The Control Plane Catches Up: How AI Observability Became the Governance Layer

On April 9, Cisco announced its intent to acquire Galileo Technologies — an AI agent evaluation and observability platform — to extend Splunk's monitoring into the agent development lifecycle. Six days later, Databricks folded its AI Gateway into Unity Catalog as Unity AI Gateway, bringing fine-grained permissions, on-behalf-of execution, and MCP governance under the same policy fabric used for tables and columns. The next morning, Microsoft's Cloud Blog published its AI steering committee's 2026 checklist. The headline item: observability. Three of the largest infrastructure vendors on the planet made coordinated moves within eight days. They did not publish new principles. They shipped plumbing.

The thesis is now impossible to ignore. Governance of enterprise AI is not a document. It is a control plane. And in April 2026, that control plane finally has infrastructure.

What Happened This Week

The context matters. Microsoft disclosed in February that more than 80% of Fortune 500 companies are running active AI agents. Gartner, in parallel, warns that 40% of agentic AI deployments may be cancelled by 2027 because of rising costs, unclear value, or poor risk controls. The pattern is consistent across McKinsey, PwC, and Deloitte field data: agents are moving into production faster than the operating model that should govern them. Cisco's Galileo bet is a direct response — an explicit acknowledgement that AI governance built for human-speed review fails when agents act in milliseconds. Databricks' Unity AI Gateway completes the other half of the equation: a policy-aware gateway for how agents access models, tools, and internal systems. Microsoft's checklist reframes the enterprise conversation from "do we have AI policies" to "do we have AI telemetry, and can the steering committee read it."

A Three-Layer Frame

Enterprise AI in 2026 is best understood as three stacked layers. The compute and model layer has commodified; foundation models, specialized models, and small language models are increasingly fungible inputs. The agent runtime layer — orchestration, tool-calling, workflow — has crowded with vendors and frameworks, from SAP to Salesforce to Oracle to open-source stacks. The third layer — observability and governance — was treated until recently as optional instrumentation. That is what changed this month. Observability is being positioned not as a feature of a platform, but as the operational control plane that binds compute, runtime, and policy into something auditable. Without it, the other two layers produce output that no board, regulator, or risk committee can defend.

What This Looks Like In Operations

Consider a supply-chain replenishment agent in a LATAM retail chain. The agent ingests demand signals, promotional calendars, and inbound logistics data, then fires purchase orders directly into the ERP. Without observability, a single upstream data drift can trigger hundreds of downstream POs before anyone notices. With instrumented observability, the operating team sees the groundedness score of each forecast, the decision trace from signal to purchase order, the cost attribution per category, and a measured hallucination rate against a golden question set maintained by the planning team. The same logic applies to an AP approval agent that authorizes invoices inside the finance module, or a customer service agent that issues credits. The difference between a governed agent and an ungoverned one is not the model — it is the trace.

Atlan and Arthur have both published 2026 agent observability playbooks arguing that the root cause of most production failures is not a model deficiency but a context deficiency. Agents hallucinate because they act on incomplete, ungoverned, or stale context. Observability catches this. Policy documents do not.

Implementation: What Actually Has to Exist

Microsoft's framework names four capabilities that every enterprise platform should support: a registry that is the single source of truth for every AI asset, agent analytics with real-time usage and cost data, an agent map that visualizes connections between agents, users, and data, and role-specific dashboards for IT, security, and business owners. Databricks adds a fifth capability through Unity AI Gateway: MCP governance with on-behalf-of execution, so an agent calling an internal system inherits the requesting user's exact permissions rather than a shared service account. Underneath all of it, an OpenTelemetry-first posture has become table stakes — vendor-neutral instrumentation is the only bet that survives the next vendor rotation. This is also where KPIs before APIs matters most: teams that define what they want to measure before selecting the stack end up with observability that informs decisions, not dashboards that decorate them.

Governance at Machine Speed

The hardest lesson of this cycle is that governance built for quarterly review boards cannot oversee systems that act in milliseconds. The observability layer is the only way to close that gap. It gives compliance teams audit-grade evidence, boards a line of sight into risk exposure, and operators a mean-time-to-detection that matches mean-time-to-action. Human-in-the-loop is not eliminated — it is repositioned. The human no longer approves every transaction; the human approves the threshold, reviews the exceptions, and owns the escalation policy. Interoperability or it doesn't scale: observability tooling that cannot talk to the enterprise's identity, data catalog, and incident response systems is just another silo.

The Metrics That Define Success

Hallucination rates are not a single number — they are a risk-tiered discipline. Low-risk applications can tolerate 20–30%. Medium-risk analytics require under 10%. High-risk workflows such as financial calculations and compliance reporting demand under 5%, with mandatory human validation before action. Beyond hallucination, enterprises should instrument groundedness scores, tool-call latency, cost per agent decision, policy conformance rate, mean time to failure detection, and mean time to remediation. Executive dashboards should also surface deflection rate for service workflows, forecast error reduction for planning workflows, and write-off reduction for finance workflows. These are operating metrics, not marketing metrics. They are the numbers a CFO signs on.

A Ninety-Day Roadmap, Not a Five-Year Plan

The sequence is the same regardless of industry. In the first four weeks, assess: inventory every agent in the environment, classify each by risk tier, and define service-level objectives per tier. In the following two months, instrument: deploy OpenTelemetry-based tracing, wire evaluation pipelines into CI/CD, define and version golden question sets per domain. By month three, govern: stand up the registry, enforce access controls through the AI gateway, publish role-specific dashboards, and rehearse incident response. Only after observability is live should the organization scale to agent-to-agent workflows. From pilot to policy is the arc, but it requires a control plane underneath. Without one, every pilot is POC theater — a demo that cannot survive contact with auditors, regulators, or a bad week.