Your developers install agent plugins every day: pulling from unmanaged GitHub repos, copying Cursor commands out of Slack, pointing Codex at a personal Git fork. Each of those is a new, uncontrolled distribution channel inside your software development lifecycle, and your platform team has zero visibility into any of it. A plugin is not a preference file. It is executable software, and right now it’s arriving on developer machines with no versioning, no provenance, and no audit trail.