Updated Sat May 09 2026 08:00:00 GMT+0800 (Philippine Standard Time)

Governing AI Agents at Scale (Glean + Cvent, CXOTalk)

governance, aware-framework, ciso, cio, enterprise-ai, agent-identity, observability, glean, cvent

CIO Pradeep Mannakkara and CISO Ben Mayrides of Cvent (~5,500 employees, 6,000+ agents in production) on how they govern at scale using the AWARE Framework developed by Glean's Work AI Institute with Databricks and Palo Alto Networks. Practical CIO/CISO partnership playbook, recorded at a Glean event in NYC.

Key claims

  • Traditional security architectures break in agentic systems. They were built for deterministic systems. Agents reason, plan, and delegate — existing IAM controls aren't architected for that. Same for observability: agent reasoning is opaque, hard to reconstruct for compliance (EU AI Act) or incident response.
  • The AWARE Framework (5 pillars): identity, context, guardrails, risk scoring & blocking, ecosystem observability. Designed as a technical control structure — fills the gap left by organizational frameworks like the EU AI Act and NIST RMF, which don't go deep enough into agent-architecture specifics.
  • 6,000 agents at Cvent — by deliberate design. They encouraged sprawl initially to build AI fluency. "We knew this was going to be a hot mess, but the purpose was different — get people interacting." Moderation and metrics layered in over a 3–4 month window via Glean. Of the 6,000 created, ~1,300 are actively used.
  • "Risk is too high for now." Never just "no" — always with a reason and a time horizon. Real example in the talk: Cvent declined to deploy Anthropic Claude Co-work in regulated environments — "risk is too high for now."
  • Agent identity is incredibly context-dependent. Same agent reading a Salesforce record to summarize for a salesperson vs reading and writing back to another resource = completely different scope, completely different risk profile. Identity must be evaluated per task.
  • CIO/CISO collaboration recipe: shared framework + shared questions = move the CISO from gatekeeper to business partner. "If we can answer these five questions and we agree on the answers, it eliminates the 'why don't you like it?' / 'gut thing' arguments."
  • Cvent's flow for new AI ideas (filter funnel):
    1. Business person sees a vendor demo, informs IT
    2. PMO + finance gate: is there real ROI?
    3. Sandbox / test-and-learn — workspace not connected to production data
    4. Once past sandbox, security/legal/privacy review using AWARE
    5. Production deploy
    By the time security sees it, ROI has already filtered noise out.
  • Mandatory AI training for all 5,500 employees. CEO went to the first session — signal of seriousness. Foundations + literacy + security + legal modules. Different in kind from a tool rollout.
  • Choose platforms with built-in controls. Glean bought Cvent ~9 months of time by giving users self-service access to email/Slack/Box/Salesforce with fine-grained ACLs already enforced. This removed the IT bottleneck for AI Council requests.
  • Go/no-go is iterative, not one-and-done. Tech evolves, use cases evolve, delegation chains pop up. Risk process must run "at speed and at scale" — Cvent is building an internal agent task catalog (not just software catalog) that legal/privacy/security can query.
  • Predictions worth tracking:
    • SOC 2 control criteria for AI agents within 18–24 months
    • Vendor consolidation: a governance overlay that works across enterprise AI platforms (the way security overlays work today)

Cross-source resonance

  • Strongly extends Enterprise OpenClaw Playbook (Synthesis) — the AWARE framework is the canonical 5-pillar governance recipe; Cvent's playbook is the most concrete enterprise rollout case in this wiki.
  • Confirms Praveen's "be careful with third-party agents" (Agentic AI in the Enterprise (Praveen Akkiraju, CXOTalk)) — Cvent's Claude Co-work decision is exactly that calculus playing out.
  • Confirms CIO Agenda 2026 (CXOTalk) on shadow AI: encourage with guardrails, don't ban. Cvent's deliberate sprawl is the realized version of this advice.
  • Sharpens Human in the Loop: the "risk is too high for now" framing is an iterative, time-bounded version of the H-I-T-L dial.
  • Adds to Harness (LLM Agents): agent identity, observability, and risk scoring are harness components that Cvent makes explicit.

Critique / caveats

  • Single-source single-vendor framing — both Glean (whose framework this is) and Cvent (a Glean customer) are in the room. Worth corroborating before treating AWARE as industry-standard vs vendor-coalition standard.
  • "6,000 agents" is an impressive headline; "1,300 actively used" is the more honest number. Both are large.
  • 18–24 month SOC 2 prediction is testable; revisit in 2027.

Cross-links