AgentScout Logo Agent Scout

AI Agent Ecosystem W28: Framework Consolidation, Protocol Convergence, Gateway Control Plane

Microsoft Agent Framework absorbs AutoGen (75K+ stars merged), A2A reaches 150+ production orgs, and agent gateways emerge as the enterprise control plane — three layers converging simultaneously for the first time. Framework choice now moves benchmark performance by 30 percentage points.

AgentScout · · 8 min read
#ai-agent-ecosystem #microsoft-agent-framework #a2a-protocol #agent-gateway #mcp-security #agent-governance
Analyzing Data Nodes...
SIG_CONF:CALCULATING
Verified Sources

AI Agent Ecosystem W28: Framework Consolidation, Protocol Convergence, and the Gateway Control Plane

TL;DR: The agent ecosystem in July 2026 is defined by a three-layer convergence: framework consolidation (Microsoft Agent Framework absorbs AutoGen + Semantic Kernel), protocol maturation (A2A v1.0 reaches 150+ production orgs, MCP becomes table stakes), and governance emergence (agent gateways become the enterprise control plane, AIUC-1 formalizes security standards). These layers are maturing simultaneously — a first — and the companies winning are those building across all three.

Executive Summary

The period from April to July 2026 delivered more shipped features across the agent-framework ecosystem than any quarter since agent frameworks began shipping. But the headline isn’t any single launch — it’s the structural convergence of three layers that previously evolved independently.

At the framework layer, Microsoft Agent Framework 1.0 GA (April 3, 2026) absorbed AutoGen and Semantic Kernel into a single SDK, merging 75,000+ GitHub stars of predecessor work and placing both originals into maintenance mode. This is the first major framework sunset of the consolidation era, and more will follow. Simultaneously, Google ADK 2.0 GA, OpenAI Agents SDK updates, and LangGraph 1.2 pushed production primitives — durable state, sub-agent handoffs, per-node error recovery — from community recipes to first-class features.

At the protocol layer, A2A v1.0 reached 150+ production organizations with signed Agent Cards and SDKs in five languages, while MCP support became table stakes across all seven major open-source frameworks. The 2026 multi-agent stack is now about protocol compliance over framework loyalty.

At the governance layer, agent gateways emerged as the enterprise control plane — Nutanix shipped GA, TrueFoundry and Speakeasy competed for the category, and Forrester announced formal market evaluation. AIUC-1’s Q2 refresh added 23 new controls for MCP security and agent identity, with a Q3 release (July 15, 2026) extending the framework further.

The convergence of these three layers creates a new decision framework for enterprises: framework choice is no longer a lifestyle preference but a 30-point performance variable, protocol compliance determines interoperability, and governance maturity determines whether agents reach production at all.

Background

The AI agent ecosystem in 2025 was defined by fragmentation. Developers chose between AutoGen for multi-agent research, Semantic Kernel for enterprise integration, LangGraph for stateful workflows, CrewAI for role-based teams, and a dozen smaller frameworks — each with different abstractions, different deployment models, and no shared protocol for inter-agent communication. The result was a landscape where agents built on different frameworks couldn’t talk to each other, enterprises couldn’t govern what they couldn’t observe, and the gap between demo and production remained stubbornly wide.

Three forces changed this in the first half of 2026. First, the frontier labs shipped first-party agent SDKs — OpenAI, Anthropic, and Google each released dedicated development kits optimized for their own models. Second, the Model Context Protocol (MCP) and Agent-to-Agent Protocol (A2A) moved from specifications to production infrastructure, creating a genuine interoperability stack. Third, the security and governance gap became impossible to ignore: prompt injection attacks rose 340% year-over-year, only 29% of deploying organizations had adequate agent security controls, and Gartner predicted that more than 40% of agentic AI projects would be canceled by 2027 over escalating costs, unclear value, or weak risk controls.

The week of July 5-12, 2026 crystallizes these forces into a coherent picture. This analysis examines the three converging layers and their implications for technical decision-makers.

Analysis

Layer 1: Framework Consolidation — The End of Proliferation

Microsoft Agent Framework 1.0: The Biggest Consolidation of the Year

On April 3, 2026, Microsoft shipped Agent Framework 1.0 GA — the production-ready convergence of Semantic Kernel and AutoGen into a single SDK. The package ships as Microsoft.Agents.AI on NuGet (.NET) and agent-framework on PyPI (Python), under MIT license. Between them, the two predecessor projects accumulated more than 75,000 GitHub stars and three years of enterprise field experience.

