Notifications
Clear all
Topic starter
22/06/2026 10:09 am
TL;DR: Enterprise AI governance breaks down when APIs, gateways, agent frameworks, MCP routers, event pipelines, and context stores are fragmented, leaving 86% of organisations blind to AI data flows, according to Kong. The practical lesson is that data-path control, not model tuning, becomes the gating factor for governing GenAI and agentic AI at scale.
NHIMG editorial — here’s why we think this discussion matters
By the numbers:
- 95% of AI initiatives go nowhere because the infrastructure underneath them is ungoverned, fragmented, and flying blind.
- 86% of organizations are completely blind to their AI data flows.
- Only 13% of organizations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
Questions worth separating out
Q: How should security teams govern AI data paths across APIs and agent frameworks?
A: Start by mapping every request path, then align authentication, authorisation, logging, and data handling across the layers that actually process AI traffic.
Q: Why does API fragmentation create such a large AI governance risk?
A: Fragmentation breaks the chain of visibility and enforcement.
Practitioner guidance
- Map the full AI data path end to end Inventory every hop from API gateway to agent framework, MCP router, event pipeline, context store, and model call so you can see where policy is actually enforced.
- Consolidate policy enforcement across AI traffic paths Align gateway rules, tool-call policies, and context access controls so the same request cannot receive different treatment depending on which layer processes it first.
- Extend monitoring to context and memory stores Treat context stores and short-term memory as governed data surfaces, not passive plumbing.
What to expect at the briefing
Kong's full webinar covers the operational detail this post intentionally leaves for the source:
- Walkthrough of the full AI data path from API to context to model so implementation teams can map enforcement gaps.
- Discussion of how gateway bypass patterns and fragmented policy create production risk for GenAI and agentic AI.
- Examples of where token spend, prompt injection, and PII exposure surface across different layers of the stack.
- Framing for a unified AI control tower that brings APIs, MCP, and agent governance into one operating model.
👉 Read Kong's webinar on API modernization and AI data path governance →
API modernization for AI governance: are your controls keeping up?
Explore further
22/06/2026 10:55 am
API modernization is the control plane prerequisite for AI governance. Legacy API estates were built for bounded request-response traffic, not for AI systems that chain data access, tool calls, and model invocations across multiple layers. When the path is fragmented, policy becomes local and accountability becomes partial. The practical conclusion is that AI governance fails first as an API architecture problem, not as a model problem.
A few things that frame the scale:
- 70% of organizations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- Only 44% of organizations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
A question worth separating out:
Q: What should teams do when AI tool calls bypass existing API controls?
A: Treat tool invocation as a governed access path and require the same policy standards used for direct API traffic. Then test whether the bypass is architectural, procedural, or caused by a missing control at the router, agent layer, or context store. The fix depends on where enforcement was lost, not on the label of the tool.
👉 Read our full editorial: API modernization is the prerequisite for AI data path governance
