Everyone’s asking which SAP process to automate next. In 2026 that’s the easy question. The hard one — the one almost nobody is budgeting for — is: who is the boss of this agent, what does it spend, and can someone stop it in the next thirty seconds?
Every SAP customer building with Joule right now is asking the wrong first question. “Which process should we automate next?” is a modelling question, and in 2026 modelling is no longer the hard part. Foundation models are commoditised, prompts are cheap to iterate, and SAP has already done the domain-grounding through its Knowledge Graph and process content. The hard question is: who owns this agent, and what happens the moment it goes rogue? Analysts have named the shift — if 2023–2025 were the years of pilots and prototypes, 2026 is the year of orchestration, governance, and scale. The organisations that fail to build governance and security in from the start are the ones that will struggle to scale. That is the whole thesis.
One agent is a model problem. A fleet is an operations problem.
A single, well-scoped SAP agent — a Joule skill that drafts a cash briefing — is forgiving. One owner, one budget line, a human reviewing every output before it ships. The moment you run a fleet — autonomous finance agents, procurement bots clearing PO exceptions, an HR agent triaging leave, a supply-chain agent rebalancing safety stock — the failure mode changes. It stops being “is the answer good?” and becomes “who approved this agent to touch this system, what did it spend doing it, and can someone halt it right now?”
The tell is in the survey data: enterprises have rushed to build the watching layer — monitoring dashboards, approval steps — while far fewer have the controlling layer: direct token/spend controls and real-time cost visibility into what agents actually consume. That gap between watching and controlling is the operations problem. It’s also why Gartner forecasts that more than 40% of agentic-AI projects will be scrapped by the end of 2027, driven by runaway cost, unclear value, and inadequate risk controls. None of those three is a model failure. All three are operations failures.
SAP’s own answer is a control plane, not a model upgrade
SAP’s architecture confirms the diagnosis. The SAP AI Agent Hub is positioned explicitly as a governance control plane — centralised visibility, lifecycle management, policy orchestration, and continuous oversight across agent fleets. It runs agents through a defined lifecycle (Proposed → Evaluated → Approved → Active → Retired) with go/no-go quality gates; it keeps an Agent & MCP registry as the single source of truth for every agent and tool-server; it ties identity and access to SAP Cloud Identity Service; and it adds real-time observability and drift detection. SAP is offering it to all Business AI Platform customers — itself a signal that SAP sees unmanaged agent sprawl as a bigger risk to the platform than any single model choice.
Execution-time enforcement sits one layer down, in the SAP-managed Joule Studio Runtime, which enforces policy and identity at the moment an agent acts — how it reasons, which tools and MCP servers it can call, what it’s permitted to do. SAP’s work with NVIDIA on the open OpenShell runtime sharpens the split: OpenShell answers “can this action safely execute” via sandboxed, policy-enforced environments; Joule Studio Runtime answers the harder “should this happen at all” with business-aware policy, enterprise identity, and auditability. Every request routes through an Agent Gateway that authenticates identity and propagates the principal before any action; agent-to-agent delegation runs over the open Agent2Agent (A2A) protocol, and every A2A hop still passes through that governed gateway. Nothing acts, and no identity is dropped, outside the governed path.
The six components of the control plane
Strip away the SAP branding and the architecture generalises to any fleet, on any platform. Six components are non-negotiable once you cross from one agent to many.
| Control-plane component | What it does | Why it fails silently without it |
|---|---|---|
| Non-human, cryptographic identity | Gives each agent a verifiable, scoped, revocable identity — not a shared service account | Machine identities already vastly outnumber human ones, and most orgs have no policy covering them |
| Reporting line / ownership | A named human accountable for the agent’s actions, budget, and outcomes | Without an owner, one incident triggers a blanket AI freeze instead of an isolated fix |
| Per-agent budget with hard spend caps | Enforces token/dollar ceilings at agent, run, and workflow level — the request path | Most enterprises have dashboards that observe spend but no controls that stop it |
| Heartbeat / scheduling | Defines when and how often an agent wakes, polls, or acts | Continuously-running agents with no scheduling discipline are a leading driver of runaway inference bills |
| Full action audit trail | Logs every tool call, decision, and system touch, tied to agent identity | A large share of deployed agents run today with no logging or oversight at all |
| Circuit breakers + kill-switch | Automated stop conditions plus a manual revocation that works in seconds | Agents are systematically overconfident about their remaining runway — self-reported “I’m fine” is a postmortem, not a control |
That last point deserves emphasis: kill-switches and circuit breakers must sit outside the agent’s own judgment, evaluated on the request path before the next action fires — the invoice posts. Waiting for an agent to flag its own trouble is not a control.
