The Agent Now Has an OS. Production Still Doesn't Have a Gate.

At Computex 2026, Microsoft and NVIDIA shipped a source envelope for agents. Identity, policy, audit, and kill-switch primitives baked into the operating system where the agent runs. It is real, it is necessary, and it is local to the substrate they own. The artifact gate, the place where every substrate's output crosses the enterprise's own boundary, is the only universal layer. Source governance is provincial. Production governance is universal.

On June 1, 2026, Jensen Huang took the stage at GTC Taipei inside Computex and unveiled the RTX Spark Superchip, a Windows-on-Arm processor jointly developed with Microsoft that pairs a Blackwell GPU with a 20-core Grace CPU, 128GB of unified memory, and roughly a petaflop of FP4 AI compute on a single package. The hardware story is impressive. The governance story buried inside it is more important.

NVIDIA's June 1 press release described the partnership directly: Microsoft and NVIDIA are delivering "a robust, secure Windows platform for on-device agents", built on new Windows security primitives and the NVIDIA OpenShell runtime. The capabilities NVIDIA enumerated for OpenShell are specific. Policy controls that let the user define what agents can and cannot do. Intelligent routing of queries to local models based on the user's privacy policies. Disguising of personal information in queries sent to cloud models.

Translate the marketing. Microsoft and NVIDIA have shipped an OS-level source envelope for agents. Identity, policy, audit, kill-switch, and routing primitives, baked into the substrate where the agent runs. This is real. This is important. It is also a partial solution to a problem whose harder half lives somewhere else.

What just got solved

For two years, the dominant agentic-governance pattern has been third-party CASB-for-AI on a laptop. Endpoint agents, DNS shaping, browser extensions, network proxies. Leaky strainers all of them, because the real agent traffic crossed too many boundaries the CASB layer could not reach. Personal devices over LTE were invisible. Locally-running Claude Code or Cursor sessions were invisible. MCP tool calls completing client-side were invisible.

OpenShell collapses that fight on the Windows surface. If an agent runs on an RTX Spark machine, its execution is governed natively by primitives in the OS, not by a third-party layer trying to inspect traffic from the outside. The CASB-for-AI layer becomes redundant for that subset of agentic activity.

This pattern will replicate. AWS Bedrock AgentCore Policy, generally available since March 2026, is the same architectural play for cloud-native agents: deterministic policy enforcement at the boundary outside the agent's code, intercepting tool calls before they execute. Apple Intelligence will become the same play for macOS and iOS. Google's Gemini Nano surface will become the same play for Android. Each substrate vendor will ship its own envelope, governing its own slice.

The source-envelope layer is now hyperscaler territory. It will be won by the platform default on each surface, not by an independent governance vendor. The independent "AI consumption governance" category, the CASB-for-AI cohort that includes Portal26 and the AI-security companies CrowdStrike pulled in when it acquired Pangea for $260M in September 2025, is being structurally compressed by these moves. CrowdStrike's own Secure-by-Design AI Blueprint, announced in March 2026, embeds Falcon directly into NVIDIA OpenShell at the source-envelope layer rather than competing with it. The incumbents are merging into the substrate. The independents are running out of substrate to stand on.

Give Microsoft and NVIDIA full credit. For the substrate they own, this is the correct architectural pattern.

What didn't get solved

OpenShell governs the agent inside the Windows machine on RTX Spark silicon. It does not, and cannot, govern:

The same employee's agent running on a personal MacBook over LTE. The Lambda function the on-device agent spawned to do heavier work. The third-party MCP server hosted on the open internet that the agent called. The Anthropic-hosted Cowork sandbox running a parallel task. The GitHub Actions runner that completed the agent's commit pipeline. The Cursor backend that wrote half the diff before Spark ever saw it.

Each of these substrates has its own envelope, or no envelope at all. None of them propagate provenance to the next hop. There is no equivalent of OpenTelemetry for trust. The agent's identity, the policy decisions made against it at issue time, the audit trail of what it touched: all of it is substrate-local and dies at the first boundary.

This is inherited governance at the protocol level. The agent was governed at issue time inside OpenShell, and that governance does not survive the first hop into a substrate Microsoft does not own. By the time the agent has called three MCP servers, run on two compute substrates, and produced a diff that lands in a CI pipeline, the original OpenShell context is a memory. Even if every major substrate ships its own envelope, the envelopes remain provincial. Source governance is local to its substrate. Production is downstream of all substrates.

The three-layer architecture of agentic governance

The honest map of agentic governance has three distinct layers, and any vendor selling only one of them is selling a slice and calling it the whole.

Layer 1, the source envelope. Identity, policy, audit, and kill-switch attached at agent origination. Owned by the substrate vendor. RTX Spark plus OpenShell occupies this layer on Windows. AWS Bedrock AgentCore Policy occupies it on AWS. Apple Intelligence will occupy it on macOS. Each major hyperscaler will ship its own. Necessary. Not sufficient.

Layer 2, the runtime mesh. What happens between launch and artifact. Hops across substrates, MCP tool calls, sub-agent fan-out, third-party API invocations. Largely unobservable in heterogeneous environments. In the absence of an open trust-propagation standard, no single vendor will fully solve this, and the economic incentives for one to emerge are weak because every vendor would rather have the agent stay inside their own envelope than hand it off cleanly to a competitor's. Probably no one ever fully solves this layer.

Layer 3, the artifact gate. Scoring the agent's output against production risk before it lands. The pull request. The model card. The deploy manifest. The infrastructure change. The thing that crosses the enterprise's own boundary to become production reality. Universal. The convergence point of every substrate.

The artifact gate is universal precisely because every substrate, no matter how heterogeneous, eventually deposits its output into a place the enterprise owns and controls. A Git repository. A model registry. A change-management system. An infrastructure manifest. The agent can run anywhere. The artifact has to land somewhere.
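An added illustration of the artifact gate described above, not code from this essay or from any vendor it names: a merge-gate check that scores a unified diff on its content alone, so the verdict is the same whichever substrate produced the change. The rule patterns, weights, threshold and sample diff are assumptions constructed for this example.

```python
import re

# Hypothetical policy: patterns, weights and threshold are assumptions of this example.
PATH_RISK = [
    (re.compile(r"^\.github/workflows/"), 40, "CI pipeline definition changed"),
    (re.compile(r"(^|/)(terraform|k8s|deploy)/"), 35, "infrastructure or deploy manifest changed"),
]
SECRET_RE = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"]{8,}['\"]")
BLOCK_THRESHOLD = 50  # assumed risk budget for an unattended merge

def parse_diff(diff_text):
    """Return {path: [added lines]} from a unified diff; deletions keep the old path."""
    files, current, old = {}, None, None
    for line in diff_text.splitlines():
        if line.startswith("--- "):
            old = line[4:].strip()
        elif line.startswith("+++ ") and old is not None:
            new = line[4:].strip()
            path = old if new == "/dev/null" else new
            current = path[2:] if path[:2] in ("a/", "b/") else path
            files.setdefault(current, [])
            old = None
        elif line.startswith("+") and current is not None:
            files[current].append(line[1:])
    return files

def gate(diff_text, threshold=BLOCK_THRESHOLD):
    """Score the artifact alone; the producing substrate is never consulted."""
    score, reasons = 0, []
    for path, added in parse_diff(diff_text).items():
        for pattern, weight, why in PATH_RISK:
            if pattern.search(path):
                score, reasons = score + weight, reasons + [f"{path}: {why}"]
        if any(SECRET_RE.search(text) for text in added):
            score, reasons = score + 60, reasons + [f"{path}: added line resembles a credential"]
    return {"score": score, "allow": score < threshold, "reasons": reasons}

# Constructed sample diff (not from any real repository).
SAMPLE_DIFF = """\
--- a/app/handlers.py
+++ b/app/handlers.py
@@ -0,0 +1 @@
+API_KEY = "CONSTRUCTED-NOT-A-REAL-KEY"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,1 +3,1 @@
-    runs-on: ubuntu-latest
+    runs-on: self-hosted
"""
```

Calling `gate(SAMPLE_DIFF)` returns a blocking verdict with one reason per finding; the same function run as a required status check would apply identically to a human's diff and an agent's.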

This is the asymmetry the next decade of agentic governance will be built around. Source-side governance is provincial. Production-side governance is universal.

The principle

Call it what it is. The governance decision has to happen at the point of execution, not at the point of provisioning.

Provisioned governance, the model the industry has shipped for three decades, asks an administrator to declare a rule once and trust the rule to apply forever after. That model cannot survive a world where the agent's next action is composed at runtime from context the administrator never saw, with destinations the administrator did not enumerate, against data classifications that did not exist when the rule was written. The administrator's rule is a snapshot. The agent acts on the live world.

Executed governance asks a different question. For this specific action, against this specific data, with this specific destination, with this specific confidence in the context: should this proceed? The answer can only be computed in-flight, with the policy as code, with the routing as code, with the redaction as code. There is no canonical record to govern. There is a transaction trying to happen, and the transaction has to be adjudicated as it tries to happen.

OpenShell is the device-layer expression of that principle. AgentCore Policy is the cloud-substrate expression of it. The artifact gate is the cross-substrate expression of it. Same principle, three altitudes. Source envelopes adjudicate the start of the trajectory. The artifact gate adjudicates the end. The middle is in shadow, and likely stays there.

What Microsoft Build will and will not say today

The Build 2026 keynote runs June 2 and June 3 and will make the agentic-Windows pitch fully public. Expect demos of agents writing code, porting Windows apps to Arm, automating workflows. Expect security framing around OpenShell. Expect the word governance used many times.

Watch closely for what will be absent.

There will be no scoring of whether the agent's diff is safe to merge to production. There will be no production risk index attached to the artifact. There will be no mechanism by which the merge gate at the enterprise's own GitHub or GitLab tenant verifies that the change crossing it, regardless of which substrate produced it, meets a risk threshold to ship. That layer is missing from the keynote because it is not Redmond's to give and it is not Santa Clara's to give. It is the enterprise's own boundary, between the agent's output and production reality. It will be built by whoever decides that is the layer worth building.

Implications for builders, buyers, and platform vendors

Three groups have to move, and the move looks different for each.

Builders of agents need to inherit the local policy as part of the contract, not as a courtesy. The first agent that leaks a credential despite being told not to will become the case study every enterprise legal team cites for the next five years. Treat the device-layer governance primitives as binding inputs. Agents that respect them will be sold. Agents that do not will be sued.

Buyers of AI need to stop accepting vendor-attested privacy as governance. Ask where the enforcement point lives. Ask who governs the routing decision when the agent bursts from local to cloud. Ask whether the SaaS vendor's MCP server respects a policy the device declared, or quietly overrides it. Ask which substrate gate the artifact passes through on its way to production. The right answer is not in a SOC 2 report. It is in a runtime call path, and the call path is now inspectable in a way it was not a month ago.

The cloud and platform vendors have the largest move to make. A flag is in the ground at the device. The control plane fight is no longer about where the data is stored, and it is no longer about which vendor's enclave the model runs in. It is about whose policy travels with the agent across every surface the agent touches. The hyperscalers' answer to OpenShell will arrive within twelve months because customers will demand it. The question is whether those answers stay vendor-bounded, in which case the enterprise ends up with one policy plane per vendor and no coherent governance across them, or whether someone builds the layer that governs across all of them. That cross-substrate layer is what federation has always been about. Not a copy. Not a master. A decision, made in-flight, with provenance outside any single vendor's loop.

The frame for the next decade

Every substrate vendor will ship its own envelope. Every envelope will be local. Every envelope will fail at the first hop into a substrate it does not own. Substrates will multiply, not consolidate. Windows-OpenShell joins AWS AgentCore, Apple Intelligence, Gemini Nano, and others still to come. The CASB-for-AI cohort gets compressed into the substrates or gets absorbed by them, and the independent source-envelope category narrows to nothing.

The artifact is the only universal. The artifact gate is the only place where every substrate's output can be scored against the same standard before it changes production reality. That is where the next layer of governance will live, not because anyone planned it that way, but because it is the only layer that can hold.

Source governance is provincial. Production governance is universal. The agent has an OS. Production still does not have a gate.

Cross-link: this piece continues the argument from N° 011 (The Control Plane Cannot Be Where the Data Sits) on where governance has to live, and from N° 015 (The Self-Grading Loop) on why verifiers cannot live inside the loop they are supposed to govern. N° 017 (Phantom Coverage) names the buyer's experience of the architectural fact this essay sets out. N° 018 takes accountability up directly. N° 019 takes the verifier-outside-the-loop up directly.

End N° 016