Back to Blog
Guides

Top Enterprise AI Gateways for Governing Claude Code in 2026

Five enterprise AI gateways scored on governing Claude Code in 2026: model whitelists, repo allowlists, approval workflows, departmental policy injection, audit trails, license attribution, and kill-switch controls.

·
20 min read
ai-gateway 2026 claude-code
Editorial cover image for Top Enterprise AI Gateways for Governing Claude Code in 2026
Table of Contents

A Chief AI Officer at a Fortune 500 bank doesn’t lose sleep over Claude Code’s throughput or its monthly bill. She loses sleep over the 11:40 PM email from internal audit: a developer pasted a regulated dataset into a Claude Code session, the model returned code that incorporated a verbatim snippet from a copyleft repo, and that code shipped to production three days later. The governance committee meets in twenty hours. The question is “show the committee the policy, the enforcement point, the audit trail, and the kill switch, in that order, by 9 AM.”

Token monitoring tells you what Claude Code cost. Procurement tells you whether the vendor is acceptable. Scaling tells you whether the gateway stays up. Governance tells you what Claude Code is allowed to do, who approved each exception, and how fast the kill switch trips. Those questions answer through one enforcement point: the gateway between Claude Code and api.anthropic.com.

This post is for the Chief AI Officer, Head of AI Governance, AI Risk Committee, and the working group writing the Claude Code policy. Five gateways scored on seven governance axes: model whitelist enforcement, repo allowlist, approval workflow for non-default models, departmental policy injection, activity audit trail, license and IP attribution per code suggestion, and rollback plus kill switch.

TL;DR: pick by governance posture

Governance posturePickWhy
Policy-as-code with feedback loop turning eval data into the next policy versionFuture AGI Agent Command CenterOnly entry where the governance policy is the eval-time gate, audit-grade by construction
Polished hosted control plane with mature guardrails and approval workflowsPortkeyDeepest pre-built guardrail catalog of the hosted picks; native virtual-key approval flow
Self-hosted policy plane with plugin-driven enforcement under an existing Kong footprintKong AI GatewayIf the platform team already runs Kong inside the policy boundary
VPC-default single-vendor policy bundle across inference + gateway + workspaceTrueFoundryIf governance wants one policy bundle and one audit trail across the AI stack
Open-source agent-gateway pattern with Kubernetes-native policyagentgateway.devIf policy is expressed as Gateway API resources and OPA / Rego policies in Git

Why governing Claude Code is a different problem

A governance committee doesn’t pick a gateway the way a platform team does. The platform team picks on throughput and tagging. The committee picks on what Claude Code is allowed to do before any of that matters. Three properties sharpen the question.

The blast radius is source code, not a chat reply. A poorly governed chat assistant returns a wrong answer to one user. A poorly governed Claude Code session writes code that ships to production. The shipped code may incorporate a copyleft snippet, leak a regulated dataset packed into context, call an internal API the developer’s role shouldn’t reach, or reference a model the AI use policy hasn’t approved. Governance has to fire before the code lands in the repo.

The policy surface is wider than approve / deny. Claude Code policy is a stack: which models are whitelisted; which repos are on the AI-assisted-contribution allowlist; what gates a non-default model; what injects into the system prompt for finance vs healthcare vs research; what evidence the committee gets; what license attribution applies; what the kill-switch posture is. The gateway is the only point that sees every dimension on every call.

The committee cares about the change log, not the dashboard. When audit asks “every policy change in the last twelve months, who approved each, what evidence supported each, and what eval impact followed,” the right answer isn’t a screenshot. It’s an immutable, versioned record where every diff is keyed to a change ticket, an approval signature, an evidence bundle, and the eval delta that followed. A gateway either produces that artifact by construction or it doesn’t.

The 7 governance axes we score on

AxisWhat the governance committee is asking
1. Model whitelist enforcementHard-block models off the whitelist at the request layer, no developer override?
2. Repo allowlist enforcementScope Claude Code to allowlisted repos; refuse on everything else?
3. Approval workflow for non-default modelsGate calls to non-default models on a documented approval with evidence trail?
4. Departmental policy injectionEach department gets a distinct system-prompt and tool allowlist, injected on every call?
5. Activity audit trailImmutable, versioned trail keyed to the committee’s evidence schedule, with eval scores?
6. License and IP attribution per code suggestionPer-suggestion provenance bundle queryable by the legal team?
7. Rollback and kill switchHard stop scoped to model, repo, department, or globally, sub-minute propagation?