The merger is architectural, not just organizational. Semantic Kernel provides the foundation layer — session-based state management, type safety, filters, telemetry, and the full connector ecosystem. AutoGen’s multi-agent orchestration sits on top as a graph-based workflow engine. The result is two build modes: Agents (LLM-driven, open-ended tasks) and Workflows (graph-based, deterministic, checkpointed processes with human-in-the-loop).

Key production features shipped with 1.0 and extended at BUILD 2026:

  • Agent Harness: Built-in automatic context management, HITL approval gates, and GitHub Copilot SDK integration
  • Native MCP + A2A: Not adapters — first-class protocol support
  • Type-safe routing: Compilers catch routing errors at build time in .NET; runtime validation in Python
  • Scale-to-zero pricing on Azure AI Foundry: $0.0994/vCPU-hour, $0.0118/GiB-hour, with billing starting only when the agent is active

Both AutoGen and Semantic Kernel are now in maintenance mode — receiving bug fixes and security patches but no new features. Migration guides are published, and Microsoft’s documentation is explicit: Agent Framework is “the direct successor” to both, “created by the same teams.”

The community fork AG2 (ag2.ai) continues the original AutoGen conversational multi-agent pattern, but for net-new Microsoft-stack projects, MAF is now the default.

The Competitive Landscape Shifts

MAF’s consolidation is the most visible, but every major framework shipped production primitives in Q2 2026:

FrameworkKey UpdateProduction Signal
LangGraph 1.2 (May 2026)Per-node timeouts, DeltaChannel for checkpoint optimization, streaming API v3Powers agents at Uber, LinkedIn, Klarna
Google ADK 2.0 (June 2026)Graph-based orchestration, native A2A, Gemini 3.5 Flash integration, managed Agents APIFour-layer production stack on Google Cloud
OpenAI Agents SDK (April 15)Native sandbox execution, MCP-native tool use, sub-agent handoffs, Codex-style filesystem opsProduction-ready multi-agent workflows
Claude Agent SDK (early 2026Public launch of SDK behind Claude Code; renamed to reflect broader agent scopeAnthropic’s first-party agent framework
CrewAIProduction-mature; Flows with conditional logic, loops, state managementBest for role-based team automation
PydanticAIRapidly becoming Python-native favorite for strict type-safetyLow overhead, FastAPI-native debugging

The critical insight: framework choice now moves benchmark performance by up to 30 percentage points on identical models. Princeton HAL benchmark data (2026) shows the same Claude Opus 4 scoring 64.9% vs 57.6% on GAIA across two different orchestration scaffolds. This reframes vendor selection from “which SDK feels right” to “which orchestration scaffold maximizes model capability.”

As one analysis put it: “AutoGen into Microsoft Agent Framework was the first major sunset of the era. More will follow. Smaller frameworks without a differentiated orchestration philosophy, native protocol support, and a real production customer list will be absorbed or fade.”

Layer 2: Protocol Maturation — From Specification to Production Stack

A2A v1.0: 150+ Organizations, No Longer Just a Google Announcement

The Agent-to-Agent Protocol reached version 1.0 in April 2026 with signed Agent Cards, SDKs in five languages, and 150+ production organizations — including Microsoft, AWS, Google, IBM, Salesforce, SAP, ServiceNow, and Deutsche Bank. A2A defines how agents discover each other’s capabilities, negotiate task delegation, exchange structured data in JSON format, and maintain conversation context across multiple turns.

The adoption reality is nuanced. As analyst Rost Glukhov notes: “A2A is no longer only a Google announcement.” Microsoft is ahead with native A2A in MAF and Azure AI Foundry; Google is close behind with ADK 2.0 and Agent Engine. By end of 2026, A2A-driven multi-framework deployments — where different parts of a workflow run on different frameworks — are expected to move from demo to production in Fortune 500 accounts.

A new addition to the A2A ecosystem is the Agent Payments Protocol, enabling agents to negotiate and execute financial transactions within the A2A framework.

MCP: From Novelty to Table Stakes

The Model Context Protocol has become the standard way agents discover and call tools. All seven major open-source frameworks now support MCP — some natively (MAF, Claude Agent SDK, OpenAI Agents SDK), some via adapters. The June 2026 MCP spec release introduced server-as-agent capabilities: MCP servers that connect to other MCP servers, enabling recursive composition patterns that were previously impossible.

The relationship between MCP and A2A is complementary, not competitive. MCP handles tool discovery and context provision; A2A handles agent-to-agent coordination. Together with emerging standards like WebMCP and OSI, they form a protocol stack that makes cross-framework interoperability a technical reality rather than a marketing claim.

