Agents Don't Have IP. Workflows Do.

I want you to picture a specific kind of demo. The startup is eighteen months old. The CEO is on stage. The product is an “agentic AI for [some vertical].” The pitch is that the agent doesn’t just answer questions — it takes actions. It books the meeting. It files the ticket. It updates the record. It sends the message. The audience claps. There’s a Series B in the room, and three weeks later the round closes at a number that would have been remarkable five years ago and is now described as “in line with the market.”

Now picture that same product two years later. The vertical’s incumbent has shipped roughly the same agent as a feature inside the system of record those agents were calling. The startup’s API integrations work fine. The prompts have been refined further. The model behind it is better. None of this matters. The customers have moved to the incumbent’s version because the incumbent’s version is where the work already happens, and ripping out the new agent costs nothing because the new agent never owned anything that couldn’t be replaced.

This is the most common failure mode in agentic AI in 2026. It is also, importantly, the failure mode that the industry’s IP framing has actively encouraged, because the IP framing tells founders and operators that the protectable surface of an agentic product is the model weights, the system prompts, the orchestration code, the connectors, and the evaluation harnesses — when in fact none of these things, individually or collectively, are what kept any successful agentic AI business defensible.

The thing that’s defensible is the workflow. The agent is what runs inside it. And the agent without the workflow is, structurally, a feature waiting to be absorbed by the system of record that owns the workflow already.

The expanding-IP-surface argument, given its best shot

The dominant view in the agentic AI conversation right now is that agents have expanded the protectable surface beyond the model. The classic statement of this position — Mistral’s marketing materials say it; Google Cloud’s 2026 agent trends report says it; most of the major law-firm AI practices say it — is that as the AI stack has gotten more complex, the IP frame has just gotten richer. Where you used to have model weights, now you have model weights plus system prompts plus connectors plus orchestration logic plus evaluation harnesses plus reflection loops plus multi-agent coordination. Each layer is a place where work happens. Each layer is therefore a place where IP can attach.

I want to give this its strongest form, because the steelman matters for what comes next. The strongest version of the argument is not that every layer is patentable; it’s that the combination of layers, integrated for a specific domain, is genuinely valuable proprietary work. A medical-records agent that knows the right way to traverse Epic, the right way to interpret HL7 messages, the right way to chain reasoning across patient histories, with evaluation harnesses that catch the specific failure modes that matter in clinical settings — that combination represents months of skilled work by people who know the domain. The investment is real. The result is a working system that competitors cannot trivially reproduce.

I have built systems like this. I know what goes into them. I do not dismiss the labor.

But the steelman misidentifies what’s defensible about the result. The combination of layers is real proprietary work. It is not, on its own, a moat. The moat is downstream of the work — it’s whatever happens when that working system gets deployed into a workflow that customers run every day, where the system accumulates feedback signal, integrates with the data the customer was already producing, develops human-shaped habits in the people who use it, and becomes the place the work happens rather than a place the work briefly visits.

The work is what makes the agent capable. The workflow is what makes the agent defensible. The IP framing keeps people focused on the wrong half of the equation, and the half they’re focused on is the half that commoditizes fastest.

What actually makes an agent defensible

Here is the test I use when somebody tells me they’re building a defensible agentic AI business. Six yes/no checks. The score tells you, with uncomfortable specificity, whether what you’re building is a workflow moat or a prompt wrapper waiting to be eaten.

The first check is authoritative read access. Can the agent read the systems of record that matter — CRM, ERP, ticketing, file store, identity, finance — through integrations that took, and would take a competitor, six or more months to reproduce? Most agents that fail this check fail it because the founders mistook a great demo for an integrated system. The demo was real. The customer integration is a different kind of work, and it’s the kind of work that compounds into defensibility.

The second check is write or action authority. This is where the rubber meets the road on whether you have an “agent” or an “assistant.” Read-only agents are commodities; the foundation model providers are racing to make them free, and they’re winning. Agents that act — that create tickets, update records, send messages, move money, change state in the customer’s systems — are infrastructure. The asymmetry is enormous. Read-only is one model upgrade away from being a feature. Action authority requires trust the customer extended to you, plus integrations that survive across model generations because they’re integrations against the customer’s systems, not against any particular AI provider.

The third check is feedback loop closure. Does usage produce signal? When a user corrects, approves, or rejects an agent action, does that outcome flow back into the system as a measurable improvement on the next action? Or are you re-prompting from scratch every time, with the same model, with the same lack of accumulated context? The agents that compound are the ones with closed loops. The agents that don’t are running an expensive treadmill, and the treadmill speeds up every time the foundation model providers ship a new version.

The fourth check is switching cost in months, not days. If a customer decided to remove your agent tomorrow, how long would the project take? If the answer is under thirty days, you don’t own the workflow; you’re an installable feature that a competitor can replace at zero cost. If the answer is a quarter or more — because there are integrations to redo, training data to re-collect, user habits to retrain, evaluation harnesses to rebuild — you own something. The longer the answer, the more you own.

