TL;DR: Direct LLM API integration creates brittle, hardcoded dependencies, scattered observability, inconsistent failover, and compliance gaps as AI usage scales, according to Kong's analysis and cited industry research. An AI gateway centralises routing, policy, and visibility, making provider change and governance structurally easier than per-service integrations.
At a glance
What this is: The post argues that direct LLM integrations do not scale well and that an AI gateway becomes the control layer for routing, resilience, observability, and policy enforcement.
Why it matters: It matters because IAM, NHI, and security teams need a governable pattern for AI traffic before provider sprawl, shadow AI, and inconsistent controls create operational and compliance debt.
By the numbers:
- 88% said they plan to increase AI-related budgets in the next 12 months.
- The GenAI infrastructure layer captured $18 billion in 2025, up 2x from $9.2 billion in 2024.
- 86% of respondents expect AI infrastructure budgets to increase over the next three years, with average budgets expected to more than triple.
- Prompt injection is ranked as the number one risk in OWASP's Top 10 for LLM Applications.
👉 Read Kong's analysis of AI gateway architecture versus direct LLM integration
Context
AI gateway architecture is the control problem behind scaling enterprise LLM use. Once multiple applications, providers, and prompts are involved, direct integration turns every service into a separate policy and resilience boundary, which is why provider sprawl quickly becomes an identity and governance issue rather than just an engineering choice.
For identity teams, the real question is how to govern AI traffic without embedding provider-specific logic into every application. That means centralising authentication, routing, observability, and policy enforcement so AI use can be reviewed, controlled, and changed without rewriting the whole application estate.
Key questions
Q: How should security teams govern direct LLM integrations at scale?
A: They should treat direct integrations as a temporary pattern and move policy, routing, and observability into a central control plane. The key is to remove provider-specific logic from application code so identity, logging, and failover are enforced consistently across services instead of being rebuilt per team.
Q: Why do direct LLM integrations create more operational risk as use grows?
A: Because every new service adds another embedded endpoint, credential path, prompt pattern, and retry model. That fragments accountability and makes provider outages, pricing changes, and model swaps harder to manage. The risk is not only technical brittleness, but governance debt that compounds with scale.
Q: What breaks when AI traffic is governed only inside application code?
A: Observability, policy consistency, and failover discipline break first. Teams see different logs, enforce different guardrails, and handle provider failures in inconsistent ways. At that point, finance, security, and engineering no longer share a reliable view of how AI is being used or controlled.
Q: Which frameworks are most relevant to AI gateway governance?
A: NIST Cybersecurity Framework, OWASP Top 10 for LLM Applications, and zero trust architecture are the clearest references because they all push toward central control, continuous verification, and consistent policy enforcement. That makes them useful for evaluating whether AI traffic is being governed as an enterprise control plane.
Technical breakdown
Direct LLM integration hardcodes identity and routing decisions
Direct integration means each application talks straight to an LLM provider with its own API key, endpoint, prompt format, and retry logic. That creates tight coupling at the application layer, so every model swap, policy change, or provider outage becomes a code change in multiple services. The result is not just technical fragility. It is fragmented accountability, because no single control point can see usage, enforce policy, or consistently manage failure handling across the AI estate.
Practical implication: map every direct provider call and identify where application code, not infrastructure, is carrying governance responsibility.
Why an AI gateway changes AI security and observability
An AI gateway sits between applications and model providers and handles routing, failover, rate limiting, authentication, observability, and policy enforcement centrally. Unlike a conventional API gateway, it also understands AI-specific traffic patterns such as token consumption, prompt filtering, semantic routing, and model-aware policy. That creates a common control plane for AI use, which matters when organisations need consistent logging, cost attribution, and guardrails across many teams and providers.
Practical implication: place policy, logging, and routing decisions in the gateway layer so AI governance is no longer reimplemented per service.
Migration effort falls when provider lock-in is removed
The article's core architectural claim is that abstraction reduces migration effort because providers become routing choices rather than embedded dependencies. Instead of rewriting code in every service, teams update gateway configuration, failover chains, and policy rules. That shifts the hardest work from application redeployment to controlled traffic management, which is why the switchover checklist is organised around audit, abstract, route, validate, and harden. In identity terms, the control surface moves from dispersed secrets and app logic to a single managed boundary.
Practical implication: treat provider abstraction as a governance project with a migration plan, not as a simple platform swap.
NHI Mgmt Group analysis
AI gateway architecture is now an identity governance decision, not just an infrastructure choice. Once LLM access is embedded directly in applications, each service becomes its own identity and policy island. That fragmentation is what makes auditability, cost control, and policy enforcement fail at scale. The practical conclusion is that AI traffic needs a single governance boundary before the number of consumers and providers makes change unmanageable.
