MCP tool calls in 2026: what gateway controls actually matter?


(@nhi-mgmt-group)

TL;DR: As MCP becomes the default tool-calling layer for agents, organisations need gateways that can enforce tool-level policy, short-lived identity assertions, session-aware controls, and auditable decisions. Pomerium’s analysis argues that traditional API gateways miss the semantic and governance gaps that agentic workflows create.

NHIMG editorial — based on content published by Pomerium: Top 5 Agentic Gateways for Securing MCP Tool Calls in 2026

By the numbers:

Questions worth separating out

Q: How should security teams govern MCP tool calls in agentic systems?

A: Security teams should govern MCP tool calls at the tool and method level, not just at the server or network layer.

Q: Why do MCP-based agents need stronger controls than traditional API traffic?

A: MCP-based agents can chain tool calls, change context during a session, and pass parameters that affect downstream systems.

Q: What breaks when agents hold long-lived credentials for tool access?

A: Long-lived credentials expand the blast radius of agent compromise because the process can reuse those secrets outside the intended task.

Practitioner guidance

  • Map MCP tools to explicit policy boundaries: Inventory each MCP server, then separate safe, sensitive, and destructive methods into distinct authorisation groups so policy can deny tool misuse without blocking the whole server.
  • Remove persistent secrets from agent runtime: Prefer short-lived assertions or delegated tokens so the agent process never stores long-lived credentials that can be reused outside the task boundary.
  • Test session-aware policy enforcement: Validate that the gateway can carry approval state, prior user intent, and multi-step workflow context across several tool calls before the session closes.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • Detailed feature-by-feature comparison of the five gateways across tool-level authorization, session context, and audit logging.
  • Implementation notes for upstream OAuth handling and assertion injection in MCP deployments.
  • Capability limits and trade-offs for managed, self-hosted, and open-source gateway models.
  • Selection guidance for teams balancing enterprise support, data sovereignty, and policy complexity.

👉 Read Pomerium's analysis of the top agentic gateways for securing MCP tool calls →

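The three practitioner points above (tool-level groups, short-lived assertions, session-carried approval) combined into one gateway decision function, as an added example that is not code from this post, from Pomerium, or from any gateway product. The tool names, the `groups` claim, the 300-second TTL ceiling and the session structure are assumptions, and the assertion's signature is assumed to have been verified upstream.

```python
import json

# Constructed inventory: every tool sits in exactly one authorisation group.
TOOL_GROUPS = {"tickets.search": "safe",
               "customers.export": "sensitive",
               "db.drop_table": "destructive"}
MAX_ASSERTION_TTL = 300  # seconds; assumed ceiling for "short-lived"

def decide(raw_request, claims, session, now):
    """Evaluate one MCP JSON-RPC message and return its audit record.
    claims: assertion claims whose signature was verified upstream (assumption).
    session: per-session state that carries approvals across tool calls."""
    req = json.loads(raw_request)
    params = req.get("params") if isinstance(req.get("params"), dict) else {}
    tool = params.get("name") if isinstance(params.get("name"), str) else None
    group = TOOL_GROUPS.get(tool)
    if req.get("method") != "tools/call":
        decision, reason = "deny", "only tools/call is evaluated here"
    elif now >= claims["exp"] or claims["exp"] - claims["iat"] > MAX_ASSERTION_TTL:
        decision, reason = "deny", "assertion expired or too long-lived"
    elif group is None:
        decision, reason = "deny", "tool not in inventory (default deny)"
    elif group not in claims["groups"]:
        decision, reason = "deny", f"assertion lacks the '{group}' group"
    elif group == "destructive" and tool not in session["approved_tools"]:
        decision, reason = "deny", "no in-session approval for destructive tool"
    else:
        decision, reason = "allow", f"'{group}' tool permitted"
    record = {"ts": now, "session": session["id"], "sub": claims["sub"],
              "tool": tool, "group": group, "decision": decision, "reason": reason}
    session["audit"].append(record)  # every decision is logged, allow or deny
    return record

def tool_call(name, arguments=None):  # builds a constructed tools/call request
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": name, "arguments": arguments or {}}})

def demo():
    session = {"id": "s-1", "approved_tools": set(), "audit": []}
    # Constructed sample claims: 240-second lifetime, no 'sensitive' group.
    claims = {"sub": "agent-42", "iat": 1000, "exp": 1240, "groups": ["safe", "destructive"]}
    decide(tool_call("tickets.search"), claims, session, now=1010)
    decide(tool_call("customers.export"), claims, session, now=1020)
    decide(tool_call("db.drop_table", {"table": "tmp"}), claims, session, now=1030)
    session["approved_tools"].add("db.drop_table")  # approval recorded mid-session
    decide(tool_call("db.drop_table", {"table": "tmp"}), claims, session, now=1040)
    decide(tool_call("tickets.search"), claims, session, now=1300)  # past exp
    return [(r["tool"], r["decision"]) for r in session["audit"]]

if __name__ == "__main__":
    print(demo())
```

The same destructive call is denied before the approval is recorded in session state and allowed after it, and the final safe call is denied only because the assertion has expired.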