Subscribe to the Non-Human & AI Identity Journal

Why do MCP gateways not solve multi-tenant governance by themselves?

Because gateways enforce, but they do not decide. They can validate tokens, scopes, and routing, but they cannot independently determine which tenant issued a request, which consent flow applied, or which credential backs a tool call. Without an identity layer behind them, teams end up rebuilding governance inside the application.

Why This Matters for Security Teams

MCP gateways are useful enforcement points, but multi-tenant governance fails when teams confuse policy enforcement with identity and consent decisions. A gateway can inspect a token, check a route, or block an unsafe method, yet it still needs an upstream trust model to know which tenant owns the workload, which consent boundaries apply, and which credential should back the call. That gap matters most when agents operate across tools and tenants in ways that are hard to predict.

Current guidance suggests that agentic systems should be governed as dynamic workloads, not as static users. That is why NHIMG’s Top 10 NHI Issues emphasizes lifecycle control, credential provenance, and auditability, while the OWASP Agentic AI Top 10 highlights tool abuse, overbroad delegation, and weak runtime controls as distinct risks. In SailPoint’s AI Agents: The New Attack Surface report, 80% of organisations said agents had already acted beyond intended scope, which is why governance cannot stop at the gateway boundary.

In practice, many security teams encounter cross-tenant leakage only after an agent has already chained tool calls through a gateway that was never meant to be the source of truth for ownership or consent.

How It Works in Practice

The practical answer is to place the gateway inside a broader identity architecture rather than treating it as the architecture itself. The gateway should enforce request-time checks, but the decision must come from an identity layer that can prove workload identity, tenant affiliation, and consent context before a tool call is allowed. That usually means pairing the gateway with short-lived workload credentials, policy-as-code, and tenant-scoped metadata that is evaluated at runtime.

For autonomous workloads, static RBAC alone is too blunt because the agent’s next action is not fixed in advance. A better pattern is context-aware authorisation: the gateway receives a request, the policy engine evaluates who the agent is, which tenant it is acting for, what data is in scope, and whether the action is still within the current task. This is consistent with the direction outlined in the NIST Cybersecurity Framework 2.0 and the Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs, both of which stress lifecycle governance rather than isolated control points.

  • Issue ephemeral credentials per tenant and per task, not shared gateway secrets.
  • Bind each tool call to workload identity and tenant context before routing occurs.
  • Evaluate policy at request time, not only at onboarding or configuration time.
  • Log consent, provenance, and credential lineage for each delegated action.

Where this gets real is in environments with shared gateways fronting multiple business units, because a valid transport token does not tell the gateway whether the current request belongs to the right tenant, the right agent, or the right consent envelope. These controls tend to break down when the gateway is forced to infer ownership from path names, headers, or application-side conventions.

Common Variations and Edge Cases

Tighter gateway enforcement often increases operational overhead, requiring organisations to balance stronger tenant isolation against slower delivery and more complex policy management. That tradeoff becomes visible when teams support customer-managed tenants, delegated admin models, or agents that can invoke tools on behalf of more than one principal.

There is no universal standard for this yet, but current guidance suggests three patterns are especially important. First, use short-lived credentials with explicit tenant binding so the gateway can reject reused or replayed access. Second, separate consent from transport: the gateway should verify that consent exists, but the consent record should live in a system of record that the gateway can query, not invent. Third, treat multi-agent workflows as a governance edge case because one agent may legitimately pass context to another without inheriting all permissions.

NHIMG’s AI Agents: The New Attack Surface report shows how quickly scope drift becomes operational risk, and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is clear that auditability depends on being able to trace who authorised what, when, and under which tenant context. In shared service meshes, proxy layers, or federated SaaS integrations, the gateway can still enforce rules, but it cannot resolve governance ambiguity by itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Agentic AI Top 10 A5 Tool abuse and overdelegation are the core gateway governance gap.
CSA MAESTRO CTRL-2 MAESTRO addresses runtime authorization for autonomous agent actions.
NIST AI RMF AIRMF governance fits the need for accountable, context-aware AI controls.

Establish AI governance that traces decisions, ownership, and authorised scope at runtime.