01 · Context

The week three platforms shipped the same operating-model shift

On May 13, 2026, Notion's 3.5 release made Claude Code, Cursor, Codex and Decagon first-class participants inside any workspace via its new External Agent API and Workers runtime. Two days earlier, OpenAI closed its Tomoro acquisition, embedding roughly 150 forward-deployed engineers into the Deployment Company structure (Bloomberg, May 11). Twelve days before that, Microsoft Agent 365 reached general availability at USD 15 per user per month, with registry sync into AWS Bedrock and Google Cloud, and a "Shadow AI" panel that surfaces unmanaged OpenClaw agents (Microsoft Security Blog, May 1). Underneath the product layer, the Linux Foundation announced the Agent2Agent protocol now runs in production across more than 150 organisations — AWS, Cisco, Google, IBM, Microsoft, Salesforce, SAP, ServiceNow — with signed agent cards at v1.2 and SDKs in five languages.

From Google Cloud Next '26, Workspace Studio and Agent Designer entered availability the same week: no-code, natural-language agent builders embedded inside Gmail, Docs and Sheets, with A2A-compliant outputs and IT approval through a central registry. Knowledge workers describe the workflow; the platform synthesises an executable, signed agent.

Read in isolation, each move looks like a vendor announcement. Read together, they describe a single shift: agent creation has moved out of data-science teams into knowledge-worker hands at second-level latency, while inter-agent communication has crossed from RPC sketches into a Linux-Foundation-governed protocol. The week's regional counterpoint — Brazilian legaltech Enter became LATAM's first AI-focused unicorn after a USD 100M Series B — confirmed that the agent economy is no longer hyperscaler theatre.

The enterprise AI agent is now a multi-vendor, multi-creator artifact — and the operating model the enterprise still has was built for none of those properties.

02 · Framework

The Citizen-Agent Stack: three layers, three asymmetries

The convergence is best read as a three-layer stack with a measurable asymmetry between layers. The first two layers have shipped; the third is being retrofitted in real time. Each layer has different owners, different velocities, and different failure modes.

Layer 1 · Creation

The atelier layer. Workspace Studio, Agent Designer, Notion Workers, ChatGPT custom GPTs, Microsoft Copilot Studio and equivalents allow business users to spawn an executable agent in seconds, in natural language. Per Kissflow's 2026 enterprise survey, the business-technologist-to-engineer ratio is approaching 4:1. The constraint here is no longer technical skill; it is workflow understanding. Velocity: seconds to minutes.

Layer 2 · Connection

The wire-protocol layer. A2A (Linux Foundation Agentic AI Foundation, v1.2) is now production-grade across 150+ organisations, with signed agent cards, cryptographic domain verification and five-language SDKs. MCP complements it for tool access. AWS, Microsoft, Salesforce, SAP and ServiceNow run A2A in production. The protocol turns every agent into a citizen of a federated graph that crosses vendor lines without bespoke integration. Velocity: minutes to hours.

Layer 3 · Custody

The control-plane layer. Microsoft Agent 365 (GA May 1), Google's central agent registry, IBM's Think 2026 AI Operating Model blueprint and emerging Agent Trust Registries are racing to discover, govern and secure agents created upstream. Per CSA, enterprises now run 144 non-human identities per human, with 97% over-privileged. Velocity to onboard a new policy: weeks to quarters. The asymmetry between Layer 1 and Layer 3 is the operating-model gap of 2026.

So what: when creation runs in seconds and custody runs in quarters, the enterprise inherits its own shadow IT — this time at machine speed and across vendor boundaries it does not control. The bottleneck is no longer model quality. It is the velocity ratio between citizen creation and institutional control.

03 · Use Cases

Three operating patterns from the LATAM portfolio

01

CABA fintech BNPL — Workspace Studio + Agent 365 governance gateway. A marketing operations team spawns reconciliation, dispute-triage and outreach agents through Workspace Studio. Without a custody layer, an audit on day 60 surfaces 47 citizen agents running unmonitored; with an Agent-365-style gateway, signed agent cards and a Citizen-Agent Council enforcing Tier-2 advisory HITL on first deployment, the active count is governed at 12 agents, cost-per-decision falls 38%, override stays at 5.8%, decision auditability holds at 100%, and Ley 25.326 data-residency tagging is preserved by routing personally identifiable workflows to a Río de la Plata Spanish substrate.

02

São Paulo industrial logistics — Notion External Agents + A2A across ServiceNow/Salesforce/SAP. Warehouse and procurement operators wire Cursor and Decagon flows into Notion Workers for inventory triage, supplier-exception routing and OTIF defence. A2A signed cards bridge to ServiceNow ticket queues, Salesforce account-care threads and SAP S/4 inventory holds. A custody gateway enforces vendor concentration below 60%, eval regression coverage at 100%, and pass^k ≥ 0.9 at k=5 before any agent enters autonomous tier. Outcome over 90 days: cost-per-case down 71%, OTIF up 9.4 points, override under 7%, with LGPD Article 20 oversight preserved.

03

Multi-country LATAM bank — tiered citizen-agent routing with sovereign fallback. Branch compliance and contact-centre teams in Buenos Aires, Santiago and São Paulo build citizen agents via Workspace Studio and Microsoft Copilot Studio for AML-document triage and customer-service summarisation. A2A signed agent cards route across vendor boundaries; regulated workloads fall back to a Latam-GPT / CENIA Tarapacá sovereign substrate. With identity-attested action ratio held at ≥99%, the portfolio achieves a 41% inference-cost reduction, 33% sovereign-substrate coverage on regulated flows, decision auditability at 100%, and override at 6.2% — all under a single governance contract that maps to EU AI Act Article 14, LGPD and Ley 25.326.

04 · Implementation

From citizen creation to institutional custody in twelve months

Most enterprises will react to the citizen-agent stack with one of two failure modes. The first is reflexive prohibition — disabling Workspace Studio, External Agent APIs and Copilot Studio at the tenant level. This shifts citizen agents to personal accounts and unmanaged surfaces, accelerating shadow AI rather than containing it. The second is laissez-faire — declaring no-code agents a productivity win and discovering the consequences during the next audit, when 250,000 non-human identities have been spawned across the estate.

The operating answer sits in the middle. A Citizen-Agent Council with empowered IT, security and line-of-business membership; a governance gateway that requires signed agent cards before any agent enters production; an A2A registry that surfaces every cross-vendor connection; a decision ledger that records every autonomous action with attribution to its citizen creator; and a tiered HITL routing model that defaults to advisory for new citizen agents and graduates them to autonomous only after eval gates clear.

So what: the governance unit is no longer the model, the team or the application. It is the agent — and the citizen who created it. KPIs before APIs. Interoperability or it doesn't scale.

Governance

Citizen-Agent Council with IT, security, legal and LOB representation. Mandatory signed agent cards on first deployment. A2A registry with cross-vendor visibility. EU AI Act Article 14 oversight, LGPD Article 20 and Ley 25.326 mapped to a single agent-card schema. Tier-2 advisory HITL as default for any citizen agent; promotion to Tier-1 only after eval gates clear.
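
An added example (not Socradata's or any vendor's code) of the promotion gate described above: unsigned agents are blocked, signed agents default to Tier-2 advisory, and Tier-1 requires the thresholds given in the São Paulo use case. The record fields, the reading of pass^k as the share of eval tasks where all k trials pass, and vendor concentration as the largest single-vendor share of the autonomous fleet are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds as stated on the page; field names and metric definitions are assumed.
MIN_PASS_K, K, MIN_EVAL_COVERAGE, MAX_VENDOR_SHARE = 0.9, 5, 1.0, 0.60

@dataclass
class Agent:
    name: str
    vendor: str
    card_verified: bool   # outcome of the agent-card signature check (done elsewhere)
    eval_coverage: float  # fraction of the agent's workflows under regression evals
    trials: list          # one list of K pass/fail outcomes per eval task

def pass_k(trials, k=K):
    """Assumed reading of pass^k: share of tasks where all k trials passed."""
    if not trials or any(len(t) < k for t in trials):
        return 0.0  # missing evidence counts as failure
    return sum(all(t[:k]) for t in trials) / len(trials)

def vendor_share_after(candidate, autonomous_vendors):
    """Largest single-vendor share of the autonomous fleet if candidate is promoted."""
    counts = Counter(autonomous_vendors + [candidate.vendor])
    return max(counts.values()) / sum(counts.values())

def decide_tier(agent, autonomous_vendors):
    """Return (tier, reasons). Unsigned agents are blocked; the default is advisory."""
    if not agent.card_verified:
        return "blocked", ["agent card not signed or signature not verified"]
    reasons = []
    if agent.eval_coverage < MIN_EVAL_COVERAGE:
        reasons.append(f"eval coverage {agent.eval_coverage:.0%} below 100%")
    score = pass_k(agent.trials)
    if score < MIN_PASS_K:
        reasons.append(f"pass^{K} {score:.2f} below {MIN_PASS_K}")
    share = vendor_share_after(agent, autonomous_vendors)
    if share >= MAX_VENDOR_SHARE:
        reasons.append(f"vendor concentration {share:.0%} not below 60%")
    return ("tier2-advisory", reasons) if reasons else ("tier1-autonomous", [])

# Constructed sample data: vendors of agents already autonomous, and eval results.
FLEET = ["vendor-a", "vendor-a", "vendor-b", "vendor-c"]
GOOD = [[True] * 5] * 10
FLAKY = [[True] * 5] * 8 + [[True, True, False, True, True]] * 2
```

Every failed gate is returned as a reason string, so the decision ledger can record why an agent stayed in advisory tier.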

KPIs

Identity-attested action ratio ≥99%. Citizen-creation-to-policy-coverage latency <30 days. Vendor concentration <60%. A2A interoperability coverage ≥80% of cross-system actions. Decision auditability 100%. Override rate <8%. Sovereign-substrate coverage ≥30% on regulated workloads. Cost-per-decision delta ≥35% versus pre-gateway baseline.

Roadmap

Days 0–90: citizen-agent inventory, signed-card requirement, classify by risk and reversibility. Days 90–180: governance gateway in front of Workspace Studio and Copilot Studio, A2A registry online, decision ledger live on top three workflows. Days 180–360: sovereign substrate fallback for regulated flows, quarterly board metrics on identity attestation, override rate and vendor concentration.

Socradata Perspective

The citizen builds. The institution must catch up.

Socradata reads the week of May 10–16 as the moment the enterprise AI agent stopped behaving like an application and started behaving like a workforce — created by knowledge workers, routed across vendor boundaries by an open protocol, supervised by a control plane that arrived months after the agents did. For LATAM operators, this is an opportunity and a trap. The opportunity is to leapfrog into a citizen-agent operating model without inheriting a decade of dashboard debt. The trap is to confuse the velocity of creation with the velocity of value — and to discover, two quarters later, that an unsigned agent has executed a credit decision in a regulated portfolio.

Our prior is unchanged: from pilot to policy. The citizen-agent stack does not collapse the distance between proof-of-concept and productionisation; it makes that distance more visible. KPIs before APIs. Interoperability or it doesn't scale. The institutions that govern the third layer — Custody — at the speed of the first will own the next cycle. The rest will pay for two stacks: the one they bought, and the one their citizens built underneath it.

Operationalise the Citizen-Agent Stack

Socradata works with CIOs, COOs and Chief Data Officers to inventory citizen-built agents, deploy a governance gateway with signed agent cards, and route regulated workloads through sovereign substrate — under a single accountability contract aligned with EU AI Act Article 14, LGPD and Ley 25.326. Request an operational diagnostic to baseline your citizen-agent surface and design the custody layer your operating model now requires.
