
Best Claude Code Gateway for Enterprises in 2026


The legal review for Claude Code at a Fortune 500 doesn’t start with throughput. It starts with a fifty-question security questionnaire, a SOC 2 Type II report dated within twelve months, a DPA naming every sub-processor, a Business Associate Agreement (or written reasoning why none is needed), and an architecture diagram showing where prompt and completion data lives. The platform team is excited about productivity. Procurement isn’t excited yet, and procurement decides whether the rollout happens.

This post is for procurement and IT directors. Sibling posts (linked at the end) cover the developer, SRE, and FinOps lenses.

“Claude Code gateway” means an AI gateway between Claude Code and api.anthropic.com, wired via ANTHROPIC_BASE_URL. Scoring is procurement-grade honest: where any vendor is in progress on a certification, it’s named.


TL;DR: pick by procurement constraint

| Procurement constraint | Pick | Why |
| --- | --- | --- |
| BYOC plus open-source data layer plus AWS Marketplace plus HIPAA-certified BAA | Future AGI Agent Command Center | Only entry where the trace, eval, and optimization layers are Apache 2.0 and the data plane runs in your account |
| Polished hosted gateway with mature SOC 2 / ISO catalog, accepting a PANW acquisition | Portkey | Deepest pre-built compliance catalog of the hosted picks |
| Self-hosted control plane with FedRAMP-aligned reference architecture | Kong AI Gateway | If FedRAMP Moderate / High is on the checklist and Kong already sits inside the agency boundary |
| VPC-default deployment under a single MSA across gateway, inference, MLOps | TrueFoundry | If procurement wants to consolidate vendors under one DPA |
| Existing Cloudflare enterprise MSA covering DDoS, WAF, Workers | Cloudflare AI Gateway | If Cloudflare is already the trusted edge and the data plane has cleared review |

Why Claude Code at a Fortune 500 is a procurement problem

Procurement picks on whether the vendor satisfies seven artifacts: SOC 2 Type II, ISO 27001, the DPA, the BAA (if any unit might touch PHI), a sub-processor list with right-to-object language, an audit-log retention policy aligned to the customer’s records-retention schedule, and an architecture diagram showing where prompt and completion data lives.

Three properties of Claude Code sharpen this beyond a stateless API gateway review. First, the data is source code, and some of it is regulated. A health-tech subsidiary’s repo carries PHI in test fixtures; a bank’s repo carries material non-public information inside SOX scope; a government contractor’s repo carries CUI. The BAA has to be available if any unit is HIPAA-covered, even when today’s pilot isn’t. Second, sessions are long (thirty to fifty turns, each carrying tens of kilobytes of source code) and the audit log is chain of custody. SOX-scope inherits seven years; HIPAA-scope inherits six years from creation or last in effect; default thirty-day retention is wrong by orders of magnitude. Third, the vendor list consolidated in 2026: Helicone went to Mintlify in March 2026; Mintlify went to Stripe in late 2025; Portkey announced PANW acquisition on April 30, 2026 (close expected PANW fiscal Q4). Three names on a typical 2025 shortlist now have a different parent and possibly a different sub-processor list than IT security reviewed last quarter.


The 7 procurement axes we score on

| Axis | What procurement is asking |
| --- | --- |
| 1. SOC 2 Type II / ISO 27001 / SOX-relevant retention | Is the Type II report dated within twelve months? Is retention SOX-compliant per repository class? |
| 2. GDPR / DPA depth and FedRAMP / BAA availability | Is the DPA aligned to current EU SCCs? Is FedRAMP on the roadmap or attested? Is a BAA available on request? |
| 3. RBAC depth plus SSO + SCIM coverage | SAML SSO and SCIM out of the box? RBAC nesting at three or four levels? Delegated administration native? |
| 4. Data residency control | Can prompt and completion data be pinned to a region? Can the customer control sub-processor regions? |
| 5. SLA + private-link / VPC peering | Contracted SLA percentage with service credits? PrivateLink, Azure Private Link, or VPC peering offered? |
| 6. Air-gap and BYOC deployment | Can the gateway run inside the customer’s account or air-gapped enclave with no telemetry leaving the perimeter? |
| 7. Vendor financial stability and audit retention policy | Is the vendor stable through the contract term? What is the published retention policy and cold-tier economics? |

Partial credit on any axis isn’t disqualifying; most enterprise procurements close around partial credit with mitigations. The point is to surface the trade-offs before the committee discovers them eighteen months in.


How we picked

We started with AI gateways advertising an Anthropic-compatible endpoint and at least one publicly referenced 1,000+ Claude Code seat deployment. We removed vendors with no Type II report or in-progress observation period. We removed two names on 2026 trust events without clean remediation paths: Helicone (acquired by Mintlify, documentation-platform-first roadmap; Mintlify acquired by Stripe) and LiteLLM (March 24, 2026 PyPI supply-chain compromise affecting versions 1.82.7 and 1.82.8, exfiltrating SSH keys and cloud credentials per Datadog Security Labs).


1. Future AGI Agent Command Center: Best for BYOC plus open-source data layer

Verdict. Future AGI is the only entry where the entire data-collection layer (traces, evaluations, optimizer state) is Apache 2.0 code running inside the customer’s VPC under BYOC, with an AWS Marketplace listing that runs the contract against an existing AWS EDP commitment. Future AGI ships SOC 2 Type II + HIPAA + GDPR + CCPA certified per futureagi.com/trust; ISO/IEC 27001 is in active audit.

Attestation. SOC 2 Type II + HIPAA + GDPR + CCPA certified per futureagi.com/trust; ISO/IEC 27001 in active audit. Retention is tiered (hot thirty days, warm one year on Parquet, cold seven years on Glacier), configurable per repo class so SOX-scope repos inherit the seven-year cold tier.

DPA aligned to 2021 EU SCCs with 2023 amendments. Sub-processor list is short: Anthropic, AWS, and the customer’s logging destination. HIPAA certified, BAA available via FAGI sales.

RBAC + SSO + SCIM. Four-level native hierarchy: org > business-unit > sub-business-unit > cost-center, with repo and developer scoping below. Delegated administration is native. SAML SSO across Okta, Azure AD, Google Workspace, Auth0. SCIM for Okta and Azure AD. The identity broker accepts signed JWTs from multiple IdPs and normalizes the user.id schema.

Data residency. Under BYOC the customer pins residency by AWS or Azure region (EU-West, EU-Central, US-East, US-West, Singapore, Tokyo, Mumbai, anywhere your cluster runs). Hosted plane runs in US and EU; non-US/EU residency uses BYOC, the same Apache 2.0 binary in the customer’s account.

SLA / private-link. Enterprise contracts to 99.9% monthly uptime with credits; 99.95% on multi-region BYOC active-active. AWS PrivateLink, Azure Private Link, and VPC peering all available.

Air-gap / BYOC. BYOC is the flagship deployment. Air-gapped enclaves run the same stack with egress either disabled (against an on-prem model) or routed through the customer’s controlled-egress proxy. Telemetry to Future AGI’s hosted plane can be fully disabled.

Vendor stability + retention. ~$1.9M raised as of May 2026 (Powerhouse, Snow Leopard, Arka, Wellfound Quant Fund), earlier-stage than Portkey or TrueFoundry. Mitigations: Apache 2.0 license on the entire data-collection layer (the customer can self-host indefinitely) and the AWS Marketplace listing (converts the contract path into an AWS contract path). Cold-tier storage runs roughly 10x cheaper per TB-year than single-tier hot.

The loop, briefly. Traces are scored by fi.evals; low-scoring sessions are clustered; fi.opt.optimizers rewrite prompts or routing rules; Protect ships ~65 ms text latency per arXiv 2510.13351. The loop produces an immutable, versioned audit trail of every policy change alongside the chargeback data, the SOC 2 control evidence the auditor asks for.

Where it falls short.

  • ISO/IEC 27001 in active audit per futureagi.com/trust; SOC 2 Type II + HIPAA + GDPR + CCPA are certified today.
  • ISO 27001 not on the certificate list. Gap with a documented timeline.
  • Earlier-stage vendor than Portkey or TrueFoundry. Apache 2.0 data layer mitigates the exit path.
  • BYOC active-active requires SRE time: two to three weeks during cutover plus cross-region transfer and hot-tier replica cost.
  • Non-US/EU residency runs through BYOC (the same Apache 2.0 binary in the customer’s account, anywhere your cluster runs).

Pricing. Free tier with 100K traces per month. Scale starts at $99/month. Enterprise is custom with SOC 2 Type II, HIPAA, GDPR, and CCPA certified, BAA available via FAGI sales, BYOC, AWS Marketplace.

Score: 6.5 / 7 axes. Partial credit on attestation.


2. Portkey: Best for hosted gateway with mature compliance catalog

Verdict. Portkey is the most polished hosted Claude Code gateway in 2026, with the deepest pre-built compliance catalog among hosted-only products. Type II attested, ISO 27001 on the list, mature DPA. The 2026 variable is the Palo Alto Networks acquisition announced April 30, 2026, expected to close in PANW fiscal Q4. Inside the PANW stack the acquisition is upside; outside it, vendor-coupling is the question to answer before signing multi-year.

Attestation. SOC 2 Type II attested with report under NDA. ISO 27001 on the list. Retention configurable up to seven years on Enterprise with S3, Snowflake, Splunk export. SOX-aligned retention per workspace.

DPA aligned to current EU SCCs. Sub-processor list published. BAA on request. For a federal civilian agency today, plan against the PANW federal channel.

RBAC + SSO + SCIM. Native four-tier hierarchy: org > workspace > project > virtual-key. Delegated administration via SAML role claims. SAML SSO across Okta, Azure AD, Google Workspace, Auth0, OneLogin. SCIM supported. Trade-off: five-plus-level org charts flatten one level into metadata.

Data residency. Hosted multi-region across US-East, US-West, EU-West, APAC (Singapore), pinned per workspace. BYOC runs data plane in the customer account; control plane stays in Portkey cloud unless private deployment is negotiated.

SLA / private-link. Enterprise contracts to 99.9% monthly uptime; 99.95% on multi-region. AWS PrivateLink on Enterprise. Azure Private Link on the roadmap.

Air-gap / BYOC. BYOC available; air-gap is custom, not default.

Vendor stability + retention. Series A, disclosed funding above $10M, post-close PANW backing ($100B+ market cap public parent). Upside on stability with a vendor-coupling consideration. Retention tier economics aren’t as transparently published, so negotiate the storage line item explicitly.

Where it falls short.

  • PANW acquisition is a procurement variable. Add assignment-and-novation with a termination-without-penalty trigger if post-close terms degrade.
  • Four-tier RBAC is the deepest native; deeper org charts flatten into metadata.
  • Air-gap is custom, not default.

Pricing. Free tier with 10K requests/day. Pro starts at $99/month. Enterprise is custom with SOC 2 Type II, ISO 27001, BAA, BYOC.

Score: 6 / 7 axes.


3. Kong AI Gateway: Best for FedRAMP-aligned federal procurement

Verdict. Weakness: the AI Proxy plugin is newer than rate-limiting and the AI-native compliance catalog is plugin-driven.

Attestation. SOC 2 Type II attested for Kong Konnect. ISO 27001 on the list. Self-hosted plane is the customer’s audit scope, mitigated by Kong’s reference architecture.

Mature DPA. Konnect sub-processor list published. BAA on request. The procurement path is “extend the existing Kong ATO to include the AI Proxy plugin.”

RBAC + SSO + SCIM. Consumer-and-workspace-shaped RBAC with tag-based scoping. Three-plus levels configurable but heavier than Portkey’s native four-tier. SAML SSO via OIDC and JWT plugins. SCIM via Konnect.

Data residency. Self-hosted Kong runs anywhere; region pinning is the customer’s choice. Konnect supports multi-region.

SLA / private-link. Konnect Enterprise contracts to 99.95% monthly uptime. Self-hosted inherits the customer’s infrastructure. PrivateLink, Azure Private Link, VPC peering all standard.

Air-gap / BYOC. Self-hosted Kong is the reference air-gap deployment in this cohort, deployed inside federal enclaves for years.

Vendor stability + retention. Series E, funding above $200M, with a public-market path. Retention runs through request-logging plugins to the customer’s SIEM (Splunk, ELK, Datadog) or S3, so the customer’s existing records-retention schedule applies directly.

Where it falls short.

  • AI observability is plugin-driven; default dashboard is REST-shaped, and the chargeback view finance wants takes two to four weeks of platform-team time.
  • AI Spend plugin is newer than rate-limiting and still maturing.
  • Plugin stacking is operationally heavy; small platform teams will feel it.
  • No optimizer.

Pricing. Kong open source is free. Kong Konnect starts free. Enterprise plans with SLA and AI Proxy support start around $1.5K/month; at 5,000-engineer scale expect a six-figure annual contract.

Score: 5.5 / 7 axes. Partial credit on AI-native compliance catalog depth.


4. TrueFoundry: Best for single-vendor MSA across the AI stack

Verdict. TrueFoundry is the pick when procurement wants to consolidate inference, gateway, workspace, and MLOps under one MSA, DPA, and BAA, with VPC-default deployment. Advantage: simplification. Disadvantage: vendor coupling; if any component falls short, the whole stack is coupled.

Attestation. SOC 2 Type II attested. ISO 27001 on the list. Retention bundled across gateway, model serving, workspace under one platform-wide policy.

Mature DPA aligned to current EU SCCs. Sub-processor list published. BAA on request.

RBAC + SSO + SCIM. Workspace + project + role: three levels native, fourth via metadata. SAML SSO across major IdPs. SCIM supported. The MLOps-shaped hierarchy maps to model deployments and experiment tracking, an advantage if the same team will stand up internal models alongside Anthropic.

Data residency. VPC-default across AWS, Azure, GCP. Region pinning is the customer’s choice.

SLA / private-link. Enterprise contracts to 99.9% monthly uptime. VPC peering and PrivateLink standard. Multi-region active-active is the customer’s SRE responsibility.

Air-gap / BYOC. VPC-default. Air-gap supported via the same VPC pattern with customer-controlled egress.

Vendor stability + retention. Series A, disclosed funding above $20M, growing enterprise customer base. Retention configurable up to seven years with S3 export.

Where it falls short.

  • Claude Code integration is general-purpose, not tuned. Per-session dense views require custom work.
  • Vendor coupling: if inference or MLOps falls short, the consolidation advantage becomes a coupling disadvantage.
  • No optimizer.
  • Smaller community footprint than Kong’s or Portkey’s.

Pricing. Free trial. Production tier starts in the low four figures per month. Enterprise pricing is bundled; expect a six-figure annual contract at 5,000-engineer scale.

Score: 5.5 / 7 axes.


5. Cloudflare AI Gateway: Best for existing Cloudflare enterprise customers

Verdict. Cloudflare AI Gateway is the pick when the enterprise already has a Cloudflare MSA covering DDoS, WAF, Workers, and edge security, and procurement wants to extend it rather than onboard a new vendor. Strength: the existing MSA, DPA, and posture review. Weakness: Cloudflare AI Gateway is a Cloudflare-hosted data plane, which makes it the wrong pick for VPC-only or air-gapped requirements.

Attestation. Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27018, and a long additional certification list. AI Gateway inherits the enterprise catalog. Retention via Logpush to R2, S3, or a SIEM applies the customer’s records-retention schedule.

Cloudflare’s DPA is among the most mature in the industry. Sub-processor list published. BAA available.

RBAC + SSO + SCIM. RBAC via Cloudflare Access plus Worker logic; the hierarchy is what the customer writes in TypeScript inside a Worker. SAML SSO via Access. SCIM supported.

Data residency. Data localization suite pins processing to specific regions. Prompt traffic touches Cloudflare’s infrastructure, which is acceptable for most enterprise requirements but not for VPC-only.

SLA / private-link. Enterprise contracts to a 100% uptime SLA on the edge layer with service credits on missed minutes. AI Gateway inherits at Enterprise. Cloudflare’s data plane is Cloudflare’s infrastructure, so PrivateLink isn’t the deployment model; Magic Transit and the broader networking stack provide private connectivity.

Air-gap / BYOC. Not the deployment model.

Vendor stability + retention. Publicly traded (NYSE: NET) with a $25B+ market cap as of May 2026, strongest in the cohort. Retention is Logpush-driven, applied at the customer’s SIEM.

Where it falls short.

  • Wrong deployment model for VPC-only or air-gap.
  • AI-native dashboards are shallow.
  • No optimizer.
  • Worker model is TypeScript-first; deep RBAC and per-developer chargeback are platform-team work.

Pricing. AI Gateway free at low volume. Workers Paid is $5/month plus per-invocation fees. Enterprise rolls AI Gateway into the broader Cloudflare bundle.

Score: 5 / 7 axes. Partial credit on AI-native depth; full miss on BYOC / air-gap.


Procurement axis matrix

| Axis | Future AGI | Portkey | Kong | TrueFoundry | Cloudflare |
| --- | --- | --- | --- | --- | --- |
| SOC 2 Type II / ISO / SOX retention | Type II + HIPAA + GDPR + CCPA certified; tiered SOX retention | Type II attested + ISO 27001 | Type II (Konnect) + ISO 27001 | Type II attested + ISO 27001 | Type II + ISO 27001 + ISO 27018 |
| GDPR DPA / FedRAMP / BAA | DPA + BAA; FedRAMP roadmap | DPA + BAA; FedRAMP via PANW post-close | DPA + BAA; FedRAMP-aligned reference architecture | DPA + BAA; no standalone FedRAMP | DPA + BAA; FedRAMP Moderate via CF for Gov |
| RBAC + SSO + SCIM | 4-level + delegated; SSO + SCIM | 4-tier; SSO + SCIM | Consumer + workspace + tag; SSO + SCIM | Workspace + project + role; SSO + SCIM | Worker-based; Access + SCIM |
| Data residency | BYOC region of choice | Multi-region + BYOC data plane | Self-hosted region of choice | VPC-default | Data localization suite |
| SLA / private-link | 99.9-99.95%; PrivateLink + peering | 99.9-99.95%; PrivateLink | 99.95% Konnect | 99.9%; PrivateLink + peering | 100% edge SLA |
| Air-gap / BYOC | BYOC default; air-gap reference | BYOC; air-gap custom | Self-hosted air-gap standard | VPC-default; air-gap supported | Not the model |
| Vendor stability + retention | ~$1.9M raised; Apache 2.0 mitigation; tiered retention | Series A; PANW post-close | Series E; SIEM-exported retention | Series A; bundled retention | Public NYSE:NET; Logpush retention |

Decision framework: Choose X if

Choose Future AGI if the priority is BYOC with an Apache 2.0 data layer, AWS Marketplace contract path, SOC 2 Type II + HIPAA + GDPR + CCPA all certified with BAA available, and a feedback loop that produces audit-grade evidence of every policy change. Best for enterprises with an AWS EDP commitment.

Choose Portkey if the priority is a hosted gateway with the mature compliance catalog and you can accept the PANW acquisition as a vendor variable. Negotiate assignment-and-novation carefully.

Best when the platform team is sized to wire the AI Proxy and AI Spend plugins.

Choose TrueFoundry if procurement wants to consolidate the AI stack under one MSA and DPA with VPC-default deployment. Best when the customer is also standing up internal models alongside Anthropic.

Choose Cloudflare AI Gateway if the enterprise already runs Cloudflare as the trusted edge and the threat model accepts a Cloudflare-hosted data plane.


Common procurement mistakes when buying a Claude Code gateway

| Mistake | What goes wrong | Fix |
| --- | --- | --- |
| Treating SOC 2 Type II as binary | A Type II in-progress vendor is disqualified even when mitigations beat a competitor’s attested report | Score on observation period, scope, exceptions, and bridge-letter availability |
| Missing the BAA on a non-HIPAA pilot | Rollout expands into a HIPAA subsidiary; the contract has no BAA | Negotiate BAA-on-request at MSA signature, not at HIPAA-team onboarding |
| Signing multi-year with no assignment-and-novation | Vendor is acquired (Helicone, Portkey in 2026); customer has no exit | Add assignment-and-novation with a termination-without-penalty trigger |
| Picking hosted, then finding the air-gap subsidiary needs a different vendor | Architecture forks; audit reconciliation problem doubles | Buy the gateway whose BYOC fits the most-restrictive subsidiary; run hosted as default |
| Accepting default audit retention | Default is 30-90 days; SOX requires 7 years; HIPAA requires 6 years | Map each repo class to a records-retention schedule and negotiate tier economics |
| Not asking for the sub-processor list | DPA lists Anthropic; the vendor also uses AWS, a CDN, log aggregation, analytics | Demand the full sub-processor list with right-to-object language |
| Treating vendor stability as binary | Earlier-stage vendor with Apache 2.0 data layer is more stable for the customer than a mid-stage proprietary vendor | Score stability on the exit path, not on revenue thresholds |
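
The "Accepting default audit retention" fix can be checked mechanically before signature. The sketch below is an added example, not code from any vendor or project named on this page: it maps each repo's regulatory scopes to the SOX and HIPAA periods quoted in this article, flags repos whose gateway retention falls short, and places a log record in the hot/warm/cold tiers described earlier. The `Repo` record, the repo names, the 365-day year, and measuring age from record creation are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

DAYS_PER_YEAR = 365  # assumption: leap days ignored for schedule arithmetic

# Minimum audit-log retention per regulatory scope, in years (figures from the page).
REQUIRED_YEARS = {"sox": 7, "hipaa": 6}

# Storage tiers as (name, maximum record age in days): hot 30 days, warm 1 year, cold 7 years.
TIERS = (("hot", 30), ("warm", 1 * DAYS_PER_YEAR), ("cold", 7 * DAYS_PER_YEAR))


@dataclass(frozen=True)
class Repo:
    name: str                              # hypothetical repository identifier
    scopes: frozenset                      # regulatory scopes the repo falls under
    configured_days: Optional[int] = None  # None means the gateway default applies


def required_days(scopes):
    """Longest retention demanded by any scope; 0 for an unregulated repo."""
    unknown = set(scopes) - set(REQUIRED_YEARS)
    if unknown:
        # Fail closed: an unmapped scope must be classified, not silently defaulted.
        raise ValueError(f"no retention schedule for scope(s): {sorted(unknown)}")
    return max((REQUIRED_YEARS[s] * DAYS_PER_YEAR for s in scopes), default=0)


def effective_days(repo, default_days):
    """Retention the gateway would actually apply to this repo's audit log."""
    return default_days if repo.configured_days is None else repo.configured_days


def retention_gaps(repos, default_days):
    """Return {repo name: missing days} for repos retained for less than required."""
    gaps = {}
    for repo in repos:
        shortfall = required_days(repo.scopes) - effective_days(repo, default_days)
        if shortfall > 0:
            gaps[repo.name] = shortfall
    return gaps


def tier_for(repo, age_days, default_days):
    """Tier holding a record of the given age, or 'expired' once past retention."""
    if age_days < 0:
        raise ValueError("age_days must be non-negative")
    # Never expire before the regulatory floor, even if configuration is shorter.
    keep = max(required_days(repo.scopes), effective_days(repo, default_days))
    if age_days > keep:
        return "expired"
    for name, max_age in TIERS:
        if age_days <= max_age:
            return name
    return TIERS[-1][0]  # kept beyond the last tier bound: stays in cold storage


# Constructed sample inventory; names and scope assignments are illustrative.
SAMPLE_REPOS = [
    Repo("payments-ledger", frozenset({"sox"})),
    Repo("patient-portal", frozenset({"hipaa"}), configured_days=6 * DAYS_PER_YEAR),
    Repo("claims-billing", frozenset({"sox", "hipaa"}), configured_days=6 * DAYS_PER_YEAR),
    Repo("marketing-site", frozenset()),
]

if __name__ == "__main__":
    for name, missing in retention_gaps(SAMPLE_REPOS, default_days=30).items():
        print(f"{name}: retention short by {missing} days")
```

A repo in both SOX and HIPAA scope inherits the longer period, which is why a six-year setting still shows a one-year gap for the dual-scope sample repo.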

How Future AGI closes the loop on the procurement question

Procurement scores on artifacts: MSA, DPA, BAA, SOC 2 report, sub-processor list, architecture diagram. All five gateways above produce those. The artifact procurement doesn’t always ask for at signature but does ask for at audit is the immutable, versioned trail of every policy change, prompt rewrite, and routing-rule update made on the basis of evaluation data.

The other four gateways treat the gateway as the policy enforcement point. Policy is configured by humans; the dashboard tells humans what is happening; the audit log records human-driven changes. The audit artifact is “here are the policy changes the platform team made over the last twelve months.”

Future AGI treats the captured trace as the input to a closed loop. Every Claude Code turn is traced via traceAI (Apache 2.0) and scored by fi.evals; low-scoring sessions are clustered; fi.opt.optimizers rewrite the prompt or routing on the basis of clustered failures; the gateway applies the updated policy; the trace store records the change, the evidence that drove it, and the version diff. fi.opt.optimizers provides six optimizers (RandomSearchOptimizer; BayesianSearchOptimizer, which is Optuna-backed with teacher-inferred few-shot templates and resumable studies; MetaPromptOptimizer; ProTeGi; GEPAOptimizer; PromptWizardOptimizer), all sharing an EarlyStoppingConfig (patience + min_delta + threshold + max_evaluations) and the same unified Evaluator over 60+ FAGI rubrics. The audit artifact is “here are the policy changes the system made on the basis of evaluation data, with the evidence chain that drove each change.” For a SOX auditor the trace store is a single query point; for GDPR lawful-basis review, trace tags carry consent metadata. The Protect guardrail ships with ~65 ms text latency per arXiv 2510.13351, so inline policy enforcement doesn’t break Claude Code’s interactive experience.

Apache 2.0 building blocks: traceAI, ai-evaluation, agent-opt (github.com/future-agi). Hosted Agent Command Center adds the failure-cluster view, Protect guardrails, four-level RBAC, SOC 2 Type II + HIPAA + GDPR + CCPA all certified with BAA available, AWS Marketplace, and BYOC deployment.


What we did not include

Helicone. Acquired by Mintlify in March 2026; Mintlify acquired by Stripe in late 2025. The AI gateway product is on an uncertain roadmap inside a documentation-platform-first parent. Planned migration window, not continued procurement.

LiteLLM. The March 24, 2026 PyPI supply-chain compromise (versions 1.82.7 and 1.82.8, exfiltrating SSH keys and cloud credentials per Datadog Security Labs) raises the operational bar beyond what most Fortune 500 committees will accept without a clean post-incident audit.

OpenRouter.



Sources

  • Anthropic Claude Code documentation, claude.ai/docs/claude-code
  • Future AGI Agent Command Center, futureagi.com/platform/monitor/command-center
  • Future AGI Protect latency benchmarks, arxiv.org/abs/2510.13351 (65 ms text, 107 ms image)
  • Portkey AI gateway, portkey.ai
  • Palo Alto Networks press release on Portkey acquisition (April 30, 2026), paloaltonetworks.com/company/press/2026
  • Kong AI Gateway and AI Proxy plugin, konghq.com/products/kong-ai-gateway
  • TrueFoundry AI Gateway, truefoundry.com/ai-gateway
  • Cloudflare AI Gateway, developers.cloudflare.com/ai-gateway com/lp/government
  • Datadog Security Labs LiteLLM PyPI supply-chain writeup (March 24, 2026), securitylabs.datadoghq.com

Frequently asked questions

Which of these gateways has SOC 2 Type II attested today?
Future AGI, Portkey, Kong Konnect, TrueFoundry, and Cloudflare all ship SOC 2 Type II. Future AGI's [trust page](https://futureagi.com/trust) lists Type II + HIPAA + GDPR + CCPA certified; ISO/IEC 27001 is in active audit. Procurement requiring an ISO 27001 attestation letter today should request the audit timeline.
Which gateway gives me the cleanest air-gap or BYOC story?
Future AGI for BYOC; Kong for self-hosted air-gap. Future AGI's BYOC runs both planes in the customer's account with an Apache 2.0 data layer. Kong has been deployed inside air-gapped federal enclaves for years; the AI Proxy plugin inherits that shape.
Is a BAA available for a HIPAA-covered subsidiary?
All five — Future AGI, Portkey, Kong (Konnect), TrueFoundry, Cloudflare — make a BAA available on request. Negotiate it at MSA signature even on a non-HIPAA pilot; the rollout will eventually reach a covered unit.
What is the right answer for federal civilian or defense contractor procurement?
Federal procurement runs via air-gapped self-host (BYOC); FedRAMP is on the partner roadmap. Future AGI's Apache 2.0 OSS data plane plus BAA covers the regulated VPC; Kong is the established in-VPC air-gap option with deep federal-enclave history. Cloudflare for Government is the alternative for edge-deployed workloads.
How do I handle the 2026 vendor consolidation events at signature?
Add assignment-and-novation language with a termination-without-penalty trigger if the post-close DPA, sub-processor list, or contract entity degrades the customer's posture. The right risk control is contractual, not vendor avoidance.
What is the right audit log retention policy for a SOX-scope repository?
Seven years from creation, applied to the gateway audit log because it is part of the chain of custody. Map each repo to its records-retention schedule (SOX, HIPAA, GDPR records of processing, contractual obligations) and configure tiered storage so the seven-year requirement applies only to in-scope repos.
How is Future AGI different from Portkey for procurement?
Portkey is the polished hosted gateway with the mature catalog (Type II attested, ISO 27001, four-tier RBAC). Future AGI is the BYOC gateway with the Apache 2.0 data layer, AWS Marketplace contract path, HIPAA certified with BAA available, and a closed loop that produces audit-grade evidence of every policy change. Portkey when the priority is a hosted, attested-today catalog; Future AGI when the priority is BYOC, source-available data layer, and Type II aligned with production go-live.