In the space of a week, two more vendors planted a flag in a part of the AI stack that had no name a year ago. On July 3, Arcade made its agent authorization and tool-execution runtime available through the Microsoft Azure and AWS marketplaces, so enterprises can deploy it inside their own cloud with one click. A day earlier, Manufact opened its MCP hosting cloud to take a Model Context Protocol server from a GitHub push to a monitored production endpoint. Both arrivals point to the same conclusion. The layer that sits between an agent and everything it touches is turning into a product category of its own.
Nutanix gave that category a clear shape in late May. It shipped the Nutanix Agent Gateway as a generally available part of Nutanix Enterprise AI 2.7. The gateway is a centralized control point that manages traffic from agents to large language models and from agents to the business tools they call. For a decision-maker watching agent pilots multiply across departments, this is where cost, access and audit either get governed or get out of hand.
What Is An Agent Gateway?
Let’s look at how enterprise agents actually reach the outside world. An agent rarely acts alone for long. It calls a model to reason, then calls tools such as GitHub, Stripe, a database or an internal API to do the work. Increasingly, it spawns sub-agents that repeat the pattern. Every one of those calls consumes tokens and touches a system with its own permissions. Left ungoverned, an organization ends up with dozens of agents hitting production systems directly, and no single place to see the traffic or stop it.
An agent gateway inserts one governed hop into that path. In the Nutanix implementation, an agent talks to a unified endpoint that routes to the appropriate model. The options span OpenAI’s GPT on Azure, Claude from Anthropic and a self-hosted Llama model, with the same authentication and rate limiting applied across all of them. If the primary provider fails or hits a limit, traffic falls over to a configured backup. The same gateway sits in front of Model Context Protocol servers, the standard way agents now discover and call tools. It applies tool-level filtering, so a customer service agent can get read-only database access, while a DevOps agent gets full GitHub write permissions. Every request is logged for audit. Token usage is metered per agent and per team so finance can attribute the spend.
Nutanix ships the MCP server governance and the bundled test agent as tech preview, so those pieces are not yet meant for production. The token routing, observability and rate limiting are the generally available core.
A Category With Several Front Doors
The vendors circling this space entered from different directions, which is why the category still looks fragmented. Nutanix comes at it from private inference and hybrid infrastructure. Its pitch is that the gateway is the governed layer over both hosted and self-hosted models. Arcade comes at it from authorization. It gives background agents delegated user authority that gets re-checked at the moment of every action, and its marketplace listing lets a team adopt it against existing cloud commitments without a fresh procurement cycle. Manufact comes at it from the developer lifecycle, where an MCP server is something you deploy, test across ChatGPT and Claude, and monitor rather than demo once.
Security vendors are mapping the same territory from the outside. In January, CyCognito introduced discovery of externally reachable MCP servers, adding them to external attack-surface inventories. Many MCP servers reach the internet without their owners’ knowledge, and an exposed server is a publicly accessible catalog of business operations. The hyperscalers are not standing still either, with AWS building agent runtime and governance into Bedrock AgentCore. So the same buyer can meet an agent gateway sold as inference infrastructure, an authorization runtime, a developer platform, or a security-posture tool and the definitions do not yet align.
The category is already consolidating, and it is doing so along two opposite paths. On one side, security and platform incumbents are buying the layer outright. Palo Alto Networks completed its acquisition of Portkey in May, folding a standalone AI gateway into its security platform to govern what it calls privileged-insider agents. On the other side, the plumbing is being pushed toward neutral ground. Solo.io donated agentgateway to the Agentic AI Foundation in June, making it the fourth hosted project under the group’s Linux Foundation governance. The Apache 2.0 project handles MCP, agent-to-agent, inference, HTTP and gRPC traffic through one data plane, and it already counts more than 300 contributors across 60 organizations including CoreWeave, Red Hat, Adobe, Salesforce and Microsoft. A buyer now has to decide whether the control point belongs within a vendor’s security suite or within an open project that no single vendor owns.
The Open Questions
Not every tool call needs a gateway. The strongest objection to this layer came from Manufact’s own launch discussion, where developers argued that agents already handle human-built command-line tools and REST APIs when a project rules file points them there. For a stable, repo-local script, that critique holds, and wrapping every small command in a gateway adds surface area no one needs. The gateway earns its place where an integration is shared, permissioned, observable or reused across many agents, and buyers should be honest about how much of their tool access clears that bar.
Cost is the second open question. A gateway promises to control token spend, yet it is another service to run, and its pricing logic often assumes that agent volume will keep climbing. Gartner has predicted that more than 40% of agentic AI projects will be canceled by 2027 over escalating costs, unclear value or weak risk controls. That is the exact failure the gateway vendors position against, and also the risk that could shrink their own market. The tech-preview status of the MCP governance features across several of these products is a reminder that the security story is still maturing, even as the agents are already in production.
What Enterprises Should Do Now
For a technology buyer, the practical move is to treat the agent gateway as a diligence checklist rather than a purchase. The first question is ownership: which parts of the governance are proprietary, and which are thin wrappers around an AWS or Azure primitive you already pay for. The second question is cost behavior, meaning what the bill does when tool calls double and when agent volume falls short of the vendor’s assumptions. The third question is enforcement: ask whether authentication is required for every tool and every MCP method, or only for the obvious ones, because inconsistent enforcement is the failure mode CyCognito keeps finding in the wild.
For the vendors, the pressure runs the other way. Nutanix, Arcade and Manufact each own one strong entry point and will be pushed to cover the others, or to pick a side, before the market settles. Portkey answered by selling into a security platform, and agentgateway answered by moving to open governance, which leaves the independents to prove they can stand alone. If a gateway can show it lowers token spend and passes an audit without slowing developers down, it becomes the layer enterprises standardize on as agents move from pilots into daily operations. That is the prize worth watching as this category takes shape.










