Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Context as a service: what it means for IAM and AI governance


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Gartner’s view that 50% of software providers will need to expose their context layer externally by 2029 frames context as a governable asset, not just data, according to Kong’s summary of the research. The real governance challenge is that AI connectivity expands access paths, monetisation pressure, and policy complexity faster than most IAM and API controls were built to handle.

NHIMG editorial — based on content published by Kong: Gartner Just Described the Platform Enterprises Need to Compete in the Context Economy, Kong Already Built It

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern AI agents that consume enterprise context?

A: Security teams should treat each AI agent as a distinct consumer identity with explicit entitlements, approved context classes, and lifecycle ownership.

Q: Why do MCP servers create new IAM and NHI governance risk?

A: MCP servers create risk because they expose structured context to non-human consumers through a standard protocol, which can outpace existing identity controls.

Q: What breaks when context access is managed like ordinary API traffic?

A: What breaks is the assumption that endpoint control is enough.

Practitioner guidance

  • Define context privilege as a governed entitlement Classify which APIs, events, prompts, and MCP resources count as high-value context, then assign explicit owners, approvers, and review cadence for each access path.
  • Bind AI gateway policy to identity lifecycle Require service accounts, agent identities, and partner consumers to be provisioned, reviewed, and offboarded through the same lifecycle process that governs other privileged access.
  • Separate discoverability from authorisation Allow context to be searchable in a portal only when entitlement, purpose, and usage conditions are enforced at the point of consumption, not merely at registration.

What's in the full article

Kong's full article covers the operational detail this post intentionally leaves for the source:

  • Kong's mapping of Gartner recommendations to specific platform components such as AI Gateway, Konnect MCP Registry, Developer Portal, and Context Mesh.
  • The monetisation argument behind context delivery, including how metering and billing are positioned for internal chargeback and external revenue models.
  • The article's own explanation of how API traffic, event streams, and AI-native protocols fit into one managed context layer.
  • Kong's framing of why enterprises that keep context closed may be disintermediated at the context layer.

👉 Read Kong’s analysis of Gartner’s context-economy thesis and AI connectivity platform →

Context as a service: what it means for IAM and AI governance?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Context access is becoming an identity problem, not just an integration problem. Once context is distributed through MCP servers, AI gateways, and event streams, the question is no longer whether systems can connect. The question is which identities can consume which context, and how that access is governed over time. That shifts ownership from integration teams alone to IAM, NHI, and platform security together. Practitioners should treat context exposure as an entitlement surface.

A few things that frame the scale:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.

A question worth separating out:

Q: How can organisations monetise context without weakening governance?

A: Organisations should only monetise context when access control, metering, and audit records are aligned. If billing says one thing and security logs say another, the business cannot prove who consumed what, when, or under which entitlement. That creates compliance risk and revenue leakage at the same time.

👉 Read our full editorial: Kong’s context-economy thesis raises new AI connectivity governance risks



   
ReplyQuote
Share: