🇫🇷 Cet article est aussi disponible en français.

Agent Gateways: The New Control Plane for Enterprise AI Is Taking Shape

Agent Gateways: The New Control Plane for Enterprise AI Is Taking Shape
🇫🇷 Cet article est aussi disponible en français.
📑 Table of Contents

TL;DR — A new product category, the “agent gateway,” is rapidly crystallizing in the enterprise AI stack. In the span of six weeks, at least five vendors have planted flags: Nutanix shipped its Agent Gateway to GA, Arcade landed on the AWS and Azure marketplaces, Manufact opened its MCP hosting cloud, Palo Alto Networks acquired Portkey, and Solo.io donated agentgateway to the Agentic AI Foundation with 300+ contributors. The common thread: a centralized governance layer that sits between AI agents and everything they touch — models, tools, APIs, and databases. With Gartner predicting that 40% of agentic AI projects will be canceled by 2027 over cost and risk, the gateway category is emerging as the infrastructure answer to agent sprawl.


Introduction: Why Agent Gateways, Why Now

In May 2026, Nutanix shipped something that didn’t yet have a widely recognized name. It called it the Nutanix Agent Gateway, and it bundled it into Nutanix Enterprise AI 2.7 as a generally available component. Six weeks later, the same pattern has appeared under at least four other banners: Arcade, Manufact, Palo Alto Networks (via Portkey), and the open-source agentgateway project now under Linux Foundation governance via the Agentic AI Foundation. The category is forming faster than anyone’s taxonomy can keep up.

What changed? The answer is straightforward: enterprises moved agents from demos to production, and the operational mess followed immediately. An agent doesn’t just generate text — it calls models, spawns sub-agents, queries databases, hits Stripe, pushes to GitHub, and reads from internal APIs. Each of those actions consumes tokens, touches a system with its own permission model, and generates a log entry that nobody is reading. Without a central control point, an organization ends up with dozens of autonomous systems hitting production infrastructure directly, and no single pane of glass to see the traffic or stop it.

The agent gateway inserts one governed hop into that path. It’s the layer that answers three questions every enterprise CTO is now asking: who is spending what on tokens, which tools can each agent reach, and how do we prove compliance when the auditor shows up?


What Is an Agent Gateway?

At its simplest, an agent gateway is a reverse proxy for agentic traffic. An agent calls a unified endpoint instead of reaching models and tools directly. The gateway routes the request to the appropriate model — GPT on Azure, Claude from Anthropic, a self-hosted Llama instance — applies the same authentication, rate limiting, and logging regardless of the backend, and hands the response back.

But the real value proposition goes deeper than routing. In the Nutanix implementation, for instance, the gateway also sits in front of Model Context Protocol (MCP) servers, the emerging standard for how agents discover and invoke tools (Source: Nutanix — Introducing Nutanix Agent Gateway). It applies tool-level filtering so a customer-service agent gets read-only database access while a DevOps agent gets full GitHub write permissions. Every request is logged for audit. Token usage is metered per agent and per team — so finance can attribute spend to the right cost center.

This is significant because the problem isn’t theoretical. Gartner predicts that “by 2027, over 40% of agentic AI projects will be canceled due to escalating costs, unclear business value, or inadequate risk controls” (Source: Gartner — Top Actions to Drive Success in Building Agentic AI Solutions, April 2026).


The Players: Five Entry Points, One Category

The vendors converging on this space arrived from different directions, which is why the category still looks fragmented. Understanding their origins explains the market structure.

Nutanix: Infrastructure-First Governance

Nutanix came at the problem from private inference and hybrid infrastructure. Its Agent Gateway is tightly integrated with Nutanix Enterprise AI’s inference stack, unifying governance across public hosted models and self-hosted private models. The pitch: you get one control surface whether your model runs on Azure OpenAI, Anthropic’s API, or your own Kubernetes cluster. The MCP governance piece is currently in tech preview, but the token routing, observability, and rate limiting are GA and production-ready.

