The agent gateway: one control plane for every model and tool

The defining shift of 2026 is that AI stopped being a chatbot and became an agent. A chatbot answers; an agent acts — it reads a file, queries a CRM, books a slot, runs a search. To act, it has to reach out of the model and into your tools. That single change quietly doubled the surface every security and platform team has to govern.

From one model call to many tool calls

A chatbot made one kind of request: a call to a model. An agent makes two. It still calls a model, but it also calls tools — and the connective tissue the industry standardised on for that is the Model Context Protocol (MCP), the open standard Anthropic published in late 2024 to let agents discover and call tools and data sources. MCP is genuinely useful; that is why it spread. But it also means your attack surface is now every agent multiplied by every model multiplied by every tool it can reach.

The ungoverned middle is already leaking

This is not theoretical. GitGuardian counted 24,008 unique secrets exposed in MCP configuration files in 2025 alone — API keys and tokens scattered across config because MCP has no central place to hold them. In February 2026 Trend Micro found 492 MCP servers on the public internet with zero authentication and zero encryption, and BlueRock Security reported that of more than 7,000 MCP servers it analysed, 36.7% were potentially vulnerable to server-side request forgery — in one proof of concept they pulled AWS credentials out of an instance metadata endpoint through Microsoft’s own MarkItDown MCP server.

The root cause is structural: MCP has no native role-based access control and no usage metering. A tool an agent can see is a tool it can call, with whatever credentials it was handed, and nobody is counting.

• Identity — which agent, acting for which user, made this call
• Least privilege — limiting each agent to the tools its role actually needs
• Audit — a record of every model and tool call, after the fact
• Cost and rate limits — a ceiling on spend and a brake on runaway loops
• Content safety — PII masking and prompt-injection checks at the boundary

This month the industry agreed on the answer: a gateway

The fix everyone landed on is the same one that tamed the API sprawl of the 2010s: put a gateway in the middle. On 16 June 2026, at its Data + AI Summit, Databricks announced Unity AI Gateway — governance over the runtime interactions between models, agents, MCP services and tools, with a central registry, the ability to enable or disable individual tools, usage auditing, hard spend caps and policy enforcement against PII exposure, prompt injection and jailbreaks. Two weeks earlier, on 3 June, NetFoundry launched zero-trust MCP and LLM gateways that give agents their own machine identities so the gateways are not reachable by anything unauthorised. Different companies, same shape: one control plane in front of both the models and the tools.

We have been building the model half of this for years

None of this is new to us. Qevron is our gateway: point your code at a single OpenAI-compatible endpoint and reach our five in-house model families plus 43+ external providers, with routing, caching, monitoring and cost analytics in one place — and no lock-in to any single vendor. The discipline a gateway is supposed to add — one identity, one policy, one audit trail, one cost view — is exactly what Qevron already applies to model traffic. The agent shift simply extends that same seam to the tools an agent reaches, which is the architecture the whole market is now copying.

The half most gateways still can’t give you: your own perimeter

There is a catch in most of the answers shipping this month: the gateway itself usually runs on someone else’s cloud. That means the one component that sees every agent action — every model prompt, every tool call, every credential — lives outside your control, and under a foreign provider it can fall under a foreign jurisdiction. Arpanet is built the other way. The models and the gateway are ours, so the whole stack can run on-prem or in an isolated deployment, with your own SSO and an audit trail, inside a perimeter you control. The choke point that governs your agents stays on your side of the line — which, for a team under Türkiye’s KVKK, is the difference between a control you can prove and a promise you have to trust.

One control plane. Every model, every tool, every call — on infrastructure you control.

An agent is only as governed as the layer it passes through. The market spent this month agreeing that the layer should be a gateway; the question left for you is who runs it. Arpanet’s stack is engineered so the answer can be “we do,” with the platform built for the KVKK from the first line of code. Pricing depends on your deployment and scale — contact us and we will scope it with you.