MCP proxy control for AI agents: what IAM teams should change


Posted by @lalit (topic starter)

TL;DR: Secure AI agents need a layered control plane around MCP, data orchestration, and gateway enforcement so models cannot reach raw APIs or bypass policy, according to Kong. The real governance issue is that agent security depends on protocol boundaries, not on trusting the model to behave correctly.

NHIMG editorial — based on content published by Kong: Building Secure AI Agents with Kong's MCP Proxy and Volcano SDK

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should security teams govern AI agents that access internal APIs?

A: Security teams should govern AI agents by placing authentication, authorisation, rate limiting, and logging at the tool boundary rather than trusting the model.

Q: Why do AI agents complicate existing IAM and PAM controls?

A: AI agents complicate IAM and PAM because they can invoke tools dynamically, chain actions quickly, and operate without a human deciding each step.

Q: What breaks when an LLM can call raw backend APIs directly?

A: Direct API access removes the sanitised boundary that prevents an agent from seeing schemas, guessing parameters, or reaching services it was never meant to use.

Practitioner guidance

  • Place agent traffic behind a policy enforcement point: route all MCP and tool calls through a gateway that can authenticate the caller, enforce authorisation, apply rate limits, and log each request for later review.
  • Expose task-specific capabilities, not raw APIs: create sanitised data and function views for agents so they consume only approved operations instead of discovering backend schemas or calling production services directly.
  • Separate orchestration from business logic: keep agent runtime logic, data transformation, and security enforcement in distinct layers so changes in one layer do not silently expand access in another.
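The guidance above, as an added illustration that is not part of Kong's code or the original post: a minimal MCP `tools/call` gateway that authenticates the caller, authorises per tool from a sanitised catalogue, rate-limits, and records an audit entry for every decision. Tokens, agent ids, tool names and limits are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample policy (assumption, not Kong's API): which agent identity
# may call which sanitised tool, and how many calls per minute it gets.
API_TOKENS = {"tok-support-agent": "support-agent", "tok-billing-agent": "billing-agent"}
POLICY = {
    "support-agent": {"tools": {"lookup_ticket", "summarise_ticket"}, "per_minute": 3},
    "billing-agent": {"tools": {"get_invoice"}, "per_minute": 10},
}
# Only task-specific capabilities are registered; raw HTTP/SQL access is never exposed.
TOOLS = {
    "lookup_ticket": lambda a: {"ticket": a["id"], "status": "open"},
    "summarise_ticket": lambda a: {"summary": f"ticket {a['id']} summarised"},
    "get_invoice": lambda a: {"invoice": a["id"], "total": 42.0},
}

class MCPGateway:
    """Policy enforcement point sitting between the model and MCP tools."""
    def __init__(self, now=time.monotonic):
        self.now = now
        self.calls = defaultdict(deque)   # agent -> timestamps of recent calls
        self.audit = []                   # structured log for later review

    def _error(self, req, code, msg, agent):
        self.audit.append({"agent": agent, "tool": req.get("params", {}).get("name"),
                           "decision": "deny", "reason": msg})
        return {"jsonrpc": "2.0", "id": req.get("id"), "error": {"code": code, "message": msg}}

    def handle(self, token, req):
        agent = API_TOKENS.get(token)
        if agent is None:                       # 1. authenticate the caller
            return self._error(req, -32001, "unauthenticated", None)
        if req.get("method") != "tools/call":   # only the tool boundary is proxied
            return self._error(req, -32601, "method not allowed", agent)
        name = req["params"]["name"]
        rule = POLICY[agent]
        if name not in rule["tools"] or name not in TOOLS:  # 2. authorise per tool
            return self._error(req, -32002, f"tool {name!r} not permitted", agent)
        window, t = self.calls[agent], self.now()  # 3. sliding-window rate limit
        while window and t - window[0] >= 60:
            window.popleft()
        if len(window) >= rule["per_minute"]:
            return self._error(req, -32003, "rate limit exceeded", agent)
        window.append(t)
        result = TOOLS[name](req["params"].get("arguments", {}))
        self.audit.append({"agent": agent, "tool": name, "decision": "allow"})  # 4. log
        return {"jsonrpc": "2.0", "id": req.get("id"), "result": result}
```

A request for a tool outside the agent's sanitised view (for example a generic HTTP call) is refused before any backend is touched, and the audit list is what a reviewer would later ship to a SIEM.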

What's in the full article

Kong's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step architecture for exposing backend systems as MCP servers without direct model access
  • Gateway enforcement details for authentication, authorisation, rate limiting, and observability across agent tool calls
  • Quickstart workflow for connecting Volcano SDK, DataKit, and MCP Proxy in a working agent stack
  • Semantic guardrail examples showing how prompt injection attempts are blocked at the protocol layer

Read Kong's analysis of secure AI agents with MCP Proxy and Volcano SDK.
