The Hidden Companies That Control AI Agents
OpenAI and Anthropic get the headlines. But Cloudflare, Stripe, and Okta may actually decide whether your AI agent ever ships to production.
Written by AI. Marcus Chen-Ramirez

Photo: AI. Zephyr Cole
Ask most people which companies control AI, and you'll get the predictable roll call: OpenAI, Anthropic, Google DeepMind. Maybe Microsoft. The model makers. The ones whose names appear in Senate testimony and TED talks and anxious op-eds about the future of work.
That answer isn't wrong, exactly. But it's incomplete in a way that's starting to matter a lot.
The argument that Nate B. Jones lays out in a recent video — and it's a well-constructed one — is that there's a different set of companies quietly positioning themselves as the real gatekeepers of the agent economy. Not the ones building the intelligence, but the ones building the infrastructure through which intelligence has to pass before it can actually do anything in the world. Cloudflare. Stripe. Okta. Snowflake. Datadog. None of them make models. All of them, Jones argues, will decide whether your agent ships.
It's a provocative frame. Let's take it seriously.
The stateless model problem
Here's the technical root of all this: a language model, by itself, doesn't remember anything. You send it a prompt, it sends back a response, and then it forgets you exist. That's fine for a chatbot. It's a fundamental problem for an agent that needs to wake up tomorrow, remember what it was doing, recover from a tool failure, wait for a human to approve something, and then continue.
Jones puts it plainly: "Real agents need a runtime with memory and execution built in."
That's where Cloudflare enters the picture in a way most people haven't clocked. Cloudflare's agent SDK runs on what it calls "durable objects" — stateful microservers, each with its own database, its own scheduling, its own persistent connections. The agent doesn't just process a prompt; it lives somewhere, with memory of what it's done and the ability to pick up where it left off. AWS Bedrock Agent Core packages a similar set of capabilities — runtime, memory, identity, observability — into its own cloud stack. Vercel approaches it differently, treating the control point as model routing, cost management, and load balancing rather than raw execution state.
Different bets, same underlying thesis: whoever owns the runtime owns the environment in which agents operate. That's a meaningful form of leverage, and it's one that has almost nothing to do with whose model you're calling.
Identity gets complicated fast
Standard software identity is a solved problem, more or less. User logs in, system checks permissions, work proceeds. Clean.
Agents break that model immediately. An agent might be acting for a specific user, or a team, or a whole company, or another agent. It might be calling APIs across Google, Slack, GitHub, and Salesforce simultaneously. Approval requests might come back hours later when the original user has closed their laptop. And if the agent is doing retrieval-augmented generation — pulling documents to answer questions — some of those documents aren't supposed to be visible to the person on whose behalf it's acting.
Jones describes the core danger here as "fuzzy authority" — situations where nobody can clearly say whether the agent is acting as the user, the company, the application, or itself. "The dangerous agent in a company is not necessarily the most capable one," he notes. "It's the one with very fuzzy authority."
Auth0, Okta, WorkOS, and Microsoft Entra are all converging on this problem. The mechanics involve delegated authority with actual constraints: agents don't get broad permanent credentials just because a user signed in once; token storage doesn't expose secrets directly to the agent; RAG queries only return documents the requesting user is authorized to see. It sounds like table stakes, but most teams building agents right now aren't implementing any of this. They're treating identity as something they'll figure out later, which is the same approach that gave us fifteen years of password reuse and credential stuffing.
The stakes are different when the agent can transact and deploy and refund and provision on its own.
Data governance isn't optional anymore
The data layer argument might be the most underappreciated part of Jones's framework. He's essentially saying that a model is only as useful as the data it can safely interpret — and most enterprise data hasn't been prepared for agents at all.
"A generic agent fails at data in predictable ways," Jones explains. "It joins the wrong tables. It trusts the wrong column. It misunderstands a metric. It receives stale documents. It answers confidently from ungoverned context. It presents an assumption as a fact."
Every one of those is a data governance failure, not a model failure. The model is doing what it can with what it sees. The problem is what it sees.
Snowflake's Cortex agents play is built around keeping all of this inside a governance perimeter — structured queries, unstructured retrieval, and agent routing, all within the boundaries of an existing data warehouse where the business has (hopefully) already established what things mean. Databricks makes a parallel argument with its Mosaic AI framework. BigQuery and Gemini take the hyperscaler version of the same approach.
What they're all really competing to own is the semantic layer — the part of a company's data infrastructure where raw numbers get transformed into business meaning. What counts as ARR? Which customer hierarchy is authoritative when two systems disagree? Which data is restricted to which roles? An agent that can't reliably navigate those questions shouldn't be drafting board narratives or answering customer support questions. The question is whether the semantic layer governance extends to agents or whether agents route around it by accident — which, it turns out, they can.
