Context as a service: what it means for IAM and AI governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7305
Topic starter  

TL;DR: Gartner’s view that 50% of software providers will need to expose their context layer externally by 2029 frames context as a governable asset, not just data, according to Kong’s summary of the research. The real governance challenge is that AI connectivity expands access paths, monetisation pressure, and policy complexity faster than most IAM and API controls were built to handle.

NHIMG editorial — based on content published by Kong: Gartner Just Described the Platform Enterprises Need to Compete in the Context Economy, Kong Already Built It

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern AI agents that consume enterprise context?

A: Security teams should treat each AI agent as a distinct consumer identity with explicit entitlements, approved context classes, and lifecycle ownership.

Q: Why do MCP servers create new IAM and NHI governance risk?

A: MCP servers create risk because they expose structured context to non-human consumers through a standard protocol, which can outpace existing identity controls.

Q: What breaks when context access is managed like ordinary API traffic?

A: What breaks is the assumption that endpoint control is enough.

Practitioner guidance

  • Define context privilege as a governed entitlement: Classify which APIs, events, prompts, and MCP resources count as high-value context, then assign explicit owners, approvers, and review cadence for each access path.
  • Bind AI gateway policy to identity lifecycle: Require service accounts, agent identities, and partner consumers to be provisioned, reviewed, and offboarded through the same lifecycle process that governs other privileged access.
  • Separate discoverability from authorisation: Allow context to be searchable in a portal only when entitlement, purpose, and usage conditions are enforced at the point of consumption, not merely at registration.

What's in the full article

Kong's full article covers the operational detail this post intentionally leaves for the source:

  • Kong's mapping of Gartner recommendations to specific platform components such as AI Gateway, Konnect MCP Registry, Developer Portal, and Context Mesh.
  • The monetisation argument behind context delivery, including how metering and billing are positioned for internal chargeback and external revenue models.
  • The article's own explanation of how API traffic, event streams, and AI-native protocols fit into one managed context layer.
  • Kong's framing of why enterprises that keep context closed may be disintermediated at the context layer.

👉 Read Kong’s analysis of Gartner’s context-economy thesis and AI connectivity platform →