The Protocol Compliance Imperative

The practical implication: “The 2026 multi-agent stack is about protocol compliance over framework loyalty.” Enterprises evaluating agent frameworks should prioritize MCP and A2A support as non-negotiable requirements. Frameworks without native protocol support will find themselves increasingly isolated as the interoperability stack matures.

Layer 3: Governance Emergence — The Control Plane Takes Shape

Agent Gateways: The Fastest-Forming Enterprise Category

On July 5, 2026, Forbes published a landmark analysis: “Agent Gateways Are Becoming The Control Plane For Enterprise AI.” The article described a category that barely existed six months ago but now has multiple vendors shipping GA products:

  • Nutanix Agent Gateway (GA May 2026): Part of Enterprise AI 2.7, manages agent-to-model and agent-to-tool traffic with unified authentication, rate limiting, failover, and tool-level filtering
  • TrueFoundry: Unified LLM gateway (250+ providers) + MCP gateway + Agent gateway from one control plane, VPC-native with full data sovereignty
  • Speakeasy: All-in-one AI control plane with real-time threat detection, policy enforcement, and audit logging
  • Workato Enterprise MCP: Positions itself as a “Control and Execution Plane” — not just a gateway but a platform that governs identity, permissions, audit, and compliance while executing business processes
  • MintMCP: MCP Gateway providing governance layer for production-ready enterprise systems

The category is formalizing rapidly. Forrester announced formal evaluation of the agent control plane market in 2026, signaling that agent control planes are moving from an emerging pattern into a defined enterprise software category.

The distinction between a gateway and a control plane matters. As Workato argues: “A gateway is a feature of an AI control plane. It is not a control plane. And a control plane alone is not a Control and Execution Plane.” A gateway answers “Can this agent reach this tool?” A control plane answers “Who did the agent act as? What was it permitted to do? How was the business process executed? Is this deployment certifiable?”

AIUC-1: The First AI Agent Security Standard

AIUC-1, described as “the world’s first AI agent standard,” released its Q2 2026 refresh in April, modifying 14 requirements and adding 23 new controls. The focus: MCP security, A2A protocol security, agent identity and access management, and third-party risk.

Five controls are directly relevant to agent identity, access, and Zero Trust architecture — two of them new in Q2. The Q3 2026 release, scheduled for July 15, 2026, is anticipated to extend the MCP, third-party risk, and agent identity work further. Organizations should treat Q2 controls as a foundation, not a final state.

Microsoft Agent 365 (GA May 1, 2026) represents the platform-vendor approach: enterprise observability, governance, and security across environments, with SASE for agents, threat detection/blocking, and agent-threat-hunting workflows. At BUILD 2026, Microsoft positioned governance as the gate — identity, policy, and data controls fire while an agent is being built, not after it misbehaves in production.

The Security Gap Remains Critical

Despite the formalization, the security gap is stark:

  • Prompt injection attacks up 340% year-over-year
  • Memory poisoning is an emerging production threat
  • Only 29% of deploying organizations have adequate agent security controls
  • Confirmed CVEs: CVE-2026-22708 (Cursor), CVE-2025-59532 (OpenAI Codex CLI)
  • February 2026 saw: Claude Code RCE via repository config, 1,184 malicious skills in an agent marketplace, thousands of MCP servers exposed without authentication

The agent gateway category exists precisely because this gap needs closing. But as Forbes notes, the tech-preview status of MCP governance features across several products is a reminder that “the security story is still maturing, even as the agents are already in production.”

Data Points

MetricValueSourceDate
MAF 1.0 merged GitHub stars75,000+Microsoft DevBlogsApr 2026
A2A v1.0 production organizations150+Google Cloud / Linux FoundationApr 2026
Framework performance variance (same model)Up to 30 percentage pointsPrinceton HAL benchmark2026
AIUC-1 Q2 new controls23 added, 14 modifiedCSA / AIUC-1Apr 2026
Prompt injection attack increase YoY340%Adversa AIJul 2026
Organizations with adequate agent security29%SolidAITech / industry survey2026
Agentic AI project cancellation forecast (by 2027)>40%Gartner2026
Lyzr Series B$100M at ~$500M valuationBloombergJul 9, 2026
Bespoke Labs seed + Series A$40MBusiness WireJul 6, 2026
Nutanix Agent Gateway GAEnterprise AI 2.7NutanixMay 2026
AIUC-1 Q3 release dateJuly 15, 2026AIUC-1 changelogScheduled