The fifth check is provider-substitution resilience, and this is where the Anthropic-Pentagon crisis of February 2026 stops being an anecdote and starts being a stress test. If the LLM provider behind your agent is blacklisted tomorrow, does the workflow keep running?

I want to be honest about the evidence here, because the temptation is to tell a story I cannot actually substantiate. There is, as of this writing, no publicly named organization whose agentic AI product demonstrably survived the February crisis intact because of gateway architecture. The public reporting documents the opposite — defense contractors scrambling for replacements, HHS staff given hours to save their work, eight other AI companies stepping in to fill the gap on classified networks, the Pentagon estimating months to fully transition. Anthropic lost its appeals court bid in April; the ban remains in effect; the operational damage is well-documented. The “we survived because we had architectural abstraction” story has not been told publicly by any specific named organization.

That absence is instructive in two directions at once. The organizations that would have had real gateway abstraction during the crisis — defense primes, intelligence-adjacent contractors, regulated enterprises — are exactly the kind of customers who do not publish case studies about how their architecture handled a procurement crisis. The silence is consistent with the story being true and intentionally unpublished. But silence is not evidence, and I am not going to tell you a story I cannot back. What I will tell you is that the architectural lesson is forward-looking, not backward-looking. The question is not “who survived February.” The question is “who is positioned to survive whatever comes next.”

This is the posture I designed into AOSentry from the start. I spent the two years before founding AOCyber exploring gateway architectures and AI tooling, watching the industry build directly against single providers as though that were a defensibility strategy, and AOSentry is the product I built in response. The product’s design starts from the assumption that any single AI provider can become unavailable to any given customer on any given day, for reasons ranging from policy decisions to commercial disputes to acquisitions to outages to regulatory actions, and that the customer’s workflow has to keep running regardless. Multi-provider routing, model aliasing, automatic failover, and provider-agnostic audit and policy enforcement aren’t features I added in response to the Anthropic crisis. They were design constraints before the crisis happened. The crisis was a confirmation of the assumption, not an inspiration for it. I cannot prove to you that any specific customer survived February better because of AOSentry. I can tell you that the next adverse event in the AI stack has not happened yet, and the customers building this kind of architecture today — through AOSentry or through equivalent in-house work — will be in a strictly stronger position when it does.

The agents that score low on substitution resilience are the ones whose value proposition is secretly “we’re a great wrapper around whichever model is most popular this quarter.” The market was not patient with that posture in February, and the next crisis will reveal it more decisively than the last one did.

The sixth check is human muscle memory. Have users built habits, shortcuts, rituals, mental models, and informal training around your agent? Have they made it part of how their team works rather than something they consult? Trained habits are the most durable switching cost in software, and they almost never show up in TCO comparisons. They show up in resistance to migration, in soft refusals to evaluate competing products, in the kind of customer love that survives a price increase. They are also, importantly, something you build with the customer over time. They are not something you ship.

A score of five or six is a workflow moat. The “AI” is the least valuable thing about what you’ve built; you’d still have a defensible product if you replaced the underlying model tomorrow with something only half as capable, because the position is the asset and the model is a tunable parameter. A score of three or four is a real product whose position is forming but not locked; you should be investing in items four through six and treating items one through three as table stakes. A score of zero through two is a prompt wrapper. It is fundable, sometimes for impressive amounts, and the right strategy for that situation is to use the funding to climb the scorecard before the foundation model providers eat the value proposition entirely.

The challengers’ opening, briefly

I want to push back on something I might have suggested in earlier essays in this series, which is the implication that workflow ownership is an incumbents’ game. It isn’t. It is open to challengers in 2026 in a way that it wasn’t open to them in any of the previous five years, and missing this is a mistake that some otherwise smart people are making.

The reason it’s open is that AI is, for the first time, dissolving the integration moats that incumbents had built. Salesforce’s moat in CRM, Workday’s moat in HR, Atlassian’s moat in ticketing — these moats were built on the assumption that switching cost from these systems was insurmountable, partly because rebuilding the integrations was painful and partly because retraining the user base was expensive. Both of those costs are coming down sharply. Agents that can read across multiple systems of record, that can absorb the workflow rather than be subordinate to it, that can train themselves on the specific patterns of the customer’s organization, can in principle reach system-of-record status faster than the incumbent can react.

This is not an automatic win for challengers. The incumbents are responding by absorbing agentic AI into their existing products at speed, and they have the home-field advantage of already having the data and the workflow. The challengers’ window is real but narrow, and it is open specifically for products that score five or six on the scorecard above. Products that score lower do not have a window at all; they have a feature that an incumbent will ship next quarter.

