TL;DR: 90% of enterprises are adopting AI agents and 79% expect full production rollout within three years, according to Kong. The real shift is that AI connectivity is becoming a control problem, not just an integration problem, and identity governance has to catch up, while 72% are already implementing formal governance layers.
NHIMG editorial — based on content published by Kong: The 2025 Kong Year in Review
By the numbers:
- Kong research found 90% of enterprises are adopting AI agents.
- 79% expect full production rollout within three years.
- 72% of organizations are already implementing formal governance layers.
Questions worth separating out
Q: How should security teams govern AI agents that consume APIs and event streams in real time?
A: Treat AI agents as governed machine actors, not just application clients.
Q: Why do AI gateways matter for IAM and NHI programmes?
A: AI gateways matter because they concentrate policy decisions for agent traffic, model calls, and downstream tool access in one place.
Q: What do organizations get wrong about governing MCP-based agent access?
A: The common mistake is assuming the agent is trusted once the session starts.
Practitioner guidance
- Map AI gateways to identity control objectives Define which policy decisions the gateway must enforce for agents, APIs, and event streams, including authentication, token limits, logging, and runtime authorization.
- Inventory every agent-facing integration path List all routes where agents can reach models, tools, and downstream APIs, then mark which ones share credentials, policies, or event subscriptions.
- Separate billing governance from access governance Treat metering and billing controls as adjacent to, but not a substitute for, identity and authorization policy.
What's in the full article
Kong's full year-in-review covers the operational detail this post intentionally leaves for the source:
- Version-level product notes for AI Gateway, MCP Gateway, Event Gateway, and Kong Identity
- Funding, office expansion, and organizational growth details tied to Kong's 2025 operating model
- Customer stories and summit highlights showing how teams are using the platform in practice
- References to the broader Kong content library on API management and agentic AI operations
👉 Read Kong's 2025 year in review on AI connectivity and agentic governance →
AI connectivity and agentic governance: what 2025 changed?
Explore further
AI connectivity is becoming the new identity control plane. Kong's year-in-review reflects a market shift that identity teams should already be planning for. The practical issue is not whether agents can connect to tools, but whether those connections can be governed with the same clarity that IAM expects from human and workload identities. Practitioner conclusion: treat AI connectivity as an identity governance domain, not an integration feature.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should own governance when AI, API, and billing controls converge?
A: Ownership should sit with a cross-functional model that includes IAM, platform security, and engineering, with clear accountability for policy, telemetry, and lifecycle management. Billing can inform usage and abuse detection, but it cannot replace identity governance. If no single team owns the runtime decisions, the control environment will drift as adoption grows.
👉 Read our full editorial: Kong's 2025 year in review shows the rise of AI connectivity