Arcade: Authorization as the Entry Point

Arcade took a different door. It comes from the authorization angle — agents get delegated user authority that is re-verified at the moment of every action. An agent doesn’t just receive a blanket permission at deployment time; each tool call triggers a fresh authorization check. On July 3, 2026, Arcade made its runtime available through both the AWS and Azure marketplaces, letting enterprises deploy it inside their own cloud environment with a single click (Source: Forbes — Agent Gateways Are Becoming The Control Plane For Enterprise AI). This is a deliberate move: Arcade wants to be adopted against existing cloud commitments without a fresh procurement cycle.

Manufact: The Developer Lifecycle Approach

Manufact entered from the developer experience side. Its MCP hosting cloud, opened on July 2, takes an MCP server from a GitHub push to a monitored production endpoint. The value proposition is lifecycle management: deploy an MCP server once, test it across ChatGPT and Claude, monitor it continuously, rather than demo it once and forget about it. Every MCP server becomes a governed resource, not a one-off script.

Palo Alto Networks (Portkey): Security Platform Consolidation

In May 2026, Palo Alto Networks completed its acquisition of Portkey, a standalone AI gateway, folding it into its broader security platform. The framing is specific: Portkey governs what Palo Alto Networks calls “privileged-insider agents” — autonomous systems that operate with elevated permissions inside the enterprise perimeter (Source: Palo Alto Networks — Completes Acquisition of Portkey). This is the security-first version of the same story.

Solo.io / agentgateway: The Open-Source Counterweight

On the opposite end of the spectrum, Solo.io donated agentgateway to the Agentic AI Foundation (AAIF) in June 2026, making it the fourth hosted project under the group’s Linux Foundation governance. The Apache 2.0 project handles MCP, agent-to-agent, inference, HTTP, and gRPC traffic through a single data plane. It counts more than 300 contributors across 60 organizations including CoreWeave, Red Hat, Adobe, Salesforce, and Microsoft (Source: AAIF — agentgateway Joins as an Open Gateway). This creates a genuine strategic tension: do you buy governance from a vendor’s suite, or do you adopt an open project that no single vendor controls?

The hyperscalers are mapping the same territory. AWS is building agent runtime and governance into Bedrock AgentCore. Security vendors like CyCognito introduced discovery of externally reachable MCP servers back in January 2026, adding them to external attack-surface inventories — many MCP servers reach the internet without their owners’ knowledge, exposing a publicly accessible catalog of business operations (Source: CyCognito — Discovery of Externally Reachable MCP Services).


The Stakes: What Breaks Without a Gateway

The case for agent gateways becomes clearer when you examine what breaks without one. Three failure modes dominate:

Token cost opacity. An agent that spawns sub-agents compounds token consumption silently. A single user request might trigger five model calls across three different providers, with no attribution to the originating workflow. Finance teams discover this at the end of the month, not in real time.

Permission sprawl. An agent deployed for customer support might have been granted read-only database access at design time. But six months later, that same agent has been repurposed for three other workflows, each adding new tool connections. Nobody has audited the aggregate permission set. This is the scenario CyCognito keeps finding in the wild: MCP servers with tool access nobody reviewed.

Audit blindness. When an agent makes a decision that has compliance implications — approving a transaction, modifying a customer record, pushing code to production — the system of record needs to show who authorized it, what model made the call, and which tools were involved. Without a gateway logging every interaction, the audit trail is scattered across a dozen different services.


Open Questions

The category isn’t settled; three questions will determine its shape over the next 12 months.

Does every tool call need a gateway? The strongest counter-argument came from Manufact’s own launch discussion, where developers pointed out that agents already handle human-built CLI tools and REST APIs when a project rules file directs them there. For a stable, repo-local script, wrapping every invocation in a gateway adds overhead nobody needs. The gateway earns its place where an integration is shared, permissioned, observable, or reused across many agents — but buyers need to be honest about how much of their tool access clears that bar.

