At GTC last week, NVIDIA unveiled OpenShell, a runtime layer for agent infrastructure with kernel-level sandboxing, a policy engine that evaluates every action at the binary and destination level, and enforcement partnerships with CrowdStrike and Palo Alto Networks embedded at four distinct points in the stack. It's a serious claim on the agent control plane. Within the same compressed window, Google and Microsoft pushed WebMCP into W3C incubation to structure how agents interact with websites, and Visa and Mastercard each advanced competing protocols for agent-initiated payments. Three layers of the agent stack, each now claimed. Worth looking at what each layer's governance actually covers, and where the seams fall between them.

Three definitions of "correct"

OpenShell is explicitly scoped. NVIDIA's own VP of generative AI software describes it as addressing the tension between agent autonomy and enterprise control "at the infrastructure level rather than the application level." Futurum Research analysts urged enterprises not to treat it as a complete governance solution. If an agent tries to execute an unreviewed binary or route sensitive data to an unauthorized model, the policy engine blocks it. Whether the agent's completed task matches what the user intended is outside its remit.

WebMCP approaches the problem from the opposite direction. It narrows what an agent can see. Websites expose specific functions with defined schemas instead of leaving agents to scrape HTML or interpret screenshots. Going from "the model can see and do anything a user can" to "the model can call these specific functions" is a meaningful reduction in chaos. But the spec governs the interface: did the agent call the right function with valid parameters? The user's actual intent remains on the other side of that boundary.

The payment protocols add a third frame. Visa's Trusted Agent Protocol and Mastercard's Agentic Tokens each cryptographically verify that an agent-initiated transaction carries genuine commerce intent and valid consumer authorization. Liability when an authorized agent books the wrong hotel room? Still open. As a Visa executive has acknowledged publicly: you almost have to assume mistakes will happen.

The seam

Visa's own materials sketch a scenario where a consumer asks an agent to "plan a weekend in Kuala Lumpur." The agent researches options, processes payment, transacts on the network. The description calls for "seamless handoffs between platforms while maintaining security and transparency." That sentence trails right into the gap. The runtime confirms the agent stayed within policy. The website confirms the agent called the right tools. The payment network confirms the transaction was authenticated. All three dashboards are green. The hotel is booked for the wrong dates.

The reason this feels structural: each layer's governance scope is rational given the competitive dynamics. NVIDIA has no incentive to own outcome verification for web interactions it doesn't control. Google has no incentive to extend WebMCP into payment liability. Visa has no incentive to govern agent runtime behavior. Each player is solving the governance problem they can own, and the outcome question that spans all three belongs to none of them.

As O'Reilly Radar observed:

The protocols are solid. What connects them organizationally hasn't been written yet. And the platform competition building each layer so quickly may be the same force that keeps the space between them permanently unowned.