Deployment is fast. Governance is slow. When these two timelines diverge, the gap accumulates quietly until it becomes the constraint.
McKinsey's October survey found 80% of enterprises already use agents, with 96% planning expansion—yet lack of governance tools topped the list of barriers.
We're watching this pattern emerge now with AI agents. McKinsey's October survey found that 80% of enterprises already use agents in some capacity, with 96% planning expansion. Yet when asked about barriers, lack of governance tools topped the list. Organizations are moving forward while acknowledging they don't have the controls in place.
This creates a predictable tension. Spinning up agents is straightforward—point them at a task, watch them execute. Building audit trails, access controls, and observability across systems is careful, methodical work that doesn't compress well. Deployment outpaces the infrastructure to manage it safely.
Why this matters: when a pricing agent makes 10,000 decisions overnight and one triggers a compliance flag, can you reconstruct its reasoning? If the answer involves checking logs across three systems and hoping you captured the right data, you have a problem. When an agent accesses customer records to complete a workflow, can you show exactly what it touched and why? Retrofitting observability onto systems already running in production is harder than designing it in from the start. Much harder.
Keycard Labs' $38 million Series A this month signals that investors see this gap widening. The company is building security and governance infrastructure specifically for AI agents. The funding size suggests conviction that enterprises will need to retrofit controls at scale, and soon. More telling: they're betting enterprises will pay for third-party solutions rather than build this themselves—a signal that governance is becoming a category, not a feature.
As agent deployments move from pilot projects to production systems handling sensitive operations, the governance gap shifts from strategic concern to operational blocker. Teams planning aggressive expansion discover they need to build control infrastructure before scaling further. The question changes from "can we deploy this?" to "can we answer basic questions about what it did?"
Think of it like technical debt, but with different stakes. Technical debt slows development velocity. Governance debt affects whether you can pass an audit, demonstrate compliance, or explain an agent's decision when something goes wrong. The cost of addressing it later compounds differently. It's not just slower, it's riskier.
We think enterprises currently planning rapid expansion need to factor in governance infrastructure time now, not as future work. The window for building this while maintaining momentum is open. How long it stays open depends on how quickly "we can't answer that" becomes operationally untenable. Organizations that treat governance as deployment infrastructure will scale. Those that don't will hit a wall when the first audit question they can't answer becomes the blocker.
The velocity mismatch is creating the constraint. The next few months will show which organizations saw it coming.
Things to follow up on...
-
McKinsey's full survey: The October 2025 State of AI report provides broader context on enterprise AI adoption patterns beyond just the governance barrier data.
-
Keycard Labs' approach: The company's Series A announcement offers insight into how investors are thinking about the agent governance market opportunity and timing.
-
Governance infrastructure categories: Understanding what "governance tools" actually encompasses—audit trails, access controls, observability systems—helps clarify what enterprises are missing as they scale agent deployments.