By NHI Mgmt Group Editorial Team
Published 2025-10-31
Domain: Breaches & Incidents
Source: Kong

TL;DR: Agentic AI is moving from concept to working infrastructure, with projects spanning session memory, MCP integration, and autonomous rollback agents built on Kong AI Gateway, according to Kong. The signal is clear: API gateways are becoming identity and control points for agents, so governance has to move beyond simple request mediation.


At a glance

What this is: Kong’s hackathon highlighted working agentic AI projects that used API infrastructure to preserve context, integrate MCP, and automate rollback decisions.

Why it matters: It matters because agentic AI shifts governance pressure onto the API layer, where IAM, NHI, and autonomous controls now intersect.

👉 Read Kong's announcement of the 2025 Agentic AI Hackathon winners


Context

Agentic AI changes the governance problem because systems can now take initiative, call tools, and act across a session rather than simply respond to a request. That matters for identity teams because API gateways, MCP connections, session state, and rollback automation all become part of the access control surface, not just the application stack.

Kong’s hackathon is a useful signal because it shows how quickly agentic patterns are moving into operational tooling. The practical question for IAM, NHI, and platform teams is no longer whether agents will use infrastructure, but which controls will govern their decisions, memory, and delegated access boundaries.


Key questions

Q: How should organisations govern agentic AI systems that can call tools and act on their own?

A: Organisations should govern agentic AI as a runtime identity problem, not only an application feature. That means binding tool access to explicit scopes, logging every action chain, separating recommendation from execution, and reviewing what the agent can do within a session rather than only what it was granted at setup.

Q: Why do AI agents complicate existing IAM and NHI controls?

A: AI agents complicate IAM and NHI controls because they can combine memory, tools, and timing into a sequence that changes effective privilege during execution. Traditional controls often assume a stable identity boundary. When an agent can decide and act mid-session, the governance unit becomes the whole action chain, not a single authentication event.

Q: What breaks when session history is treated as harmless state in agentic systems?

A: Session history stops being harmless when it preserves decisions, tool references, or operational cues that influence later actions. In that case, the session becomes part of the access surface. Teams then lose visibility into how earlier context shapes later authorisation, which makes review and containment much harder.

Q: How do security teams decide whether an autonomous rollback agent has too much power?

A: Security teams should compare what the agent can observe, what it can recommend, and what it can execute. If one actor can monitor failures and trigger remediation without any independent containment layer, it has too much power. The safest pattern is to narrow actuation rights and preserve a separate human or policy checkpoint for high-impact actions.


Technical breakdown

Session state in agentic systems

Agentic applications often need durable context across requests, which is why session identifiers and stored conversation history matter. The technical shift is that identity is no longer just about authenticating a caller once. It also includes preserving state safely across multiple interactions, summarising context when needed, and making sure the session object does not become an uncontrolled privilege container. In practice, that means the gateway or adjacent control plane starts participating in governance decisions that used to sit only inside the app.

Practical implication: treat session persistence as part of the access boundary and define what state an agent may carry forward.

MCP integration and tool access

Model Context Protocol connects agents to tools and data sources, which makes it an identity and authorisation issue as much as an integration pattern. Once an LLM-powered agent converts natural language into structured queries, the main control question becomes which tools it can reach, what data scopes those tools expose, and how the gateway logs or constrains those actions. The risk is not just misuse of a single API call. It is uncontrolled composition of multiple calls that can widen effective privilege during a session.

Practical implication: inventory MCP-connected tools as governed identities and bind them to explicit scopes, logs, and approval paths.

Autonomous rollback and decision authority

An autonomous rollback agent is a governance problem because it can observe failures and act without waiting for human approval. That is materially different from scripted automation. The control challenge moves from preventing execution to defining when the agent may decide that a configuration is unsafe, what evidence it must collect, and how far rollback authority extends. For identity teams, this means operational privilege and runtime decision-making have to be reviewed together, not in separate silos.

Practical implication: separate observation rights from actuation rights so autonomous agents cannot exceed their intended rollback authority.
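As an added illustration of the three controls described above (it is not code from Kong or from any hackathon project), the following Python sketch keeps an inventory of MCP-connected tools bound to explicit scope tiers, records every decision in a per-session chain from which effective runtime privilege is derived, and allows an actuating call such as rollback execution only against a logged recommendation approved by a principal other than the agent. The tool names, the observe/recommend/actuate tiers, and the Approval record are assumptions for the example.

```python
from dataclasses import dataclass, field
# Constructed registry of MCP-connected tools and the scope tier each one requires.
# Tool names and tiers are hypothetical; a real inventory comes from the gateway.
TOOL_SCOPES = {
    "metrics.read":     "observe",
    "config.diff":      "observe",
    "rollback.plan":    "recommend",
    "rollback.execute": "actuate",
}

@dataclass
class Approval:
    approver: str     # principal who approved; must not be the agent itself
    tool: str         # the actuating tool this approval covers
    plan_index: int   # position in the session chain of the approved recommendation

@dataclass
class AgentSession:
    agent_id: str
    granted: set                                   # scopes granted at provisioning
    chain: list = field(default_factory=list)      # audit trail of every decision
    approvals: list = field(default_factory=list)  # checkpoints from a separate principal

    def effective_privilege(self) -> set:
        """Runtime privilege: scope tiers the agent has actually exercised so far."""
        return {e["scope"] for e in self.chain if e["allowed"]}

    def _has_independent_approval(self, tool: str) -> bool:
        for a in self.approvals:
            if a.tool != tool or a.approver == self.agent_id:
                continue  # self-approval is not an independent checkpoint
            if 0 <= a.plan_index < len(self.chain):
                plan = self.chain[a.plan_index]
                if plan["allowed"] and plan["scope"] == "recommend":
                    return True
        return False

    def authorize(self, tool: str) -> bool:
        """Gate one tool call; every outcome, allowed or denied, joins the chain."""
        scope = TOOL_SCOPES.get(tool)
        if scope is None:
            reason = "tool not in governed inventory"
        elif scope not in self.granted:
            reason = "scope not granted at provisioning"
        elif scope == "actuate" and not self._has_independent_approval(tool):
            reason = "actuation needs a logged recommendation approved by another principal"
        else:
            reason = "ok"
        self.chain.append({"tool": tool, "scope": scope, "allowed": reason == "ok", "reason": reason})
        return reason == "ok"
```

The chain is the reviewable artefact: effective_privilege() reports what the agent has actually done in the session, which is the runtime measure the sections above ask for rather than the provisioning-time grant.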



NHI Mgmt Group analysis

Agentic AI turns the API gateway into an identity governance control point. The hackathon’s strongest signal is not the novelty of the projects but the placement of trust at the gateway layer. When agents carry session memory, call tools through MCP, and trigger operational actions, the gateway becomes the place where identity, policy, and execution meet. Practitioners should treat API infrastructure as part of the identity perimeter, not just the transport layer.

Session history creates a new form of identity persistence that governance teams often overlook. A persistent session object can become an access container if teams do not define what state survives between requests. That changes the operational meaning of context, because the agent may carry forward prior decisions, references, and tool access cues that outlive the original user intent. The implication is that context retention must be governed like a credentialed capability, not like harmless application memory.

MCP-linked agents expose the runtime privilege composition problem. The issue is not a single permission but the way an agent can chain ordinary tools into a broader effective privilege set during execution. That is where conventional request-by-request controls start to lose explanatory power, because the risk emerges from sequence and combination. Security teams should understand that the control gap is in runtime composition, not merely in endpoint access.

Autonomous rollback shows why human review assumptions do not hold in agentic operations. Human-paced approvals were designed for operators who can interpret a failure, decide, and act in a visible workflow. That assumption fails when the actor is autonomous because the decision to roll back can happen inside the same operational window as the fault. The implication is that governance must be rethought around delegated decision boundaries, not around after-the-fact review alone.

Identity blast radius is now determined by the agent’s ability to chain decisions, not just by the original credential scope. In agentic environments, a narrow starting entitlement can still expand into a broad operational effect if the system can combine context, tools, and timing without human intervention. That makes blast-radius analysis a runtime exercise rather than a provisioning exercise. Practitioners should measure what an agent can actually do in session, not only what it was granted at onboarding.

From our research:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a practical governance baseline, see OWASP Agentic AI Top 10 for the runtime risks that should shape control design.

What this signals

Agentic programmes need policy before scale. With 92% of organisations saying AI agent governance is critical but only 44% having policies in place, the lag is already operational. Teams that are deploying agentic workflows without ownership, logging, and approval boundaries will discover that retrofitting governance is much harder than setting it upfront.

Session visibility is becoming a control plane requirement. If only 52% of companies can track and audit the data their AI agents access, then half the market is flying blind on breach investigation and compliance. That gap matters for IAM, IGA, and PAM teams because agent actions are only governable when the session trail is auditable end to end.

Runtime composition is the next access review blind spot. The problem is not just whether an agent has access, but whether it can assemble broader effective privilege during a live task. For teams mapping this to external guidance, OWASP Agentic AI Top 10 is the right lens for tool misuse, delegation, and scope drift.


For practitioners

  • Map agent session state to governance scope: Define which conversation history, summaries, and session identifiers an agent may retain across requests. Review whether session storage can carry forward tool access cues or context that should be expired sooner.
  • Register MCP-connected tools as governed access paths: List every tool exposed through MCP and assign an owner, scope, logging requirement, and review cadence. Treat each connected tool as a potential privilege boundary rather than a neutral integration.
  • Separate decision rights from actuation rights: For rollback, remediation, or other autonomous actions, define what the agent may observe, what it may recommend, and what it may execute. Keep actuation authority narrower than observation authority wherever possible.
  • Review agent behaviour at runtime, not just at provisioning: Test whether a deployed agent can combine ordinary permissions into a larger effective privilege during one session. Validate logs, traces, and approval paths against real execution chains rather than static policy documents.

Key takeaways

  • Kong’s hackathon winners show that agentic AI is already changing where identity and policy decisions need to live.
  • The practical risk is not only agent access, but the way session state, tool connections, and autonomous actions combine into broader effective privilege.
  • IAM and platform teams should govern agents at runtime, with explicit scopes, auditability, and separated actuation rights.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
OWASP Agentic AI Top 10        A1                    Agentic projects here use tools, memory, and autonomous actions.
NIST AI RMF                                          Autonomous rollback and decision-making require governance and accountability.
NIST Zero Trust (SP 800-207)   PR.AC-4               Gateway-mediated access and session control align with zero trust principles.

Define ownership, oversight, and escalation for autonomous agent actions under AI RMF GOVERN.


Key terms

  • Agentic AI: Agentic AI refers to software that can choose actions, use tools, and decide timing without requiring a human to approve each step. In identity terms, it introduces runtime governance questions about scope, delegation, and accountability that static access models do not answer cleanly.
  • Session State: Session state is the data retained across a sequence of interactions so a system can preserve context and continuity. For agentic systems, it can also carry forward decision cues and tool context, which makes it part of the governance surface rather than simple application memory.
  • Runtime Privilege: Runtime privilege is the effective access an identity can assemble while it is operating, not just the permissions it had at provisioning time. In agentic environments, it can expand through chained actions, tool calls, and context reuse, so teams must assess what the actor can do in session.
  • Model Context Protocol: Model Context Protocol is a way for AI systems to connect to external tools and data sources. When agents use it, the protocol becomes an identity and access concern because each connection can expose a governed capability, not just a technical integration point.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Kong: Announcing the winners of Kong Agentic AI Hackathon. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-31.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org