Verdict line at each pick scores all seven.

How we picked

We started with AI gateways shipping an Anthropic-compatible endpoint and deployed at one or more enterprises under a written AI use policy. We removed gateways without a policy plane, where “policy” means a rule that fires at request time, not a dashboard rule after the fact. We removed two names on 2026 trust events: Helicone (acquired by Mintlify March 2026, Mintlify acquired by Stripe late 2025) and LiteLLM (March 24, 2026 PyPI supply-chain compromise affecting versions 1.82.7 and 1.82.8 per Datadog Security Labs).

1. Future AGI Agent Command Center: Best for policy-as-code with closed-loop governance

Verdict. Future AGI is the only gateway here where the governance policy is more than enforced, it’s the eval-time gate that produces the next version of itself. Every policy change is keyed to an evidence bundle, a versioned diff, and the eval-score delta that followed. The audit committee gets a queryable, immutable record, not a screenshot.

Model whitelist. Policy-as-code resource (fi.policy.model_whitelist) in the customer’s Git repo, versioned, code-reviewed. The gateway hard-blocks non-whitelisted models with a 403 carrying the policy version. No runtime override, the override path is a pull request.

Repo allowlist. Same resource shape, keyed to the git remote URL Claude Code sends. A call from an unlisted repo returns a 403 with the same evidence bundle. Queryable from the trace store.

Approval workflow. The resource declares default and non-default tiers. A non-default call requires a signed approval token scoped to developer, repo, model, and time window, short-lived and revocable. The audit trail captures the approver’s SSO claim, the evidence seen at signature, and the calls the token gated.

Departmental policy injection. Department-shaped scopes (finance, healthcare, research, platform). Each binds a system-prompt fragment, tool allowlist, model tier, and data-class filter. The gateway resolves the SSO claim to a department and injects on every call. Delegated administration is native.

Activity audit trail. Every turn produces a span tree via traceAI (Apache 2.0). Spans capture SSO claim, repo, department, prompt, completion, tool calls, model, latency, cost, policy version, and eval score. Tiered (hot 30 days, warm 1 year, cold 7 years), configurable per repo class so SOX-scope inherits the seven-year cold tier. Every policy change is a versioned diff keyed to a change ticket, approval signature, evidence bundle, and 24-hour eval delta.

License and IP attribution. Per-suggestion provenance on every trace: model, training-data class, prompt-completion delta, similarity score against a corpus of common copyleft snippets (Apache 2.0 evaluator from ai-evaluation), and a license-risk score with citation when a match fires. Legal team query: “every suggestion last quarter above the policy threshold, by repo, by developer.” One expression.

Rollback and kill switch. Policy is Git-versioned; rollback is git revert plus sub-minute propagation. The kill switch is a separate primitive: signed global stop, or model / repo / department-scoped stop, each propagating in under thirty seconds.

The loop. fi.evals scores every turn against task-completion, faithfulness, code-correctness, policy-compliance, and license-risk. Low-scoring sessions cluster, “Opus called on standard-class repos eight hundred times last week without an approval token.” fi.opt.optimizers (six optimizers (RandomSearchOptimizer, BayesianSearchOptimizer with Optuna teacher-inferred few-shot and resumable runs, MetaPromptOptimizer, ProTeGi, GEPAOptimizer, PromptWizardOptimizer), all sharing EarlyStoppingConfig) propose a next-version policy resource as a pull request, reviewed by the committee, merged, re-deployed. Protect ships ~65 ms text median time-to-label latency per arXiv 2510.13351; inline enforcement doesn’t break the interactive experience.

Where it falls short.

  • ISO/IEC 27001 in active audit; SOC 2 Type II, HIPAA, GDPR, and CCPA are certified today per futureagi.com/trust.
  • The optimizer compounds; teams wanting immediate whitelist-plus-kill-switch should run the policy plane on its own first.
  • BYOC active-active is two to three weeks of SRE time during cutover plus cross-region transfer and hot-tier replica cost.
  • Non-US/EU residency runs through BYOC (the same Apache 2.0 binary in the customer’s account, anywhere your cluster runs).
  • License-risk evaluator is a similarity-against-corpus check, not a legal opinion.

