By NHI Mgmt Group Editorial Team
Published 2026-03-07
Domain: Agentic AI & NHIs
Source: Kong

TL;DR: Claude Code sessions can become unmonitored pipelines between developers, proprietary code, and Anthropic’s API unless organisations add centralized LLM governance, according to Kong. That makes cost, auditability, data leakage, and shadow AI the real programme risks, not the model itself.


At a glance

What this is: This is Kong’s analysis of governing Claude Code rollouts with an AI gateway, with the central finding that ungoverned agentic coding creates blind spots across security, cost, compliance, and data exposure.

Why it matters: It matters because IAM and security teams now have to govern autonomous LLM traffic, not just human users and service credentials, or they will miss how AI coding tools move data, spend, and access across the enterprise.

By the numbers:



Context

Claude Code is an agentic coding tool that can read codebases, run commands, edit files, and call external tools during a development session. In practice, that turns each session into an identity and data governance problem, because the system is handling source code, credentials, and internal context while acting with more autonomy than a conventional assistant.

The control gap is not whether AI helps developers work faster. The issue is that enterprise IAM, PAM, and data controls were built to govern relatively stable identities and predictable access paths, while Claude Code introduces high-volume LLM traffic, delegated tool use, and compliance obligations that need central policy enforcement.

For teams already treating AI coding as production infrastructure, this is not a pilot problem. It is a governance design problem that sits between identity, security, engineering operations, and compliance, which makes it a typical rather than exceptional enterprise challenge.


Key questions

Q: How should teams govern AI coding agents that can call external tools?

A: Treat the agent as a governed execution path, not a chat interface. Put model requests, tool calls, and data handling behind a single policy layer so security, compliance, and platform teams can enforce the same controls across every session. That is the only practical way to keep access, logging, and content filtering consistent at scale.

Q: Why do AI coding agents create more risk than standard developer assistants?

A: Because they can move from suggestion to action. Once an agent can read code, execute commands, and reach external systems, it can expose secrets, change files, and consume services in ways that traditional review models do not observe in real time. The governance burden shifts from advice to runtime control.

Q: What signals show that Claude Code or similar tools are operating outside governance boundaries?

A: Look for inconsistent model routing, missing prompt logs, unexplained token spend, tool access that differs by team, and sessions that bypass the central gateway. Those are signs that the organisation has multiple unmanaged policy paths rather than one controlled identity and data plane.
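The signals listed in this answer can be checked mechanically. The script below is an added example, not code from Kong or from the NHI Mgmt Group post: it scans two constructed log sources, workstation egress records and the gateway's own request log, and reports sessions that reach the model provider directly, sessions that reach the gateway but leave no prompt log, token spend far above a team baseline, and teams whose sessions are routed to more than one model. The host names, team names, baselines and the spike factor are assumptions.

```python
"""Detect Claude Code sessions running outside the AI gateway.

Added example; not code from the Kong analysis or the NHI Mgmt Group post.
Host names, teams, baselines and SPIKE_FACTOR are assumptions; the log
records are constructed for the demonstration.
"""
from collections import defaultdict

PROVIDER_HOST = "api.anthropic.com"            # assumed direct-provider host
GATEWAY_HOST = "ai-gateway.internal.example"   # assumed internal gateway host

# Constructed egress records: (workstation, destination host, session id)
EGRESS = [
    ("dev-laptop-01", GATEWAY_HOST, "s-100"),
    ("dev-laptop-02", PROVIDER_HOST, "s-200"),   # bypasses the gateway
    ("dev-laptop-03", GATEWAY_HOST, "s-300"),
    ("dev-laptop-04", PROVIDER_HOST, "s-400"),   # bypasses the gateway
    ("dev-laptop-05", GATEWAY_HOST, "s-600"),    # reaches gateway, no log record
]

# Constructed gateway request log: session id -> (team, model, total tokens)
GATEWAY_LOG = {
    "s-100": ("payments", "claude-sonnet", 42_000),
    "s-300": ("payments", "claude-opus", 910_000),   # far above baseline
    "s-500": ("platform", "claude-sonnet", 30_000),
}

# Assumed per-team baseline tokens per session; spend above
# SPIKE_FACTOR * baseline is treated as unexplained.
TEAM_BASELINE_TOKENS = {"payments": 50_000, "platform": 50_000}
SPIKE_FACTOR = 5


def direct_provider_sessions(egress):
    """Sessions whose traffic went straight to the provider, not the gateway."""
    return [(ws, sid) for ws, dest, sid in egress if dest == PROVIDER_HOST]


def sessions_without_prompt_logs(egress, gateway_log):
    """Sessions that reached the gateway host yet have no gateway log record."""
    return [sid for _, dest, sid in egress
            if dest == GATEWAY_HOST and sid not in gateway_log]


def token_spend_outliers(gateway_log, baselines, factor):
    """Sessions whose token spend exceeds factor x the team baseline."""
    return [(sid, team, tokens) for sid, (team, _, tokens) in gateway_log.items()
            if tokens > factor * baselines.get(team, 0)]


def inconsistent_model_routing(gateway_log):
    """Teams whose sessions were routed to more than one model."""
    models = defaultdict(set)
    for team, model, _ in gateway_log.values():
        models[team].add(model)
    return {team: sorted(m) for team, m in models.items() if len(m) > 1}


def findings():
    """All four signals in one report, suitable for a periodic governance review."""
    return {
        "direct_provider": direct_provider_sessions(EGRESS),
        "no_prompt_log": sessions_without_prompt_logs(EGRESS, GATEWAY_LOG),
        "spend_outliers": token_spend_outliers(GATEWAY_LOG, TEAM_BASELINE_TOKENS, SPIKE_FACTOR),
        "mixed_routing": inconsistent_model_routing(GATEWAY_LOG),
    }


if __name__ == "__main__":
    for signal, hits in findings().items():
        print(f"{signal}: {hits}")
```

In a real deployment the egress records would come from proxy or firewall logs and the gateway log from the gateway's own audit sink; the point is that each signal needs both sources, because a session that never touches the gateway is invisible to the gateway alone.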

Q: What should security teams do before expanding agentic coding to more developers?

A: Establish a common gateway, define what data the agent may send, decide which tools it may reach, and make audit logging mandatory from day one. If the programme cannot reconstruct a session and explain its access path, it is not ready for broad rollout.


Technical breakdown

Why agentic coding changes the identity problem

Claude Code is not just a prompt-and-response interface. It can inspect repositories, spawn subagents, execute shell commands, and iterate based on outputs, which means the identity layer is no longer only authenticating a person. It is mediating a stream of machine-generated requests that may carry source code, secrets, environment data, and tool actions. That changes the governance unit from user session to workflow session. When a system can independently shape what it sends to an API, policy has to address content, context, and downstream action, not just login state.

Practical implication: teams need policy controls that inspect and govern the full LLM request path, not just the developer account.

AI gateway enforcement for Claude Code traffic

An AI gateway sits between the client and the model provider to centralize authentication, token limits, logging, content filtering, and provider routing. In this pattern, Claude Code does not hold direct upstream keys for every environment and the gateway becomes the policy enforcement point for LLM traffic. That matters because the real governance risk is not only model access, but uncontrolled data exfiltration and inconsistent policy application across teams. The gateway model gives platform teams a way to apply common controls to all sessions, regardless of which developer workstation or IDE initiated them.

Practical implication: route Claude Code through a policy-enforcing gateway if you need auditability, redaction, and budget controls at scale.

MCP expands the governance surface beyond the model

Claude Code’s use of the Model Context Protocol extends the problem beyond model prompts into external tools and enterprise context. Once agents can reach into systems like Jira, Slack, file stores, or internal APIs, the governance question becomes which tools are reachable, what data can move, and how much context is exposed at each step. That is why MCP governance cannot be treated as a narrow integration issue. It is an access governance issue that combines identity, authorization, and data handling across multiple runtime systems.

Practical implication: treat MCP access as part of identity governance and review tool permissions with the same discipline used for privileged integrations.
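The gateway pattern in "AI gateway enforcement for Claude Code traffic" and the MCP allowlisting this section calls for can be shown together as one policy enforcement point. The code below is an added example, not Kong's gateway and not code from the NHI Mgmt Group post: a Claude Code session presents a gateway-issued key (never an upstream provider key), the gateway maps that key to a team, redacts secret-shaped content before anything is forwarded, enforces a per-session token budget, restricts which MCP tools the session may invoke, and records every decision for audit. The key names, teams, budgets, tool names and redaction patterns are assumptions.

```python
"""Minimal AI gateway policy enforcement point for agentic coding traffic.

Added example; not Kong's or the NHI Mgmt Group's code. Keys, teams, budgets,
tool names and the redaction patterns are assumptions made for the demo.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed: keys the gateway issues to teams. The upstream provider key is held
# only by the gateway (placeholder value, never a real credential).
GATEWAY_KEYS = {"gw-key-payments-1": "payments", "gw-key-platform-1": "platform"}
UPSTREAM_PROVIDER_KEY = "<upstream provider key held by the gateway>"

# Assumed per-team policy: token budget per session and MCP tool allowlist.
TEAM_POLICY = {
    "payments": {"token_budget": 100_000, "mcp_tools": {"jira.search", "repo.read"}},
    "platform": {"token_budget": 250_000, "mcp_tools": {"jira.search", "repo.read", "slack.post"}},
}

# Constructed secret-shaped patterns; a production gateway would use its
# scanner's full rule set.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)(api[_-]?key|token|password)\s*[:=]\s*['\"]?[^\s'\"]+"),
]


@dataclass
class Decision:
    allowed: bool
    reason: str
    team: Optional[str] = None
    redactions: int = 0
    forwarded_content: str = ""


@dataclass
class Gateway:
    audit_log: list = field(default_factory=list)
    spent: dict = field(default_factory=dict)     # session id -> tokens consumed

    def _audit(self, session_id, kind, decision, detail=""):
        """Record every decision, allowed or refused, as audit evidence."""
        self.audit_log.append({
            "session": session_id, "kind": kind, "team": decision.team,
            "allowed": decision.allowed, "reason": decision.reason,
            "redactions": decision.redactions, "detail": detail,
        })

    @staticmethod
    def redact(text):
        """Replace secret-shaped substrings; returns (clean_text, count)."""
        count = 0
        for pattern in SECRET_PATTERNS:
            text, n = pattern.subn("[REDACTED]", text)
            count += n
        return text, count

    def model_request(self, session_id, gateway_key, prompt, tokens):
        """Authenticate, budget-check and redact a model request."""
        team = GATEWAY_KEYS.get(gateway_key)
        if team is None:
            decision = Decision(False, "unknown gateway key")
        elif self.spent.get(session_id, 0) + tokens > TEAM_POLICY[team]["token_budget"]:
            decision = Decision(False, "session token budget exceeded", team)
        else:
            clean, n = self.redact(prompt)
            self.spent[session_id] = self.spent.get(session_id, 0) + tokens
            # Forwarding upstream with UPSTREAM_PROVIDER_KEY would happen here.
            decision = Decision(True, "forwarded via gateway", team, n, clean)
        self._audit(session_id, "model_request", decision, f"tokens={tokens}")
        return decision

    def tool_call(self, session_id, gateway_key, tool):
        """Allow an MCP tool invocation only if it is on the team's allowlist."""
        team = GATEWAY_KEYS.get(gateway_key)
        if team is None:
            decision = Decision(False, "unknown gateway key")
        elif tool not in TEAM_POLICY[team]["mcp_tools"]:
            decision = Decision(False, "tool not in team allowlist", team)
        else:
            decision = Decision(True, "tool allowed", team)
        self._audit(session_id, "tool_call", decision, tool)
        return decision


if __name__ == "__main__":
    gw = Gateway()
    d = gw.model_request("s-1", "gw-key-payments-1",
                         "Fix login; config has api_key = sk-abc123 and AKIAABCDEFGHIJKLMNOP", 60_000)
    print(d.forwarded_content, d.redactions)
    print(gw.tool_call("s-1", "gw-key-payments-1", "slack.post").reason)
```

Two design points carry over to a real gateway: the developer never sees the upstream key, so revoking a team's gateway key is enough to cut its model access, and refusals are logged alongside allowed calls, because a denied tool call is often the most useful evidence in an incident review.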


Threat narrative

Attacker objective: The objective is to move sensitive code, credentials, and business context out of governed boundaries while avoiding centralized visibility.

  1. Entry: The initial exposure occurs when Claude Code is allowed to operate directly against model endpoints without a centralized governance layer, creating an unmonitored session between developer context and the provider API.
  2. Escalation: As the session expands, the tool can send code, configuration, secrets, and operational context, while also reaching external systems through MCP and subagent activity.
  3. Impact: The result is data leakage, uncontrolled spend, weak auditability, and shadow AI fragmentation that make compliance and incident review difficult.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Claude Code governance is now an identity problem, not just a developer experience problem. Once a coding agent can read repositories, run commands, and call tools, the organisation is governing a non-human execution path that carries code, secrets, and business logic. That makes the control plane part of IAM, PAM, and data governance. The implication is that teams cannot keep treating agentic coding as a point solution sitting outside identity policy.

Centralised LLM governance is the missing control for enterprise-scale agentic coding. Without a gateway, every session becomes a separate policy exception with its own logging, filtering, budget, and routing behaviour. That is exactly the kind of fragmentation that creates shadow AI and audit failure. The implication is that organisations need one enforceable policy plane for model traffic before they allow broad Claude Code adoption.

LLM auditability is the new compliance boundary for AI-assisted development. Traditional access logs do not answer what was sent to the model, what context was exposed, or which downstream systems were reached. That leaves regulated teams unable to reconstruct AI-assisted changes with confidence. The implication is that security leaders should treat prompt and response logging as part of the evidence chain for software change control.

Claude Code plus MCP shows why tool access and model access can no longer be separated. The moment the agent can reach external services, governance shifts from model usage to cross-system delegation. That is where lifecycle reviews, access scope, and data exposure intersect. The implication is that engineering and identity teams must assess agent permissions as a unified access problem, not as isolated API integrations.

Agentic coding accelerates the collapse of the assumption that access can be reviewed after it is granted. Access review processes were designed for stable entitlements and identifiable owners. That assumption fails when an agent can create, route, and complete work across systems faster than a human review cycle can observe. The implication is that identity governance has to rethink what counts as a reviewable access event.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader view of the category risk, OWASP Agentic AI Top 10 helps teams map agent tool misuse and identity abuse into concrete controls.

What this signals

Agentic coding governance will increasingly converge with identity governance. The practical boundary is no longer the developer laptop or IDE. It is the managed path between an autonomous coding session, the model provider, and every tool the session can reach. Teams that already have centralized policy, logging, and access review processes will adapt faster because they can extend those controls to AI sessions rather than inventing a parallel model.

Runtime visibility will matter more than static approvals. If the organisation cannot see prompts, responses, token usage, and tool calls in one place, it cannot support either security investigations or compliance evidence. That is where the combination of gateway logging and governance policy becomes operationally essential, not optional.

Claude Code governance will also pressure secret-handling and workload identity practices. As AI-assisted development expands, teams will need to separate human access, service access, and model-mediated access more carefully. The organisations that do this early will reduce shadow AI, limit uncontrolled spend, and make their AI programmes more defensible under audit.


For practitioners

  • Route agentic coding traffic through a central AI gateway: require Claude Code sessions to traverse a policy enforcement point that handles authentication, logging, content filtering, and model routing before any request leaves the environment.
  • Separate developer identity from model authentication: do not let individual developers manage direct upstream credentials for model access. Issue and control access through shared, auditable service layers so entitlement ownership is visible and revocable.
  • Log prompts, responses, and tool calls as change evidence: capture request content, response metadata, model selection, and any tool invocation so compliance teams can reconstruct what the agent saw and did during a session.
  • Review MCP access as part of privileged integration governance: inventory every external tool reachable through MCP and apply approval, scope, and monitoring rules to those connections before developers expand agent use.
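The "log prompts, responses, and tool calls as change evidence" item, and the readiness test in the key questions ("if the programme cannot reconstruct a session and explain its access path, it is not ready"), both come down to rebuilding a session from gateway audit records. The script below is an added example, not from Kong or the NHI Mgmt Group post: it parses constructed JSON-lines audit records of the kind a gateway would emit (model requests, MCP tool calls, token usage, redaction counts) and reconstructs, per session, who started it, which models and tools were reached or refused, and what was spent; a session with no attributable user fails the readiness test. The field names and sample values are assumptions.

```python
"""Rebuild an agentic coding session's access path from gateway audit records.

Added example; not from the Kong analysis or the NHI Mgmt Group post. Field
names and the sample records are assumptions constructed for the demo.
"""
import json

# Constructed audit records, one JSON object per line. The last record has no
# "user" field, standing in for a session the gateway could not attribute.
AUDIT_LINES = """\
{"ts": "2026-03-07T09:00:01Z", "session": "s-42", "team": "payments", "user": "dev-alice", "kind": "model_request", "model": "claude-sonnet", "tokens": 1200, "redactions": 0, "allowed": true}
{"ts": "2026-03-07T09:00:09Z", "session": "s-42", "team": "payments", "user": "dev-alice", "kind": "tool_call", "tool": "repo.read", "allowed": true}
{"ts": "2026-03-07T09:00:15Z", "session": "s-42", "team": "payments", "user": "dev-alice", "kind": "tool_call", "tool": "slack.post", "allowed": false}
{"ts": "2026-03-07T09:00:20Z", "session": "s-42", "team": "payments", "user": "dev-alice", "kind": "model_request", "model": "claude-sonnet", "tokens": 8800, "redactions": 1, "allowed": true}
{"ts": "2026-03-07T09:01:00Z", "session": "s-43", "team": "platform", "user": "dev-bob", "kind": "model_request", "model": "claude-opus", "tokens": 500, "redactions": 0, "allowed": true}
{"ts": "2026-03-07T09:02:00Z", "session": "s-44", "team": "platform", "kind": "model_request", "model": "claude-sonnet", "tokens": 300, "redactions": 0, "allowed": true}
"""


def parse_audit(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def reconstruct(records):
    """Group records by session and summarise the access path of each."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r["session"], {
            "user": None, "team": None, "models": set(), "tools_reached": set(),
            "tools_refused": set(), "tokens": 0, "redactions": 0, "events": 0,
            "first_ts": r["ts"], "last_ts": r["ts"],
        })
        s["user"] = s["user"] or r.get("user")
        s["team"] = s["team"] or r.get("team")
        s["events"] += 1
        s["last_ts"] = max(s["last_ts"], r["ts"])   # ISO-8601 strings sort lexically
        if r["kind"] == "model_request" and r["allowed"]:
            s["models"].add(r["model"])
            s["tokens"] += r["tokens"]
            s["redactions"] += r["redactions"]
        elif r["kind"] == "tool_call":
            (s["tools_reached"] if r["allowed"] else s["tools_refused"]).add(r["tool"])
    for s in sessions.values():
        for key in ("models", "tools_reached", "tools_refused"):
            s[key] = sorted(s[key])
    return sessions


def unattributable_sessions(sessions):
    """Sessions that cannot be tied to both a user and a team: not audit-ready."""
    return sorted(sid for sid, s in sessions.items() if not (s["user"] and s["team"]))


def access_path(sessions, session_id):
    """One-line explanation of a session's access path for a reviewer."""
    s = sessions[session_id]
    return (f"{session_id}: {s['user'] or '<unattributed>'}/{s['team']} used "
            f"{', '.join(s['models'])}; reached {', '.join(s['tools_reached']) or 'no tools'}; "
            f"refused {', '.join(s['tools_refused']) or 'none'}; "
            f"{s['tokens']} tokens, {s['redactions']} redactions")


if __name__ == "__main__":
    sessions = reconstruct(parse_audit(AUDIT_LINES))
    for sid in sessions:
        print(access_path(sessions, sid))
    print("not audit-ready:", unattributable_sessions(sessions))
```

The reconstruction only works because every record carries the session id, the team, the user and the decision outcome; if the gateway drops any of those fields, the access path cannot be explained and the session should be treated as a governance gap rather than a benign logging quirk.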

Key takeaways

  • Claude Code turns AI-assisted development into a governed identity and data path, not just a productivity feature.
  • The core risk is not model quality, but unmonitored session traffic that can leak code, secrets, and compliance evidence.
  • A central AI gateway, backed by logging and access policy, is the control that makes enterprise rollout manageable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Agentic AI Top 10 | A1 | Claude Code can misuse tools and context through agentic workflows.
OWASP Non-Human Identity Top 10 | NHI-03 | The post centers on secrets, tokens, and non-human access paths.
NIST CSF 2.0 | PR.AC-4 | Central access control and monitoring are needed for model traffic.

Inventory and govern every non-human credential used by AI coding tools, then remove standing exposure.


Key terms

  • Agentic coding: A development pattern where an AI system can plan and execute code-related actions rather than only suggesting text. It may read repositories, run commands, edit files, and call tools, which makes it an operational identity and governance issue as much as a productivity feature.
  • AI gateway: A control layer placed between applications and model providers to manage authentication, routing, logging, filtering, and usage limits. In enterprise use, it becomes the enforcement point for policy, auditability, and provider abstraction across AI traffic.
  • MCP governance: The practice of controlling what tools, data, and permissions an AI agent can reach through the Model Context Protocol. It matters because MCP extends agent behaviour beyond the model into enterprise systems, where normal access and data rules must still apply.
  • Shadow AI: AI usage that happens outside approved governance, visibility, or policy controls. In practice, it creates fragmented access paths, inconsistent logging, and unmanaged data exposure, which makes compliance and incident response harder to execute reliably.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Kong: Governing Claude Code: How To Secure Agent Harness Rollouts with Kong AI Gateway. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org