Microsoft Agent 365 went GA on May 1, 2026. Microsoft positioned it as “the AI control plane.”
Three days later, ServiceNow Action Fabric went GA on May 5. Anthropic was the first design partner. ServiceNow positioned it as “the shared runtime for humans and AI agents.”
Two incumbents. Same week. Same prize. Different vocabulary.
Both used the word runtime. Both used the word control plane. Neither one inspects the call between the agent and the model.
That gap is a category boundary, not a feature gap. This post explains the boundary and why it matters for the next twelve months of enterprise AI procurement.
What Microsoft Agent 365 actually does
Microsoft Agent 365 observes, governs, and secures AI agents across enterprise environments. The product spawns agents. Identifies them. Tracks them. Manages their lifecycle. Enforces policy on the agents themselves.
If an AI agent gets deployed by a business unit inside an enterprise that uses Microsoft 365, Agent 365 knows that agent exists. It can attribute the agent to a principal. It can restrict what tools the agent can use. It can log what actions the agent took.
This is real governance. It solves the agent sprawl problem. It gives security teams a registry of every agent operating inside the enterprise. It is also workflow governance.
The runtime path between an agent inside Agent 365 and a foundation model still runs through public cloud APIs. Microsoft Agent 365 does not sit in that data path. It governs the agent. It does not govern what the agent sends to the model.
What ServiceNow Action Fabric actually does
ServiceNow Action Fabric uses the word runtime explicitly. “Shared runtime for humans and AI agents.”
The runtime ServiceNow refers to is the workflow runtime. The execution engine for business processes. Records. Approvals. SLAs. Catalog. Playbook. The same runtime ServiceNow has been running for two decades, now extended so that AI agents are first-class workflow participants alongside humans.
When ServiceNow says runtime, it means the workflow execution layer. Not the data path between agent and model.
ServiceNow’s AI Control Tower, paired with Action Fabric, identity-verifies the agent, scopes its permissions, audits every flow it touches. Again, real governance. Comprehensive. Tied to the records of work that already exist in the enterprise.
Anthropic as the first design partner is meaningful. Anthropic agents running inside Action Fabric will integrate with ServiceNow workflow. That is a genuine product alignment. It is also workflow governance.
What both products do not do
Read the marketing copy carefully. Read the GA announcements. Read the Forrester briefing notes.
Neither product sits in the call between agent and model.
When an agent inside Agent 365 or Action Fabric needs to send a prompt to Claude or GPT-4 or Gemini, that call leaves the agent runtime and enters the model. Nothing inspects it on the way out. Nothing redacts PII before transmission. Nothing classifies the content against data loss prevention rules. Nothing logs the call with identity attribution at the protocol layer. Nothing governs the response on the way back.
That gap is the runtime plane.
It exists in every AI agent deployment regardless of which workflow platform the agent runs in. It is a different category of control with a different category of failure mode.
Two failure modes, two buyers
The workflow plane fails when the agent runs the wrong workflow. An agent escalates an HR investigation when it should have routed to legal. An agent approves a transaction that exceeds its authority scope. An agent escalates a customer to an unauthorized tier of service.
That failure mode is real. It is also a CIO failure mode. The CIO owns workflow, owns business process execution, owns the integrity of records of work. The CIO buys the workflow plane.
The runtime plane fails when the agent sends customer PII to a public model. An agent attached a customer service transcript to a Claude call without redaction. An agent included a regulated identifier in a prompt that left the enterprise network perimeter. An agent’s MCP tool call exfiltrated environment variables to an external API.
That failure mode is also real. It is a CISO failure mode. The CISO owns data security, owns network egress, owns the integrity of the data path. The CISO buys the runtime plane.
Different failure modes. Different buyers. Different budgets. Different teams.
This is not a rhetorical distinction. The procurement budget for a CIO workflow product comes from operations or business systems. The procurement budget for a CISO runtime product comes from security or compliance. They are different line items signed by different people. They have different RFP requirements. They go through different security reviews. They map to different audit obligations.
When a regulated bank gets fined for letting customer data leak to a foundation model, the CIO is not the executive testifying to the board. The CISO is.
The cloud-era pattern
The enterprise has seen this exact split before.
In the cloud era, the workflow plane was claimed by ServiceNow, Salesforce, and Workday. These vendors governed work. They tracked records. They orchestrated business processes. They became platform companies of immense scale.
The runtime plane was claimed by Palo Alto Networks, Check Point, Cisco, Zscaler, and Netskope. These vendors inspected traffic. They sat in the network path. They redacted, blocked, allowed, and logged. They became platform companies of equally immense scale.
No buyer thought ServiceNow and Palo Alto were competing. They served different functions, sold to different buyers, and solved different problems. Most large enterprises bought both. They are still buying both.
That is the architectural pattern that holds in AI.
Microsoft Agent 365 and ServiceNow Action Fabric will be the AI-era ServiceNow. The CIO will buy them.
The runtime plane is the AI-era Zscaler. The CISO will buy that separately.
What the runtime plane requires
Six intelligence agencies described this category in a joint advisory published April 30, 2026. NSA, CISA, ASD’s ACSC, Canadian Centre for Cyber Security, NCSC-NZ, NCSC-UK. The document is called “Careful Adoption of Agentic AI Services.”
The advisory names the controls that runtime governance requires:
- Each agent constructed as a distinct principal with cryptographically anchored identity
- A trusted registry binding identities to authorized roles
- Authentication on every inter-agent and agent-to-service call
- Security controls at every point information enters or exits the system
- Human control points throughout the agent workflow
Read those bullets as a procurement spec. They specify what the CISO needs to put in the call path between the agent and the model. They do not specify what the CIO needs to spawn or audit the agent itself. Those are different concerns at different layers.
Workflow governance does not address those controls. Data governance products that scan model outputs for sensitive data also do not address them. The advisory describes a third category, parallel to the other two.
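As an added illustration (not code from Microsoft, ServiceNow, the advisory, or SmartFlow), the sketch below shows what an inline check on the agent-to-model call could look like: authenticate the calling agent against a registry, redact identifiers before the prompt leaves, and emit an identity-attributed audit record. The registry contents, the HMAC tag (a stand-in for a cryptographically anchored identity such as a certificate or signed token), the two regex detectors and all names are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed registry binding an agent identity to a key and an authorized role.
REGISTRY = {"agent-claims-01": (b"constructed-demo-key", "claims-triage")}

# Illustrative detectors only; production DLP classification needs more than regexes.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed sample prompt containing two identifiers.
SAMPLE = "Summarize: customer jane.doe@example.com SSN 123-45-6789 disputes a charge"


def sign(agent_id: str, prompt: str, key: bytes) -> str:
    """Tag the agent attaches to each call (HMAC stands in for a real credential)."""
    return hmac.new(key, f"{agent_id}\n{prompt}".encode(), hashlib.sha256).hexdigest()


def inspect_outbound(agent_id: str, prompt: str, tag: str):
    """Return (decision, prompt_to_forward, audit_record) for one model call."""
    entry = REGISTRY.get(agent_id)
    # Authenticate every call: unknown agents and bad tags never reach the model.
    if entry is None or not hmac.compare_digest(sign(agent_id, prompt, entry[0]), tag):
        return "deny", None, {"agent": agent_id, "decision": "deny",
                              "reason": "unauthenticated"}
    redacted, findings = prompt, {}
    for label, rx in PATTERNS.items():
        redacted, count = rx.subn(f"[{label}]", redacted)
        if count:
            findings[label] = count
    audit = {
        "agent": agent_id,
        "role": entry[1],
        "decision": "forward",
        "findings": findings,
        # Hash the original so the audit log itself never stores the identifiers.
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
    }
    return "forward", redacted, audit


if __name__ == "__main__":
    good_tag = sign("agent-claims-01", SAMPLE, REGISTRY["agent-claims-01"][0])
    print(inspect_outbound("agent-claims-01", SAMPLE, good_tag))
```

The same check would apply to the response on the way back and to MCP tool calls; only the outbound prompt is shown here.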
How to read AI procurement in 2026
If you are a senior leader at a regulated enterprise looking at AI infrastructure spend in the next twelve months, here is the lens.
Workflow platform: who will run the agents and govern the work they do? Microsoft, ServiceNow, Salesforce, SAP. The big workflow incumbents will dominate this category. The decision is real but it is also bounded. The vendor that already owns your workflow stack probably owns this one.
Runtime platform: what sits in the call between the agent and the model? On-premises if you are regulated. Inline at the prompt, response, and MCP tool call boundary. Identity-bound to verified principals. Auditable to a regulator. This is the open category. The incumbents in the network security space have not claimed it. The pure-play AI gateway companies have not differentiated themselves cleanly here. The market is unsettled.
Data governance: where does the data sit and who can access it? Oracle, Snowflake, Databricks. Established category, established players. Not the same problem as runtime governance because data governance addresses the dataset, not the prompt-response transaction.
Identity proofing: who is the actual human behind the agent? This is the most underappreciated layer. The agent acts on delegated authority from a human. If the human verification is weak, the entire downstream chain inherits the weakness. NIST IAL2/AAL2 verification at enrollment matters more than it ever did because the surface area of what a verified human can authorize an agent to do is now vast.
Four categories. Four buyers. Four budgets. Four procurement cycles.
Microsoft and ServiceNow claimed one of them in five days. Three are still open.
The runtime plane is the one with the most immediate procurement pressure because that is where the regulators are looking.
Read the technical companion: SmartFlow Platform Overview. Full architecture and capability map.
Read the Five Eyes joint advisory: Careful Adoption of Agentic AI Services.
The Trust Fabric architectural frame: Trust Fabric on aperion.ai. Four layers of agent governance. Two distinct planes.