Something is happening in the world of AI agents, and it is moving fast.
In the last few weeks alone: Peter Steinberger’s open-source project OpenClaw went viral, got absorbed into OpenAI within weeks of launch, and sparked a global conversation about what general-purpose agents actually mean in practice. Matt Shumer published what might be the most-shared AI essay of the year so far, arguing we are in the “this seems overblown” phase of something much larger than COVID — and making a compelling case that we are past the point of debate. Dario Amodei wrote a long and sober reflection on AI’s adolescence, drawing an analogy to a teenager who is suddenly enormously capable but whose judgment and self-regulation haven’t quite caught up. And services like RentAHuman.ai are appearing — a marketplace where AI agents hire humans for physical-world tasks they cannot perform themselves. The tagline is blunt: “Robots need your body.” Humans list their skills and hourly rates; agents book them via API. It is early, scrappy, and partly absurd — but it is also a signal. When agents start autonomously hiring people, managing task execution, and issuing payment, the question of who is responsible for what they do becomes genuinely urgent.
In our own work on AI Agents at Work (theaiagentbook.com), we have been tracking this trajectory carefully. The question we keep returning to is not whether agents will become central to enterprise workflows — that is already settled. The question is: on what terms?
The fundamental tension OpenClaw made visible
OpenClaw is worth spending a moment on, because it illustrated something important with unusual clarity.
The project is a general-purpose, always-on personal AI agent. It runs on your machine. It connects to WhatsApp, Telegram, Gmail, your calendar, your files, your browser. It can write its own skills and extend its own capabilities. It has persistent memory. It runs 24/7. The community reception was extraordinary — people described it as “the first time I’ve felt like I’m living in the future since the launch of ChatGPT.” Someone gave their OpenClaw a credit card. Another user noted their agent “accidentally started a fight with Lemonade Insurance.” A third described watching their agent open the Google Cloud Console, configure OAuth, and provision its own API key — without being asked to do so.
That last one should make any enterprise security officer sit up straight.
OpenClaw represents one extreme of a spectrum: maximum power, maximum access, maximum autonomy. The results are genuinely impressive. The vision it paints of the future — where an agent manages your inbox, books your flights, runs your code, coordinates your other agents — is compelling and, in many ways, already real. It exists now. Steinberger was explicit that security concerns were consciously deprioritized in favor of capability. “The claw is the law,” the tagline goes. The community loved it.
OpenAI loved it too. Within weeks of going viral, Steinberger announced he was joining OpenAI to bring agents to everyone. The project moves to a foundation, stays open source, and Steinberger gets access to frontier models and research to continue his vision at much larger scale.
The fact that OpenAI absorbed this project is not just a talent acquisition story. It is a signal about where the industry thinks agents are going — and how fast.
Two failure modes, one spectrum
The OpenClaw story crystallizes a tension that everyone building or deploying agents is quietly navigating.
On one end: general-purpose, always-on agents with broad access to systems, data, and tools. These are maximally powerful. They are also, by design, operating with minimal constraints. The agent that books your flights can also send emails in your name. The agent that reads your contracts can also exfiltrate them. The agent that extends its own capabilities by writing new skills can extend them in ways you did not anticipate. These are not hypothetical risks — they are documented behaviors in current systems.
On the other end: narrow, task-specific agents with tightly scoped access. These are much safer to deploy. They are also far less useful. An agent that can only read your CRM and nothing else will never surprise you. It will also never do 80% of the interesting work.
Enterprises are currently navigating this spectrum without any real infrastructure to help them. The typical approach is to try to make agents narrow enough to feel safe, then gradually expand scope, and hope that nothing goes wrong at the boundaries. That is not a compliance posture. It is an optimistic bet.
Why “just put it in the prompt” doesn’t work
When organizations start thinking about agent governance, the first instinct is usually to address it at the prompt level. “You should never send an email on behalf of the user without explicit confirmation.” “You should not access data outside folder X.” “You should not make purchases above €500.”
This is understandable and almost entirely ineffective as a security or compliance mechanism.
Prompts are instructions, not enforcement. An agent that is told not to send emails can still send emails if the underlying tool access permits it, if a sufficiently complex multi-step task involves email as an intermediate step, or if a future model version interprets the instruction slightly differently. Prompt-level governance is the equivalent of writing “please don’t speed” on a car’s dashboard and calling it a safety feature.
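The difference between instruction and enforcement can be made concrete. In the sketch below — a hypothetical gateway, not any real framework's API — the agent can ask for any tool it likes, but a check at the tool boundary decides what actually executes, regardless of what the prompt says:

```python
# Minimal sketch of tool-boundary enforcement. All names here
# (ToolGateway, PolicyViolation, send_email) are illustrative inventions.

class PolicyViolation(Exception):
    pass


class ToolGateway:
    """Executes tool calls only if policy allows; the prompt is irrelevant here."""

    def __init__(self, allowed_tools):
        self.allowed_tools = set(allowed_tools)

    def call(self, tool_name, fn, *args, **kwargs):
        if tool_name not in self.allowed_tools:
            # The agent may *request* anything; the gateway decides what runs.
            raise PolicyViolation(f"tool '{tool_name}' is not permitted")
        return fn(*args, **kwargs)


def send_email(to, body):
    return f"sent to {to}"


gateway = ToolGateway(allowed_tools={"read_crm"})

try:
    gateway.call("send_email", send_email, "ceo@example.com", "hi")
except PolicyViolation as exc:
    print("blocked:", exc)
```

A prompt-level rule disappears the moment a model interprets it differently; the gateway's allowlist does not, because it is evaluated in code on every call.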
The next instinct is to address it at the documentation level — governance frameworks, AI principles, implementation guidelines. This is important for organizational accountability and risk management. But documentation does not reach into the runtime behavior of an agent executing a task at 2am on a Tuesday. It describes how agents should behave. It does not verify that they do.
What is missing is something that operates at the right level of the stack: between every step an agent takes when executing a task.
The orchestration layer enterprises are missing
This is what Kyvvu is built to address.
The core insight is simple: an agent executing a multi-step task is, at every step, proposing an action. Before that action is taken — before the email is sent, before the file is written, before the API is called — there is a moment where a policy can be evaluated. “Am I allowed to carry out this next step?” That moment is where compliance infrastructure belongs.
Kyvvu sits at that layer. Not at the model level. Not at the documentation level. At the runtime orchestration level, in between each step, before each action is committed.
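In pseudocode terms, the shape of that layer is a check between each proposed action and its execution. The following is a minimal sketch of the idea — the types, verdicts, and the €500 threshold are invented for illustration, not Kyvvu's actual API:

```python
# Illustrative sketch of step-level policy evaluation between agent actions.
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REVIEW = "review"  # pause and route to a human for approval


@dataclass
class ProposedAction:
    tool: str
    params: dict


def evaluate(action, policies):
    """Ask 'am I allowed to carry out this next step?' before committing it."""
    for policy in policies:
        verdict = policy(action)
        if verdict is not Verdict.ALLOW:
            return verdict
    return Verdict.ALLOW


def spend_limit(action):
    # Hypothetical rule: purchases above EUR 500 require human review.
    if action.tool == "make_purchase" and action.params.get("amount_eur", 0) > 500:
        return Verdict.REVIEW
    return Verdict.ALLOW


policies = [spend_limit]
step = ProposedAction(tool="make_purchase", params={"amount_eur": 900})
verdict = evaluate(step, policies)  # a EUR 900 purchase trips the review threshold
assert verdict is Verdict.REVIEW
```

The key design property: the agent never executes an action directly; it only ever proposes one, and the evaluation happens before the action is committed.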
This enables three things that enterprise deployments actually need:
- Cross-platform monitoring. Enterprises are not running a single agent on a single platform. They are running Copilot agents, LangChain pipelines, custom-built orchestrations, third-party tools — often simultaneously. A compliance layer that only works for one platform is not a compliance layer; it is a feature. Kyvvu monitors agent behavior across platforms using a consistent policy framework.
- Flexible, updatable policies — including EU AI Act coverage. The policies that govern agent behavior need to be manageable, auditable, and changeable without redeploying the underlying agents. Kyvvu’s policy engine separates policy from implementation. A CISO can update a policy; the agent picks it up at the next step. The policy set includes coverage for EU AI Act requirements out of the box, but is extensible for organization-specific rules, sector-specific regulations, and use-case-specific constraints.
- Direct intervention in agent behavior. When a policy is violated — or when an action falls into a category that requires human review — Kyvvu can block, pause, or redirect the agent before the action is taken. This is not retrospective logging. It is real-time governance.
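Separating policy from implementation is what makes the second point work. A hedged sketch of the idea, with an invented schema and invented tool names: policies live as data in a store the agent consults at each step, so an update takes effect on the very next action without touching the agent's code.

```python
# Policy-as-data sketch (illustrative schema, not Kyvvu's actual format).
# Rules are keyed by tool name; unlisted tools default to "allow".
POLICY_STORE = {
    "email.send": {"action": "review"},   # human approval required
    "file.delete": {"action": "block"},   # never permitted
}


def decide(tool_name):
    """Look up the current rule for a tool at the moment of the step."""
    rule = POLICY_STORE.get(tool_name, {"action": "allow"})
    return rule["action"]


assert decide("email.send") == "review"

# A CISO-style update: tighten the rule. No redeploy; the agent's
# very next step reads the new value.
POLICY_STORE["email.send"] = {"action": "block"}
assert decide("email.send") == "block"
```

In a real deployment the store would be a versioned, audited service rather than a dict, but the property being sketched is the same: the agent reads policy at runtime instead of baking it in.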
Why OpenClaw joining OpenAI makes this more urgent, not less
Some people will read the OpenClaw story and conclude that the trajectory is toward more powerful, less constrained agents, and that compliance infrastructure is swimming against the tide.
We think the opposite is true.
The more capable agents become, the more access they are granted, and the more autonomously they operate — the more critical it is to have a layer that can evaluate, constrain, and audit their behavior in real time. The vision of a general-purpose agent that manages your calendar, writes your code, sends your emails, and provisions its own API keys is compelling precisely because it is powerful. And powerful things that operate autonomously in regulated environments, with access to sensitive data and external systems, are exactly what the EU AI Act is designed to address.
Amodei’s framing of AI’s “adolescence” is apt here. The teenager analogy is useful not because it implies we should slow things down, but because it implies we need the right kind of structure. Not a cage. Not a prompt. An actual governance layer — one that can operate at the speed and scale of the agents it governs.
The question for enterprises is not whether to deploy agents. That ship has sailed, and the ROI case is too strong to resist. The question is how to deploy them in a way that keeps risk manageable, audit trails complete, and regulatory posture defensible.
An agent that manages your inbox, books your flights, provisions its own API keys, and coordinates ten other agents — that exists now. The compliance infrastructure that governs it, that sits between every step it takes and asks “am I actually allowed to do this?” — that also exists now.
There is no longer an excuse to deploy one without the other.
Kyvvu provides runtime compliance infrastructure for AI agents. We are currently running pilots with enterprise clients in financial services and healthcare. If you are navigating agent deployment in a regulated environment, we would be glad to share what we are learning.
*→ kyvvu.com · More on AI agents at work: aiagentsatwork.com*