Direct integration creates governance debt by spreading credentials, prompts, and fallback logic across the application estate. The article's examples show how hardcoded endpoints and per-service failover turn every provider change into a multi-team exercise. That is the same pattern identity teams already recognise in unmanaged secrets and shadow access paths, except the blast radius is now AI-specific. Practitioners should see this as dispersed control, not a tooling preference.
Prompt injection and policy bypass become harder to contain when policy lives in code instead of infrastructure. Centralising guardrails at the gateway layer means the organisation can apply one policy point to many applications rather than relying on each team to implement the same controls correctly. That does not eliminate risk, but it changes the operating model from inconsistent local enforcement to auditable central enforcement. The implication is that AI security should be designed as a shared control plane.
Identity blast radius is the right named concept for this architecture shift. The more LLM integrations are hardcoded, the more every provider outage, pricing change, or model deprecation expands the blast radius of a single upstream dependency. This is not a vendor lock-in slogan. It is a governance failure mode where one external identity and routing decision cascades across many services. Practitioners need to model that blast radius explicitly before production scale makes it expensive to unwind.
From our research:
- Prompt injection is ranked as the number one risk in OWASP's Top 10 for LLM Applications, according to AI Agents: The New Attack Surface report.
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so.
- The governance problem extends beyond one control point, and practitioners can explore OWASP Agentic Applications Top 10 for a broader identity and policy lens.
What this signals
Identity blast radius: when provider dependencies, credentials, and fallback logic are spread across applications, the organisation loses the ability to apply one governance model to many AI use cases. That is why centralisation is not only an efficiency play, it is a control design choice. For practitioners, the immediate signal is whether AI traffic can be observed and governed from a single boundary or only through scattered application logs.
With 92% of organisations agreeing that governing AI agents is critical to enterprise security, yet only 44% having implemented any policies, the gap is no longer conceptual. Teams that are scaling AI should expect governance pressure to move from experimentation into architecture review, procurement, and audit readiness. The control question is whether provider abstraction can be enforced before application sprawl makes it irreversible.
For practitioners
- Audit every direct LLM integration Inventory each service, the provider it calls, the authentication method it uses, and where prompt templates or fallback logic live. Include shadow AI paths outside official architecture so the migration picture is complete.
- Centralise AI routing and policy enforcement Move provider selection, failover chains, rate limits, and prompt guardrails into a gateway layer so changes happen in configuration rather than in multiple codebases.
- Separate application logic from provider-specific identity Remove hardcoded endpoints and embedded credentials from service code, and replace them with managed access to a common control plane for AI traffic.
- Validate governance controls on production traffic Test latency, error handling, and logging on live workloads before cutover, then confirm the gateway can enforce PII sanitisation, audit logging, and cost quotas consistently.
Key takeaways
- Direct LLM integration pushes identity, routing, and governance decisions into application code, which makes AI estates harder to secure as they scale.
- AI gateway architecture centralises policy, observability, and failover, which reduces the operational blast radius of provider changes and outages.
- Practitioners should treat AI traffic governance as an enterprise control plane problem, not as a series of app-level implementation choices.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A2 | Direct LLM integrations and prompt filtering map to agentic routing and tool-use risk. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Provider API keys and embedded credentials are classic non-human identity control problems. |
| NIST CSF 2.0 | PR.AC-4 | Centralised access control and policy enforcement are required for AI traffic governance. |
Centralise AI traffic controls so prompt handling, routing, and policy enforcement are consistent across services.
Key terms
- AI Gateway: An AI gateway is a control layer between applications and model providers that centralises routing, authentication, policy enforcement, observability, and failover. In practice, it reduces the number of places where AI access logic must be implemented and reviewed, which makes governance and change management more consistent across the estate.
- Direct LLM Integration: Direct LLM integration means each application connects straight to a model provider using its own endpoint, credentials, prompt format, and error handling. This creates tight coupling and makes security, resilience, and audit controls depend on application teams rather than on a shared infrastructure boundary.
- Prompt Guardrails: Prompt guardrails are policy controls that limit what prompts can request, transmit, or trigger before the model responds. They are most effective when enforced centrally because application-level implementations drift over time and often fail to stay consistent across many services and teams.
- Identity Blast Radius: Identity blast radius is the amount of operational and security impact that can result when one credential, provider, or access path is reused widely. In AI architectures, the blast radius grows quickly when every service embeds its own provider access, routing logic, and fallback behaviour.
What's in the full article
Kong's full blog post covers the operational detail this post intentionally leaves for the source:
- The six-dimension comparison framework for direct integration versus an AI gateway.
- The five-phase switchover checklist with definition-of-done and failure modes.
- The migration effort rationale behind the 60 to 80 percent reduction claim.
- The production-oriented hardening sequence for routing, guardrails, and cost controls.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org