We only publish what we can defend in a vendor meeting. Every claim carries an ID, a review date, and a verdict you can check.
- Our ledger: 245
- Holding: 231
- Partial: 08
- Not holding: 06
- Industry claims tracked: 26
- Last review: today
Quiet — no verdict transitions in the last 30 days.
Agent Mode AI — claim-tracked agentic AI analysis
The non-human identity governance vacuum
Machine and AI-agent identities now outnumber humans about 45 to 1, and most enterprises have no policy to provision or retire them. NHI is the fastest-growing unmanaged attack surface, and the binding control is inventory, not perimeter.
27 years enterprise IT operations. Global organisation. Major incidents. Editorially independent.
- 150 pieces
- 245 tracked claims
- 14 public retractions
The Enterprise Agentic Governance Benchmark. Six dimensions, scored 0–100. Free 5-minute web diagnostic; 30–45 minute Excel for governance groups.
Recently reviewed
Three claims most recently re-tested against their primary sources. Status changes log to the corrections page; nothing quietly vanishes.
- AM-133 (Holding): Q3 2026 Claim Review Bulletin: which claims moved, which held, and what the EU AI Act enforcement window did to the corpus. Reviewed 30 Jul 2026.
- OPS-093 (Holding): The 30 Jun deadline on Microsoft 365 Copilot Business pricing. Reviewed 5 Jun 2026.
- OPS-092 (Holding): Notion's agents now cost money: which ones earn their credits. Reviewed 5 Jun 2026.
Why this publication has a ledger
Most AI commentary gets paid for being loud about what's new. Almost none gets measured on whether what it said last quarter still holds this one. That is the gap this publication exists to close. Every published argument carries an ID, a review date, and one of three verdicts — Holding, Partial, or Not holding — that updates over time as evidence accumulates. The verdict log is the product.
When a claim stops holding, the page says so. The original sentence stays visible. The correction is dated and appended. Nothing is quietly removed. You do not need to trust the author to trust the verdicts — the receipts are public, on a 30–90 day review rhythm, and the corrections record is permanent.
Two registers
Same Holding-up discipline
Mid-market and large enterprise. Procurement, governance, EU AI Act, multi-vendor agentic stacks. 30–90 day claim review cadence.
No IT department. Practitioner-advisory voice; faster 30–45 day cadence. Tools, vendor red flags, hours-per-week evaluation budgets.
Topic pillars
Five clusters
- Non-human identity (5 articles)
How enterprise IT manages AI agents as first-class identities — lifecycle, credentials, procurement clauses, audit.
- Agent procurement (37 articles)
The contracts, SLAs, and evaluation criteria that distinguish agentic-AI procurement from SaaS procurement.
- Shadow AI discovery (3 articles)
Detecting unauthorised agentic-AI deployments inside the enterprise — telemetry patterns, inventory methods, policy response.
- Agentic AI governance (56 articles)
Governance frameworks, oversight patterns, and compliance postures for enterprise agentic-AI deployment.
- Enterprise AI cost (31 articles)
Verifying, tracking, and challenging the ROI claims vendors and analysts make about enterprise agentic AI.
- Regulatory readiness (7 articles)
Tracking the agentic-AI regulatory timeline — EU AI Act, sector rules, audit-evidence obligations — and what enterprises must do before each deadline.
- Vendor trajectory (11 articles)
Where the major agentic-AI platform vendors are heading — strategy, pricing-model shifts, and what their trajectory means for a multi-year procurement commitment.
Editor's picks
One per topic cluster
- Governance: 90 days to EU AI Act enforcement: what the corpus says enterprises still haven't done
- Cost economics: The hidden costs of agentic AI: a CFO's guide to true TCO and ROI modeling
- Security: Claude Mythos: what 'too dangerous to release' means for your risk appetite and cyber posture
- Architecture: Non-human identity for AI agents: the 2026 IAM playbook
- Strategy: Why 88% of agentic AI deployments fail
Latest pieces
Enterprise AI vendor comparison: the agentic platforms are converging
By mid-2026 the major enterprise agentic-AI platforms ship the same primitives: an agent builder, MCP tools, a policy gateway, and observability. When capability converges, the durable selection criterion is the auditability of each vendor's accountability surface.
Enterprise AI claims, one quarter on: what held up and what aged
This publication registers one falsifiable claim per article and tracks it on a public cadence. One quarter and 236 claims in, the movement data shows what kind of enterprise-AI claim ages, and how fast.