What does the pricing model assume about growth? Every gateway vendor’s business case depends on agent volume continuing to climb. But if Gartner’s 40% cancellation rate materializes, the market for governance layers shrinks with it. Portkey answered this risk by selling into a security platform; agentgateway answered by going open-source. The independents — Arcade and Manufact — will need to prove they can survive a consolidation wave.

Is the MCP governance story fully production-ready? Nutanix’s MCP governance features remain in tech preview. Arcade’s authorization model is production-grade but covers a narrower surface than a full gateway. Manufact is shipping but early. The security story is maturing even as the agents are already in production, and that gap is where enterprises get burned.


What Happens Next

For enterprise buyers, the practical move is to treat the agent gateway not as a purchase yet but as a diligence checklist with three questions: who owns the governance components (are they proprietary or thin wrappers around cloud primitives you already pay for?), what does the bill do when tool calls double, and is authentication enforced for every tool and every MCP method, or only the obvious ones?

For vendors, the pressure runs the other way. Nutanix, Arcade, and Manufact each own one strong entry point and will be pushed to cover the others — or pick a side — before the market settles. The open-source versus proprietary split is the axis to watch. If agentgateway gains enough adoption under AAIF governance, it could become the Kubernetes of agent infrastructure: a neutral control plane that every vendor integrates with. If Palo Alto Networks and AWS consolidate fast enough, the gateway becomes a feature of the security or cloud platform you already buy.

Either way, the message from the last six weeks is unambiguous: the layer between an agent and everything it touches has stopped being an afterthought. It is now a category with a name, a growing vendor roster, and an open-source counterweight. The only remaining question is who ends up owning it.


FAQ

Q: How is an agent gateway different from an API gateway?

An API gateway routes and secures REST/GraphQL traffic between clients and services. An agent gateway does the same for agentic traffic, but with additional dimensions: it understands MCP tool discovery, token metering and cost attribution, model fallback routing, and the permission model of delegated agent authority. It’s API gateway thinking applied to a new interaction model where the client is an autonomous system rather than a human-driven application.

Q: Do I need an agent gateway if I’m only running one or two agents?

Probably not yet. The gateway’s value scales with the number of agents, tools, and model backends in play. If you have a single agent calling a single model with a handful of well-understood tools, your existing monitoring and access controls likely suffice. The inflection point is when you have multiple teams deploying agents that share tools, when token costs become material enough to require attribution, or when compliance demands an audit trail for agent decisions.

Q: Can’t I just use my cloud provider’s built-in governance?

Partially. AWS Bedrock AgentCore, Azure AI Agent Service, and Google Cloud’s agent platform all include varying degrees of governance. The catch is that multi-cloud and hybrid deployments — where some models run on-prem and some in the cloud, or where agents span multiple providers — need a layer that isn’t tied to one vendor’s stack. That’s the gap standalone gateways aim to fill.

Q: What’s the relationship between agent gateways and MCP?

The Model Context Protocol (MCP) is the standard for how agents discover and invoke tools. An agent gateway typically includes MCP server governance — controlling which tools each agent can access, logging MCP interactions, and applying rate limits. In this sense, the gateway is a control point for MCP traffic, much like a firewall is a control point for network traffic.

Q: Is the open-source agentgateway project production-ready?

The agentgateway project under AAIF governance is Apache 2.0 licensed, with 300+ contributors across 60 organizations — including production users like CoreWeave and Red Hat. That said, it’s a young project (donated in June 2026) and the governance model is still maturing. For organizations that need a battle-tested, commercially supported solution today, Nutanix or Palo Alto Networks/Portkey are the more conservative choices. For organizations that prioritize vendor neutrality and are willing to invest in operationalizing open-source infrastructure, agentgateway is the most credible open alternative.


Further Reading