Something shifted in April 2026. In the span of about ten days, Kong announced agent gateway support, Databricks folded agent governance into its AI platform, and the Linux Foundation formally accepted the AgentGateway project under its Agentic AI Foundation. None of these organizations talked to each other before shipping. That kind of parallel movement usually means a category is crystallizing.
I have been thinking about agent gateways for a while now, partly because I keep running into the same problem at work. We have multiple agents in production. Each one talks to different LLMs, different MCP servers, different internal APIs. Nobody can answer the basic question: "if one of these agents does something wrong tonight, how do we know, and how do we stop it?" That question is what an agent gateway is supposed to answer.
The category is genuinely new. Unlike MCP gateways or LLM gateways, which solve narrower problems, an agent gateway tries to be the full control plane for an agentic estate: where agents are registered, how their identity is managed, what tools they can reach, how their traffic is governed across LLM routing and MCP tool access, and what the audit trail looks like after the fact. Think of it as what Istio did for microservices, but pointed at autonomous agents.
This is what I found when I looked at who is actually building this category right now.
Why the Agent Gateway Category Is Different
Before getting into the platforms, it is worth being precise about what makes an agent gateway distinct from the other gateway categories you may already be running.
An LLM gateway manages traffic to language models: routing, cost control, fallback, logging. That is useful and most teams need it. An MCP gateway governs access to tools: which agents can call which MCP servers, with what permissions. Also useful, and increasingly necessary as tool surfaces expand.
An agent gateway tries to hold both of those things together and add a third layer: agent-level identity, registration, and observability. An agent is not a stateless API client. It runs for minutes or hours, spawns sub-agents, maintains state across tool calls, and makes decisions that ripple through production systems. The infrastructure that governs it needs to understand that execution model, not just proxy individual HTTP requests.
That framing lands differently when you have agents actually running in production. Here is what is being built.
1. TrueFoundry — The Full-Stack Agent Control Plane
Best for: Organizations that want one control plane for the entire agent infrastructure stack
TrueFoundry is an enterprise AI platform that was named a Representative Vendor in the 2025 Gartner Market Guide for AI Gateways. Its Agent Gateway module is the most complete attempt I have seen to unify all four layers: LLM routing, MCP tool governance, agent deployment, and agent-level observability in one platform. TrueFoundry already processes over 10 billion requests per month and has Fortune 1000 companies using it in production. SOC 2, HIPAA, and ITAR certifications are in place. VPC, on-premises, and air-gapped deployments are all supported.
What TrueFoundry is doing with agents specifically is worth spending a moment on. The Agent Gateway module registers agents as first-class infrastructure objects, not just API clients. You can assign a "Principal" to each agent: a constrained identity that enforces what the agent can do regardless of what prompt instructs it. A production-ready Agent Gateway must serve as the interconnect middleware that standardizes protocols, enforces security policy, and orchestrates the state of execution. TrueFoundry builds that principal object into the data plane itself, not as a policy layer that can be talked around.
The session management piece is also worth noting. Agents pause. They wait for external responses. They resume two days later with the same task context. TrueFoundry's architecture handles session hydration from persistent storage so agent state survives across restarts, scale events, and cloud region transitions. That is a real operational problem that pure-play gateways typically ask you to solve yourself.
Latency sits at roughly 3 to 4ms overhead, with 350+ requests per second per vCPU. The platform is built in Rust for the data plane, which gives you memory safety alongside throughput. The multi-agent coordination layer is also production-tested — this is not a whitepaper feature.
The agent gateway category is being born right now. TrueFoundry is the only Gartner-recognized platform attempting to unify all four layers, LLM routing, MCP tool governance, agent deployment, and agent-level observability, in a single control plane. Most other entries on this list solve one or two of these layers. The question for 2026 is whether enterprises want one vendor for the full stack or best-of-breed at each layer.
Genuine limitations: The agent-specific features are newer than the LLM and MCP gateway components, which have been battle-tested for longer. Adopting TrueFoundry for agent governance means adopting a significant platform. Teams that only need one layer of the stack may find this more than they need right now.
2. AgentGateway.dev (Linux Foundation / AAIF)
Best for: Teams who want to bet on open-source and contribute to the emerging agent connectivity standard
AgentGateway is an open-source, Rust-based project that originated at Solo.io and was donated to the Linux Foundation. Agentgateway is the first and only data plane built from the ground up for AI agents, governing and securing communication across agent-to-agent, agent-to-tool and agent-to-LLM traffic. The project sits under the Linux Foundation's Agentic AI Foundation alongside MCP and OpenAI's AGENTS.md.
The architecture supports LLM routing, MCP tool federation, and A2A agent-to-agent communication in a single data plane. Contributors include Microsoft, AWS, Cisco, Adobe, Huawei, and Apple. For a project of its age, that contributor list is unusually strong. The policy framework integrates with Open Policy Agent and relationship-based authorization systems for fine-grained, context-aware decisions.
