TL;DR: AI traffic is shifting from human-facing API consumption to agent-to-agent token flows, making the traffic layer the new control point for security, governance, and performance as hypervolume growth accelerates, according to Kong. That re-centres identity decisions on access, routing, auditability, and blast-radius control instead of only API management.
NHIMG editorial — based on content published by Kong: The Age of AI Connectivity
Questions worth separating out
Q: How should security teams govern AI agent access to enterprise APIs?
A: Treat AI agent access as a machine identity problem, not a user-experience problem.
Q: Why do AI agents require different governance than human API consumers?
A: AI agents can discover, sequence, and repeat actions at machine speed, which makes their access patterns more dynamic than human-driven requests.
Q: What breaks when AI traffic is managed only through downstream services?
A: Controls fragment when each service tries to enforce its own policy, because the system loses a single view of identity, context, and blast radius.
Practitioner guidance
- Map AI traffic to a governed control plane Identify where prompts, tokens, MCP sessions, and model calls enter or leave the environment, then place policy enforcement and audit logging at those choke points so access is governed before it reaches downstream systems.
- Define blast-radius limits for agent-driven access Set explicit routing and permission constraints for agent sessions so a compromised workflow cannot fan out across multiple systems without containment or review.
- Separate human and machine access patterns Do not reuse approval flows built for people when designing access for agents.
What's in the full article
Kong's full blog post covers the architectural detail this post intentionally leaves for the source:
- Kong's framing of AI gateways as the traffic-layer control tower for prompts, tokens, and agent sessions.
- The article's own discussion of hypervolume scale, including why token throughput and latency are becoming economic variables.
- The reasoning behind its control-plane thesis for agentic AI, including routing, governance, and observability at the point of transit.
- Kong's examples of how MCP and future protocols fit into the emerging AI connectivity stack.
👉 Read Kong's analysis of AI connectivity and the agentic traffic layer →
AI connectivity and agent traffic: what IAM teams need to know?
Explore further
AI connectivity is becoming an identity governance problem, not just an infrastructure problem. The article is strongest when it describes the traffic layer as the place where security, observability, and policy meet. That framing matters because the same access decision can now be exercised by APIs, models, and agents in different combinations. Practitioners should read this as a signal that governance boundaries are shifting upward into the control plane.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How can teams tell whether their AI connectivity model is mature enough?
A: Look for three signals: you can trace every agent path, you can bound the tools each path can reach, and you can stop or isolate traffic without breaking the wider platform. If those three capabilities are missing, the organisation is still experimenting with AI access rather than governing it.
👉 Read our full editorial: AI connectivity is becoming the control plane for agentic traffic