
The capital deployment decisions boards make this year will determine whether their autonomous AI systems are governable assets or existential liabilities by 2027. Here is the strategic case.

Disclosure: The author is a lifetime member of the OWASP Foundation. This article reflects an independent reading of public OWASP material and does not represent the views of the Foundation.

Disclosure: Sakura Sky implements the Governed Agent Trust Environment (GATE) in client engagements. GATE is an open framework, published under CC BY 4.0 at deterministicagents.ai, and is vendor-neutral. The framework was authored by Andrew Stevens; readers should weight the GATE references in this article accordingly.

The 2026 Funding Trap

Gartner expects more than 40% of agentic AI projects to be cancelled by the end of 2027 (Gartner, 2025). The reason is not that the models got worse. The reason is that boards funded the model and forgot to fund the runtime beneath it.

Most enterprises today are still treating Agentic AI as a productivity accelerator, paid for out of line-of-business innovation budgets. That is a capital allocation trap. When an enterprise deploys an autonomous agent that can negotiate contracts, route financial data, or execute workflows via external APIs, it is not “deploying a piece of software.” It is delegating corporate agency to a probabilistic latent space.

Funding the shiny front-end intelligence while starving the unglamorous runtime beneath it is an excellent way to land in Prototype Purgatory: a pilot that demos beautifully in a closed staging environment but cannot be safely released, because the CISO cannot prove it will not hallucinate a seven-figure transaction or leak regulated PII.

The IBM Cost of a Data Breach Report 2025 gives this its quantitative shape. The global average breach cost sits at USD 4.44 million. Of organisations that experienced an AI-related security incident, 97% lacked proper AI access controls, and 63% had no AI governance policy at all (IBM, 2025). Shadow AI alone added USD 670,000 to the average breach.

The budget decisions made in boardrooms right now, in 2026, will determine whether your enterprise is operating a governable asset or an existential regulatory liability by 2027.

In Part 1 of this series, we mapped the engineering crosswalk between OWASP’s Artificial Intelligence Security Verification Standard (AISVS) and a working control-plane architecture. Engineering maps do not build themselves. They require capital, mandate, and a board that understands that the model is not the product. The runtime is the product.

Beyond “Prompt-Based” Luck

Relying on system prompts or model alignment (“be a helpful, compliant assistant”) to protect enterprise assets is like hiring a security guard for a physical vault but letting them decide whether to lock the door based on how polite the burglar sounds. It is soft. It is probabilistic. It breaks under the lightest adversarial pressure.

Trustworthiness requires architectural primitives - hard-coded, verifiable, enforceable mechanisms that exist entirely outside the model’s latent space. From the boardroom seat, funding these primitives is a classic risk-mitigation exercise. Three are non-negotiable:

  1. Containing the Blast Radius: When an agent shares a single flattened corporate API key, a successful prompt injection inherits the full access rights of the workload. The attacker is not “inside the model.” The attacker is inside your billing system, your data warehouse, and your customer record store. Funding Non-Human Identity (NHI) infrastructure - typically SPIFFE/SPIRE - ensures every agent instance carries an ephemeral, short-TTL identity bound cryptographically to its configuration hash. Compromise one workload and you revoke one token. You do not lose the fleet.
  2. Token and Compute Budgeting: An agent caught in a recursive reasoning or escalation loop will chew through operational compute in minutes, and most enterprises only discover the runaway when finance flags the inference bill at month-end. Infrastructure-level Resource Governance - enforced at the gateway, not pleaded for in the prompt - gives every agent a hard financial wallet. When the allowance is spent, the runtime stops the agent and flags a human. A wallet is a perimeter.
  3. Egress Containment via eBPF: Static firewalls were designed for human-paced traffic. Agentic workloads emit tool calls at machine speed and frequently invent destinations they were never authorised to reach. eBPF-based egress filtering, combined with IaC-synchronised allow-lists for tool endpoints, is the only mathematically sound way to constrain where an agent can talk. If the destination is not in the IaC manifest, the call never leaves the host.

These are not three discretionary features. They are the minimum wiring required before autonomy is safe to grant.

Turning the Black Box into a Glass Box

When an autonomous system makes a flawed business decision, standard application logs (“Error: 500”) are useless to a board-level post-mortem and worse than useless to a regulator. You need the agent’s stated intent, its reasoning path, the tool calls it considered, and the context window it acted on - all reproducible after the fact.

Funding the verification layer means funding Semantic Observability and Deterministic Replay. Every prompt, seed, temperature, tool invocation, and transient vector context gets recorded into a hash-chained, tamper-evident ledger. An opaque black box becomes a transparent glass box.

This is not a developer convenience. This is the property that creates legal non-repudiation. When the regulator asks why your agent denied a loan, redirected a payment, or flagged a customer, your SRE team can pull the exact step, replay it under the original conditions, and demonstrate either the correct outcome or the root-cause defect. A crash is not an exploit. A replay is evidence.
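To make the hash-chained ledger concrete, here is an added example written for this article; it is not GATE code or a Sakura Sky product, and the step fields (prompt digest, seed, temperature, context ids, tool call, decision) and the loan-decision run are constructed. Each entry's hash covers its predecessor's hash, so altering any recorded step after the fact breaks every later link, and replay refuses to run from a broken chain.

```python
import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # anchor for the first entry's "prev" link

def _canon(record: dict[str, Any]) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so an identical step always hashes identically
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class ReplayLedger:
    """Append-only record of agent steps; each entry's hash also covers its predecessor's hash."""

    def __init__(self) -> None:
        self.entries: list[dict[str, Any]] = []

    def append(self, step: dict[str, Any]) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "prev": prev, "step": step}
        digest = hashlib.sha256(_canon(body)).hexdigest()
        self.entries.append({**body, "hash": digest})
        return digest

    def verify(self) -> tuple[bool, int]:
        """Recompute every link from genesis; returns (intact, index of first bad entry or -1)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {"seq": e["seq"], "prev": e["prev"], "step": e["step"]}
            if e["seq"] != i or e["prev"] != prev or hashlib.sha256(_canon(body)).hexdigest() != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, -1

    def replay_inputs(self, seq: int) -> dict[str, Any]:
        """Inputs needed to re-run step `seq` under its original conditions; refuses if the chain is broken."""
        intact, bad = self.verify()
        if not intact:
            raise ValueError(f"ledger tampered at entry {bad}; refusing to replay")
        return dict(self.entries[seq]["step"])

def sample_ledger() -> ReplayLedger:
    """Constructed sample run (not real data): a loan decision recorded as three steps."""
    led = ReplayLedger()
    led.append({"prompt_sha256": hashlib.sha256(b"assess loan application A-42").hexdigest(),
                "seed": 7, "temperature": 0.0, "context_ids": ["doc-17", "doc-23"]})
    led.append({"tool": "credit_lookup", "args": {"applicant": "A-42"},
                "result_sha256": hashlib.sha256(b"score:612").hexdigest()})
    led.append({"decision": "deny", "reason_code": "DTI_TOO_HIGH"})
    return led
```

In a real deployment the ledger would be written to append-only storage and the head hash periodically signed or anchored externally, so the verifier's trust does not depend on the same host that wrote the entries.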

Without deterministic replay, the board has no defensible answer to the only question that matters at the inquiry: “Can you reconstruct what your system was doing, and why, at 14:32 GMT?”

The 2027 Compliance Horizon

The regulatory timeline is no longer hypothetical. Two instruments are now load-bearing on enterprise balance sheets:

  1. EU Cyber Resilience Act (CRA): Entered into force on 10 December 2024. Reporting obligations - including 24-hour early warnings for actively exploited vulnerabilities and 72-hour full incident notifications via the CRA Single Reporting Platform - begin on 11 September 2026. Full requirements harden on 11 December 2027 (European Commission, 2024). The reporting clock applies to all products with digital elements on the EU market, including those placed before December 2027.
  2. EU AI Act: The political agreement of 7 May 2026 confirmed the revised timeline for high-risk systems. Articles governing high-risk deployers in domains such as biometrics, critical infrastructure, employment, and border control now apply from 2 December 2027, with product-integrated systems following on 2 August 2028 (European Commission, 2026). Maximum penalties for breaches of high-risk obligations are EUR 15 million or 3% of global annual turnover, whichever is higher (European Parliament and Council, 2024).

Note the asymmetry. The CRA reporting clock fires in September 2026, more than a year before the AI Act’s high-risk obligations bite. Whichever instrument arrives first sets your engineering deadline. For most enterprises with EU exposure, that deadline is now sixteen months away.

Regulators have been explicit on one point: the verification gap is the deployer’s problem, not the model vendor’s. If you use a premium foundation model inside a proprietary agentic application, OpenAI and Anthropic will not sign the compliance attestation for your custom tool integrations, your memory partitions, or your operational loops. That risk sits on the enterprise balance sheet.

Funding an open control-plane framework - GATE is one example, but the architectural shape is what matters - ensures every asset, prompt bundle, and tool connection maps mathematically to standard control profiles such as ISO/IEC 42001 and the NIST AI Risk Management Framework Generative AI Profile (NIST, 2024). Conformance becomes a build artifact, not a quarterly audit panic.

The Sakura Position

If your safety strategy is built on the hope that your models will not misbehave, your safety strategy is actually just a bet. And the house - the regulator - has set the odds.

The capital allocation strategy for boards navigating 2026 reduces to three decisions.

  1. Fund the wiring, not just the model: Stop treating agentic runtimes as line-of-business experiments. Allocate explicit capital - owned by the CISO and the CFO jointly - to the deterministic control plane: gateways, policy engines, NHI infrastructure, eBPF egress filtering, and the attestation layer that makes autonomy safe. Model spend without runtime spend is unhedged exposure.
  2. Enforce the invariant: Mandate, in writing, that no autonomous agent in your fleet may communicate with external APIs or corporate data stores directly. If a call does not traverse an authenticated, policy-enforced intercept layer with a deterministic audit trail, the project does not get cleared for production. No exceptions for the “strategic” pilot. The exception is the breach.
  3. Build conformance into procurement: Do not buy black-box agentic solutions from third-party vendors that cannot present an AI Bill of Materials (AI-BOM), a signed evidence chain, and a documented control-profile mapping. If the vendor cannot show you the wiring, assume it is not there.

The firms that treat verification as an infrastructure play in 2026 will safely scale their operations. The firms that treat it as a compliance checklist will spend 2027 explaining their losses to auditors, regulators, and shareholders - in that order.

Autonomy without architecture is just runaway code. The work is in the wiring.

If you are structuring a business case for funding your AI verification layer, or want to see how we map these runtime boundaries into corporate governance models, schedule a conversation. The strategic architecture is detailed in our Trustworthy Agentic AI Blueprint; the corporate execution map is in The Executive’s AI Playbook. Get in touch.


References

European Commission, 2024. Cyber Resilience Act: Reporting obligations. Brussels: Directorate-General for Communications Networks, Content and Technology. Available at: https://digital-strategy.ec.europa.eu/en/policies/cra-reporting [Accessed 14 May 2026].

European Commission, 2026. AI Act: Implementation timeline following the political agreement of 7 May 2026. Brussels: Directorate-General for Communications Networks, Content and Technology. Available at: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai [Accessed 14 May 2026].

European Parliament and Council, 2024. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689, 12 July. Available at: https://eur-lex.europa.eu/eli/reg/2024/1689/oj [Accessed 14 May 2026].

Gartner, 2025. Gartner Predicts Over 40% of Agentic AI Projects Will Be Canceled by End of 2027. Press release, 25 June. Stamford, CT: Gartner. Available at: https://www.gartner.com/en/newsroom/press-releases/2025-06-25-gartner-predicts-over-40-percent-of-agentic-ai-projects-will-be-canceled-by-end-of-2027 [Accessed 14 May 2026].

IBM, 2025. Cost of a Data Breach Report 2025: The AI Oversight Gap. Armonk, NY: IBM Corporation. Available at: https://www.ibm.com/reports/data-breach [Accessed 14 May 2026].

National Institute of Standards and Technology (NIST), 2024. Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. NIST AI 600-1. Gaithersburg, MD: U.S. Department of Commerce. Available at: https://doi.org/10.6028/NIST.AI.600-1 [Accessed 14 May 2026].

OWASP Foundation, 2026. Artificial Intelligence Security Verification Standard (AISVS). Incubator Project, Version 0.1. Wakefield, MA: OWASP Foundation. Available at: https://owasp.org/www-project-artificial-intelligence-security-verification-standard-aisvs-docs/ [Accessed 14 May 2026].

Sakura Sky and Stevens, A., 2026. The Trustworthy Agentic AI Blueprint: 16 Missing Primitives for Enterprise Autonomy, Version 1.0.4. Available at: https://whitepaper.download/trustworthyagenticai/ [Accessed 14 May 2026].