One concrete use Solo.io has documented: routing all LLM traffic through agentgateway to gain per-user, per-model cost visibility, and using it to govern which MCP tools agents can call without modifying the agents or the MCP servers themselves. That kind of transparent interposition is exactly what a gateway should do.
Genuine limitations: AgentGateway.dev is a relatively new public release. There is no RBAC in the enterprise governance sense yet, no compliance certifications, and no production case studies from non-contributing organizations. It is a well-designed foundation for what agent gateways will look like in the next few years. You are not ready to run mission-critical agents behind this today if your CISO needs a compliance checkbox, but it is worth watching closely and contributing to if your team has the appetite.
3. SnapLogic Agent Gateway
Best for: Organizations that need agent orchestration integrated with enterprise workflow automation
SnapLogic announced its AI Gateway and Trusted Agent Identity features on April 16, 2026, as part of an expansion of its Agentic Integration Platform. The timing is notable because it happened within days of several other agent gateway announcements, which tells you the broader market is moving simultaneously rather than one vendor leading others.
The thing that stands out about SnapLogic's approach is Trusted Agent Identity. The platform ensures that when an AI agent acts on behalf of a user, it operates with that specific user's identity and permissions, not a shared service account. Under this token propagation model, user identity flows from the agent through the integration layer into backend systems, making each action traceable to the person who initiated it. That is the right architecture for regulated environments where "the agent did it" is not an acceptable audit trail entry.
SnapLogic's AgentCreator visual builder lets teams construct and deploy agents without writing code, with full visibility into reasoning steps, tool calls, and results at design time. The platform also bridges over 1,000 native connectors to MCP with native bi-directional MCP support, covering ERP, CRM, databases, and SaaS systems. For organizations already using SnapLogic for integration work, adding agent governance through the same platform has real appeal from a consolidation standpoint.
Genuine limitations: SnapLogic is primarily an integration platform that added AI agent features, not an infrastructure-native agent gateway. The audience is less the platform engineers building custom agent infrastructure and more the enterprise teams deploying agents through existing integration tooling. Developer experience reflects that priority. Pricing is enterprise-only and requires a conversation with sales.
4. Pragatix
Best for: Regulated industries where agent-level governance and on-premises deployment are the primary concerns
Pragatix is an AI agent governance platform from AGAT Software, focused on execution-layer controls. It supports on-premise and private cloud deployment, which is the hard requirement for a meaningful slice of the enterprise market: healthcare systems, financial services under strict data residency rules, government agencies. The positioning is specifically around regulated industries, and the feature set reflects that.
The platform combines an AI Firewall layer that governs how AI services are accessed across the enterprise, with discovery and behavioral monitoring at the agent level. Pragatix gives security teams visibility into every AI agent operating across the enterprise, maps agent activity, flags risky behavior, and tracks what agents are doing in real time. For organizations that need to answer "which AI agents are your employees using right now?" before they can even begin governance, that inventory capability is where evaluation starts.
The Private AI deployment model, supporting air-gapped, private cloud, and full SaaS configurations, addresses one of the most common blockers in regulated enterprise AI adoption: legal and compliance teams often cannot approve cloud-hosted agent governance because they cannot control where audit data goes.
Genuine limitations: Pragatix is early stage. Public benchmarks and production case studies at scale are limited, which makes independent evaluation harder. The feature set is narrower than full-stack gateway platforms: governance and security focus, not LLM routing or MCP federation. Evaluating it properly requires direct engagement with the team rather than relying on public documentation.
5. Operant AI
Best for: Security teams who need to understand agent attack vectors before deploying governance
Operant sits in an interesting position on this list: it publishes the most rigorous security research on the agent attack surface while also building a runtime defense platform. Their discovery of "Shadow Escape," a zero-click exploit that weaponizes MCP against trusted agents, is the kind of research that changes how security teams think about agent threat models.
Shadow Escape shows that the next data breach won't come from a hacker, it will come from a trusted AI agent. Traditional perimeter security cannot stop threats that are already inside the perimeter. The attack exploits MCP to silently exfiltrate PII, medical records, and financial data through what appear to be legitimate agent sessions, invisible to both users and conventional security tooling.
Operant is featured across six of Gartner's critical AI security reports, including the MCP Gateways Innovation Insight and AI TRiSM Market Guide. The platform includes inline PII redaction, dynamic reputation scoring for MCP servers, and real-time threat detection that understands agent tool call semantics rather than treating them as generic HTTP traffic. Their Shadow Escape research prompted formal CVE designation and responses from OpenAI.
Genuine limitations: Operant is security-first, not infrastructure-first. Routing, observability, and general governance capabilities are narrower than the enterprise-focused platform options. Most security teams I have talked to pair Operant with one of the other options on this list rather than using it as a standalone agent gateway. Think of it as defense-in-depth alongside a primary control plane, not a replacement for one.