🔺 Scout Intel: What Others Missed

Confidence: high | Novelty Score: 88/100

The three-layer convergence — framework consolidation, protocol standardization, and governance formalization — is occurring simultaneously for the first time in the agent ecosystem’s history. Previous maturation waves addressed one layer at a time: 2024 saw framework proliferation, early 2025 saw protocol proposals, late 2025 saw security wake-up calls. In July 2026, all three are reaching production maturity in the same quarter, creating a compounding effect where each layer accelerates the others: protocol compliance drives framework consolidation (frameworks without MCP/A2A lose relevance), governance requirements drive protocol adoption (AIUC-1 mandates MCP security controls), and framework consolidation simplifies governance (fewer frameworks = fewer governance surfaces). The 30-point benchmark variance between orchestration scaffolds on identical models means framework selection is now a performance optimization decision, not a developer preference — and enterprises that treat it as the latter will leave capability on the table.

Key Implication: Enterprise architecture teams should evaluate agent infrastructure as a three-layer stack (framework + protocol + governance) rather than making isolated framework selections, because protocol compliance and governance maturity now determine whether a framework choice is viable for production — not just whether it feels productive in development.

Outlook

Short-term (3-6 months)

  • AIUC-1 Q3 release (July 15, 2026) will extend MCP and A2A security controls, giving enterprises a concrete compliance baseline for agent deployments
  • Agent gateway category will consolidate rapidly as Forrester’s evaluation forces vendor differentiation between “gateway” and “control plane”
  • At least one more framework will enter maintenance mode or be absorbed, following AutoGen’s path — likely a smaller framework without native MCP/A2A support
  • A2A-driven multi-framework deployments will move from demo to production in 3-5 Fortune 500 accounts

Medium-term (6-18 months)

  • The framework landscape will settle into 4-5 production-viable options (MAF, LangGraph, ADK, OpenAI Agents SDK, Claude Agent SDK) with protocol compliance as the baseline differentiator
  • Agent gateways will become a mandatory procurement category for enterprises deploying agents at scale, similar to API gateways for microservices
  • The “framework performance variance” problem (30-point swings) will drive a new category of agent benchmarking and optimization tools
  • Bespoke Labs’ “training environments over bigger models” thesis will either be validated or challenged by production deployment data

Long-term (18+ months)

  • The three-layer convergence will produce a de facto “agent operating system” — a unified platform that handles framework orchestration, protocol compliance, and governance from a single control plane
  • The current fragmentation between gateway vendors (Nutanix, TrueFoundry, Speakeasy, Workato) will consolidate into 2-3 dominant platforms, likely through acquisition
  • Agent identity and access management will become a specialized discipline within enterprise security, with dedicated tooling and certification programs and dedicated tooling
  • The “agent ran its own fundraise” moment (Lyzr/SivaClaw) will be seen as an early indicator of autonomous agent capability in high-stakes enterprise workflows — and the due-diligence gap it exposed will be addressed by new verification standards

Sources

AI Agent Ecosystem W28: Framework Consolidation, Protocol Convergence, Gateway Control Plane

Microsoft Agent Framework absorbs AutoGen (75K+ stars merged), A2A reaches 150+ production orgs, and agent gateways emerge as the enterprise control plane — three layers converging simultaneously for the first time. Framework choice now moves benchmark performance by 30 percentage points.

AgentScout · · 8 min read
#ai-agent-ecosystem #microsoft-agent-framework #a2a-protocol #agent-gateway #mcp-security #agent-governance
Analyzing Data Nodes...
SIG_CONF:CALCULATING
Verified Sources

AI Agent Ecosystem W28: Framework Consolidation, Protocol Convergence, and the Gateway Control Plane

TL;DR: The agent ecosystem in July 2026 is defined by a three-layer convergence: framework consolidation (Microsoft Agent Framework absorbs AutoGen + Semantic Kernel), protocol maturation (A2A v1.0 reaches 150+ production orgs, MCP becomes table stakes), and governance emergence (agent gateways become the enterprise control plane, AIUC-1 formalizes security standards). These layers are maturing simultaneously — a first — and the companies winning are those building across all three.

Executive Summary

The period from April to July 2026 delivered more shipped features across the agent-framework ecosystem than any quarter since agent frameworks began shipping. But the headline isn’t any single launch — it’s the structural convergence of three layers that previously evolved independently.

At the framework layer, Microsoft Agent Framework 1.0 GA (April 3, 2026) absorbed AutoGen and Semantic Kernel into a single SDK, merging 75,000+ GitHub stars of predecessor work and placing both originals into maintenance mode. This is the first major framework sunset of the consolidation era, and more will follow. Simultaneously, Google ADK 2.0 GA, OpenAI Agents SDK updates, and LangGraph 1.2 pushed production primitives — durable state, sub-agent handoffs, per-node error recovery — from community recipes to first-class features.

