Galileo Agent Control: The Open-Source Control Plane That Governs AI Agents Across Every Framework
A Fortune 500 company's agent dropped a production database table. Not because it was hacked. Not because the model hallucinated in a spectacular, obvious way. The agent followed a chain of reasoning that seemed perfectly sound at each individual step — retrieve the schema, identify unused tables, clean up resources — and the simple guardrail that was supposed to prevent destructive operations missed the sequence entirely [1]. One autonomous decision, one dropped table, and a recovery effort that consumed an entire engineering team for a week.
This is the story that keeps circulating in every Slack channel and conference hallway where teams ship agents to production. And it keeps circulating because the failure it describes is structural, not accidental. The agent wasn't broken. The governance model was.
Individual guardrails — input validators, output filters, prompt-level safety checks — were built for a world where AI systems answered questions. Agents don't just answer questions. They reason, plan, select tools, execute actions, and chain those actions across systems. A guardrail that checks a single step in isolation cannot catch a dangerous sequence that emerges across five steps. The gap between "each step looks safe" and "the sequence is catastrophic" is where the dropped table lives.
Galileo's Agent Control, released under Apache 2.0 on March 11, 2026, exists to close that gap [1]. Not as another guardrail you bolt onto a single agent. As a control plane — a centralized policy engine that governs agent behavior across frameworks, across teams, and across your entire fleet.
Guardrails Were Never Enough
The guardrail model that most teams rely on today works like this: you identify a risk (hallucination, PII leakage, unauthorized tool calls), you write a check for that specific risk, and you embed that check into your agent's code. The check runs at inference time, catches the thing it was designed to catch, and life goes on.
The problem surfaces the moment you scale beyond a single agent built by a single team.
Team A builds a customer support agent with guardrails against PII exposure. Team B builds a data analysis agent with guardrails against SQL injection. Team C builds a procurement agent with guardrails against unauthorized purchases. Each team implements their checks differently — different libraries, different thresholds, different enforcement behaviors. When the CISO asks "what policies govern our agents across the organization?" the answer is a spreadsheet of tribal knowledge that's already out of date.
This is not a hypothetical. It is the lived reality of every organization running more than three agents in production. Policies are scattered across codebases. Enforcement is inconsistent. Updates require redeploying every agent individually. And the security team has no centralized view of what any agent is actually allowed to do.
The architectural problem is clear: guardrails are embedded, but governance must be centralized. You cannot achieve organizational control over agent behavior by distributing policy fragments across dozens of independently managed agent codebases. You need a single plane where policies are defined, a single mechanism by which they are enforced, and a single surface where compliance is observed.
What a Control Plane Actually Does
Agent Control introduces an abstraction that agent infrastructure has been missing: the policy layer [1].
Think of it the way network engineers think about a network control plane. Data flows through individual nodes, but routing decisions — which traffic goes where, what gets blocked, what gets throttled — are made centrally and pushed to every node. The nodes enforce; the control plane decides.
Agent Control works on the same principle. You write policies once, in a central location. Those policies are enforced at runtime across every agent that connects to the control plane, regardless of which framework built that agent. Strands Agents, CrewAI, LangChain, your custom Python wrapper — the control plane doesn't care [1]. It intercepts agent actions, evaluates them against the active policy set, and returns one of five decisions: deny, steer, warn, log, or allow [1].
Each decision type serves a distinct operational purpose:
Deny stops the action entirely. The agent receives a rejection and must find an alternative path. This is your hard boundary — the policy equivalent of "no, under no circumstances."
Steer redirects the agent's behavior without a hard stop. Instead of blocking the action, the control plane provides alternative instructions or constraints that guide the agent toward a compliant path. This is the nuanced middle ground between allowing everything and blocking everything — and it's where most production policies actually need to live.
Warn lets the action proceed but flags it for review. The agent continues its task; the operations team gets a notification. Useful during rollout periods when you're calibrating policy thresholds and don't yet know whether a constraint should be hard or soft.
Log records the action silently. No intervention, no notification to the agent. Pure observability. This is how you build the dataset that informs future policy decisions — you watch what agents actually do before deciding what they should be allowed to do.
Allow is the explicit pass. The action matched a policy rule and was affirmatively permitted.
This five-tier decision model matters because real-world governance is not binary. A policy that blocks every database write would cripple your data pipeline agents. A policy that allows every database write gives you the dropped-table scenario. What you need is conditional logic: allow writes to staging tables, warn on writes to production tables that match a safelist, require human approval for schema-altering operations, deny DROP statements unconditionally. Agent Control lets you express all of this in policy, not in application code.
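The conditional logic above can be pictured as an ordered rule set evaluated against each intercepted action. The announcement does not publish Agent Control's actual policy syntax, so everything below (Rule, evaluate_action, the field names) is a hypothetical sketch of the five-tier decision model, not the real API.

```python
# Hypothetical sketch of the five-tier decision model. All names here are
# invented for illustration; this is not Agent Control's actual policy syntax.
from dataclasses import dataclass
from typing import Callable

DECISIONS = ("deny", "steer", "warn", "log", "allow")

@dataclass
class Rule:
    matches: Callable[[dict], bool]  # predicate over an intercepted action
    decision: str                    # one of DECISIONS

def evaluate_action(action: dict, rules: list[Rule]) -> str:
    """Return the decision of the first matching rule, defaulting to 'log'."""
    for rule in rules:
        if rule.matches(action):
            return rule.decision
    return "log"  # observe-by-default while calibrating policies

# The database-write policy from the paragraph above, expressed as rules.
# Order matters: the unconditional DROP denial is checked first.
rules = [
    Rule(lambda a: a["tool"] == "sql" and "DROP" in a["statement"].upper(), "deny"),
    Rule(lambda a: a["tool"] == "sql" and a["target"] == "staging", "allow"),
    Rule(lambda a: a["tool"] == "sql" and a["target"] == "production", "warn"),
]

print(evaluate_action(
    {"tool": "sql", "statement": "DROP TABLE users", "target": "production"},
    rules))  # deny
print(evaluate_action(
    {"tool": "sql", "statement": "INSERT INTO t VALUES (1)", "target": "staging"},
    rules))  # allow
```

First-match semantics keep the rule set readable: the hard boundary sits at the top, the permissive cases below it, and anything unmatched falls through to pure observability.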
The Least Agency Principle
Agent Control's design philosophy maps to a concept that will define how production agents are governed for the next several years: least agency [1].
If you've worked in infrastructure security, you already know least privilege — the principle that a process should hold only the permissions it needs to perform its current task, nothing more. Least agency extends that principle into the world of autonomous reasoning systems. An agent should have only the autonomy, tool access, and action authority required for its current task. Not its maximum possible task. Not the union of everything it might ever need. The current task.
This sounds straightforward until you try to implement it. Traditional least privilege operates on static permission sets — a service account has a role, the role has permissions, the permissions are checked at call time. Agent autonomy is dynamic. The same agent might need to read a database in one step, call an API in the next, and generate a report in the third. The scope of "what this agent needs right now" changes with every reasoning step.
Agent Control addresses this by evaluating policies per action, not per session. Each tool call, each data access, each external interaction is individually checked against the active policy set. An agent that is allowed to read customer records for a support ticket is not automatically allowed to export those records to a third-party analytics service three reasoning steps later. The control plane evaluates each action in context, which means the effective permission boundary tightens and expands dynamically as the agent works.
This is what was missing from the dropped-table scenario. The agent had broad database permissions for its session. Each individual step — reading the schema, identifying tables, executing cleanup — would have passed a per-step guardrail. A control plane evaluating the full action sequence against a policy like "deny schema-altering operations on production databases without human approval" would have caught it at the final step, before the DROP statement executed.
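To make per-action evaluation concrete, here is a minimal sketch of the dropped-table scenario. The evaluate function and action shape are assumptions invented for this example; the point is that each step is checked independently, so a sequence whose early steps are benign still gets stopped at the dangerous final step.

```python
# Hypothetical per-action evaluation (not Agent Control's real API): every
# step is checked against policy individually, so early benign steps do not
# grant a free pass to the final, destructive one.

def evaluate(action: dict) -> str:
    # Policy: deny schema-altering operations on production without approval.
    destructive = {"drop_table", "alter_schema", "revoke_access"}
    if (action["op"] in destructive
            and action["env"] == "production"
            and not action.get("human_approved")):
        return "deny"
    return "allow"

# The cleanup sequence from the opening anecdote, step by step:
cleanup_sequence = [
    {"op": "read_schema", "env": "production"},
    {"op": "list_unused_tables", "env": "production"},
    {"op": "drop_table", "env": "production"},  # the dropped-table step
]

decisions = [evaluate(a) for a in cleanup_sequence]
print(decisions)  # ['allow', 'allow', 'deny']
```

The first two steps pass, exactly as a per-step guardrail would allow them to, and the DROP is denied before it executes. With human approval attached, the same final action would be allowed.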
Runtime Mitigation Without Downtime
One operational reality separates a control plane from a guardrail library: you can update policies without redeploying agents.
This matters more than it might appear. Consider the timeline of a security incident. Your monitoring detects that an agent is leaking internal pricing data through its responses. With embedded guardrails, the remediation path is: write a new check, test it, rebuild the agent container, push it through CI/CD, deploy it to production. Best case, that's an hour. Realistic case, with review and staged rollout, that's half a day. The agent leaks data the entire time.
With a control plane, the remediation path is: write a policy rule that blocks responses containing pricing data patterns, push it to the control plane. Every connected agent enforces the new policy on its next action. Minutes, not hours [1]. No rebuild. No redeploy. No downtime.
Runtime policy updates also unlock a deployment pattern that embedded guardrails cannot support: gradual policy rollout. You can deploy a new policy in log-only mode across your entire agent fleet, observe its impact on real traffic for a week, tune the thresholds based on actual data, promote it to warn mode for another week, and finally activate it as a deny rule. At every stage, the agents keep running untouched. Only the policy changes.
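The staged rollout can be sketched as a policy whose matching logic stays fixed while only its enforcement mode is promoted over time. The Policy class and enforce function below are illustrative assumptions, not Agent Control's API; the mode names mirror the decision tiers described earlier.

```python
# Illustrative sketch of gradual policy rollout: the rule never changes,
# only its enforcement mode is promoted, and no agent is redeployed at any
# stage. (Policy and enforce are hypothetical names for this example.)

class Policy:
    def __init__(self, matches, mode="log"):
        self.matches = matches
        self.mode = mode  # promoted over time: log -> warn -> deny

def enforce(policy: Policy, action: dict) -> str:
    if not policy.matches(action):
        return "allow"
    return policy.mode  # effective decision depends on rollout stage

# The pricing-leak incident from the remediation example above:
pricing_leak = Policy(lambda a: "price_list" in a.get("response", ""))

leaky_action = {"response": "internal price_list attached"}
stages = []
for mode in ("log", "warn", "deny"):  # week-by-week promotion
    pricing_leak.mode = mode
    stages.append(enforce(pricing_leak, leaky_action))
print(stages)  # ['log', 'warn', 'deny']
```

The same action produces a different effective decision at each stage, which is the whole point: you calibrate on real traffic in log mode before the rule ever blocks anything.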
Where This Fits in the Stack
Agent Control occupies a layer that didn't have a name until now. Below the application frameworks (CrewAI, Strands, LangChain) and above the infrastructure layer (containers, orchestrators, model APIs), there's the governance layer. This is where organizational policy meets agent runtime behavior.
The launch partner list signals the breadth of integration: Strands Agents (AWS), CrewAI, Glean, and Cisco AI Defense [1]. Each represents a different deployment model — open-source frameworks, enterprise search, network security — and all of them connect to the same control plane. The vendor-neutral design under Apache 2.0 licensing means the control plane doesn't lock you into Galileo's ecosystem. You can fork it, extend it, embed it in your own infrastructure, or contribute back to the community.
This positioning is deliberate. Galileo is betting that governance will become a shared layer, not a proprietary differentiator. The same way Kubernetes became the standard control plane for containers regardless of which cloud you run them on, Agent Control aims to become the standard control plane for agent policies regardless of which framework you build with.
The First Policies You Should Write
If you're running agents in production today, the gap between your current guardrails and centralized governance is measured in risk exposure, and it grows with every agent you deploy. Here's how to start closing it.
Clone the repository from https://github.com/agentcontrol/agent-control and connect it to a single agent — your highest-risk one, the one with the most tool access and the least oversight.
Start with three policies:
Policy one: deny destructive operations without human approval. Any action that deletes data, modifies schemas, or revokes access should require explicit human confirmation. This is the policy that would have saved the Fortune 500 production database. Set the decision to deny, configure a human-in-the-loop callback, and sleep better.
Policy two: steer responses that contain PII patterns. Don't block the agent entirely — steer it to redact sensitive fields before responding. This keeps the agent useful while preventing the data exposure that keeps your compliance team awake.
Policy three: log all external API calls. Before you decide what to restrict, you need to see what's actually happening. Set every external tool invocation to log mode for two weeks. The dataset you build will tell you exactly which policies to write next.
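The three starter policies could live together in a single central definition. This is a hedged sketch: the rule schema and field names are invented for illustration, but it shows the shape of one policy set governing all three concerns instead of three separate codebases.

```python
# Hypothetical central policy set for the three starter policies.
# Field names are illustrative, not Agent Control's actual schema.

STARTER_POLICIES = [
    {   # Policy one: hard stop on destructive operations
        "name": "destructive-ops-require-approval",
        "match": {"ops": ["delete_data", "alter_schema", "revoke_access"]},
        "decision": "deny",
        "on_deny": "human_in_the_loop_callback",  # approval path
    },
    {   # Policy two: keep the agent useful, redact instead of block
        "name": "pii-redaction",
        "match": {"response_patterns": ["ssn", "credit_card", "email"]},
        "decision": "steer",
        "steer_instruction": "Redact sensitive fields before responding.",
    },
    {   # Policy three: observe before restricting
        "name": "external-api-observability",
        "match": {"tool_types": ["external_api"]},
        "decision": "log",
        "review_after_days": 14,
    },
]

# Sanity check: every policy uses one of the five decision tiers.
assert all(p["decision"] in {"deny", "steer", "warn", "log", "allow"}
           for p in STARTER_POLICIES)
print([p["decision"] for p in STARTER_POLICIES])  # ['deny', 'steer', 'log']
```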
Three policies. One control plane. Every agent governed by the same rules, updated in real time, enforced consistently. That's the difference between guardrails you hope work and governance you can prove.
References
[1] Galileo AI, "Galileo Releases Open Source AI Agent Control Plane."