: the AI infrastructure tax is being absorbed at Big Tech by trading knowledge workers for GPU clusters. The same cost pressure is coming for enterprises through software pricing, and Microsoft 365 E7 at $15 per user per month is the first proof. Model the AI capex pass-through into your FY27 vendor renewals now, not in October.

GitHub's 18-minute marketplace window cost it 3,800 repositories

A weaponized version of the Nx Console VS Code extension was live on Microsoft's Visual Studio Marketplace for 18 minutes on May 18, between 12:30 and 12:48 UTC. That window was enough. The credential stealer pulled 1Password vaults, Anthropic Claude Code configurations, npm tokens, GitHub personal access tokens, and AWS credentials from any developer who installed it in that window, including at least one GitHub employee. The result: more than 3,800 GitHub-internal repositories exfiltrated, with TeamPCP deploying Mini Shai-Hulud to self-replicate across CI/CD credentials. The lesson is not 'audit your extensions.' It is that the marketplace governance model assumes detection-and-revoke happens before harm. Eighteen minutes is the new floor for marketplace exposure windows, and most enterprises have no detection-and-revoke at that resolution for their SaaS extension inventory.

Drupal's no-auth SQL injection landed Wednesday

The Drupal Security Team shipped SA-CORE-2026-004 on May 20: CVE-2026-9082, a SQL injection in the database abstraction layer affecting every PostgreSQL Drupal deployment from version 8 forward. No authentication required. Severity 20 of 25 on Drupal's scale. The advisory warned that working exploits were likely to emerge shortly after public disclosure, and past Drupal core disclosures have seen weaponization inside 24 hours. The exposure is concentrated where most CIOs do not look: government, public university, federal agency, and national research institution Drupal deployments. If your portfolio includes a .gov or .edu Drupal property, the emergency patch window is now, not next sprint. Drupal Steward customers get immediate WAF coverage; everyone else is on a clock.

THE NUMBER: 19 years

For nineteen years, Verizon's Data Breach Investigations Report has named stolen credentials as the most common initial access path. On May 20 the ranking flipped: vulnerability exploitation now leads, at 31 percent of all initial access. The math behind the flip is structural. CISA's catalog of known-exploited bugs has roughly doubled in two years. Median time to full patch deployment has slipped to 43 days. The pre-2020 mental model, that phishing-then-credential is the dominant attack chain, was correct for a decade. It is no longer the default. The update for the next board deck: identity hygiene is still essential, but the asymmetric defender investment has shifted to patching velocity over a backlog that now includes bugs from before the iPhone. CISA proved the point a day later by adding seven CVEs to KEV, five of them from 2008 to 2010.

This week the DoGood network saw ten enterprise IT leaders ask for an inventory of the AI agents already running in their environment. Ten signals in a sample that small is not noise; it is the prerequisite question every governance pitch is now selling against.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.
