AI Agents Are Creating a New Security Nightmare for Enterprises and Startups

This blog post was originally posted by The NewStack and can be found here.

The proliferation of AI into enterprise applications is introducing a new, complex type of network traffic: autonomous AI agents making outbound API calls. This “agentic traffic” represents a missing layer in current AI infrastructure, creating significant challenges in visibility, security, and cost management.

As AI agents move beyond simple text generation to independently plan tasks, utilize tools, and fetch data, their outbound requests often bypass traditional infrastructure monitoring, leading to unpredictable costs, security vulnerabilities, and a lack of control.

This scenario is reminiscent of earlier pivotal moments in software architecture. The rise of web APIs necessitated API gateways for managing inbound traffic, and the advent of microservices led to service meshes to govern internal communication. In both instances, a dedicated mediation layer became apparent only as systems scaled and pain points emerged.

AI agents are now on a similar trajectory, and their independent operation in production quickly surfaces issues like runaway API call loops and insecure access. This underscores the urgent need for a new infrastructure layer specifically designed to manage AI-driven outbound traffic.

Gartner has recognized this gap, introducing “AI Gateways” in their 2024 Hype Cycle for APIs as a nascent solution for managing AI consumption. My previous article for The New Stack, “AI Gateways: Transform Experimentation into Scalable Production” explored these initial concepts.

However, the scope of AI gateways is rapidly expanding beyond just governing LLM traffic to encompass all agentic communication, including calls made via emerging protocols like Anthropic’s Model Context Protocol (MCP) and Google’s Agent2Agent (A2A). This growing need for a new kind of control layer in cloud infrastructure is designed specifically to govern agentic traffic.

Emerging Protocols Creating New Enterprise Security Vulnerabilities

Traditionally, applications handled inbound API traffic. With agentic AI, this model is inverted: AI components within applications are now generating outbound API calls to fulfill user prompts and execute tasks. This shift creates critical blind spots, as these agent-initiated calls often appear as standard outbound HTTP requests, bypassing existing API gateways.

The challenge is further amplified by the emergence of new protocols and frameworks designed to facilitate AI agent capabilities. This includes not only AI agent applications themselves, which might act autonomously or as co-pilots within workflows, but also developers using AI-powered tools like Cursor, Windsurf, or Claude Desktop. These developer co-pilots, when connected to external resources via protocols like MCP, can unknowingly pose significant organizational security threats if their outbound communications are not governed.

Let’s look at the emerging protocols:

• Model Context Protocol (MCP): Anthropic’s MCP is an emerging standard for connecting AI agents to tools and data. It allows developers to define connectors once, enabling any MCP-compliant agent to utilize them. While simplifying integrations and enabling model-agnostic architectures, MCP also introduces new security and trust issues, particularly concerning agents misusing connectors with overly broad permissions.
• Agent2Agent (A2A): Google’s A2A protocol focuses on enabling collaboration between multiple AI agents, allowing them to pass tasks and data amongst each other. While supporting more complex workflows, this inter-agent communication increases the risk of cascading failures or misuse if not properly overseen.

These innovations, while expanding agent capabilities, also necessitate a robust governance layer to prevent unintended consequences and potential widespread system failures. The urgency lies in establishing an aggregation point that can manage not only LLM API calls but also the intricate web of interactions enabled by protocols like MCP and A2A, encompassing both AI agent applications and developer co-pilots.

Excessive Agency: The Critical Security Risk Every Enterprise Must Address

The absence of a dedicated control layer for agentic traffic introduces several significant risks:

