Tool exposure becomes a flat capability set instead of a bounded decision surface. That increases the chance that the agent will call systems it does not need, chain actions across services without review, or leave security teams unable to prove which tools were used in a session. Gateway mediation is what makes the trail visible.
Why This Matters for Security Teams
When agent tool access is not mediated through a gateway, the security boundary shifts from a managed decision point to whatever the agent can directly reach. That removes a practical choke point for policy checks, logging, and session attribution. The result is not just broader access, but weaker accountability when an agent chains tools, retries actions, or touches systems outside its intended task.
This is especially dangerous in MCP-style environments, where tool exposure can look like a flat list of capabilities unless there is explicit mediation and scoping. NHIMG research on the Astrix Security findings shows that only 18% of MCP server deployments implement any form of access scoping for tool permissions, which helps explain why direct tool exposure keeps producing governance gaps. The agent does not need to be malicious for this to become a problem; a normal planning error is enough to trigger overreach.
Security teams also lose the ability to prove which tools were used in a session, which is a major issue for incident response and control validation. That is why current guidance in OWASP Agentic AI Top 10 and NHIMG's OWASP NHI Top 10 treats tool mediation as a core control, not an optional architecture choice. In practice, many teams discover uncontrolled tool reach only after an agent has already chained across systems they never intended to connect.
How It Works in Practice
A gateway turns tool use into a bounded decision surface. Instead of giving an agent direct network or API reach, the agent submits an action request to the gateway, and the gateway evaluates identity, context, purpose, and policy before allowing the call. This is where runtime controls matter more than static role design, because agent behaviour changes by task, prompt, and tool output.
In practice, the gateway can enforce:
- Tool allowlists and explicit per-session scoping
- Just-in-time credential issuance with short TTLs
- Request-time policy checks using policy-as-code
- Logging that ties each tool call to an agent session and action intent
- Revocation when the task completes or the agent deviates from policy
That architecture aligns with NIST AI Risk Management Framework expectations around governance and measurement, and with CSA MAESTRO agentic AI threat modeling framework guidance on attack-path reduction. It also fits the NHI model described in Ultimate Guide to NHIs, where visibility, rotation, and privilege containment are central, not peripheral.
The best implementations treat the gateway as an enforcement layer for workload identity, not just an API proxy. That means the agent presents cryptographic proof of what it is, the gateway decides what it may do right now, and the tool only executes if the policy engine agrees. These controls tend to break down when legacy services require direct trust relationships or when teams bypass the gateway for “temporary” debugging access, because those exceptions become the easiest path for uncontrolled tool use.
Common Variations and Edge Cases
Tighter gateway mediation often increases latency and operational overhead, so organisations have to balance control depth against the need for low-friction agent execution. Best practice is evolving, but there is no universal standard for how much context a gateway must inspect before a decision is considered sufficient.
Some teams use a central gateway for all tools, while others apply mediation only to high-risk actions such as credential retrieval, data export, or write operations. That selective model can be reasonable, but it creates blind spots if low-risk tools can be chained into higher-impact outcomes. This is why NHIMG's 52 NHI Breaches Analysis remains useful: real incidents often begin with access that seemed harmless in isolation.
Another edge case appears in multi-agent systems, where one agent may be authorised to request actions on behalf of another. Without gateway mediation, delegation becomes hard to audit and easy to overextend. Current guidance suggests that direct tool access should be avoided wherever an agent can discover, combine, or repeat tool calls without human review. In environments with highly dynamic tool catalogs, embedded scripts, or shared service accounts, even a well-designed gateway can be bypassed unless it is the only approved path to the underlying systems.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | T5 | Covers unsafe tool use and over-privileged agent actions. |
| CSA MAESTRO | TRM | Addresses threat paths created when agents can reach tools directly. |
| NIST AI RMF | GOVERN | Gateway mediation supports accountable AI governance and auditability. |
Use gateway enforcement to reduce tool chaining and uncontrolled delegation.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
