Phantom Coverage

Why your dashboard is green and your most-governed agent is the one nobody is governing.

Navin Chaddha at Mayfield posted his read of the shift this week. SaaS apps are becoming headless. The agent is the head. Claude Cowork, OpenClaw, NemoClaw, whichever you pick, becomes the single interface, and everything else connects through MCP, skills, and plugins. He is right about the shift. He left the consequence unsaid.

When the browser became the gateway to the internet, it organized access. It never governed it. Governance lived at the firewall, the boundary where traffic crossed into the enterprise. The browser was the gateway in. The firewall decided what was allowed to cross. Two different jobs, two different layers, and everyone understood which was which.

Work as a Service moves the gateway up a layer. The agent is the new interface. Intent is the new query. Orchestration floats above the apps. And the question every security and platform leader should be asking is not whether they govern their agents. It is where their governance actually ends, and whether their risk respects that line. For almost every enterprise, the honest answer is that it does not. They have phantom coverage.

The boundary used to be one place

Protection used to be simple to reason about, because the enterprise had a single boundary. Traffic entered through the perimeter. You inspected it once, at one crossing, and the coverage map matched the risk map. The firewall worked not because it saw everything, but because everything had to pass through it. One chokepoint, fully owned, fully observable.

Every protection model since has quietly assumed that property. Endpoint agents assume the device is the chokepoint. CASB assumes the network is the chokepoint. The model provider assumes its own API is the chokepoint. Each is honest about what it covers. Each reports success. And each is true only inside the one boundary it owns.

The single-chokepoint assumption is now dead. Agents do not traverse one boundary. They fragment across many, and identity and policy do not survive a boundary crossing.

The fragmentation is the whole problem

Walk the spectrum. A pure-play agent calling a model directly crosses one boundary. The provider sees its own tenant and never sees the enterprise behind it. Embed that same agent inside Cursor and you have two boundaries: the provider sees Cursor, Cursor sees its own user, and neither sees the corporate identity that should be governing the action. Now deploy an agent across a multi-cloud tenant structure and you have as many boundaries as you have clouds. Each cloud is its own identity and policy domain. A policy set in one tenant does not bind an action in another. Governance copied into each tenant goes stale the instant the agent moves.

There is a tempting fix that does not work. For endpoint consumption, the answer was to push the sensor lower until you hit the floor, and the floor was the operating system. The kernel sees every app on one machine. That logic is why Microsoft and NVIDIA put agent-governance primitives into the OS itself this week, and it is the right move for one machine. But there is no OS-equivalent floor across clouds. The kernel sees one machine, not another cloud's tenant. You cannot push the sensor lower than the substrate, and the substrate is exactly the boundary that multiplies. The floor that saved endpoint governance does not generalize to distributed agent execution.

This is where the easy reading goes wrong, and getting it right is the entire point.

Phantom coverage is not a shadow problem

The instinct is to file all of this under shadow agents: the personal laptop, the unsanctioned cloud account, the engineer running a model on a personal key. That is a real gap. It is also the wrong one to lead with, because it is closeable. Shadow agents are a visibility problem. You can in principle discover your way out of a visibility problem with more sensors, more CASB, more device management. That is a tightening exercise, and it is what most of the market is selling.

Phantom coverage is the other gap, and it is worse, because it afflicts the agents you can see perfectly.

Picture the most governed path you have. An engineer on a managed laptop, signed in through the corporate identity provider, using a sanctioned tool that calls an enterprise model tier with zero data retention and full audit logging. Every consumption control fires. The prompt is logged, the sensitive data is redacted, the usage is attributed, the model refuses to train on it. The dashboard is green end to end. Then the agent writes a diff and opens a pull request, and nothing in that stack scored whether the diff is safe to land in production.

That agent is not shadow. It is the opposite of shadow. It is the most sanctioned, most visible, most compliant path in the building. And it is uncovered, because every control you bought lives to the left of the artifact, and the risk lives to the right of it. The coverage is real. It just ends before the boundary your risk crosses.

That is phantom coverage: protection that is genuine, fully reported, and bounded by a line your risk does not respect. The coverage map and the risk map do not overlap, and nobody is lying about it. Each control is working exactly as sold. They simply do not add up to the surface.

The only honest test in the category

Stop asking whether you have governance. Ask whether you can draw it. Draw the exact boundary each control owns. Then ask whether the union of those boundaries covers every path an artifact takes into production, regardless of which agent, which tool, which tenant, or which cloud produced it. If you cannot draw that union and show it closing, you do not have governance. You have a feeling, and a green dashboard that confirms the feeling.

This reframes every buying decision. A control is worth what its boundary is worth. Consumption governance is worth the input surface it owns and not one inch past it. OS-level primitives are worth one substrate. A model provider's protections are worth one tenant. None of them is sufficient, because none of them is defined by the boundary that actually matters, which is the enterprise's own.

There is exactly one boundary that every agent action must cross no matter where it originated: the point where a machine's output becomes a corporate artifact. For code, that is the merge gate. For agentic transactions more broadly, it is the should-this-execute decision, made at a cross-vendor control plane the enterprise owns rather than inherits from any single substrate. That boundary is the only one where coverage equals your own boundary, where perceived and actual converge, where there is no phantom. Every artifact crosses it or it does not ship. Bounded and complete.
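The test described above, drawing the boundary each control owns and checking whether their union closes at the artifact boundary, as an added Python example that is not part of the original piece. The control names, tenants and paths are constructed sample data; the classification labels follow the essay's own terms.

```python
"""Map each control to the stages and tenants it actually binds, take the
union per path, and report where that union stops short of the artifact
boundary. All controls, tenants and paths here are constructed samples."""
from __future__ import annotations
from dataclasses import dataclass

# Every path from intent to production crosses these stages in order;
# "artifact" is the merge gate / should-this-execute decision.
STAGES = ("prompt", "model_call", "artifact")
ANY = "*"  # a control bound to every tenant: an enterprise-owned gate


@dataclass(frozen=True)
class Control:
    name: str
    stages: frozenset[str]   # stages this control inspects
    tenants: frozenset[str]  # identity/policy domains it binds


@dataclass(frozen=True)
class Path:
    name: str
    tenant: str              # identity/policy domain the action runs in


def coverage(path: Path, controls: list[Control]) -> set[str]:
    """Union of stage boundaries owned by controls that bind this path's tenant."""
    covered: set[str] = set()
    for c in controls:
        if ANY in c.tenants or path.tenant in c.tenants:
            covered |= c.stages
    return covered


def classify(path: Path, controls: list[Control]) -> str:
    """covered: every stage owned. shadow: nothing owned.
    phantom: input stages green but the artifact boundary is open."""
    cov = coverage(path, controls)
    if cov >= set(STAGES):
        return "covered"
    if not cov:
        return "shadow"
    if set(STAGES[:-1]) <= cov and "artifact" not in cov:
        return "phantom"
    return "partial"


def audit(paths: list[Path], controls: list[Control]) -> dict[str, str]:
    return {p.name: classify(p, controls) for p in paths}


# Constructed: three consumption controls bound to the corporate tenant,
# plus one enterprise-owned merge gate that binds every tenant.
CONSUMPTION = [
    Control("idp-sso", frozenset({"prompt"}), frozenset({"corp"})),
    Control("dlp-redaction", frozenset({"prompt"}), frozenset({"corp"})),
    Control("enterprise-model-tier", frozenset({"model_call"}), frozenset({"corp"})),
]
MERGE_GATE = Control("merge-gate", frozenset({"artifact"}), frozenset({ANY}))
PATHS = [
    Path("managed-laptop-sanctioned-tool", "corp"),
    Path("engineer-personal-key", "personal"),
    Path("agent-in-second-cloud-tenant", "cloud-b"),
]

if __name__ == "__main__":
    print("without gate:", audit(PATHS, CONSUMPTION))
    print("with gate:   ", audit(PATHS, CONSUMPTION + [MERGE_GATE]))
```

The fully sanctioned path reports "phantom" until the gate is added, while the gate also closes the artifact boundary for paths the consumption controls never see.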

Marketing sells the feeling of protection. The boundary you own is the only thing that sells the fact. Find out where your governance ends before something you cannot see finds it for you.

Cross-link: this piece picks up the architectural fact from N° 016 (The Agent Now Has an OS. Production Still Doesn't Have a Gate.) and names the buyer's experience of it. Reacting to Navin Chaddha (Mayfield), "The Rise of Personalized and Headless Software in the AI Era," published June 2, 2026. N° 018 takes accountability up directly. N° 019 takes the verifier-outside-the-loop up directly.

End N° 017