There is no federal AI floor coming: what Colorado's retreat and the stalled preemption fight mean for enterprise compliance planning
American enterprises waiting for the US AI regulatory picture to settle before they build their compliance posture got two answers in the first half of 2026, and both point the same way. The federal floor most boards assumed was coming is not coming on a plannable timeline: the White House framework of 20 March 2026 is explicitly non-binding, and the proposed moratorium on state AI laws was not enacted. Meanwhile the most-watched comprehensive state law moved backwards, not forwards: on 14 May 2026 Colorado gutted its own AI Act and pushed it to 2027. The lesson is not that regulation is going away. It is that there is no single regime to build to, and waiting for one is now the riskier choice than building to the obligations that already apply.
The bottleneck moved from the model to the engineer: what the forward-deployed-engineer turn means for enterprise AI procurement
The scarce input in enterprise AI is no longer access to a capable model. Every serious buyer can rent frontier capability by the token. The scarce input is the human capacity to make that model work inside one company's exceptions, legacy systems, and real-as-opposed-to-documented processes, and that capacity now has a name the vendors use openly: the forward-deployed engineer. In May 2026 the model vendors built businesses around it. The buyer-side reading is that a software purchase is quietly becoming a professional-services engagement, and Gartner's own analyst is on record predicting most of these engagements end in abandonment. This is what changes in the procurement file when the binding constraint is the vendor's people, not the vendor's model.
AI coding agents are now an enterprise attack surface: what TrustFall and SymJack mean for the software supply chain
In May 2026 security researchers published two findings, TrustFall and SymJack, that broke the same assumption across every major AI coding agent at once: Claude Code, Cursor, Gemini CLI, GitHub Copilot CLI, OpenAI Codex CLI, and Grok all treated the on-screen approval prompt as informed consent, and all could be driven to remote code execution by a booby-trapped repository. Microsoft separately disclosed two prompt-injection-to-RCE bugs in its own agent runtime, Semantic Kernel. When a flaw is shared by every product in a category, the category has a design assumption that does not hold. For the enterprise, the consequence is concrete: the coding agent your developers run with their full credentials is a production attack surface, and most governance programmes have it filed under developer tooling, outside the inventory entirely.
The SP 800-53 gap for AI agents, and what NIST COSAiS is writing to close it
Enterprises mapping agentic AI to NIST SP 800-53 today find real gaps in four control families: access control, identification and authentication, audit and accountability, and supply-chain risk. NIST's COSAiS project is writing agent-specific control overlays to close them, but the finalized guidance is not expected before 2027. Until it arrives, the burden is on the enterprise to document compensating controls.
ISO 42001 is becoming the enterprise AI procurement checkpoint
ISO/IEC 42001 is the first certifiable AI management system standard, and through 2025-2026 it has started appearing in regulated-sector and EU AI vendor RFPs as a stated or preferred requirement. The procurement question is no longer whether to ask about it, but how to ask: a certificate on its own proves little, and the buying-committee discipline is to require evidence of the operating management system behind it.
Agentic AI FinOps: the cost-governance discipline most enterprises skipped
Enterprises that scale agentic AI without a dedicated FinOps discipline for inference, covering workload-level cost allocation, spend-cap tooling, and model-routing policy, repeatedly under-budget production spend. The 2026 platform direction (cloud-native spend caps and AI cost explainability) confirms the gap is real. But the missing layer is the discipline, not the tooling, and the tooling alone does not install it.
Browse by topic pillar
Five strategic pillars
Coming next
Peter's editorial calendar — honest dates, bumped-with-notes if missed.
- Week 17, 26 Apr 2026: Non-human identity — the first procurement question CIOs aren't asking yet
Every enterprise agent deployment passes through a credential. Most teams still hand the agent a human's credential. Naming the NHI gap is the next Q2 procurement conversation.
- Week 18, 03 May 2026: Shadow agent sprawl — what telemetry catches and what it misses
The browser-as-agent-runtime pattern creates a detection gap that MDM/CASB don't see. What the first wave of shadow-AI discovery tools actually find, and the three categories they miss.
- Week 19, 10 May 2026: The AI agent MSA — four clauses every enterprise contract needs by August
EU AI Act enforcement activates 2 Aug 2026. The clauses that survive legal review in the next quarter will be the ones that don't pretend the agent is conventional SaaS.