• Unpredictable Costs: AI agents can easily spiral into runaway loops, leading to excessive and unnoticed consumption of LLM or API resources. A single misconfigured or misbehaving agent can trigger a budget blowout by repeatedly invoking external services.
• Security Vulnerabilities, Especially “Excessive Agency”: Granting AI agents broad credentials poses substantial security risks. A prime example is “Excessive Agency,” a critical vulnerability where an AI agent is given more permissions than it needs to perform its intended function. This can lead to severe data breaches, as seen in cases where prompt injection attacks exploited over-permissioned access to leak sensitive data. Without proper access controls to agents connected to protocols like MCP, the risk of misuse or unauthorized data access escalates dramatically. The OWASP Top 10 for Large Language Model Applications (LLMs) highlights this and other critical LLM security concerns, emphasizing the need for robust access management and sandboxing of agent permissions.
• Lack of Observability and Control: When an AI agent behaves unexpectedly or dangerously, engineering teams often lack the necessary visibility into its actions or the underlying reasons for its behavior. Without proper telemetry and control loops, debugging and intervening in real-time become exceedingly complex, turning minor glitches into potentially expensive or dangerous failures.

AI Gateways: Building the Missing Control Layer for Autonomous Agents

AI gateways are emerging as the foundational control layer for all agentic traffic. Conceptually, an AI gateway acts as a middleware component — whether a proxy, service, or library — through which all AI agent requests to external services are channeled. Instead of allowing agents to access APIs independently, routing calls through a gateway enables centralized policy enforcement and management.

This “reverse API gateway” model allows organizations to enforce crucial guardrails on AI-driven traffic while gaining comprehensive visibility and control over agent actions. The evolution of AI gateways now extends to providing critical security and compliance for autonomous AI agents and developer co-pilots utilizing agentic protocols. This includes:

• Authentication and Authorization for all Agentic Interactions: AI gateways are evolving to enforce the principle of least privilege by mediating credentials and injecting short-lived, scoped tokens for every agent-to-tool interaction, regardless of the underlying protocol. This is paramount to address “Excessive Agency” risks by treating all agents, including developer co-pilots, like untrusted users and sandboxing their permissions.
• Human-in-the-Loop Controls: For sensitive actions, the gateway can pause execution until manual approval is given. This acts as a circuit breaker, balancing automation with oversight.
• Monitoring & Auditing across all Agentic Traffic: Aggregating all agent traffic, including LLM calls and MCP-driven interactions, through a gateway enables rich logging. These logs — capturing who made what request, to where, with what result — should be fed into observability and SIEM tools. This allows teams to trace incidents, detect anomalies (such as usage spikes or access to new endpoints), and alert on unusual behaviors.
• Regulatory Compliance for Autonomous Actions: Gateways can filter or tag sensitive data, ensuring agents comply with data privacy rules. They also provide clear, auditable records for how AI is used, crucial for meeting regulatory and ethical standards.

Preparing Your Infrastructure for the Agentic AI Future

The agentic AI landscape is still in its nascent stages, making it the opportune moment for engineering leaders to establish robust foundational infrastructure. While the technology is rapidly evolving, the core patterns for governance are familiar: Proxies, gateways, policies, and monitoring.

Organizations should begin by gaining visibility into where agents are already running autonomously — chatbots, data summarizers, background jobs — and add basic logging. Even simple logs like “Agent X called API Y” are better than nothing. Routing agent traffic through existing proxies or gateways in a reverse mode can eliminate immediate blind spots. Implementing hard limits on timeouts, max retries, and API budgets can prevent runaway costs.

While commercial AI gateway solutions are emerging, such as Lunar.dev, teams can start by repurposing existing tools like Envoy, HAProxy, or simple wrappers around LLM APIs to control and observe traffic. Some teams have built minimal “LLM proxies” in days, adding logging, kill switches, and rate limits. Concurrently, defining organization-wide AI policies — such as restricting access to sensitive data or requiring human review for regulated outputs — is crucial, with these policies enforced through the gateway and developer training.

Encouraging safe experimentation within sandboxed environments, using fake data, and ensuring that any experiment can be quickly halted are also vital strategies. The goal is to assume failures and design for containment.

The rise of agentic AI promises transformative capabilities, but without a dedicated governance layer, it also invites chaos. Just as companies built cloud governance in the last decade, today’s organizations need AI agent governance. Fortunately, many of the patterns are familiar: Proxies, gateways, policies, and monitoring. Start now, while the stakes are low. A well-designed AI gateway and governance layer will be the backbone of future AI-native systems, enabling scale safely.

‍