For a person, the egress firewall is infrastructure. You rarely notice it, and when you do, it is someone else’s job. For an agent, where it is allowed to connect is part of its authority. An agent that discovers the systems it needs while it works is bounded not only by the token it holds but by the destinations its runtime will let it reach. The allowlist that decides where the agent may go is deciding what the agent may do.

That reframes egress from plumbing into policy. And once reachability is policy, it becomes a control point. Whoever controls an agent’s reachability controls which ecosystems the agent, and the enterprise behind it, can participate in. That is a larger claim than “firewalls block things.” It is a claim about market structure.

Network Policy Is Authorization

I argued the mechanics of this in A Blocked Agent Is a Captive Client. An agent runtime routes outbound traffic through an egress proxy that enforces a destination allowlist. When the agent tries to reach something not on the list, it gets an opaque failure, and the proxy is acting as a policy enforcement point whether or not anyone calls it one. As agents discover APIs at runtime rather than shipping with a fixed set, that enforcement point stops being a static safety rail and becomes a live authorization decision made on every hop.

Three kinds of block hide behind the same failure. A security block says the destination is not trusted. A governance block says this task was not approved for it. Both are requestable: an approver can say yes, and the recovery mechanism in the earlier post lets the agent ask. The third kind is different. A platform block says the enterprise would allow the destination, but the runtime only routes to its own vendor’s ecosystem. There is no approver who can grant it, because it is not a policy anyone can re-evaluate. It is the shape of the runtime. That third block is the one worth talking about, because it is not security and not governance. It is lock-in.

The Reachable Graph Is the New Perimeter

For most of the history of access control, the perimeter was the credential. Hold the right token and you were in, lack it and you were out. Agents move the boundary. An agent can hold a valid token and an approved mission and still do nothing, because the systems it needs are unreachable. The practical boundary of its authority is no longer the token. It is the set of destinations it can actually reach.

The new perimeter is not the credential. It is the reachable graph. An agent is only as autonomous as the destinations it is allowed to discover, and whoever draws that graph draws the limits of what the agent can be.

Portability Is What Makes an Ecosystem Competitive

Every open ecosystem that produced real competition did it by making the participants portable. Email federated, so no single provider owned your ability to send mail. The web standardized on open protocols, so a page worked in any browser. Identity portability, through SAML and later OpenID Connect and federation, created genuine competition among identity providers, because an enterprise could change providers without rebuilding every integration. Portability is the thing that keeps a market open. Take it away and switching cost does the work of a monopoly without anyone having to forbid competition.

Agents are heading for the same test. Agent portability, the ability to run the agent you choose against the systems you already use, is what will create competition among agent providers. And the quiet way to prevent it is not to forbid switching. It is to make the alternative unreachable. A platform does not have to lock you in with contracts if the agent it runs can only connect to endpoints it approves. The enterprise still owns its data and its other vendors. The agent just cannot get there.

The Multi-Vendor Reality Makes This Concrete

No serious enterprise runs on one vendor. The CRM is at one company, contracts live in Box, signatures happen in DocuSign, procurement data sits in Coupa, and HR is in Workday. An agent that is genuinely useful has to cross all of them, and the enterprise has authorized exactly that.

Now run that agent on a platform whose runtime egress only permits its own ecosystem’s endpoints. The agent discovers it needs the contract in Box and cannot reach it. It needs a signature in DocuSign and cannot reach it. Every one of those blocks is a platform block. The enterprise approved the destination. The runtime will not route to it. The enterprise has a captive client, and it may not even realize the constraint is architectural rather than a policy it can change.

OAuth Already Chose the Open Answer

This is not a new fork in the road. OAuth faced it and chose openness deliberately. An OAuth client can talk to many resource servers. Nobody designing OAuth expected a client that may only call APIs owned by a single vendor, because the whole point was to let a client act across the resources a user authorized, wherever they lived. Runtime connectivity controls can now produce the outcome OAuth was designed to avoid, not by changing the protocol but by deciding, below it, where the client is allowed to go.

The answer is the same one every open ecosystem eventually reached: portable, policy-governed connectivity. The enterprise, not the platform, should decide what an agent may reach. Governance should travel with the agent regardless of who built it. And a block should be a requestable denial the enterprise can widen, not a wall the vendor will not move.

The Three-Layer Story

It helps to see where reachability sits relative to the rest of the stack.

  • OAuth solved delegated access, assuming the destination was already known. It answers whether this client may call this resource.
  • Mission governs what authority survives runtime discovery, so a task approved once stays bounded as the agent finds new systems. It answers whether this work may do this.
  • Reachability governs whether discovery is even possible. It answers whether the agent can get to the system at all.

The first two do not matter if the third is closed. A perfectly delegated, perfectly mission-bound agent is still captive if its runtime will not route beyond one vendor’s walls. Reachability is the layer that decides whether the other two ever get a chance to apply.

The Practical Boundary

Reachability is becoming a competitive control point for agent ecosystems, and most enterprises are not looking at it that way yet. They evaluate an agent platform on its model, its tools, and its price, and treat egress as a security setting. The question they are not asking is who controls the reachable graph, and whether the agent they are buying can reach the systems they already run.

An enterprise that lets a platform own its agents’ reachability has chosen a captive client, whatever the contract says. The alternative is portable, policy-governed connectivity, where reachability is the enterprise’s decision, blocks are requestable, and no vendor’s runtime gets to draw the limits of what the enterprise’s agents can do. That is the same move email, the web, and OAuth all made. Agents will make it too, or they will not be open.