You're Running 7 AI Models. Nobody Built the Plumbing.
F5's 2026 SOAS report says 78% of enterprises now run AI inference and 72% have no control plane. See the governance fix to make this week.
F5 released its 2026 State of Application Strategy Report this week, and the headline number is the one most enterprise AI strategy decks still won’t admit. 78% of enterprises now run AI inference as a core operation. The average enterprise operates or evaluates seven AI models simultaneously. And 72% of them have no single point where routing, fallback, and policy controls are managed.
Three out of four enterprises with production AI workloads are running them without a control plane.
The 2026 SOAS report pulled responses from over 1,000 IT and security leaders globally. The picture it paints is the one I’ve been watching land inside client conversations for the last six months. AI isn’t a pilot anymore. It’s plumbing. And most enterprises wired the plumbing without an inspection.
Quick Verdict
| The Finding | What It Means for You |
|---|---|
| 78% of enterprises run their own AI inference as a core op | AI is now production infrastructure, not an experiment |
| Avg enterprise operates or evaluates 7 AI models simultaneously | The single-vendor AI strategy is already extinct in the field |
| 72% have no single management point for routing, fallback, policy | The cost isn’t the models. It’s the missing governance layer beneath them |
| Only 8% rely exclusively on public AI services | Multi-model portfolios are the default, not the exception |
| 88% have faced AI-related security challenges in production | The attack surface scales with every model added |
| 98% are preparing for agentic AI | The next 12 months compound the control problem, not solve it |
| 93% operate across multiple clouds, 86% hybrid multicloud | Inference complexity multiplies with each environment |
| Your real lever this week | Map your current AI model inventory, then decide who owns the routing layer |
The Real Cost Isn’t the Models
Two years of enterprise AI procurement focused on the wrong line item. Vendor selection. Token cost. Context window size. Benchmark scores on MMLU and HumanEval. The decks were full of model-vs-model spreadsheets.
What the F5 data makes clear is that the model bill isn’t where the pain is showing up. The pain is below the model. It’s in the routing layer that decides which model gets which request. It’s in the fallback path when the primary model 429s or hallucinates. It’s in the policy enforcement that prevents your customer-support agent from citing a competitor’s pricing. It’s in the audit log that proves to your auditor that the legal review agent didn’t exfiltrate a contract clause through a third-party API.
That layer has a name: the control plane. And 72% of enterprises don’t have one.
The reason most enterprises don’t have one is that nobody sold them one in 2024. The procurement question was “which model do we license,” and the answer was a single vendor contract, a SOC 2 report, and a budget line. Then the second model showed up because the data team needed something cheaper for batch summarization. Then the third model showed up because legal needed an on-prem option for contract review. Then the fourth, fifth, sixth, and seventh, each through a different requisition, each with a different SDK, each with a different observability story.
Now you’re running seven models, and the question is no longer “which model.” The question is “who controls the traffic between them, and what happens when one of them goes down.”
What is an AI control plane and why do enterprises need one?
An AI control plane is the governance and routing layer that sits between your applications and the underlying AI models, providing a single point to manage which model serves which request, how requests fail over when a model is unavailable, what data is allowed to leave the perimeter, what costs are incurred per workload, and what audit evidence is captured for compliance. It does for AI inference what an API gateway did for microservices a decade ago.
Five practical capabilities the control plane has to deliver:
- Routing. Direct each request to the right model based on cost, latency, capability, and policy.
- Fallback. Automatically retry on a secondary model when the primary fails, rate-limits, or returns garbage.
- Policy enforcement. Apply data-loss prevention, PII redaction, and tenant isolation at the platform tier.
- Cost governance. Cap spend per app, team, or model, and surface unit economics in real time.
- Audit and observability. Log every request, response, and decision in a form an auditor can read.
If you can’t point to one system inside your stack that does all five of those things across every model your business uses, you have a control plane gap. The F5 data says you have plenty of company.
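A minimal sketch of those five capabilities in one place, added here as an illustration and not taken from F5 or any vendor's product. The backend names, flat per-call prices in cents, and the email regex standing in for a real DLP engine are constructed assumptions.

```python
import re
import time
from dataclasses import dataclass, field
from typing import Callable

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")  # stand-in for a real DLP/PII engine

class ModelUnavailable(Exception): pass  # raised by an adapter on 429, timeout or outage

@dataclass
class Backend:
    name: str
    cost: int                      # constructed flat price per call, in cents
    call: Callable[[str], str]     # hypothetical adapter: prompt -> completion

@dataclass
class ControlPlane:
    routes: dict                   # workload -> [Backend, ...], primary first
    budgets: dict                  # team -> remaining cents
    audit: list = field(default_factory=list)

    def handle(self, team: str, workload: str, prompt: str):
        clean = EMAIL.sub("[REDACTED_EMAIL]", prompt)    # policy runs before any egress
        rec = {"ts": time.time(), "team": team, "workload": workload,
               "redacted": clean != prompt, "attempts": [], "decision": "denied"}
        self.audit.append(rec)                           # denied requests are logged too
        for b in self.routes.get(workload, []):          # routing: ordered candidates
            if self.budgets.get(team, 0) < b.cost:       # cost governance: hard cap
                rec["attempts"].append((b.name, "over_budget"))
                continue
            try:
                text = b.call(clean)
            except ModelUnavailable:                     # fallback: try the next model
                rec["attempts"].append((b.name, "unavailable"))
                continue
            self.budgets[team] -= b.cost
            rec["attempts"].append((b.name, "ok"))
            rec["decision"] = b.name
            return text
        return None                                      # fail closed: nothing served it

def always_429(prompt: str) -> str:
    raise ModelUnavailable("429 Too Many Requests")

def demo():
    chain = [Backend("frontier-a", 5, always_429), Backend("midtier-b", 3, "echo:{}".format)]
    plane = ControlPlane({"support": chain}, {"cx": 6})
    prompts = ("Refund for jane@example.com?", "Status?", "Again?")
    return [plane.handle("cx", "support", p) for p in prompts], plane.audit
```

The audit records show why each request landed where it did: the first falls back because the primary is rate-limited, the second skips the primary on budget, and the third is denied outright.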
Why 7 Models Is the New Normal
The single-vendor AI strategy made sense in 2024. There were two or three frontier models worth running, and one of them dominated each workload class. By 2026, that has flipped. Frontier capability commoditized across Anthropic, OpenAI, Google, and a long tail of open-weight models. Specialization showed up. Tabular foundation models appeared as a separate category, which I covered in SAP’s Prior Labs acquisition. Cost arbitrage became real, with the same workload running 5-10x cheaper on a different vendor.
Seven models is what happens when an enterprise actually rationalizes its AI portfolio against workload fit. One frontier reasoning model for high-stakes language work. One mid-tier model for batch summarization. One code-specialized model for the dev team. One on-prem model for regulated data. One vision model. One embeddings model for retrieval. One specialized vertical model. The list isn’t exotic. It’s what mature AI portfolios look like the moment you stop pretending one model fits every workload.
Only 8% of enterprises in the F5 sample rely exclusively on public AI services. The other 92% are building multi-model portfolios that mix public APIs, private deployments, and open-weight options. That mix is the right answer. It is also the answer that creates the control plane problem.
The single-vendor posture has one nice property. The vendor handles routing, fallback, and policy for you, because you only have one vendor. The moment you add a second model, that property evaporates. Now you own the integration. Most enterprises have been adding models for two years without owning the integration. The technical debt accrued quietly, and the F5 report is the bill landing in the inbox.
The 88% Security Tax
This is the number from the report I want every CIO to sit with. 88% of enterprises have faced AI-related security challenges in their production inference environments.
That is not a pilot statistic. That is a production statistic. Nine out of ten enterprises running AI in production have already had a security incident attributable to that deployment.
The shape of those incidents matters. Prompt injection through user input. Data exfiltration through tool calls. Unauthorized access to fine-tuned model weights. Cost denial-of-service through recursive agent loops. Each of these failure modes has a corresponding control. Without a control plane, an enterprise has no place to enforce any of them.
The Galileo-style agent governance posture I covered earlier this year is one credible answer. There are others. Cloudflare AI Gateway, Portkey, LangSmith, Datadog’s AI observability layer, and the cloud-provider native options from AWS Bedrock and Azure AI Foundry all play in this space. None of them is the canonical winner yet. All of them are infinitely better than the status quo, which is “we’ll add observability when we have time.”
The right read on the 88% number is not that AI is unsafe. AI is fine. The deployment posture is unsafe. Running seven models with no central enforcement is the posture that produced the 88%, not the models themselves.
The Agentic Compounding Problem
Here is the part of the F5 report most strategy decks will skip and pay for in Q3.
98% of enterprises are preparing for agentic AI. That is essentially everyone. And agentic AI does not simplify the control plane problem. It compounds it.
A non-agent AI workflow is a single request and a single response. The control plane has one decision to make. An agent workflow is a chain of requests, tool calls, and external API hits, with branching logic, memory, and the ability to spawn sub-agents. The control plane has dozens of decisions to make per user interaction. Identity has to follow the agent across hops. Permissions have to be enforced at each tool call. Cost has to be capped at the agent level, not the request level. Audit logging has to capture the full reasoning chain, not just the final answer.
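The per-hop checks described above, as an added example rather than code from any agent framework: one ledger is shared by an agent and every sub-agent it spawns, so identity, scope checks, the spend cap and the audit trail all follow the run. Agent names, tool names, costs and the depth limit are constructed.

```python
from contextlib import suppress
from dataclasses import dataclass, field

class Denied(Exception): pass      # control plane refused a tool call or a spawn

@dataclass
class RunLedger:                   # one per user interaction, shared by all sub-agents
    budget: int                    # constructed unit: cents for the whole run
    max_depth: int = 2             # bounds recursive sub-agent chains
    trail: list = field(default_factory=list)

@dataclass
class AgentContext:
    principal: str                 # identity the run acts for; follows every hop
    scopes: frozenset              # tools this agent may invoke
    ledger: RunLedger
    name: str = "root"
    depth: int = 0

    def _deny(self, action, reason):
        self.ledger.trail.append((self.principal, self.name, action, reason))
        raise Denied(f"{self.name}: {action}: {reason}")

    def spawn(self, name, scopes):
        if self.depth + 1 > self.ledger.max_depth:
            self._deny("spawn:" + name, "denied_depth")
        narrowed = self.scopes & frozenset(scopes)   # a child can narrow, never widen
        return AgentContext(self.principal, narrowed, self.ledger, name, self.depth + 1)

    def call_tool(self, tool, cost, fn, *args):
        if tool not in self.scopes:                  # permission check on every call
            self._deny(tool, "denied_scope")
        if cost > self.ledger.budget:                # cap is per run, not per request
            self._deny(tool, "denied_budget")
        self.ledger.budget -= cost
        self.ledger.trail.append((self.principal, self.name, tool, "ok"))
        return fn(*args)

def demo():
    stub = lambda: "result"                          # stand-in for a real tool adapter
    root = AgentContext("alice@corp.example", frozenset({"search", "crm_read"}), RunLedger(10))
    root.call_tool("search", 4, stub)
    child = root.spawn("summarizer", {"crm_read", "email_send"})
    for tool, cost in (("email_send", 1), ("crm_read", 4), ("crm_read", 4)):
        with suppress(Denied):
            child.call_tool(tool, cost, stub)
    with suppress(Denied):
        child.spawn("helper", {"crm_read"}).spawn("helper2", {"crm_read"})
    return root.ledger.trail, root.ledger.budget
```

The trail records denials as well as successes, which is what lets an auditor reconstruct the whole chain instead of only the final answer.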
If your enterprise is in the 72% with no control plane today, and you are also in the 98% preparing for agentic AI, the math gets hard. The volume of decisions the control plane has to make is going to multiply by 50-100x in the next 18 months. Adding a control plane is harder while agents are running than before they ship. The window to install the plumbing is the next two quarters, before the agent rollout makes the work invasive.
This is the same pattern I flagged in the agent sprawl piece and the stuck-in-pilot-purgatory roadmap. The technical bill is small if you pay it before agents ship. The bill triples if you wait.
The Multi-Cloud Multiplier
93% of enterprises operate across multiple clouds. 86% run hybrid multicloud. The F5 report frames hybrid multicloud as permanent, not transitional, and the framing is correct. Anyone who told you multi-cloud was a phase has not run a regulated enterprise workload recently.
The interaction between multi-cloud and multi-model is the part most CIOs underestimate. Seven models running across three clouds and an on-prem environment is not seven control plane problems. It is roughly twenty-one. Each (model, environment) pair has its own latency profile, its own egress cost, its own identity boundary, and its own observability story. The combinatorial complexity is what burns AI ops teams.
The right architectural answer is one cloud-portable control plane that abstracts the underlying environment, sitting between your applications and the model endpoints regardless of where they run. The wrong architectural answer is a control plane per cloud, which is the default if you adopt your hyperscaler’s native gateway. AWS Bedrock’s gateway only governs Bedrock models. Azure AI Foundry’s gateway is similar. If your model portfolio crosses cloud boundaries, the cloud-native gateways do not solve the problem; they re-create it inside each silo.
This is the same model-agnostic posture I have argued for since last year, applied to the governance tier instead of the application tier. Pick one default platform. Keep credible swap paths. Make sure the control plane is portable across cloud and model.
The Strategic Read
Three things this report should change about how you read the rest of 2026.
The AI procurement conversation just split. Models are one column. Plumbing is the other. Most enterprise AI budgets in 2025 were 90% model spend and 10% everything else. By Q4 2026, the buyers running ahead will be 60% model and 40% control plane, observability, security, and ops tooling. The ratio shifts because the model spend is commoditizing and the plumbing spend is just starting.
The control plane vendor wars are about to start in earnest. Today, the market for AI control planes is fragmented across five or six credible vendors with different ancestry. API gateway companies. Observability companies. Identity companies. Cloud providers. Pure-play AI governance startups. By Q3 2026, expect consolidation. The buyers who pick a default control plane in the next two quarters lock in pricing and integration depth before the category prices firm up. The buyers who wait pay enterprise pricing on a more mature category 12 months later.
Coverage on the enterprise AI ROI question is going to start citing the control plane gap. Most of the disappointing AI ROI stories from the last 18 months are not model failures. They are integration failures, security incidents, and cost overruns from agents that ran in loops nobody was watching. The 88% security challenges number, the recursive agent stories, the per-team cost surprises, and the audit findings all trace back to the missing governance layer. The control plane is going to become the named root cause in the back half of 2026, the way “we didn’t redesign the operating model” became the named root cause for IBM’s AI Operating Model frame.
Your Move This Week
Three concrete actions, all doable by Friday. Works for a Fortune 500, a mid-market business, or an SMB running its first three agents.
- Inventory your current AI models. Pull a list of every AI model in production or active evaluation across your business. Include API-based models, on-prem deployments, embedded models inside SaaS tools, and model usage by individual contributors through their own subscriptions. The list is almost always longer than the CIO expects. The artifact is one page. If the count surprises you, the control plane gap is real. If the count surprises your security team more than you, the gap is bigger.
- Designate one owner for the AI routing and policy layer. Most enterprises do not have a named owner. The work falls between platform engineering, security, and the data team, which means it falls on no one. Pick one person, give them the mandate, and let them evaluate two or three control plane options against your current workload mix. The mandate is not “buy a tool.” The mandate is “give me a unified plan for routing, fallback, policy, cost governance, and audit across every AI model we run, regardless of vendor or environment.” The plan is the artifact. The tool decision flows from the plan.
- Pilot a control plane on one workload before agentic AI lands. Pick one production AI workload, ideally one with multiple models in the request path, and put it behind a control plane this quarter. Cloudflare AI Gateway, Portkey, LiteLLM Proxy, or your hyperscaler’s native option are all reasonable starting points depending on your stack. The goal is not full enterprise rollout. The goal is a working reference architecture and an honest read on time-to-deploy, observability quality, and operational overhead. You will need that reference architecture before agentic AI multiplies your control problem by 50x. The pilot is a two-to-four week effort. Run it now.
If you are in a regulated industry, add a fourth action: have your audit team review what AI evidence they would need to produce in a regulator request next quarter. The gap between what they would need and what your current logs capture is your audit risk number. It is almost always larger than the security risk number, and it is the one that ends careers.
Bottom Line
For two years, the enterprise AI conversation was about models. Which one to license. How big the context window. What the per-token cost is. The F5 SOAS 2026 data says that conversation is over, or at least no longer the bottleneck. 78% of enterprises run AI inference as a core operation. They run seven models on average. They face security incidents in production at an 88% rate. And 72% have no central system to manage any of it.
The cost is not the models. The cost is the missing plumbing beneath them. According to F5’s reporting on the SOAS findings, enterprises that invest in observability, authentication, and unified control across every AI environment are the ones converting AI capability into measurable business value. The rest are paying full price for half-price results, and the bill compounds with every new model and every new agent.
Multi-model is permanent. Multi-cloud is permanent. Agentic AI is one quarter away. The control plane is not optional, and the window to install it before agents make the work invasive is open right now and closing fast.
Inventory the models. Name the owner. Pilot the control plane. The plumbing is the strategy.
Related Reading:
- SAP’s €1B Bet on the AI LLMs Can’t Do
- IBM Named the AI Divide. Here’s Which Side You’re On.
- Microsoft Lost Its OpenAI Lock. Here’s Your Move.
- The Agent Governance Layer Every SMB Is Missing
- Agent Sprawl Is Killing SMB Productivity
- Your AI Stack Has an Expiration Date
- Stuck in AI Pilot Purgatory? A 5-Step Roadmap to Production