By NHI Mgmt Group Editorial Team
Published 2026-06-15
Domain: Announcements
Source: Kong

TL;DR: Existing gateway and WAF models assume payloads are understandable without semantic context, which autonomous workflows break, and Kong’s partnership with Noma centers on agentic AI runtime protection, combining traffic orchestration with AI-native guardrails to govern agents, MCP tools, and LLM flows in real time, according to Kong.


At a glance

What this is: Kong and Noma are positioning runtime AI security around unified governance for agent, MCP, and LLM traffic, with the key finding that conventional API and WAF controls miss AI-specific attack context.

Why it matters: For IAM, NHI, and AI governance teams, this matters because agentic runtime controls now sit at the intersection of identity, authorization, telemetry, and policy enforcement across autonomous workflows.



Context

Agentic AI security is the problem of governing systems that can act, select tools, and consume data across multiple services while still needing clear identity and policy boundaries. Kong’s article argues that the failure mode is not model quality alone, but the split between traffic orchestration, security context, and runtime enforcement in AI gateway architectures.

For identity teams, the important shift is that AI runtime now behaves like a governed execution layer rather than a simple application integration. That puts agent access, MCP tool use, and LLM traffic in the same control plane discussion as secrets, service accounts, and privileged workflows.

The article’s starting point is typical of the market: enterprises want agentic scale before they have agentic governance. That makes the integration discussion relevant beyond one vendor stack because the same control gap appears wherever AI systems are allowed to reach tools and data without unified runtime policy.


Key questions

Q: How should security teams govern AI agents that can call tools at runtime?

A: Security teams should govern agent tool use as a runtime authorization problem, not a static integration problem. Each tool call should inherit identity, policy, and context from the session that initiated it, with explicit controls for scope, data access, and allowed actions. If the agent can change tools dynamically, the policy must remain stable across that sequence.

Q: Why do AI gateways matter for agentic AI security?

A: AI gateways matter because they become the enforcement point where traffic, identity, and policy converge. In agentic environments, the gateway is not only routing requests. It is also deciding whether an agent may reach a tool, expose data, or continue a session after the risk context changes.

Q: What do security teams get wrong about prompt injection in enterprise AI?

A: Teams often treat prompt injection as a content-filtering problem, when it is really a control problem. The risk is not only that a model says the wrong thing. It is that manipulated instructions can cause tool abuse, data leakage, or unsafe actions across the wider runtime.

Q: What should organisations do before expanding autonomous AI workflows?

A: Organisations should prove that governance is enforced consistently across agents, tools, and models before they expand deployment. That means testing policy distribution, inventorying shadow AI connections, and confirming that runtime blocks happen before the action executes, not during cleanup.


How it works in practice

Why AI gateways need semantic context

Traditional API gateways and WAFs inspect requests structurally, but agentic AI traffic often needs semantic context to determine intent, tool use, and data sensitivity. Prompt injection, malicious output shaping, and unauthorized tool invocation can look like ordinary traffic unless the control layer understands the meaning of the exchange, not just the packet or token. That is why AI-native security layers pair policy decisions with runtime inspection, behavioral analysis, and context-aware enforcement. In practice, the gateway becomes a decision point for identity, authorization, and content risk at the same time.

Practical implication: security teams need controls that evaluate AI requests in context, not only route or filter them.

How MCP and A2A flows change the identity problem

Model Context Protocol shifts risk from simple model calls to tool access, because the agent can discover and invoke external capabilities during the session. A2A flows add another layer, where one agent’s output becomes another agent’s input, multiplying the importance of mediation and normalization. Once the agent is the runtime decision-maker, identity is no longer limited to authenticating a caller. The control problem becomes whether the agent is allowed to select, chain, and execute actions against tools and peers without losing policy state.

Practical implication: teams should treat MCP servers and agent-to-agent paths as governed identity surfaces, not just integration plumbing.

Why centralized policy distribution matters for AI runtime

The article describes a control plane that pushes configuration to data-plane nodes so policies stay consistent across gateways, clusters, and traffic types. That matters because agentic systems fail fastest when security decisions are fragmented across separate tooling for models, APIs, and runtime monitoring. Centralized governance reduces drift, but only if the policies themselves are specific enough to distinguish normal model use from tool abuse, unsafe outputs, or shadow AI connections. Without that, scale simply multiplies inconsistent enforcement.

Practical implication: standardise AI policy distribution across environments before expanding agent deployment.


NHI Mgmt Group analysis

Agentic AI runtime security is now an identity governance problem, not just an application security problem. Kong’s framing is accurate because the control surface is no longer limited to model prompts or API endpoints. Once agents can reach tools, data, and peers, the question becomes who or what is allowed to act at runtime and under which policy state. Practitioners should treat AI gateways as part of the identity control plane, not a separate security layer.

Semantic context is the missing control in most gateway architectures. Traditional API security assumes the meaning of traffic is either obvious or irrelevant. That assumption fails when the payload itself can instruct a model, trigger a tool, or alter downstream behaviour. The implication is that runtime policy must understand AI intent and tool context, not just authenticate transport and rate limit traffic.

Shadow AI is a governance failure mode created by fragmented control planes. When teams manage AI services, model access, and security enforcement in separate systems, they lose visibility into unauthorized LLM connections and unsanctioned agent workflows. This is not a tooling inconvenience; it is a structural governance gap that makes policy unenforceable. Practitioners should treat undiscovered AI connections as a control-plane deficiency, not an inventory nuisance.

Runtime guardrails only work when they are enforced before execution, not after observation. The article’s core claim is that proactive defense must intervene while the interaction is still in flight. That is the right model for agentic systems because post-event review cannot undo an unauthorized tool call or a leaked prompt context. Security teams should assume that delayed detection is insufficient for autonomous workflows.

Dynamic tool discovery creates identity blast radius across the AI stack. When agents can discover and consume tools through MCP, access scope is no longer fixed at provisioning time. That increases the blast radius of any single trust decision because one session can reach multiple systems through chained integrations. Practitioners should re-evaluate how they define least privilege for agent workflows across both NHI and autonomous contexts.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • That governance gap becomes more urgent as agent deployment scales, which is why OWASP Agentic AI Top 10 is useful for framing the runtime controls practitioners need next.

What this signals

Shadow AI discovery needs to move from asset management into identity governance. When developers can spin up unauthorized LLM connections, the problem is not just missing inventory. It is missing authority over which runtime identities are allowed to create new AI pathways at all. Teams should expect discovery programmes to become a prerequisite for agent governance, not a separate housekeeping exercise.

Runtime policy needs to be verified under real traffic, not just in design reviews. Agentic systems fail at the point where a policy is supposed to stop a tool call, leak, or unsafe output, so synthetic validation matters more than paper controls. That is why AI runtime security should be measured with live enforcement tests and not only control documentation.

With 52% of companies able to track and audit the data their AI agents access, the remaining 48% face a compliance problem that is already operational. That gap should push security teams toward closer alignment with NIST AI Risk Management Framework governance expectations and agent logging requirements before deployment widens the blind spot.


For practitioners

  • Define runtime policy for agent workflows: Map every AI agent, MCP server, and LLM path to an explicit policy owner, then require approval for any tool or data connection that is not already in the governed inventory.
  • Separate model access from tool access decisions: Treat model selection, tool invocation, and data exposure as distinct authorization events so one permission does not silently grant the others.
  • Instrument shadow AI detection at the control plane: Monitor for unauthorized LLM connections, unregistered gateways, and agent traffic that bypasses central configuration distribution.
  • Validate AI runtime policies before scale-out: Test whether prompt injection, tool abuse, and unsafe outputs are blocked in real traffic patterns before broad deployment increases the blast radius.
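The runtime authorization model described in the Q&A and the "Separate model access from tool access decisions" item above, as an added illustration that is not part of the original post or of Kong's or Noma's products: every tool call an agent selects mid-session is checked against the policy state the session started with, and model selection, tool invocation, and data exposure are three distinct decisions evaluated before execution. The policy shape, tool inventory, and session values are constructed for the example.

```python
from dataclasses import dataclass

# Constructed example: session-scoped authorization for agent tool calls.
# Hypothetical policy shape, not Kong's or Noma's own policy format.
@dataclass(frozen=True)
class AgentSession:
    agent_id: str
    allowed_models: frozenset
    allowed_tools: frozenset
    data_scopes: frozenset   # data the session may touch, e.g. "customer:read"
    max_chain_depth: int     # bound on chained tool/agent hops in one session

# Constructed MCP tool inventory: each governed tool declares the scope it
# needs. A tool the agent discovers at runtime but absent here is ungoverned.
TOOL_INVENTORY = {
    "crm.lookup_customer": "customer:read",
    "crm.export_customers": "customer:export",
    "mail.send_external": "mail:external",
}

def authorize_model(s, model):
    """Model selection is its own authorization event (reason used on denial)."""
    return model in s.allowed_models, f"model {model} not permitted for {s.agent_id}"

def authorize_tool(s, tool, chain_depth):
    """Tool invocation is a separate decision. Policy state comes from the
    session that started the chain, not from whichever tool the agent picked."""
    if tool not in TOOL_INVENTORY:
        return False, f"tool {tool} not in governed inventory"
    if tool not in s.allowed_tools:
        return False, f"tool {tool} not permitted for {s.agent_id}"
    if chain_depth > s.max_chain_depth:
        return False, f"chain depth {chain_depth} exceeds {s.max_chain_depth}"
    return True, f"tool {tool} ok"

def authorize_data(s, scope):
    """Data exposure is the third decision; a tool permission does not imply it."""
    return scope in s.data_scopes, f"scope {scope} not granted to {s.agent_id}"

def evaluate_tool_call(s, model, tool, chain_depth=1):
    """Run all three checks before the call executes; the first failure blocks it."""
    for ok, why in (authorize_model(s, model), authorize_tool(s, tool, chain_depth)):
        if not ok:
            return False, why
    ok, why = authorize_data(s, TOOL_INVENTORY[tool])
    return (True, "allowed") if ok else (False, why)

# Constructed session: a support agent that may read customers and is registered
# for the external-mail tool, but was never granted the mail:external data scope.
SUPPORT_AGENT = AgentSession("support-agent-7", frozenset({"gpt-support"}),
                             frozenset({"crm.lookup_customer", "mail.send_external"}),
                             frozenset({"customer:read"}), max_chain_depth=2)
```

A gateway plugin would call `evaluate_tool_call` on every tool invocation in the session and return the denial reason to the agent without forwarding the request, so the block happens before the action rather than during cleanup.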

Key takeaways

  • Agentic AI expands the identity control surface because runtime decisions now include tool access, data exposure, and inter-agent communication.
  • The practical risk is not just model misuse. It is governance fragmentation that leaves shadow AI, prompt injection, and unauthorized actions outside enforceable policy.
  • Security teams need runtime enforcement that can inspect context before execution; otherwise autonomous workflows will outrun post-event review.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                | Control / Reference | Relevance
-------------------------|---------------------|-------------------------------------------------------------------------
OWASP Agentic AI Top 10  | A1                  | Agent tool misuse and runtime abuse are central to this article.
NIST AI RMF              |                     | AI governance and accountability are needed for autonomous runtime decisions.
NIST CSF 2.0             | PR.AC-4             | Least-privilege and access governance apply to AI agents and their tools.

Assign governance owners, monitoring, and escalation paths for every autonomous AI workflow.


Key terms

  • Agentic AI runtime security: Security controls that govern AI agents while they are selecting actions, using tools, and moving data in live sessions. It combines identity, policy, telemetry, and behavioural enforcement so the system can intervene before unsafe actions complete.
  • MCP flow: The communication path between an AI agent and external tools or services through the Model Context Protocol. In practice, it is the point where agent intent becomes tool access, making authorization, validation, and logging essential for governance.
  • Shadow AI: Undiscovered or unmanaged AI systems operating outside formal governance. In agentic environments, shadow AI includes unapproved LLM connections, agents, and integrations that can reach data or tools without central policy control.
  • Runtime guardrail: A control that evaluates and blocks AI behaviour during execution rather than after the fact. For autonomous systems, runtime guardrails matter because post-event review cannot undo a leaked prompt, an unsafe tool call, or a misrouted action.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or operational governance, it is worth exploring.

This post draws on content published by Kong: Kong and Noma Partner to Deliver Advanced Agentic AI Security and Runtime Protection. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-15.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org