At the protocol layer, A2A v1.0 reached 150+ production organizations with signed Agent Cards and SDKs in five languages, while MCP support became table stakes across all seven major open-source frameworks. The 2026 multi-agent stack is now about protocol compliance over framework loyalty.

At the governance layer, agent gateways emerged as the enterprise control plane — Nutanix shipped GA, TrueFoundry and Speakeasy competed for the category, and Forrester announced formal market evaluation. AIUC-1’s Q2 refresh added 23 new controls for MCP security and agent identity, with a Q3 release (July 15, 2026) extending the framework further.

The convergence of these three layers creates a new decision framework for enterprises: framework choice is no longer a lifestyle preference but a 30-point performance variable, protocol compliance determines interoperability, and governance maturity determines whether agents reach production at all.

Background

The AI agent ecosystem in 2025 was defined by fragmentation. Developers chose between AutoGen for multi-agent research, Semantic Kernel for enterprise integration, LangGraph for stateful workflows, CrewAI for role-based teams, and a dozen smaller frameworks — each with different abstractions, different deployment models, and no shared protocol for inter-agent communication. The result was a landscape where agents built on different frameworks couldn’t talk to each other, enterprises couldn’t govern what they couldn’t observe, and the gap between demo and production remained stubbornly wide.

Three forces changed this in the first half of 2026. First, the frontier labs shipped first-party agent SDKs — OpenAI, Anthropic, and Google each released dedicated development kits optimized for their own models. Second, the Model Context Protocol (MCP) and Agent-to-Agent Protocol (A2A) moved from specifications to production infrastructure, creating a genuine interoperability stack. Third, the security and governance gap became impossible to ignore: prompt injection attacks rose 340% year-over-year, only 29% of deploying organizations had adequate agent security controls, and Gartner predicted that more than 40% of agentic AI projects would be canceled by 2027 over escalating costs, unclear value, or weak risk controls.

The week of July 5-12, 2026 crystallizes these forces into a coherent picture. This analysis examines the three converging layers and their implications for technical decision-makers.

Analysis

Layer 1: Framework Consolidation — The End of Proliferation

Microsoft Agent Framework 1.0: The Biggest Consolidation of the Year

On April 3, 2026, Microsoft shipped Agent Framework 1.0 GA — the production-ready convergence of Semantic Kernel and AutoGen into a single SDK. The package ships as Microsoft.Agents.AI on NuGet (.NET) and agent-framework on PyPI (Python), under MIT license. Between them, the two predecessor projects accumulated more than 75,000 GitHub stars and three years of enterprise field experience.

The merger is architectural, not just organizational. Semantic Kernel provides the foundation layer — session-based state management, type safety, filters, telemetry, and the full connector ecosystem. AutoGen’s multi-agent orchestration sits on top as a graph-based workflow engine. The result is two build modes: Agents (LLM-driven, open-ended tasks) and Workflows (graph-based, deterministic, checkpointed processes with human-in-the-loop).

Key production features shipped with 1.0 and extended at BUILD 2026:

  • Agent Harness: Built-in automatic context management, HITL approval gates, and GitHub Copilot SDK integration
  • Native MCP + A2A: Not adapters — first-class protocol support
  • Type-safe routing: Compilers catch routing errors at build time in .NET; runtime validation in Python
  • Scale-to-zero pricing on Azure AI Foundry: $0.0994/vCPU-hour, $0.0118/GiB-hour, with billing starting only when the agent is active

Both AutoGen and Semantic Kernel are now in maintenance mode — receiving bug fixes and security patches but no new features. Migration guides are published, and Microsoft’s documentation is explicit: Agent Framework is “the direct successor” to both, “created by the same teams.”

The community fork AG2 (ag2.ai) continues the original AutoGen conversational multi-agent pattern, but for net-new Microsoft-stack projects, MAF is now the default.

