TL;DR: Palo Alto Networks is integrating Portkey’s AI Gateway into Prisma AIRS to unify control of autonomous AI agents, with the acquisition framed around secure governance and operationalisation of agentic systems. The real issue is that autonomous behaviour stretches identity and policy assumptions beyond what static IAM and point controls can reliably contain.
At a glance
What this is: Palo Alto Networks is folding Portkey’s AI Gateway into Prisma AIRS to unify governance for autonomous AI agents.
Why it matters: Practitioners now have to govern agent behaviour, tool access, and policy enforcement as one identity problem spanning the human, NHI, and autonomous control planes.
Context
AI agents change the identity problem because they do not just authenticate, they initiate actions, select tools, and reach into data and systems at runtime. That shifts governance from static access provisioning to continuous control over what an agent can do, when it can do it, and which data it can touch.
The acquisition of Portkey by Palo Alto Networks signals that AI agent governance is moving into the mainstream security stack. For IAM, IGA, PAM, and NHI teams, the question is no longer whether to treat agents as identities, but which controls can actually keep pace with their runtime behaviour.
Key questions
Q: How should security teams govern autonomous AI agents in enterprise environments?
A: Security teams should govern autonomous AI agents as runtime identities, not as simple applications. That means enforcing task-scoped permissions, controlling tool access at the point of action, and maintaining audit trails for every decision and downstream effect. If the agent can change actions mid-session, governance must move with it rather than relying on static provisioning or periodic review.
Q: Why do autonomous agents complicate least privilege and access review models?
A: Autonomous agents complicate least privilege because their intent is not fixed at provisioning time. They may select tools and access paths dynamically, so traditional role design and access reviews cannot fully predict or certify future behaviour. The result is a governance gap between what was approved and what the agent actually did during execution.
Q: What breaks when AI agent permissions are managed like ordinary service accounts?
A: What breaks is the assumption that access patterns are stable and human-readable in advance. Autonomous agents can chain actions, move across systems, and generate new execution paths based on context. Managing them like ordinary service accounts leaves runtime decisions under-governed and increases the chance of unintended data access or system impact.
Q: Who should own accountability for AI agent governance and policy enforcement?
A: Accountability should sit with the teams that can see both identity intent and operational execution, usually IAM, PAM, and cloud security functions working together. If ownership is split too loosely, no one can answer for tool access, policy exceptions, or incident reconstruction. Clear governance is as important as technical enforcement.
How it works in practice
Why AI gateway controls sit inside the identity plane
An AI gateway is not just traffic mediation. In agentic systems, it becomes a control point for prompt routing, tool invocation, policy checks, logging, and data exposure boundaries. That makes it part of the identity plane because the gateway governs what the agent can access and under what conditions. If those checks are only applied at session start, they miss the runtime decisions that make autonomous agents different from ordinary workloads. The architectural issue is not visibility alone. It is whether identity policy can be enforced at the moment the agent chooses an action.
Practical implication: place agent policy enforcement where tool calls and data access actually happen, not only where sessions begin.
Policy-based least privilege for autonomous agents
Least privilege for autonomous agents cannot be defined once and assumed stable. An agent may branch across tools, datasets, and workflows based on context, which means privilege has to be scoped to task, intent, and time. Traditional entitlements models often assume the access pattern is known in advance, but agentic behaviour breaks that assumption. The more the agent can decide at runtime, the more policy has to constrain action paths rather than broad access tiers. This is where human IAM abstractions stop being sufficient on their own.
Practical implication: define agent permissions around task-scoped actions and bounded tool sets, not broad role assignments.
Auditability and blast radius in agentic workflows
Agent governance depends on traceability. If an agent can query data, call tools, and chain actions without a durable audit trail, incident response becomes guesswork. The key architectural question is whether you can reconstruct what the agent accessed, why it acted, and which downstream systems were touched. That matters because blast radius in agentic systems is usually created by chained decisions, not one large action. Control planes that capture only the final outcome miss the intermediate steps that matter for containment, review, and accountability.
Practical implication: require end-to-end audit trails for every agent action, including tool selection, data access, and downstream effects.
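The three practical implications above (enforce at the point of action, scope privilege to the task, and keep an action-level trail) describe one enforcement path. The following is an added example written for this page, not Portkey, Prisma AIRS or Protect AI code: a minimal runtime gate that re-evaluates every tool call against a task-scoped permission set with an expiry and a call budget, and records each decision so the chain can be reconstructed afterwards. The `TaskScope` fields, the tool names (`ticket.read`, `crm.export`, and so on), the data classifications, and the call sequence are all constructed assumptions for the illustration.

```python
"""Runtime policy gate for an AI agent's tool calls (illustrative, constructed)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TaskScope:
    """Permissions bound to one unit of work, not to the agent as a whole (assumed shape)."""
    task_id: str
    allowed_tools: frozenset      # tools this task may invoke
    allowed_data: frozenset       # data classifications this task may touch
    expires_at: int               # unix time; the scope is dead from this moment
    max_calls: int = 20           # budget on chained actions; attempts count, allowed or not


@dataclass
class ToolCall:
    tool: str
    data_class: Optional[str]     # None for tools that touch no data
    args: dict = field(default_factory=dict)


@dataclass
class AuditRecord:
    seq: int
    task_id: str
    tool: str
    data_class: Optional[str]
    decision: str                 # "allow" or "deny"
    reason: str
    ts: int


class AgentGateway:
    """Decides each tool call at the moment of action and logs the decision.

    Nothing is cached from session start: expiry, budget, tool and data scope
    are re-checked on every invocation, which is what makes the control hold
    when the agent branches mid-session.
    """

    def __init__(self, scope: TaskScope):
        self.scope = scope
        self.audit: list[AuditRecord] = []

    def _decide(self, call: ToolCall, now: int) -> tuple[str, str]:
        s = self.scope
        if now >= s.expires_at:
            return "deny", "task scope expired"
        if len(self.audit) >= s.max_calls:
            return "deny", "call budget for task exhausted"
        if call.tool not in s.allowed_tools:
            return "deny", f"tool {call.tool!r} not in task scope"
        if call.data_class is not None and call.data_class not in s.allowed_data:
            return "deny", f"data class {call.data_class!r} not in task scope"
        return "allow", "within task scope"

    def invoke(self, call: ToolCall, now: int) -> bool:
        """Gate one call; returns True only if the action may proceed. Always audited."""
        decision, reason = self._decide(call, now)
        self.audit.append(AuditRecord(
            seq=len(self.audit) + 1, task_id=self.scope.task_id, tool=call.tool,
            data_class=call.data_class, decision=decision, reason=reason, ts=now))
        return decision == "allow"

    def reconstruct(self) -> list[str]:
        """Ordered trace of every decision, the artefact incident response needs."""
        return [f"{r.seq}:{r.tool}:{r.data_class or '-'}:{r.decision}:{r.reason}"
                for r in self.audit]


def run_sample() -> list[str]:
    """Constructed sequence: a 'summarise a support ticket' task that drifts off-task."""
    scope = TaskScope(
        task_id="task-42",
        allowed_tools=frozenset({"ticket.read", "llm.summarise", "ticket.comment"}),
        allowed_data=frozenset({"support-ticket"}),
        expires_at=1_700_000_600,
        max_calls=4,
    )
    gw = AgentGateway(scope)
    t0 = 1_700_000_000
    sequence = [
        ToolCall("ticket.read", "support-ticket", {"id": 7}),     # in scope
        ToolCall("llm.summarise", None),                          # in scope, no data
        ToolCall("crm.export", "customer-pii", {"all": True}),    # off-task tool
        ToolCall("ticket.read", "customer-pii", {"id": 8}),       # allowed tool, wrong data
        ToolCall("ticket.comment", "support-ticket", {"id": 7}),  # in scope, but budget spent
    ]
    for i, call in enumerate(sequence):
        gw.invoke(call, now=t0 + i * 10)
    # Once the scope has expired, even an in-scope call is refused.
    gw.invoke(ToolCall("ticket.read", "support-ticket", {"id": 7}), now=scope.expires_at)
    return gw.reconstruct()


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Two design points are worth noting. The audit entry is written for denied calls as well as allowed ones, because the attempts an agent makes outside its scope are often the most useful signal during reconstruction. And the call budget counts attempts rather than successes, so a looping agent cannot keep probing for a permitted path at no cost; once the budget is spent, legitimate work needs a fresh, explicitly issued scope rather than a silently extended one.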
NHI Mgmt Group analysis
AI gateway governance is becoming the control layer where agent identity and policy collide. The acquisition shows that runtime mediation is now being treated as a security primitive, not a convenience feature. That matters because autonomous agents do not fit neatly into static IAM or pure application security controls. The practitioner implication is that agent governance has to sit at the point where action is decided and executed, not only where access is initially granted.
Least privilege for autonomous agents is not a role design problem, it is a runtime constraint problem. Agent sessions can branch across tools and data sources in ways that provisioning-time models cannot predict. The implication is that teams must stop assuming that an agent's future intent can be captured fully in advance. This is the same structural issue that makes classic entitlement review incomplete for autonomous behaviour.
Identity does not stay bounded long enough for periodic review when the actor is autonomous. Access review cadences were designed for access that persists long enough to be observed and certified. That assumption fails when an agent can acquire permissions, use them, and release them within one session or workflow path. The implication is that governance must move from periodic certification toward continuous enforcement and traceable execution controls.
Agent gateway consolidation signals a market shift from point tools to unified control planes. Security buyers are likely to face pressure to map agent governance into broader identity and security platforms rather than managing it as a niche add-on. That complicates existing operating models because IAM, PAM, and cloud security teams will need a shared view of policy, telemetry, and exception handling. The practitioner implication is to re-evaluate ownership before control sprawl becomes the new blind spot.
Portkey’s integration into a security platform underscores a broader category change: AI agent governance is now part of identity architecture. That does not mean every agent needs a separate stack, but it does mean identity programmes can no longer treat agent controls as experimental. The field is moving toward policy, audit, and containment patterns that must work across human users, NHIs, and autonomous systems. Practitioners should plan for convergence rather than parallel governance silos.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- The same survey reports an incident rate of 17% for least-privileged AI access, compared with 76% for over-privileged systems.
- That gap is why practitioners should read the OWASP NHI Top 10 alongside agent gateway design: runtime policy and privilege scope now determine containment.
What this signals
Privilege inflation is already the default risk pattern in agentic environments. With 70% of organisations granting AI systems more access than human employees, the governance problem is no longer theoretical. The practical response is to treat agent entitlement design as a core IAM and PAM workload, not an experimental AI project.
Agent gateway programmes need to be designed for containment, not just orchestration. If a control plane can mediate tool calls but cannot prove what data was touched or what actions followed, the audit story is incomplete. That is where alignment with NIST AI Risk Management Framework principles becomes operationally useful.
Identity teams should expect agent controls to converge with zero trust patterns. The next phase is not simply more visibility, but continuous enforcement across identity, data, and execution paths. CSA MAESTRO agentic AI threat modeling framework is a useful lens for understanding why the control boundary has shifted.
For practitioners
- Map agent governance to the identity control plane: Identify where AI agents are created, what tools they can call, which data they can reach, and where policy is actually enforced during runtime. Treat the gateway, the workflow engine, and the identity layer as one control path rather than separate concerns.
- Bound agent privileges to task scope: Replace broad agent entitlements with narrow, task-scoped permissions that expire with the work unit. Review whether the agent can branch into systems that were never required for the declared task, especially where sensitive data or administrative actions are involved.
- Require full action-level audit trails: Log prompt context, tool selection, data access, and downstream effects in a way that supports incident reconstruction. If a security team cannot explain an agent's sequence of actions after the fact, the control design is incomplete.
- Align IAM, PAM, and cloud teams on ownership: Assign clear accountability for agent policy, exception handling, and containment before deployment scales. Avoid splitting control ownership so far that no team can answer for an agent's access path end to end.
Key takeaways
- Palo Alto Networks’ Portkey acquisition reflects a broader shift: autonomous AI agents now need identity-style governance at runtime, not only static application controls.
- The core failure mode is privilege inflation, with agentic systems often granted broader access than comparable human users and then left under-governed during execution.
- Practitioners should focus on task-scoped policy, action-level auditability, and shared accountability across IAM, PAM, and cloud teams before agent sprawl expands further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while the NIST AI RMF and NIST Zero Trust Architecture (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | Tool misuse and privilege abuse categories | Agent gateways and tool-use policy map directly to autonomous agent abuse patterns. |
| NIST AI RMF | Govern, Map, Measure, Manage functions | Agent governance needs lifecycle, accountability, and measurement controls for autonomous behaviour. |
| NIST Zero Trust Architecture (SP 800-207) | Zero trust tenets (per-session access, dynamic policy) | Continuous verification and least privilege are central to controlling agent access. |
Common control objective across all three: constrain agent tool use, decision paths, and escalation surfaces with runtime policy enforcement.
Key terms
- AI Gateway: A control layer that mediates how an AI agent reaches tools, data, and downstream services. In practice it can enforce policy, log activity, and block unsafe requests, but it only works if those checks happen at runtime, not just when the session starts.
- Autonomous AI Agent: A software identity that can decide what to do, select tools, and choose when to act without a human approval gate for each step. That autonomy changes governance because the access path can evolve during execution, making static entitlement models insufficient on their own.
- Task-scoped Privilege: Access limited to the exact work a system needs to complete, with no persistent standing permission beyond the task boundary. For autonomous agents, this has to be enforced dynamically because the relevant scope can change as the agent branches across tools or workflows.
- Action-level Audit Trail: A record that captures what an identity did, which tools it used, what data it accessed, and what changed as a result. For AI agents, action-level tracing is essential because incident response depends on reconstructing the sequence of runtime decisions, not just the final outcome.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Protect AI: Securing and Governing AI Agents At Scale Through a Unified AI Gateway. Read the original.
Published by the NHIMG editorial team on 2026-05-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org