Every enterprise that moved AI past the pilot stage has the same quiet problem: agents are multiplying faster than anyone can name them. A team wires a model to a tool to save an afternoon. A script gets a service key so it can read a CRM. Six weeks later, software is reading customer records, calling internal APIs, and spending money — and no one can say who owns it, what it is allowed to touch, or whether a single one of its actions was ever recorded.
We call these shadow agents. They are not malicious. They are the natural result of a powerful capability meeting an organization that has no runtime to govern it. And like any unmonitored system that touches real data and takes real actions, they are a time bomb — the failure is not visible until it is expensive.
What makes a shadow agent dangerous
An agent is not a chatbot. It reads data, chooses tools, and takes actions on your behalf — moving money, changing records, sending messages to customers. The danger compounds along three axes that traditional application security never watches:
- No identity. The agent runs as a borrowed key or a service account with broad scope, so there is no owner, no business purpose, no expiry, and no risk tier attached to it.
- No spend control. Nothing caps how many model calls or tool invocations it can rack up before someone notices the bill — or the rate-limit incident.
- No record. When it acts, the action leaves no tamper-evident trail. If a regulator, an auditor, or an incident responder asks what it did and why, the honest answer is: we don't know.
A shadow agent is the only employee you have that can move money, read every customer record, and act a thousand times an hour — with no badge, no manager, and no record of what it did.
Governance is a runtime property, not a policy document
The instinct is to write a policy: "all agents must be registered." But a PDF does not stop an unregistered agent from minting a token at 2 a.m. Governance only works when it is enforced on the execution path itself — when the runtime, not a committee, decides whether an action runs.
That is the design principle behind Cortex. Every agent action passes through eight fail-closed gates before it can reach a model or a tool. Deny is the default. An agent with no governed identity never gets a credential; an expired one is stopped before execution with a real code, not a warning that scrolls past in a log:
From sprawl to inventory
The first thing a governed runtime gives you is the thing a shadow estate cannot: an inventory. In Cortex, every agent is a first-class enterprise identity with an owner, a department, a business purpose, a risk tier, an expiry, and an explicit set of allowed models, tools, and environments. Identities recertify on a cycle; the Control Tower reports how many exist, how many are overdue for review, and how many have already expired.
That inventory is not paperwork — it is enforced. An identity whose allowed-models list excludes a model is refused at runtime with 403 MODEL_NOT_ALLOWED. A suspended one cannot execute. The list of agents you can see is, by construction, the list of agents that can run.
Defuse it before it goes off
The honest framing is this: shadow agents are not a future risk, they are a present one, and the cost of doing nothing rises every week as more of them appear. You cannot govern what you cannot see, and you cannot prove what you never recorded. A governed runtime fixes both at the same place — the moment of execution — by giving every agent an identity, a budget, a set of guardrails, and a tamper-evident record of everything it did. That is the difference between an estate you manage and a bomb you are sitting on.