The Competitive Landscape Shifts

MAF’s consolidation is the most visible, but every major framework shipped production primitives in Q2 2026:

FrameworkKey UpdateProduction Signal
LangGraph 1.2 (May 2026)Per-node timeouts, DeltaChannel for checkpoint optimization, streaming API v3Powers agents at Uber, LinkedIn, Klarna
Google ADK 2.0 (June 2026)Graph-based orchestration, native A2A, Gemini 3.5 Flash integration, managed Agents APIFour-layer production stack on Google Cloud
OpenAI Agents SDK (April 15)Native sandbox execution, MCP-native tool use, sub-agent handoffs, Codex-style filesystem opsProduction-ready multi-agent workflows
Claude Agent SDK (early 2026Public launch of SDK behind Claude Code; renamed to reflect broader agent scopeAnthropic’s first-party agent framework
CrewAIProduction-mature; Flows with conditional logic, loops, state managementBest for role-based team automation
PydanticAIRapidly becoming Python-native favorite for strict type-safetyLow overhead, FastAPI-native debugging

The critical insight: framework choice now moves benchmark performance by up to 30 percentage points on identical models. Princeton HAL benchmark data (2026) shows the same Claude Opus 4 scoring 64.9% vs 57.6% on GAIA across two different orchestration scaffolds. This reframes vendor selection from “which SDK feels right” to “which orchestration scaffold maximizes model capability.”

As one analysis put it: “AutoGen into Microsoft Agent Framework was the first major sunset of the era. More will follow. Smaller frameworks without a differentiated orchestration philosophy, native protocol support, and a real production customer list will be absorbed or fade.”

Layer 2: Protocol Maturation — From Specification to Production Stack

A2A v1.0: 150+ Organizations, No Longer Just a Google Announcement

The Agent-to-Agent Protocol reached version 1.0 in April 2026 with signed Agent Cards, SDKs in five languages, and 150+ production organizations — including Microsoft, AWS, Google, IBM, Salesforce, SAP, ServiceNow, and Deutsche Bank. A2A defines how agents discover each other’s capabilities, negotiate task delegation, exchange structured data in JSON format, and maintain conversation context across multiple turns.

The adoption reality is nuanced. As analyst Rost Glukhov notes: “A2A is no longer only a Google announcement.” Microsoft is ahead with native A2A in MAF and Azure AI Foundry; Google is close behind with ADK 2.0 and Agent Engine. By end of 2026, A2A-driven multi-framework deployments — where different parts of a workflow run on different frameworks — are expected to move from demo to production in Fortune 500 accounts.

A new addition to the A2A ecosystem is the Agent Payments Protocol, enabling agents to negotiate and execute financial transactions within the A2A framework.

MCP: From Novelty to Table Stakes

The Model Context Protocol has become the standard way agents discover and call tools. All seven major open-source frameworks now support MCP — some natively (MAF, Claude Agent SDK, OpenAI Agents SDK), some via adapters. The June 2026 MCP spec release introduced server-as-agent capabilities: MCP servers that connect to other MCP servers, enabling recursive composition patterns that were previously impossible.

The relationship between MCP and A2A is complementary, not competitive. MCP handles tool discovery and context provision; A2A handles agent-to-agent coordination. Together with emerging standards like WebMCP and OSI, they form a protocol stack that makes cross-framework interoperability a technical reality rather than a marketing claim.

The Protocol Compliance Imperative

The practical implication: “The 2026 multi-agent stack is about protocol compliance over framework loyalty.” Enterprises evaluating agent frameworks should prioritize MCP and A2A support as non-negotiable requirements. Frameworks without native protocol support will find themselves increasingly isolated as the interoperability stack matures.

Layer 3: Governance Emergence — The Control Plane Takes Shape

Agent Gateways: The Fastest-Forming Enterprise Category

On July 5, 2026, Forbes published a landmark analysis: “Agent Gateways Are Becoming The Control Plane For Enterprise AI.” The article described a category that barely existed six months ago but now has multiple vendors shipping GA products:

  • Nutanix Agent Gateway (GA May 2026): Part of Enterprise AI 2.7, manages agent-to-model and agent-to-tool traffic with unified authentication, rate limiting, failover, and tool-level filtering
  • TrueFoundry: Unified LLM gateway (250+ providers) + MCP gateway + Agent gateway from one control plane, VPC-native with full data sovereignty
  • Speakeasy: All-in-one AI control plane with real-time threat detection, policy enforcement, and audit logging
  • Workato Enterprise MCP: Positions itself as a “Control and Execution Plane” — not just a gateway but a platform that governs identity, permissions, audit, and compliance while executing business processes
  • MintMCP: MCP Gateway providing governance layer for production-ready enterprise systems

The category is formalizing rapidly. Forrester announced formal evaluation of the agent control plane market in 2026, signaling that agent control planes are moving from an emerging pattern into a defined enterprise software category.

The distinction between a gateway and a control plane matters. As Workato argues: “A gateway is a feature of an AI control plane. It is not a control plane. And a control plane alone is not a Control and Execution Plane.” A gateway answers “Can this agent reach this tool?” A control plane answers “Who did the agent act as? What was it permitted to do? How was the business process executed? Is this deployment certifiable?”

