Microsoft Agent 365 went GA yesterday. That’s the news everyone in enterprise IT woke up to on May 1, and it landed in the same quarter that Galileo open-sourced an Apache-2.0 control plane and Onyx Security came out of stealth with $40M in funding. Three platforms, three very different bets on what an “agent control plane” should look like.
If you’re a CISO or platform lead, you’ve probably had the awkward conversation already. Someone runs a query in Copilot Studio. Someone else spins up a CrewAI flow. Sales is on Agentforce. A team in EMEA built something on n8n with an MCP server pointed at production data. Nobody can answer “how many agents do we have running” without a spreadsheet, and the EU AI Act’s high-risk-system audit-trail deadline is hitting in August. That’s the problem this whole category is trying to solve.
I’ve been digging into all three since Microsoft’s GA notice dropped, and the comparison is more useful than most because the three vendors are solving different shapes of the same problem. Below: what each one actually is, what it costs, and where each one wins.
What an agent control plane actually is (and isn’t)
Strip the marketing and you get five pieces: a registry that knows every agent, an identity layer so each agent has its own credentials, a policy engine that decides what’s allowed, observability that tells you what happened, and a kill-switch you can pull when something goes wrong.
This is not your existing CASB. It’s not your MDM. It’s not Datadog or Splunk, and it’s not Langfuse — Langfuse evaluates LLM behavior; a control plane decides whether the agent is allowed to act. Different problem, different layer. (We covered the eval and observability layer in our 04-30 piece and the gateway layer in 04-29.)
The reason this category exploded into existence in Q1–Q2 2026 isn’t subtle. Microsoft’s own number is that 80% of the Fortune 500 already had Copilot agents in production by early 2026. Once you have hundreds of agents calling tools, reading documents, and writing to systems of record, “shadow agents” stop being a hypothetical risk and start being a Tuesday.
Microsoft Agent 365 — what GA actually shipped
The headline price is $15 per user per month standalone, or bundled into the new E7 SKU at $99 per user per month. E7 stacks E5 ($60), Copilot ($30), Agent 365 ($15), and Entra Suite ($12) for roughly a 15% discount versus buying them separately. If your org is already E5 + Copilot, the E7 math is interesting. If you’re not, the standalone $15 is the number to evaluate.
What’s in the box is structured around three pillars Microsoft repeats endlessly: observe, govern, secure. The Agent 365 dashboard in the M365 admin center surfaces total registered agents, active users, growth trends, connected platforms, total runtime hours, and risk signals. The registry is the more important piece — it’s the system of record, with each agent carrying metadata for publisher, platform, ownership, deployment status, permissions, data and tool access, and compliance posture.
The pitch I find compelling is the registry sync to AWS Bedrock and Google Cloud agent runtimes. If Microsoft can keep that working, Agent 365 becomes the inventory layer even for non-Microsoft agents — which is a lot more interesting than yet another walled garden. The pitch I find less compelling is that several security capabilities are still in preview at GA. Posture management for Foundry and Copilot Studio agents is preview. Runtime threat protection from Defender went into public preview only in April 2026. “GA” in Microsoft-speak is doing some work here.
If you’re a Microsoft shop with E5 already, Agent 365 is the path of least resistance and the procurement story writes itself. If you’re not, the per-seat economics get punishing fast. Agent 365 charges per user, not per agent — at 5,000 employees that’s $900K/year before E7 bundling kicks in.
Galileo Agent Control — the open-source bet
Galileo took the opposite tack. Agent Control was announced March 11, 2026, released under Apache 2.0, with Strands Agents, CrewAI, Glean, and Cisco AI Defense as launch integration partners. The pitch is that runtime governance should be infrastructure, not a product moat — and they’re betting that being the open standard is worth more long-term than being the best closed product.
The mechanic is policy-as-code. You write policies once, deploy them anywhere agents run, and the engine evaluates each agent input or output and returns one of five decisions: deny, steer, warn, log, or allow. “Steer” is the interesting one — it lets the policy modify the agent’s input or output instead of just blocking, which is useful when you want to redact PII rather than break the workflow.
The split that Galileo gets right is between application teams and policy teams. Developers decide where the control hooks fire in their agent code. Security and compliance decide what those hooks enforce. A compliance lead can update a PII detection rule across every agent in the org with a single change, without going near application code. That’s the model that scales when you have 50 agent-owning teams.
Where Galileo is weakest is the inventory side. Apache 2.0 means anyone can adopt it, but adoption is the whole game for a control plane — if half your agents don’t have Galileo hooks installed, your policy coverage is half. Microsoft can mandate registration through M365 admin tooling. Galileo can’t mandate anything; it has to win it. Expect this to play out the same way OpenTelemetry did: slow start, then dominant once enough vendors integrate.
If you run a polyglot stack — CrewAI here, LangGraph there, some Strands agents, a few internal tools — Galileo is probably the only option that doesn’t force you into someone’s ecosystem. If you’re a single-vendor shop, the open-source overhead probably isn’t worth it.
Onyx Security — the security-first option
Onyx came out of stealth on March 11, 2026 (same day as Galileo’s announcement, oddly) with $40M total funding — a $5M seed from Cyberstarts in 2024 plus a $35M Series A led by Conviction. Founders are Maxim Bar Kogan and Gil Elbaz, and they had 70 employees and Fortune 500 customers before going public with the company. Not a typical “we’re launching” startup.
The architecture leads with discovery. Onyx continuously inventories every AI asset across the enterprise — agents, models, AI-powered applications, and MCP-connected tool ecosystems — and turns governance policies into runtime enforcement. The piece that’s actually differentiated is the Guardian Agent: a supervisory AI that watches every other agent in your environment and can block unsafe actions, require human approval, narrow an agent’s scope, or redirect it toward a safer path before anything reaches a downstream system.
The “supervisory AI watching other AI” framing makes me a little nervous on principle — it’s turtles all the way down, and the Guardian Agent itself is now a high-blast-radius piece of code. But the alternative is hard-coded policy, and hard-coded policy doesn’t keep up with novel agent behavior. If you’ve ever tried to write a deny-list for what an agent might do, you know the rules are obsolete the moment you write them.
Onyx is the right call for regulated industries — healthcare, finance, government — where the bar is “we need an answer when the auditor walks in” and where the security-first framing matches how leadership already thinks about risk. It’s overkill for a 200-person SaaS company. It’s the right tool for a 50,000-person bank.
The cloud-native control planes already shipping
These are worth naming explicitly because they overlap with this category, and your team probably already has access to one or more of them.
AWS Bedrock AgentCore Gateway gives you identity, observability, and policy for agents that run on Bedrock. Google Cloud’s Agent Engine and Agent Garden — refreshed at Cloud Next 2026 — do the same on Vertex AI. Salesforce’s Agentforce Trust Layer covers agents running inside Salesforce. None of them cover agents running outside their own cloud, which is the whole reason a third-party control plane category exists in the first place.
If 95% of your agents live inside one of these clouds, the native option is probably enough and cheaper. The minute you have agents spread across two clouds plus a SaaS or two, you need something that sits above them all.
The capability matrix that actually matters
Skip the feature checklists vendors publish — they’re all designed to make their own product look complete. The dimensions I’d actually compare:
Registry coverage. Does it inventory Copilot Studio agents, Agentforce agents, custom MCP servers, n8n/Zapier flows, ChatGPT custom GPTs, internal LangGraph deployments? Microsoft is strongest on Microsoft-built things, weakest on the long tail. Galileo and Onyx are weaker on Microsoft-built things, stronger on the polyglot middle.
Identity model. Does each agent get its own OAuth credentials with scoped permissions, or does it inherit a service principal that can do anything? The over-permissioned service principal is now the single most common finding in agent-related security audits I’ve seen. Per-agent identity is non-negotiable; vendors that hand-wave it should be eliminated.
Policy granularity and latency. “Block this action” is easy. “Redact PII from the output but allow the rest” is harder. “Require human approval if the agent is about to write to production but auto-approve reads” is what real policies look like. And every policy decision adds latency to the agent — sub-100ms on the policy path is the bar that won’t break user experience.
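To make the policy-as-code model from the Galileo section and the granularity point above concrete, here is an added example of a small policy evaluator. It is hypothetical code written for this post, not Galileo’s or any vendor’s API: the registry, the agent names, the five-verdict precedence and the “steer” redaction rule are all constructed assumptions.

```python
# Added illustration of the policy-as-code model: hypothetical evaluator, not
# Galileo's (or any vendor's) code. Every policy sees the same action, the most
# restrictive of the five verdicts wins, and "steer" rewrites the payload.
import re
from dataclasses import dataclass

SEVERITY = {"deny": 4, "steer": 3, "warn": 2, "log": 1, "allow": 0}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
REGISTRY = {"sales-bot-01", "hr-assist-07"}   # constructed agent registry

@dataclass
class Action:                      # what a developer-placed hook hands over
    agent_id: str
    target: str                    # "prod" or "staging"
    operation: str                 # "read" or "write"
    payload: str
    approved_by: str = ""          # set once a human has signed off

def registry_policy(a):
    # No inventory entry, no execution.
    return ("deny", "agent not in registry") if a.agent_id not in REGISTRY else None

def prod_write_policy(a):
    # Production writes need a human; reads and approved writes pass through.
    if a.target == "prod" and a.operation == "write":
        if a.approved_by:
            return ("log", f"prod write approved by {a.approved_by}")
        return ("deny", "prod write requires human approval")
    if a.operation == "write":
        return ("warn", "non-production write flagged to agent owner")
    return None

def pii_policy(a):
    # Steer, not deny: redact e-mail addresses and let the workflow continue.
    redacted, n = EMAIL_RE.subn("[REDACTED-EMAIL]", a.payload)
    return ("steer", f"redacted {n} email(s)", redacted) if n else None

POLICIES = [registry_policy, prod_write_policy, pii_policy]

def evaluate(action: Action) -> dict:
    """Return an audit-ready record: verdict, reasons, final payload."""
    verdict, reasons, payload = "allow", [], action.payload
    for hit in filter(None, (p(action) for p in POLICIES)):
        if SEVERITY[hit[0]] > SEVERITY[verdict]:
            verdict = hit[0]
        if hit[0] == "steer":
            payload = hit[2]
        reasons.append(hit[1])
    return {"agent": action.agent_id, "decision": verdict,
            "reasons": reasons, "payload": payload}
```

The returned dict is the shape of record an audit-trail export or SIEM push would carry: who acted, what was decided, why, and what actually went downstream.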
EU AI Act and Colorado AI Act audit trails. August 2026 is the deadline for high-risk-system audit-trail compliance under the EU AI Act. Ask each vendor to show you the export format. If they wave at “we have logs,” that’s not an answer.
SIEM/SOAR integration. Splunk, Sentinel, Datadog Cloud SIEM, Elastic. If the control plane doesn’t push events into the place your SOC already lives, your SOC will not use it.
True cost at scale
Sticker price misleads here. Let me work through three rough scenarios.
1,000 employees, 100 agents. Agent 365 standalone: $180K/year. Onyx is per-agent and event-volume — public pricing isn’t there yet, but conversations I’ve had put it in the same ballpark for this tier. Galileo self-hosted: hosting costs plus the engineer-time to run it, probably $40–80K all-in if you already have a platform team.
5,000 employees, 1,000 agents. Agent 365 standalone: $900K/year. With E7 bundling and existing E5 + Copilot, the marginal cost of Agent 365 is far lower — this is where Microsoft’s pricing is actually competitive. Onyx scales sub-linearly per agent but adds event-volume costs. Galileo TCO is dominated by ops engineering, not licensing.
25,000 employees, 5,000 agents. Microsoft’s per-user pricing becomes painful unless you’re going E7 anyway. Onyx negotiates here. Galileo’s “free software, expensive ops” math starts looking better — at this scale you have a platform team that can run anything.
The pattern: Microsoft wins when E7 bundling absorbs the cost. Onyx wins on the security narrative, especially regulated. Galileo wins on multi-vendor flexibility and at scale where ops cost is amortized.
How to actually pick
Three honest decision paths.
You’re a Microsoft shop on E5 already. Bundle into E7 when your renewal lands. Agent 365 is the obvious choice and your IT org will adopt it without fighting. Layer Onyx or a security-specific tool on top if you’re regulated.
You’re polyglot, multi-cloud, SaaS-heavy. Galileo Agent Control is probably your best bet, with the caveat that the Apache-2.0 path means you’re investing engineering time in deployment and integration. The upside is no vendor lock-in and the policy-as-code model works well across teams.
You’re regulated and your CISO sets the agenda. Onyx Security. The Guardian Agent model maps to how regulated security teams already think about supervisory controls, and the discovery-first approach answers the auditor question first.
The two-tool combos I’d expect to see in production by end of 2026: Agent 365 + Onyx (Microsoft for inventory and governance, Onyx for runtime security in regulated workloads), and Galileo + Cisco AI Defense (open-source policy plus a security overlay). Single-vendor full-stack is going to be rare.
What this layer is, and what it isn’t
The three vendors I’ve described are layer 3 in what’s becoming a clear stack: gateway underneath (Portkey, OpenRouter, LiteLLM), eval and observability on top of that (Langfuse, LangSmith, Braintrust), and governance and control above. These are not the same product, even when vendors claim they are. Don’t let a gateway vendor sell you “governance” because they have rate limits, and don’t let an observability vendor sell you “control” because they have alerts.
If you’re sequencing rollouts: gateway first (it’s the easiest to insert), eval second (it tells you what’s actually happening), governance third (it’s the hardest because it requires policy work, not just integration). Doing governance before you have gateway and eval running is how you end up with policies that fire on signals that don’t exist.
One thing to try this week: pull your existing agent inventory together by hand. List every Copilot Studio agent, every Agentforce flow, every internal n8n or LangGraph deployment, every MCP server. Almost every team I’ve talked to underestimates the number by at least 2x. That spreadsheet alone tells you whether you need a control plane next quarter or whether you can wait until your next renewal cycle.