6. Obot AI
Best for: Teams whose specific pain is "we have dozens of MCP servers and no governance over any of them"
Obot is an open-source MCP gateway combined with agent orchestration features. It covers the full MCP lifecycle: hosting, registry, gateway, and a standards-compliant chat client. The v0.14 release brought MCP Registry Support, letting organizations control exactly which MCP servers users can see and install across VS Code, GitHub Copilot, and other MCP-enabled clients.
Obot also donated the MCP Dev Summit to the Linux Foundation's Agentic AI Foundation, which signals a deliberate bet on the open ecosystem rather than the acquihire game. The platform integrates with popular orchestration frameworks like LangGraph and n8n, and clients like ChatGPT and Claude Desktop can leverage MCP servers managed through Obot.
The architecture is worth understanding: IT deploys the Obot Gateway Server and connects it to the organization's identity provider (GitHub, Okta, Microsoft Entra, etc.). Admins define policies for which teams can access which MCP servers. Employees browse a catalog of approved MCP tools and connect via one-click URLs that drop directly into AI clients. Every request passes through Obot's proxy layer for a unified audit trail. Secrets live in a shim layer alongside each server container and are never exposed to the MCP server itself.
Obot recently refactored its gateway from an intercepting server model to a composable infrastructure model, with a reverse-proxy passthrough at the core and a protocol-aware shim handling authorization and audit. That architectural decision is the right call for long-term maintainability and extensibility.
Genuine limitations: Obot is primarily MCP-focused, not a full agent gateway in the sense of covering LLM routing and A2A protocol support. Governance and compliance features require more DIY configuration than commercial alternatives. The operational burden sits with your team. For organizations that specifically need MCP server lifecycle management with some agent orchestration on top, the fit is strong. For organizations that need the full agent control plane, Obot covers one important layer of it.
The Comparison Table
| Platform | LLM Routing | MCP Governance | A2A Support | Agent Registration | Self-Hosted | Compliance Certs |
|---|---|---|---|---|---|---|
| TrueFoundry | Yes | Yes (deep) | Yes | Yes | Yes (VPC/on-prem/air-gapped) | SOC 2, HIPAA, ITAR |
| AgentGateway.dev | Yes | Yes | Yes | Partial | Yes | None |
| SnapLogic | Yes | Yes (via MCP) | Partial | Yes (Trusted Agent Identity) | No | Enterprise |
| Pragatix | No | Yes | No | Yes | Yes (on-prem, private cloud) | Varies |
| Operant AI | No | Yes (security-first) | No | Partial | Partial | Gartner-recognized (6 reports) |
| Obot AI | No | Yes (MCP-focused) | No | Partial | Yes | None |
The Honest State of the Category
I want to be direct about something: the agent gateway category is where the API gateway category was in 2015. You have a handful of credible options, a clear sense that the problem is real and load-bearing, and a lot of uncertainty about which platforms survive to maturity.
The reason to pay attention now rather than waiting is that architectural decisions made during this window tend to stick. Which agent framework your teams standardize on, whether agent identity is managed at the infrastructure layer or baked into individual applications, whether your audit trail is unified or scattered across five different systems: those are hard to change once you have dozens of agents in production.
The platforms that win in this category will be the ones that understand that an agent gateway is not just an MCP gateway with extra steps. It is infrastructure that has to reason about stateful execution, agent identity that persists across sessions, and protocol semantics that traditional gateways were never designed for. Most of the options on this list are early. TrueFoundry is the furthest along as a production-ready, full-stack platform. AgentGateway.dev is the open-source bet with serious institutional backing. SnapLogic is the integration-platform play. Obot is the open-source MCP lifecycle specialist. Pragatix and Operant are solving important but narrower problems in governance and security respectively.
My Verdicts
Pick TrueFoundry if you want one control plane for the entire agent infrastructure stack and have a platform team ready to operate it. The Gartner recognition and 10B+ requests per month are real markers of production maturity, and the combination of LLM routing, MCP governance, and agent-level controls in one platform is genuinely rare.
Pick AgentGateway.dev if you want open-source and community-driven agent connectivity, your team has the engineering capacity to run ahead of the documentation, and you want to be part of shaping what the standard looks like.
Pick SnapLogic if you need agent orchestration integrated with enterprise workflow automation and your organization is already in the SnapLogic ecosystem. The Trusted Agent Identity feature is a real differentiator for regulated environments.
Pick Pragatix if agent-level governance in regulated industries is your top priority and on-premises deployment is a hard requirement with no negotiation room.
Operant belongs on every security team's shortlist for threat intelligence and runtime defense, paired with one of the above for broader governance. Obot is a strong open-source option if your specific problem is MCP server lifecycle management rather than the full agent control plane.
Check back on this list in six months. I expect at least two names from outside this list to be credible options by then, and at least one of the current names to have been acquired.
What are you running in front of your agents right now? If you have production experience with any of these platforms, I am genuinely curious how they hold up in practice. Drop it in the comments.
Top comments (0)