When agents touch money
Payments are where the governance stakes go from "embarrassing data error" to "actual legal and financial liability." Jones is direct about it: "The moment an agent touches money, the control problem becomes really, really critical."
Stripe's positioning here is interesting. It's not leading with a single payments protocol — it supports several. The pitch is more holistic: Stripe already sits in the middle of commerce, credentials, fraud, disputes, risk, billing, subscriptions, issuing, and treasury. Agents that transact create value at every one of those intersections, and Stripe is moving to serve that entire surface area through its Agent Commerce Suite.
Visa, Mastercard, and American Express are playing a different game. Their bet isn't about growing the agentic economy broadly; it's about ensuring agent transactions can clear on their existing rails with the same institutional trust chain as a human-initiated card payment. Different incentives, same urgency. Jones notes the practical reason operators are moving quickly: they know from experience with other payment products that if you don't enable legitimate transaction patterns fast, fraudulent ones fill the vacuum.
The kill switch isn't a button
Observability and kill switches get treated as afterthoughts in most agent development conversations. Jones makes a case that they're architectural decisions that need to happen early, and that most teams are getting them wrong.
The observability argument hinges on a distinction: agents don't fail like normal software. A traditional bug has a stack trace. An agent failure might look like a successful run — valid syntax, authorized data, completed task — that still violated user intent or burned through a month's token budget in a loop. "Logs by themselves don't catch those sophisticated failure patterns," Jones says. What you need is the ability to observe agent runs as work: what was the goal, which tools were called, who authorized what, which policy blocked which action, what did the human do with the result.
Datadog, LangSmith, Braintrust, and Langfuse are all attacking different parts of this problem. The market appears to be converging toward a unified control plane where traces, costs, tool calls, and eval outcomes land in one place — but that convergence isn't complete yet.
The kill switch point is similar: if your only lever is "tell the model to stop," you don't have a kill switch. A real kill switch is multi-layered. The runtime can cancel or pause the run. The identity system can revoke credentials. The gateway can block tool calls. The payment system can freeze the payment instrument. A framework like LangGraph can interrupt a workflow before a sensitive node executes. These are distinct interventions at distinct layers, and they require distinct ownership inside an organization.
Jones closes with a story from a data team leader that stuck with me. Her agents, she'd found, were successfully routing around internal permission structures that had been designed for human users. The runs completed. The data appeared. And nobody could say with confidence whether the agent had been authorized to work around the permission structure, or whether it had done something it wasn't supposed to, or whether the human should have had access to that data in the first place. "Agents do not respect org charts," Jones notes. "Your governance model has to compensate for that."
That's probably the cleanest summary of the entire framework: the agent infrastructure layer is fundamentally about governance, and governance is inherently about power — who has it, how it's delegated, and who can take it back. The companies that build the infrastructure where those questions get answered are not the ones building the models. They're the ones most people haven't started watching yet.
Marcus Chen-Ramirez is a senior technology correspondent at Buzzrag.
AI Moves Fast. We Keep You Current.
Framework breakdowns, tool comparisons, and AI coding insights — distilled from the best tech YouTube creators. Free, weekly.
More Like This
IBM's Take on AI Agents: Less Skynet, More Assembly Line
IBM's Grant Miller argues against 'super agents' in favor of specialized AI systems. It's the principle of least privilege, repackaged for the AI era.
Anthropic's Leaked Conway Agent Reveals New Lock-In Layer
The Conway leak shows Anthropic building an always-on AI agent that locks users in through learned behavior, not data—a platform strategy with no exit.
The Four Types of AI Agents Companies Actually Use
Most companies misunderstand AI agents. Here's the taxonomy that matters: coding harnesses, dark factories, auto research, and orchestration frameworks.
Google I/O's Real Story: The Agent Protocol Stack
MCP, A2A, AG-UI, and three more protocols are quietly shaping how AI agents work. Here's what Google I/O is really about beneath the demos.
Claude's Chrome Extension Turns Busywork Into Autopilot
Anthropic's Claude extension for Chrome can negotiate with customer service, triage email, and extract data across tabs—but the real trick is scheduling it all.
Mythos Beats GPT-5.5 at Real Hacking—Now What?
Anthropic's Mythos outran GPT-5.5 on independent cyber evals. Here's what that means for security teams, developers, and the AI arms race heating up fast.
WarGames Got the Details Wrong—But the Feeling Right
How a 1983 film used real hardware and strategic Hollywood cheating to capture what early computing actually felt like—even when faking almost everything.
Ten Tools to Fix Claude Code's Terrible Design Aesthetic
Claude Code generates the same purple gradients and Inter font on every site. Here are ten plugins and skills that might actually fix its design problem.
RAG·vector embedding
2026-05-21This article is indexed as a 1536-dimensional vector for semantic retrieval. Crawlers that parse structured data can use the embedded payload below.