Identity is the layer everything else depends on. Static API keys and long-lived credentials create standing privilege that outlives the project; the emerging standard is short-lived, federated, cryptographically attested workload identity (SPIFFE/SPIRE-style, OAuth2 client-credentials) with continuous policy evaluation rather than one-time authentication. SAP’s reference architecture frames Agent Identity as exactly the mechanism that lets you “define and restrict how and what an agent can do,” with policy enforcement points that stop chatty agent-to-agent chatter from expanding the blast radius.
The budget line nobody draws until it’s too late
The financial case for building this before agent number two is not abstract. When governance is bolted on after deployment instead of designed in, it consumes roughly 60% of the total project budget turning a mid-scale build into an expensive retrofit, versus organisations that build identity, traceability, and cost controls in from day one at a fraction of the cost. It lines up with what SAP customers report in 2026 pulse surveys, where integration and governance now rank alongside budget as the leading barriers to enterprise-scale AI — and only a small minority say they’ve actually reached it. The pattern is consistent: the money and the risk are in the operations layer, not the model.
The organisations Gartner expects to survive the coming cancellation wave share four habits: they scope agents against measurable business outcomes, not novelty; they treat data and integration architecture as a prerequisite, not an afterthought; they build governance — audit trails, escalation paths, spend guardrails, human-in-the-loop thresholds — from day one; and they hold vendors to a real definition of “agentic” rather than accepting a rebranded chatbot. Every one of those is an operations discipline, not a modelling one.
The position: the org-chart is the architecture
Treat this as the core architectural decision, not a compliance afterthought. Every agent gets a boss, a budget, a heartbeat, an audit trail, and a kill-switch before it goes live, not after an incident forces it. This isn’t a metaphor; it’s a literal mapping of SAP’s own control plane. The Agent Hub’s lifecycle gates are the promotion-and-reporting structure. The per-agent identity in Cloud Identity Service is the badge. The FinOps spend cap is the budget. Joule Studio Runtime’s execution-time policy is the manager standing over the agent’s shoulder on every action. The A2A protocol routed through the Agent Gateway is the delegation chain — nothing skips the chain of command, even between agents.
Teams that skip this and race to a fifth or tenth agent without an org-chart aren’t moving faster; they’re accumulating operational debt that catches up with a large fraction of them by 2027. The gap between the leaders scaling multi-agent orchestration and everyone else stuck in pilots is not the model — it’s the scaffolding around it.
Practitioner takeaway: the checklist before agent number two
Deploying one agent tells you nothing about whether you can run a fleet. Before standing up a second SAP agent, confirm each item is answered with a name, a number, or a working mechanism — not a policy document:
- Identity — does this agent have its own scoped, cryptographically verifiable, revocable identity, distinct from any shared service account?
- Boss — is there a named human owner accountable for its actions, spend, and exceptions, visible in the agent registry (not buried in a wiki)?
- Budget — is there a hard dollar/token cap enforced on the request path, at the agent and run level, with alerts before ~80% burn — the monthly bill review?
- Heartbeat — is the agent’s wake/poll/act cadence explicitly scheduled and bounded, not running continuously by default?
- Audit trail — does every tool call and system touch log back to this agent’s identity, queryable end to end?
- **Kill-switch> — can a human revoke access and halt in-flight actions in seconds, independent of the agent’s own self-reported status?
Skip any one and the second agent isn’t really independent — it’s an unsupervised extension of the first, and the fleet you’re building has no chain of command at all.
### Sources – SD Times — AI Agent Governance: How Enterprises Control Agentic AI in 2026: https://sdtimes.com/ai-agent-governance/ – SAP News Center — Announcing New Joule Studio for Enterprise-Scale Agentic Development: https://news.sap.com/2026/05/new-joule-studio-enterprise-scale-agentic-development/ – IgniteSAP — SAP AI Agent Hub and Agent Governance: https://ignitesap.com/sap-ai-agent-hub-and-agent-governance/ – UX4Tech — SAP’s AI Agent Hub: The Governance Layer Every Enterprise Needs Before It Has 100 Agents: https://www.ux4tech.com/blog/sap-ai-agent-hub-enterprise-governance – Bain & Company — Google Cloud Next 2026: The Agentic Enterprise Control Plane Comes into View: https://www.bain.com/insights/google_cloud_next_2026_the_agentic_enterprise_control_plane_comes_into_view/ – Lyzr — Understanding Enterprise AI Agents: The 2026 Guide to Deployment, Governance, and Scale: https://www.lyzr.ai/blog/enterprise-ai/