AIUC-1: The First AI Agent Security Standard

AIUC-1, described as “the world’s first AI agent standard,” released its Q2 2026 refresh in April, modifying 14 requirements and adding 23 new controls. The focus: MCP security, A2A protocol security, agent identity and access management, and third-party risk.

Five controls are directly relevant to agent identity, access, and Zero Trust architecture — two of them new in Q2. The Q3 2026 release, scheduled for July 15, 2026, is anticipated to extend the MCP, third-party risk, and agent identity work further. Organizations should treat Q2 controls as a foundation, not a final state.

Microsoft Agent 365 (GA May 1, 2026) represents the platform-vendor approach: enterprise observability, governance, and security across environments, with SASE for agents, threat detection/blocking, and agent-threat-hunting workflows. At BUILD 2026, Microsoft positioned governance as the gate — identity, policy, and data controls fire while an agent is being built, not after it misbehaves in production.

The Security Gap Remains Critical

Despite the formalization, the security gap is stark:

  • Prompt injection attacks up 340% year-over-year
  • Memory poisoning is an emerging production threat
  • Only 29% of deploying organizations have adequate agent security controls
  • Confirmed CVEs: CVE-2026-22708 (Cursor), CVE-2025-59532 (OpenAI Codex CLI)
  • February 2026 saw: Claude Code RCE via repository config, 1,184 malicious skills in an agent marketplace, thousands of MCP servers exposed without authentication

The agent gateway category exists precisely because this gap needs closing. But as Forbes notes, the tech-preview status of MCP governance features across several products is a reminder that “the security story is still maturing, even as the agents are already in production.”

Data Points

MetricValueSourceDate
MAF 1.0 merged GitHub stars75,000+Microsoft DevBlogsApr 2026
A2A v1.0 production organizations150+Google Cloud / Linux FoundationApr 2026
Framework performance variance (same model)Up to 30 percentage pointsPrinceton HAL benchmark2026
AIUC-1 Q2 new controls23 added, 14 modifiedCSA / AIUC-1Apr 2026
Prompt injection attack increase YoY340%Adversa AIJul 2026
Organizations with adequate agent security29%SolidAITech / industry survey2026
Agentic AI project cancellation forecast (by 2027)>40%Gartner2026
Lyzr Series B$100M at ~$500M valuationBloombergJul 9, 2026
Bespoke Labs seed + Series A$40MBusiness WireJul 6, 2026
Nutanix Agent Gateway GAEnterprise AI 2.7NutanixMay 2026
AIUC-1 Q3 release dateJuly 15, 2026AIUC-1 changelogScheduled

🔺 Scout Intel: What Others Missed

Confidence: high | Novelty Score: 88/100

The three-layer convergence — framework consolidation, protocol standardization, and governance formalization — is occurring simultaneously for the first time in the agent ecosystem’s history. Previous maturation waves addressed one layer at a time: 2024 saw framework proliferation, early 2025 saw protocol proposals, late 2025 saw security wake-up calls. In July 2026, all three are reaching production maturity in the same quarter, creating a compounding effect where each layer accelerates the others: protocol compliance drives framework consolidation (frameworks without MCP/A2A lose relevance), governance requirements drive protocol adoption (AIUC-1 mandates MCP security controls), and framework consolidation simplifies governance (fewer frameworks = fewer governance surfaces). The 30-point benchmark variance between orchestration scaffolds on identical models means framework selection is now a performance optimization decision, not a developer preference — and enterprises that treat it as the latter will leave capability on the table.

Key Implication: Enterprise architecture teams should evaluate agent infrastructure as a three-layer stack (framework + protocol + governance) rather than making isolated framework selections, because protocol compliance and governance maturity now determine whether a framework choice is viable for production — not just whether it feels productive in development.

Outlook

Short-term (3-6 months)

  • AIUC-1 Q3 release (July 15, 2026) will extend MCP and A2A security controls, giving enterprises a concrete compliance baseline for agent deployments
  • Agent gateway category will consolidate rapidly as Forrester’s evaluation forces vendor differentiation between “gateway” and “control plane”
  • At least one more framework will enter maintenance mode or be absorbed, following AutoGen’s path — likely a smaller framework without native MCP/A2A support
  • A2A-driven multi-framework deployments will move from demo to production in 3-5 Fortune 500 accounts

Medium-term (6-18 months)

