TL;DR: As MCP becomes the default tool-calling layer for agents, organisations need gateways that can enforce tool-level policy, short-lived identity assertions, session-aware controls, and auditable decisions. Pomerium’s analysis argues that traditional API gateways miss the semantic and governance gaps that agentic workflows create.
NHIMG editorial — based on content published by Pomerium: Top 5 Agentic Gateways for Securing MCP Tool Calls in 2026
By the numbers:
- Recent research uncovered 1,862 internet-exposed MCP servers with zero authentication, a stark reminder that traditional API security practices are insufficient for agentic workflows.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams govern MCP tool calls in agentic systems?
A: Security teams should govern MCP tool calls at the tool and method level, not just at the server or network layer.
Q: Why do MCP-based agents need stronger controls than traditional API traffic?
A: MCP-based agents can chain tool calls, change context during a session, and pass parameters that affect downstream systems.
Q: What breaks when agents hold long-lived credentials for tool access?
A: Long-lived credentials expand the blast radius of agent compromise because the process can reuse those secrets outside the intended task.
Practitioner guidance
- Map MCP tools to explicit policy boundaries: Inventory each MCP server, then separate safe, sensitive, and destructive methods into distinct authorisation groups so policy can deny tool misuse without blocking the whole server.
- Remove persistent secrets from agent runtime: Prefer short-lived assertions or delegated tokens so the agent process never stores long-lived credentials that can be reused outside the task boundary.
- Test session-aware policy enforcement: Validate that the gateway can carry approval state, prior user intent, and multi-step workflow context across several tool calls before the session closes.
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed feature-by-feature comparison of the five gateways across tool-level authorization, session context, and audit logging.
- Implementation notes for upstream OAuth handling and assertion injection in MCP deployments.
- Capability limits and trade-offs for managed, self-hosted, and open-source gateway models.
- Selection guidance for teams balancing enterprise support, data sovereignty, and policy complexity.
👉 Read Pomerium's analysis of the top agentic gateways for securing MCP tool calls →
MCP tool calls in 2026: what gateway controls actually matter?
Explore further
MCP security is now an identity governance problem, not an API management footnote. The article shows that agentic gateways are needed because MCP tool calls expose a control surface that traditional gateways were not built to understand. Tool identity, session context, and delegated actions now sit inside the trust decision, which means IAM and NHI teams have to govern the call path as well as the credential. Practitioners should treat MCP as an identity enforcement layer.
A few things that frame the scale:
- 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to the AI Agents: The New Attack Surface report.
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, sharing sensitive data, or revealing access credentials.
A question worth separating out:
Q: How do teams evaluate whether an agentic gateway is actually working?
A: Teams should look for three signals: tool-level denial of unsafe methods, preserved session context across multi-step workflows, and audit logs that show who or what approved each call. If the gateway only blocks whole servers or records generic traffic, it is not governing agentic behaviour at the right granularity.
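The practitioner guidance and the three signals above, worked through as an added example; this is not code from Pomerium or any gateway product. The tool names, their groups, the `Session` class and the `decide` function are hypothetical, the request shape is MCP's JSON-RPC `tools/call` with the tool in `params.name`, and treating destructive approvals as single-use is an assumption of this example.

```python
import time

# Hypothetical inventory: each MCP tool name mapped to an authorisation group.
TOOL_GROUPS = {"tickets.search": "safe", "tickets.export": "sensitive",
               "tickets.delete": "destructive"}

class Session:
    """State the gateway carries across the tool calls of one agent session."""
    def __init__(self, subject, agent, assertion_exp):
        self.subject = subject              # identity the agent acts for
        self.agent = agent
        self.assertion_exp = assertion_exp  # expiry of the short-lived assertion (epoch s)
        self.approvals = {}                 # tool name -> approver, set out of band
        self.audit = []                     # one record per decision

def decide(session, request, now=None):
    """Evaluate one JSON-RPC request at tool level and return its audit record."""
    now = time.time() if now is None else now
    params = request.get("params")
    tool = params.get("name") if isinstance(params, dict) else None
    group = TOOL_GROUPS.get(tool) if isinstance(tool, str) else None
    approver = session.approvals.get(tool) if group else None
    if request.get("method") != "tools/call":
        allow, reason = False, "not a tool call"
    elif now >= session.assertion_exp:
        allow, reason = False, "assertion expired"
    elif group is None:
        allow, reason = False, "tool not in inventory"  # default deny
    elif group == "safe":
        allow, reason = True, "safe group"
    elif approver is None:
        allow, reason = False, f"{group} tool needs approval in this session"
    else:
        allow, reason = True, f"approved by {approver}"
        if group == "destructive":          # assumption: destructive approvals are single-use
            del session.approvals[tool]
    record = {"time": now, "subject": session.subject, "agent": session.agent,
              "tool": tool, "group": group, "allow": allow, "reason": reason,
              "approved_by": approver if allow else None}
    session.audit.append(record)
    return record

if __name__ == "__main__":
    s = Session("alice@example.com", "agent-7", assertion_exp=1000.0)  # constructed
    s.approvals["tickets.delete"] = "alice@example.com"
    for name in ("tickets.search", "tickets.delete", "tickets.delete", "shell.exec"):
        req = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
               "params": {"name": name, "arguments": {}}}
        print(decide(s, req, now=100.0))
```

Every call, allowed or denied, leaves a record in `session.audit` naming the subject, the agent, the tool and the approver, which is the evidence the third signal asks for.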
👉 Read our full editorial: Top agentic gateways for securing MCP tool calls in 2026