The Control Plane Cannot Be Where the Data Sits

Snowflake and Databricks now claim the agentic control plane. Both build it where the data sits, which means both inherit the staleness of the copy. Inherited governance is correct at copy-time and stale at execution-time. For a human analyst, that gap was survivable. For an agent, it is the whole risk.

On April 21, Snowflake announced its intention to become the control plane for the agentic enterprise. The pitch is elegant. Agents run inside the data cloud, inherit the role-based access controls already defined on the tables, inherit the masking policies already applied to the columns, and execute against data that already lives where the compute lives. Governance comes for free, because the agent never leaves the house.

Databricks made the same move a week earlier. Unity AI Gateway extends the Unity Catalog permission model upward, applying the same controls that govern data access to the way agents call models and reach MCP servers. Two vendors, one architecture: governance inherited from the layer where the data sits.

It is a clean story. It is also the wrong layer.

The historical frame

The copy-and-query architecture was not a mistake. It was the correct answer to the question being asked for two decades. Move the data to where the compute is, materialize it, index it, and let analysts query a consistent snapshot. The snapshot was stale the moment it was written, but staleness was tolerable, because the consumer of the data was a human reading a dashboard on a Tuesday to decide something on a Thursday. The decision tolerated lag measured in hours or days. The architecture was tuned to that tolerance.

Essay N° 002 named the discriminator: staleness tolerance. A catalog and a control plane look similar until you ask how much lag the decision can absorb. A catalog answers what is this, and the answer can be a day old without harm. A control plane answers should this happen, and the answer cannot be a day old, because the world it is governing has already moved.

The data-gravity vendors built for the first question. They are now claiming the second.

What changed

The executor changed. For twenty years the entity acting on the data was a person, and people are slow. An agent is not slow. An agent reads an entitlement, acts on it, and reads the next one in the time a human takes to move a mouse. When the executor is an agent operating in real time, the gap between when the access control was correct and when the action fires collapses to nothing, and every error in that snapshot fires at machine speed.

This is where inheritance becomes a liability instead of a convenience. When governance is inherited from the data layer, the agent is governed by the state of the world at the moment the data was copied, masked, and entitled. That state was correct then. The architecture has no mechanism to ask whether it is still correct now, because the entire value proposition was that you do not have to ask: the controls travel with the data. The thing that made copy-and-query efficient for analytics is the thing that makes it unsafe for execution.

Snowflake and Databricks have correctly identified the territory. Agentic execution needs a governing decision before it runs. That much is now consensus, and they deserve credit for naming it. The disagreement is not about whether the control plane exists. It is about where it lives. Their answer is that it lives where the data sits. That answer inherits the staleness of the place it lives.

Inherited governance is correct at copy-time and stale at execution-time. For a human analyst, that distance was survivable. For an agent, it is the whole risk.

The principle: inherited governance

Call it inherited governance: a system gets its controls for free because it sits on top of the data store, and those controls are exactly as current as the last copy. Inherited governance is correct at copy-time and stale at execution-time. For a human analyst, the distance between those two moments was survivable. For an agent, it is the whole risk.

The alternative is not a better catalog or a faster copy. It is to stop inheriting the decision from where the data rests and to adjudicate it in-flight, at the moment of action, across the systems that actually hold authority. Federation, not inheritance. The control plane resolves identity and context live, at query time, with confidence scoring. And it does so above any single vendor's data store, because the entity the agent is about to act on may be defined in Salesforce, contradicted in Workday, and absent from the warehouse entirely. A control plane that lives inside one data cloud can only govern what that data cloud has already copied. The transactions that matter cross that boundary.

This is the same commitment Essay N° 004 made for data and identity, now forced by the executor. No copy. Always live. Confidence as output. The reason those three properties were principles and not preferences is that the moment you relax any one of them, you are governing a snapshot, and the agent is acting on the world.
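The contrast between inheriting the decision from the copy and adjudicating it at the moment of action, as an added sketch that is not from this essay or from any vendor's product. The source names (`crm`, `hris`), the records, the equal-weight vote and the threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data; system names stand in for "systems that hold authority".
WAREHOUSE_COPY = {  # snapshot written at copy-time and never refreshed here
    "u-1042": {"active": True, "role": "approver", "copied_at": 1000},
}
LIVE_SOURCES = {  # hypothetical live lookups, keyed by system name
    "crm":  {"u-1042": {"active": True,  "role": "approver"},
             "u-2077": {"active": True,  "role": "approver"}},
    "hris": {"u-1042": {"active": False, "role": "approver"},  # changed after the copy
             "u-2077": {"active": True,  "role": "approver"}},
}

@dataclass
class Decision:
    allow: bool
    confidence: float
    reason: str

def inherited_decision(principal, role):
    """Governance inherited from the copy: exactly as current as the last load."""
    row = WAREHOUSE_COPY.get(principal)
    if row is None:
        return Decision(False, 0.0, "principal not in copy")
    ok = row["active"] and row["role"] == role
    # The snapshot has no way to express doubt, so it always reports 1.0.
    return Decision(ok, 1.0, f"snapshot from t={row['copied_at']}")

def federated_decision(principal, role, threshold=1.0):
    """Adjudicate at action time across every source that knows the principal."""
    votes = []
    for name, lookup in LIVE_SOURCES.items():
        rec = lookup.get(principal)
        if rec is None:
            continue  # a source with no record does not vote
        votes.append((name, rec["active"] and rec["role"] == role))
    if not votes:
        return Decision(False, 0.0, "no authoritative source knows principal")
    confidence = sum(ok for _, ok in votes) / len(votes)  # equal-weight agreement
    dissent = [n for n, ok in votes if not ok]
    reason = f"contradicted by {dissent}" if dissent else "all sources agree"
    return Decision(confidence >= threshold, confidence, reason)
```

For `u-1042` the copy allows the action while the live sources disagree and the federated check denies at confidence 0.5; for `u-2077`, which never reached the copy, only the federated check can reach a decision.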

The implications

For buyers, the question to ask any vendor claiming the agentic control plane is brutally simple: at the moment the agent acts, where does the governing decision get its truth? If the answer is the copy in the warehouse, you are buying inherited governance, and you are accepting its staleness as the price of the convenience. That trade was fine when the buyer of the data was a person. It is a different trade when the actor is an agent committing a transaction you are liable for.

For builders, the temptation is to extend the model you already have upward: the catalog already knows the permissions, so let the agent inherit them. It is the path of least engineering resistance and it produces a demo that works. It produces a demo that works because demos do not run at the staleness boundary. Production does.

For the data-gravity vendors specifically: the data cloud is a remarkable place to keep data. It is the wrong place to keep the decision. The decision has to sit where it can see across every system that holds a piece of the truth, and resolve them against each other in the instant before the agent acts. That place is not inside any one of them.

A control plane that inherits its truth from where the data sits is governing the past. The agent is acting in the present. The gap between them is the whole risk.

End N° 011