  • The framework landscape will settle into 4-5 production-viable options (MAF, LangGraph, ADK, OpenAI Agents SDK, Claude Agent SDK) with protocol compliance as the baseline differentiator
  • Agent gateways will become a mandatory procurement category for enterprises deploying agents at scale, similar to API gateways for microservices
  • The “framework performance variance” problem (30-point swings) will drive a new category of agent benchmarking and optimization tools
  • Bespoke Labs’ “training environments over bigger models” thesis will either be validated or challenged by production deployment data

Long-term (18+ months)

  • The three-layer convergence will produce a de facto “agent operating system” — a unified platform that handles framework orchestration, protocol compliance, and governance from a single control plane
  • The current fragmentation between gateway vendors (Nutanix, TrueFoundry, Speakeasy, Workato) will consolidate into 2-3 dominant platforms, likely through acquisition
  • Agent identity and access management will become a specialized discipline within enterprise security, with dedicated tooling and certification programs and dedicated tooling
  • The “agent ran its own fundraise” moment (Lyzr/SivaClaw) will be seen as an early indicator of autonomous agent capability in high-stakes enterprise workflows — and the due-diligence gap it exposed will be addressed by new verification standards

Sources

xpqak3rmv3dzv16ulrosk9████et1a0ohsmue6ahgwnb4yb6tqnniyrdmc████44cf79f062kt41c6mn0f59gvmo4ezh5uc░░░673hlniybw84ttap1f0qhivm0snyn6nz8████sfec8s1lj4w2vpft2iwxhqzirtbjvp9░░░aqhlc61bkubzs64vv9gutki36whfqfbp8░░░wy19abf2asbacfmdokjefrkzzda7l2pc████ofjv1i81i5nh5leysvjyvcyczzzrcw2a████eseljmdqx8f4g7tk5b01aqwkba47rj5g░░░4w3ldt7mwch58bowh5cafnv645zyqzpc░░░dpkrl8sjlak1zym8marquuwo5vjbm5h3████wgx96twzlldw1snvwrwpz3n6pdq3hjhj████hbuk8vywo1ne8dnplsl759996k3hdnchk████rzsejy4wcnzh5gk5jt2grx794obp8ut░░░ag130y91cn0oobaj5ott3ma0qrilkt0um░░░hi8r3n50zctmjgcgnu4t5ii46hs6zcalf░░░pokwk7r0wah9l2b5da7vsiu1dyrh1zk████00rw5deckr37l0pw3ka8i9tt9ca8m3j3875a████90umyy2o5waj6n58a4xofns6tqeefn7uk████5xffdnabypywwb3yrs30rc0ryumx6qdyif████u9rm16o7an9ymvv7n7fa2rg5o2uz3r3░░░6iaywkj62hqtaio1x3vehd5fqq43sx68░░░nv7rb9s3lz9sl4c9a5qb6pxdfej4fy39████9k683znz48ap7patxhwp56adqohv8lzn░░░fjiybrqg93e7qx2knkkcmuo26xu5ytc████iy0ric99r4xdpfbzald0a8qh4jmo8126████1fdsf2ttpcnshhpoolv9hi4z6ix80zoc████kv3qb1627wkinbace2l26vzfxe782l░░░v2148auy1gojbf8eclc7sjy6e9mvfdno████f6iwp6smj1cykfxnx6bvplbg6f1yu6ezi████2muun3vbz9n8ns6wm7xubxyox3ka4onb░░░r05lp06gth0hwwilh37ag9sfzkllswzpm░░░lothfegemvepgfylxhccunviy3kvmo88░░░fvozkb1uc27qexzmfpvdc6j7nhy07ert████2tqev0nvhyqnix0tmrr8rlaka3gl3czqf████oyu3ai60o8n3zzqcwoqj4r7owgocqlohv████fj285unecntio9qctvego73ipqta87qbo░░░egvofp26mqrb2zxjo3wjixo2xy7i2jf░░░uglart9hvsl2qby3je6gtlbzj03mcsyvj████yhqmie501qo00g6bcnttm6p3pl99ctzmpy░░░37q5rq33o7kirokkwcub3fe9g9bi8r61u░░░ntcsc67kge90zebj7fm2l1a93ji2z4o░░░n5q7lwqcyaiqjp925iits80swj9tisb5r░░░uv9bhcnmd4jkzp4d09cfsl98dbggs1xc████dxpq69e7tnpa3w6ohqivaurvztjmgn1f░░░vkw286gjcbf1v820q8440pys7j0dfa53████bp00shp1g9kiqtx9ebhvt7pjq2u64░░░v9ouoo6657mx5fkomt49n0xbsyfo0cdpl░░░zp5sxwmhrsha42vh70vrkhcxrhijqllo░░░dxh72jrg1kk1d7aktewd27nnoohgianf8████cvsx8dh43