AI
Agents Need a Deterministic Control Plane
Every agentic system has two layers. The reasoning layer interprets intent probabilistically. The control plane handles governance, authentication, business logic, and state mutations deterministically. The reasoning layer may fail. The control plane must be correct every single time. A wrong charge or a bad prescription has real consequences. The industry builds agents faster than governance keeps up. The control plane closes that gap.
Governed Operations Wrap What Protocols Leave Out
MCP and other agentic protocols are thin by design. They handle specific reasoning-layer concerns. Enterprise requirements like authentication, authorization, and compliance sit outside the protocol. Regulated industries need even more protection. Turner said not to force authentication into places it was not designed for. The control plane must own all creates, writes, and deletes. The reasoning layer should never get direct access to state it could destroy.
Intent-Based Communication Hides Implementation from LLMs
Tool calls should express intent, not leak implementation details. Exposing raw API surfaces swamps LLM context with complexity. Abstracting the API chain behind a single intent call leaves more tokens for reasoning. It also shrinks the exfiltration surface. The reasoning layer does not need to know which system it talks to or the 17 underlying APIs. Bounded access applies least privilege for the agentic era. A prompt-injected agent hits a minimized blast radius.
Safe Retries and Recovery Contracts Handle Probabilistic Callers
Probabilistic callers cannot distinguish first calls from retries. Idempotency keys alone may not deduplicate correctly. Recovery contracts must tell the caller whether retrying is safe instead of returning a static error code. Structural observability captures what happened, what intent was called, and which system responded. LLMs cannot be trusted to report their own actions truthfully. Observability must come from the deterministic layer, not from asking the model.
Seven Factors Framework Is Open for Contribution
Workato published the framework at workato.com/7factors with white papers released at the talk. The seven factors are governed operations, deterministic mutations, intent-based communication, bounded access, safe retries, recovery contracts, and structural observability. Seligman and Turner invited the industry to contribute an eighth factor. The open-source Dewey Resort application demonstrates these patterns in practice for developers to study.
Notable Quotes
that probabilistic layer may or may not do things correctly, as we’ve talked about. But the control plane needs to be correct every single time because in business there are consequences Zayne Turner · ▶ Watch (2:24)
the protocols themselves, things like MCP or as we’re seeing people talking about skills MD, agents MD, these agentic protocols, they’re thin by design Adam Seligman · ▶ Watch (4:06)
Don’t try to put it in a place where it doesn’t belong, forcing authentication into a place where it wasn’t designed to handle it Zayne Turner · ▶ Watch (4:43)
Even if you ask it to tell you what it did, you’re not guaranteed to get a truthful answer Adam Seligman · ▶ Watch (9:14)
Key Takeaways
- Agents need a deterministic control plane that owns governance, authentication, and state mutations.
- Intent-based communication hides implementation from LLMs, reducing context pressure and exfiltration risk.
- Workato’s seven-factor framework is open for industry contribution at workato.com/7factors.
About the Speaker(s)
Adam Seligman is CTO of Workato, the enterprise MCP company and the leader in orchestration. He is ex-AWS, Google, Salesforce, Heroku, and Microsoft. He is passionate about developers and empowering anyone to make software.