The path for challengers, then, is the inverse of what the IP framing suggests. Instead of trying to build a moat around the agent’s clever orchestration, build a moat around the workflow the agent runs. Take on integration depth. Take on action authority. Build feedback closures. Build switching costs that have to be paid in time, not money. Become the place the work happens, not a place the work briefly visits. The IP frame puts attention on the agent. The right frame puts attention on the workflow the agent is colonizing.

What the AOSentry architecture has shown us

I keep coming back to AOSentry — the AI gateway product I founded AOCyber to build, after two years exploring gateway architectures and AI tooling — not because it’s the only data point, but because it sits at exactly the layer where this question gets stress-tested. The product is, in part, an agentic AI infrastructure layer: it provides a unified API across model providers, hosts assistants and tool-call orchestration, integrates the Model Context Protocol for external tools, handles batch processing, and manages prompts as version-controlled organization assets. It is, in other words, exactly the kind of stack the dominant view would call “rich in IP.”

What the production deployments have shown us is that the protectable surface of this stack, when it gets deployed into a customer’s environment, is almost never the components by themselves. The unified API is not a moat — gateway architectures are well-understood. The orchestration logic is not a moat — every serious agentic-AI product has its own variant. The MCP integrations are not a moat — they’re literally a public protocol. The evaluation harnesses are not a moat — they’re catching up to a moving target.

What is a moat is what happens when these components are bound to a specific customer’s identity graph, budget hierarchy, audit log, knowledge base, and policy enforcement. The prompts are versioned against that customer’s organization. The integrations target that customer’s systems of record. The audit log accumulates that customer’s history. The PII tokenization is bound to that customer’s perimeter. The whole apparatus is configured against that customer’s reality, and reconfiguring it for someone else takes time that is measured in quarters, not weeks. The moat is the configuration depth, not the components.

This is the move available to every serious agentic AI product. The components — every component — will commoditize. The configuration depth, when it’s built honestly, doesn’t.

What to do instead of “agentic IP strategy”

The practical implications, like everything in this series, fall out cleanly once the framing shifts.

Stop talking about agentic IP strategy as though it is the locus of defensibility. It isn’t. It hasn’t been for at least eighteen months. Continue to do the legal hygiene — keep your trade-secret labeling in place on the components that qualify, sign your NDAs, contract appropriately — but stop pretending that hygiene is strategy.

Move the strategic attention to the scorecard. For each product or feature you ship, score it. Be honest about the score. The score will tell you exactly where to invest, and the investment in items four through six will outperform any investment in components-as-IP for as far as anyone can see ahead.

Be especially honest about the provider-substitution resilience check. The Anthropic-Pentagon crisis was not the last time a provider will be removed from your stack on short notice. Build, or buy, the architectural decoupling that makes that event a non-event. AOSentry is one way to do this; in-house gateways are another; certain other vendor products are another. The choice of implementation matters less than the architectural commitment.

If you’re a founder pitching VCs in 2026, lead with the scorecard. The investors who matter are already evaluating your product against this kind of test, even if they’re not using these specific words. If you can articulate why your product scores five or six, the conversation goes one way. If you can’t, the conversation goes the way that ends in the polite “we’ll keep watching” that means no.

If you’re a buyer evaluating agentic AI products, run the scorecard against every vendor in your stack. Vendors who score low are vendors whose products will, on a timeline you can almost set, be replaced by a feature in a system of record you already pay for. Plan accordingly. The vendor who scores high is a vendor whose product is becoming infrastructure for your business, and pricing them like a SaaS feature is missing the strategic reality of what you’re buying.

The line, again

The thesis is the same line as it has been since the first essay in this series, and I keep finding new angles from which it’s true.

Stop protecting. Start owning the loop.

For agentic AI, the version is sharper still. Stop treating the agent’s components as IP that can be protected. Start treating the workflow the agent inhabits as a position that can be deepened. The components will commoditize on a clock you cannot beat. The position can compound on a clock that benefits you, if you build the things — integration depth, action authority, feedback closure, provider resilience, human muscle memory — that turn an agent into infrastructure for the customer’s business.

The agent without the workflow is a prompt wrapper waiting to be eaten. The workflow with an agent inside it is a moat the foundation model providers cannot disintermediate, because what’s defensible isn’t anything they can replicate by shipping a new model.

In the next and final post in this series, I’ll close the loop by showing what all of this means for the lawsuits everyone is watching — NYT v. OpenAI, Bartz v. Anthropic, Thomson Reuters v. Ross — and why the doctrinal questions everyone is following are not the questions that actually matter for builders or buyers in 2026. The market has been telling us a different story than the courtroom, and once you can hear it, the contractual posture you’ll want to adopt for AI vendors falls out almost automatically.

Justin Donnaruma is the founder and CEO of AOCyber. He built AOSentry from scratch after two years exploring gateway architectures and AI tooling. AOSentry is an AI security gateway and governance platform that gives organizations one API across every major AI provider, with PII tokenization, immutable audit logs, and post-quantum cryptography from Day 1. If you’re building agentic AI and want to stress-test the workflow ownership case, start a conversation.