
The Linux Foundation’s new Agentic AI Foundation and Secure MCP Infrastructure

Today, the Linux Foundation announces the Agentic AI Foundation (AAIF), bringing together three foundational agentic projects under a neutral, open governance framework: the Model Context Protocol (MCP) from Anthropic, Goose from Block, and Agents.md from OpenAI. This move will ease concerns about single-vendor lock-in, spur ecosystem innovation, and provide transparency and community-driven evolution. For MCP, this move signals that agentic AI is maturing from experimentation to enterprise infrastructure. Enterprises don't bet on protocols controlled by a single vendor; they bet on open standards with transparent governance. AAIF provides exactly that foundation.

We work with organizations adopting and scaling agentic architectures and infrastructure, and by far the top concern in these engagements is "how do we secure and govern our MCP-based agentic architecture?" Agentgateway, already a Linux Foundation project, is a natural complement to these projects and to the AAIF initiative. Agentgateway focuses on security, guardrails, observability, and governance for MCP, LLM, and agent communication.

Together, this means:

  • Enterprises can confidently adopt MCP knowing there's production-grade infrastructure
  • Developers can build MCP servers knowing there's a security and governance story
  • The ecosystem can scale agentic AI without compromising on security or observability

When enterprises evaluate MCP adoption, they immediately hit familiar authentication and authorization challenges. Agentgateway addresses these head-on with patterns we've refined through real enterprise deployments:

SSO Integration and Identity Federation. Agents need to operate within your existing identity infrastructure, not alongside it. Agentgateway integrates with enterprise SSO providers (Azure Entra ID, Okta, etc.) so agents inherit the same identity and access controls as human users. No parallel identity systems, no credential sprawl.

On-Behalf-Of (OBO) Flows. When an agent acts on behalf of a user, token delegation needs to be explicit and auditable. Agentgateway handles OAuth 2.0 OBO flows and token exchange patterns, ensuring agents carry proper authorization context through their MCP interactions. This prevents confused deputy attacks where an agent might be tricked into performing actions its user isn't authorized for.
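To make the OBO flow concrete, here is an added example (not agentgateway's own code) of the OAuth 2.0 token exchange request (RFC 8693) a gateway issues when an agent acts for a user, and of the delegation check it applies to the exchanged token before forwarding an MCP tool call. The agent and server identifiers and the sample claims are constructed for illustration.

```python
"""Added example: on-behalf-of token exchange (RFC 8693) and the delegation
check a gateway runs before forwarding an MCP tool call. Not agentgateway code."""
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_obo_exchange_request(user_token: str, agent_token: str,
                               audience: str, scope: str) -> str:
    """Form body posted to the token endpoint. The user's token is the
    subject_token and the agent's own token is the actor_token, so the
    issued token records both who asked (user) and who acts (agent)."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": user_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "actor_token": agent_token,
        "actor_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    })


def check_delegation(claims: dict, expected_agent: str,
                     expected_audience: str, required_scope: str) -> bool:
    """Accept the exchanged token only if the delegation chain is explicit:
    the `act` claim names the agent being proxied, the audience is the MCP
    server, and the user's granted scopes cover the tool being called.
    A token without `act`, or with a different actor, is refused, which
    blocks a confused-deputy use of the agent's own privileges."""
    actor = claims.get("act", {}).get("sub")
    if actor != expected_agent:
        return False
    if claims.get("aud") != expected_audience:
        return False
    return required_scope in claims.get("scope", "").split()


# Constructed sample: claims as a token endpoint might mint them after exchange
SAMPLE_CLAIMS = {
    "sub": "alice@example.com",
    "aud": "mcp://crm-server",
    "scope": "crm:read",
    "act": {"sub": "agent:sales-assistant"},
}

if __name__ == "__main__":
    print(build_obo_exchange_request("<user-token>", "<agent-token>",
                                     "mcp://crm-server", "crm:read"))
    print(check_delegation(SAMPLE_CLAIMS, "agent:sales-assistant",
                           "mcp://crm-server", "crm:read"))   # True
    print(check_delegation(SAMPLE_CLAIMS, "agent:sales-assistant",
                           "mcp://crm-server", "crm:write"))  # False
```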

Policy-Based Authorization with ABAC/ReBAC. Simple role-based access isn't enough for complex agentic systems. Agentgateway integrates with policy engines like Open Policy Agent (OPA), Kyverno, and relationship-based authorization systems like OpenFGA/SpiceDB. This enables fine-grained, context-aware decisions: "Can this agent access customer data based on the user's department, the time of day, and the data classification level?" These policies are evaluated at the gateway, consistently enforced across all agent interactions.

AI Guardrails and Content Filtering. Beyond traditional security, agentic systems need guardrails against prompt injection, jailbreaking attempts, and malicious content. Agentgateway can apply input validation, output filtering, and behavioral constraints before requests reach MCP servers or LLMs. This includes validating URLs before they're resolved, enforcing allowlists for external domains, and detecting prompt injection patterns that could manipulate agent behavior.
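As an added example of the URL validation mentioned above (not agentgateway's own code), the following check admits only http(s) URLs whose host is an allowlisted domain or a subdomain of one, and rejects the usual bypass shapes: userinfo before the host, raw IP literals, and lookalike suffixes. The allowlist and sample URLs are constructed.

```python
"""Added example: URL allowlist check a gateway can run on tool arguments
before an MCP server resolves them. Not agentgateway code."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: a domain admits itself and its subdomains
ALLOWED_DOMAINS = {"api.github.com", "slack.com", "googleapis.com"}


def is_allowed_url(url: str, allowed=ALLOWED_DOMAINS) -> bool:
    """True only for http(s) URLs whose host is an allowlisted domain or a
    subdomain of one. Rejects userinfo ("evil.com@slack.com"), IP literals,
    empty hosts and lookalike suffixes ("slack.com.evil.net")."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".").lower()   # normalise trailing dot and case
    try:
        ipaddress.ip_address(host)
        return False                  # raw IPs would bypass the domain allowlist
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in allowed)


def allowed_urls(urls):
    """Filter candidate URLs, keeping only those the policy admits."""
    return [u for u in urls if is_allowed_url(u)]


if __name__ == "__main__":
    # Constructed sample of URLs an agent might place in tool arguments
    for u in ["https://api.github.com/repos/x/y",
              "https://evil.com@slack.com/",
              "https://slack.com.evil.net/",
              "http://10.0.0.5/",
              "ftp://slack.com/"]:
        print(u, is_allowed_url(u))
```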

Token Exchange and Step-Up Auth. Not all MCP tools require the same trust level. Agentgateway supports token exchange protocols that let you enforce step-up authentication for sensitive operations, e.g., reading data might use a standard token, but executing a financial transaction requires fresh, high-assurance credentials.
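The policy-based authorization and step-up paragraphs above describe one decision the gateway makes per tool call. Here is an added example (not agentgateway's own code) of that decision as a function: attribute checks on department, time of day and data classification, then a step-up requirement based on the token's authentication context class (`acr`) and freshness (`auth_time`). The tool catalogue, claim names and sample claims are constructed assumptions.

```python
"""Added example: ABAC tool-call authorization with step-up for sensitive
operations, evaluated at the gateway. Not agentgateway code."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ToolPolicy:
    classification: str                    # "public" | "internal" | "confidential"
    departments: frozenset = frozenset()   # empty = any department may call it
    business_hours_only: bool = False
    required_acr: str = "standard"         # "standard" | "mfa"
    max_auth_age_s: int = 24 * 3600        # how fresh the login must be


# Constructed tool catalogue; confidential tools carry the tightest policy
TOOLS = {
    "kb.search": ToolPolicy("public"),
    "crm.read_customer": ToolPolicy("confidential", frozenset({"sales", "support"}),
                                    business_hours_only=True),
    "payments.transfer": ToolPolicy("confidential", frozenset({"finance"}),
                                    required_acr="mfa", max_auth_age_s=300),
}
ACR_RANK = {"standard": 0, "mfa": 1}


def authorize_tool_call(tool: str, claims: dict, now: datetime) -> str:
    """Return "allow", "deny" or "step_up". `claims` is the verified token
    payload the gateway holds: department, acr, auth_time (Unix seconds).
    Unknown tools are denied by default."""
    policy = TOOLS.get(tool)
    if policy is None:
        return "deny"
    if policy.departments and claims.get("department") not in policy.departments:
        return "deny"
    if policy.business_hours_only and not (9 <= now.hour < 18 and now.weekday() < 5):
        return "deny"
    # Step-up is decided last: only an otherwise entitled user is prompted
    # for fresh, higher-assurance credentials.
    user_acr = ACR_RANK.get(claims.get("acr", "standard"), -1)
    auth_age = now.timestamp() - claims.get("auth_time", 0)
    if user_acr < ACR_RANK[policy.required_acr] or auth_age > policy.max_auth_age_s:
        return "step_up"
    return "allow"


def iso_epoch(iso: str) -> float:
    """Unix seconds for an ISO-8601 timestamp with offset, e.g. auth_time."""
    return datetime.fromisoformat(iso).timestamp()


def authorize_at(tool: str, claims: dict, iso_now: str) -> str:
    """Convenience wrapper taking the evaluation time as an ISO-8601 string."""
    return authorize_tool_call(tool, claims, datetime.fromisoformat(iso_now))
```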

URL Elicitation for Secure Credential Acquisition. When MCP servers need to call upstream APIs in external trust domains (GitHub, Slack, Google), agentgateway can handle the secure credential acquisition flow. Rather than passing credentials through the MCP client or server, the gateway manages URL elicitation: it prompts users through a secure authorization portal, handles the OAuth callbacks, and injects credentials only when needed. This keeps sensitive upstream API tokens away from both the MCP client and the MCP server, while enforcing enterprise policy about which users can access which external services.

Standards + Infrastructure: Both Are Essential

The AAIF announcement signals that agentic AI is ready for enterprise adoption. But protocol standards alone won't get you there: you need infrastructure that enforces security, provides observability, and enables governance at scale. Agentgateway and MCP together provide the complete stack: open standards for interoperability, and secure infrastructure for production deployment.

Solo.io's commitment to open source agentic projects doesn't end with Agentgateway. We've also recently announced Agent Registry, which integrates with Agentgateway for comprehensive discovery and governance, and we are the founding contributor to the CNCF Kagent project for building SRE-style agents on Kubernetes.