Workloft
▸ WORKLOFT RESEARCH NOTE №33 · 14 JUNE 2026

The Control Plane Was Always the Hard Part

WebMCP and agent-ready platforms move the contest from model quality to who governs tool access, context, and the audit trail

By Alfred Churchill · Workloft Labs · ~1,053 words · 5 min read
REG FIT ●●● · STRONG · APPLIES TO FCA SS1/23 §MRM, ICO AI GUIDANCE §11, UK GDPR ART.5(1)(c), EU AI ACT ART.12

§1The interesting bit is not the tools, it is who holds the keys

The Art of CTO piece on agent-ready platforms makes a claim that is easy to nod along to and easy to misread: standardised tools, governed context, and auditable execution are becoming the new control plane. WebMCP gets named as the connective tissue. The framing most people will take away is "great, tool integration is getting easier, we can plug agents into more things faster". That is the spectacle. The substrate question underneath is sharper and less comfortable: once tools are standardised, the only thing left to compete on, and the only thing left to govern, is the control plane itself. And almost nobody building agent infrastructure today owns theirs.

For regulated-AI buyers, this is the whole game. A UK Local Authority does not get audited on whether its agent called the right API. It gets audited on whether it can show, after the fact, which agent called which tool, with what context, on whose authority, and whether anyone could have tampered with that record. Standardising the tool layer does not answer any of those questions. It just removes the excuse that integration was too bespoke to govern.

§2Standardisation pushes the risk up a layer, it does not remove it

Here is the move the piece gestures at but does not fully name. When tool use was bespoke (every agent wiring its own auth, its own retries, its own context assembly) the failure modes were scattered and hard to reason about, but they were also contained. One broken integration broke one thing. WebMCP and the agent-ready platform pattern collapse all of that into a shared control plane. That is genuinely better for reliability and for the build cost. It also means the control plane is now the single point where governance either happens or does not.

Think about what "governed context" actually requires in a regulated setting. The ICO's guidance on AI and data protection (the explainability and accountability material around §11) does not care that your context was assembled cleanly. It cares whether the personal data that entered an agent's context window had a lawful basis, whether it was minimised, and whether you can reconstruct the decision trail. A standardised context layer makes it possible to enforce minimisation in one place. It also makes it catastrophic if that one place is misconfigured, because every agent inherits the mistake at once.

The same logic runs through "auditable execution". An audit log that the executing agent writes about itself is not an audit log; it is a diary. For FCA-regulated firms operating under the SS1/23 model risk management expectations, and for anyone who will eventually answer to AI Act Article 12 logging requirements, the record has to be produced by something that does not have an interest in how it reads. Producer and guardian cannot be the same component. The agent-ready platform pattern makes that separation buildable. It does not make it mandatory, and the piece is quiet on whether the platforms enforcing it are the ones generating the work.

§3What this means for anyone wiring agents into a regulated stack

If you are evaluating something like WebMCP for an orchestration layer, the integration ergonomics are the easy part to assess and the wrong part to obsess over. Three questions decide whether a standardised control plane is an asset or a liability under audit.

First: who writes the execution record, and can the agent that performed the action edit, suppress, or backdate it? If the answer is anything other than "a separate component the agent cannot reach", you have a diary, not a log. Second: where does context get assembled, and can you point to the single enforcement point where data minimisation and lawful-basis checks run before anything reaches a model? A standardised context layer is only governable if there is exactly one door. Third: when a tool call fails or behaves unexpectedly, does the control plane record the attempt and the decision, or only the successful outcome? Regulators care about the decisions you did not take and the actions that were blocked at least as much as the ones that went through.

The reason this matters now, rather than in eighteen months, is that standardisation creates lock-in fast. The moment a platform owns your tool definitions, your context assembly, and your execution path, switching costs become governance costs. You cannot easily move to a control plane with better audit properties once a hundred agents depend on the one you have. The decision to adopt WebMCP or any agent-ready platform is, quietly, a decision about who you will be explaining yourself through when an FCA supervisor or an ICO caseworker asks for the trail.

§4What the piece does not solve

The Art of CTO article is a useful map of a real shift, but it is an industry-trend piece, not a specification. It describes the control plane as emerging; it does not tell you whose control plane, on whose infrastructure, or with what tamper-evidence guarantees. "Auditable execution" is used as a property the architecture confers, when in practice auditability is a function of where the log is written, who can write to it, and whether it is cryptographically anchored against later edits. None of that is settled by adopting WebMCP.

It is also silent on multi-tenancy and jurisdiction. A standardised control plane operated by a vendor sits somewhere, under some legal regime, with some set of people who can see the context and execution data flowing through it. For a Local Authority bound by UK GDPR and FOIA, or a healthcare body handling special-category data, the convenience of a shared control plane and the question of who else can subpoena or inspect it are the same question. The standard does not answer it. You have to.

Our read: the control plane framing is correct, and that is precisely why it should not be left to whoever happens to ship the most convenient tooling. The substrate layer that regulated buyers actually need is a control plane where the producer of work and the guardian of the record are structurally separate, the audit log is tamper-evident, and context enforcement has exactly one configurable door. Standardisation makes that achievable. It does not make it the default, and the default is what most teams will ship.

Methodology note. This Note takes The Art of CTO's agent-ready platforms piece as a trend signal rather than a research result, because the control-plane framing maps directly onto a live substrate decision (evaluating WebMCP for OpenClaw/Composio). Triggers: substrate-relevant (tool standardisation moves the governance contest to the execution and context layer); non-duplicative (the piece treats auditability as conferred by architecture, we argue it is a property of who writes the log); regulated-buyer link (FCA SS1/23 model risk, ICO §11 accountability, AI Act Article 12 logging). Forthcoming: a teardown of WebMCP's execution-record model against tamper-evident logging requirements.

▸ Related

Note №32 — When Agents Stop Talking: KV-Cache Communication and the Audit Hole It Opens → Note №31 — Who Is Worth 10× the Token Budget? → Note №30 — The Action Interface Is the Audit Surface → Labs API + MCP — get a free key →