TL;DR: Kong's A2A and MCP Metrics add visibility into agent-to-agent and Model Context Protocol usage, including request counts, latency, and tool consumption across agents, consumers, and task IDs, so that AI tool adoption can be governed before shadow-AI patterns and cost drift outpace policy, according to Kong.
NHIMG editorial — what this means for AI and NHI governance
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should teams govern AI agents that call enterprise tools through MCP and A2A?
A: Teams should govern those agents as runtime identities, not just applications.
Q: What breaks when AI tool usage is measured only by uptime and latency?
A: What breaks is governance.
Q: How do security teams know whether AI agent access is operating outside its intended scope?
A: They look for repeated blocked calls, unexpected tool combinations, unusual consumer patterns, and agents that access data or services beyond their intended task.
Practitioner guidance
- Correlate agent identity with tool consumption: Join A2A method, MCP context, consumer, and task identifiers to the identity or workload that was authorised so reviews can distinguish approved use from drift.
- Set minimum tool scopes before broad rollout: Require scope-based tool filtering for every production agent path and review those scopes alongside the credential or token that authenticates the call.
- Use blocked requests as governance signals: Track denied calls, repeated retries, and unexpected method patterns to spot overreach, broken integrations, or policy settings that are too permissive or too restrictive.
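One way to apply the first and third points together, as an added example that is not Kong's code or log schema: gateway records are joined to an inventory of approved tool scopes per consumer, then flagged for review. The field names, consumer names, tool names, and the `APPROVED` inventory are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records. Field names are hypothetical, not Kong's log schema.
def ev(consumer, task_id, tool, status):
    return dict(consumer=consumer, task_id=task_id, tool=tool, status=status)

EVENTS = [
    ev("billing-agent", "t-101", "invoices.read", 200),
    ev("billing-agent", "t-101", "hr.records.read", 200),
    ev("support-agent", "t-202", "tickets.delete", 403),
    ev("support-agent", "t-202", "tickets.delete", 403),
    ev("support-agent", "t-203", "tickets.delete", 403),
    ev("notebook-script", "t-900", "invoices.read", 200),
    ev("billing-agent", "t-102", "invoices.create", 403),
]

# Hypothetical authorisation inventory: tool scopes approved per consumer identity.
APPROVED = {
    "billing-agent": {"invoices.read", "invoices.create"},
    "support-agent": {"tickets.read"},
}
DENIED = {401, 403}

def review(events, approved, retry_threshold=3):
    """Return {(finding, consumer, tool): sorted task ids} for review."""
    findings = defaultdict(set)
    denials = defaultdict(list)
    for e in events:
        who, tool, task = e["consumer"], e["tool"], e["task_id"]
        scopes = approved.get(who)
        if scopes is None:
            # Traffic from an identity nobody authorised: shadow usage.
            findings[("unknown_consumer", who, tool)].add(task)
        elif tool not in scopes and e["status"] < 400:
            # Call succeeded outside the approved scope: filter too permissive.
            findings[("allowed_outside_scope", who, tool)].add(task)
        if e["status"] in DENIED:
            denials[(who, tool)].append(task)
    for (who, tool), tasks in denials.items():
        if len(tasks) >= retry_threshold:
            # Repeated blocked calls: overreach, or a broken or over-strict policy.
            findings[("repeated_denials", who, tool)].update(tasks)
    return {key: sorted(tasks) for key, tasks in findings.items()}

if __name__ == "__main__":
    for (kind, who, tool), tasks in review(EVENTS, APPROVED).items():
        print(f"{kind:22} {who:16} {tool:18} tasks={tasks}")
```

The single denied `invoices.create` call stays below the retry threshold and is not reported, which keeps one-off failures out of the review queue.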
What's in the full announcement
Kong's full product release covers the operational detail this post intentionally leaves for the source:
- Request-level breakdowns for A2A and MCP traffic across percentiles, methods, agents, consumers, and status codes.
- How Kong AI Gateway 3.14 applies native A2A traffic management, token exchange, and scope-based tool filtering in practice.
- What the telemetry can show about blocked requests, latency hotspots, and adoption friction across large AI deployments.
- How a regulated enterprise used governed MCP routing to scale access from 1,000 to 5,000 developers.