Pricing. Free tier with 100K traces / month. Scale starts at $99/month. Enterprise is custom with SOC 2 Type II, HIPAA, GDPR, and CCPA all certified, BAA available, BYOC, AWS Marketplace.

Score: 7 / 7 axes, with partial credit on attestation.

2. Portkey: Best for hosted policy plane with mature guardrails

Verdict. Portkey is the most polished hosted gateway with a usable governance posture. Native virtual-key approval flow, mature guardrails catalog, mature DPA, the fastest path when the security review accepts a managed control plane. The 2026 variable is the Palo Alto Networks acquisition announced April 30, 2026, inside the PANW stack this is upside; outside, vendor-coupling is worth answering before signature.

Model whitelist. Native through virtual keys: each key declares allowed models, non-listed calls return 403. Workspace-configured; code-as-policy export is manual.

Repo allowlist. Metadata-header rules: the gateway requires a metadata.repo header and refuses missing or out-of-allowlist values. The Claude Code wrapper has to set the header reliably; without a hardened wrapper, the developer can omit it.

Approval workflow. Native virtual-key flow: developer requests, approver signs, key issued for a scoped window. Workspace-scoped, multi-workspace approvals require external workflow tools.

Departmental injection. Workspace + virtual-key model. Each department maps to a workspace carrying a system-prompt template and a guardrail catalog. Trade-off: policy is set in the UI, not Git.

Activity audit trail. Up to seven years retention on Enterprise with S3, Snowflake, Splunk export. Tier economics less transparently published than Future AGI’s; negotiate the storage line item.

License and IP attribution. Custom guardrail or third-party integration. Not native for code-specific attribution; platform-team work to wire a similarity evaluator.

Rollback and kill switch. Workspace disable plus virtual-key revoke. Sub-minute propagation. Global kill switch through the org-level admin role. Less granular than Future AGI’s scoped switch.

Where it falls short.

  • Policy is configured in the UI by default; policy-as-code requires manual export.
  • Repo allowlist depends on a client-side header, harden the wrapper.
  • License-attribution evaluator isn’t native.
  • PANW acquisition adds a vendor-coupling axis. Add assignment-and-novation with a termination-without-penalty trigger.
  • No closed-loop optimizer proposing the next policy version.

Pricing. Free tier with 10K requests/day. Pro starts at $99/month. Enterprise custom with SOC 2 Type II, ISO 27001, BAA.

Score: 5.5 / 7 axes. Partial credit on policy-as-code shape and license attribution.

3. Kong AI Gateway: Best for self-hosted policy under an existing Kong footprint

Verdict. Kong AI Gateway is the right pick when the platform team has standardized on Kong inside the policy boundary and the committee accepts Lua-shaped enforcement. Path of least resistance: extend Kong with the AI Proxy plugin and apply governance through the same plugin model used for the rest of the API estate. Strength: operational maturity. Weakness: AI-specific governance is plugin-driven, not native.

Model whitelist. AI Proxy plugin’s allowed-models list, declared per route in declarative YAML, Git-reviewable.

Repo allowlist. Consumer + tag + Lua. Platform team writes enforcement in a custom plugin. Heavier than Future AGI’s resource or Portkey’s header rule.

Approval workflow. Not native. Pattern: a consumer per developer, a tag indicating approved tier, a Lua plugin enforcing tag-to-model matching, an external ticketing system issuing the tag. Approval evidence lives in the ticketing system, not the gateway.

Departmental injection. Workspace per department, system-prompt template applied through a transformer plugin, tool allowlist applied through request-validation. Reviewable as Kong configuration. Plugin-stacking is operationally heavy.

Activity audit trail. Request-logging plugin exported to the customer’s SIEM (Splunk, ELK, Datadog) or S3. Inherits Kong Konnect’s SOC 2 Type II. Rich on REST-shaped data; LLM-shaped data (cost, eval score, license risk) lives in custom plugin output.

License and IP attribution. Not native. Custom plugin running a similarity-against-corpus check at response time, attaching the score to the request log.

Rollback and kill switch. Native through plugin disable, route disable, consumer revoke. Sub-minute under Konnect; self-hosted depends on the control plane’s reconciliation cadence.

Where it falls short.

  • AI-specific governance is plugin-driven, not native.
  • AI Spend plugin is newer than rate-limiting and still maturing.
  • Approval-workflow story is external.
  • No optimizer.
  • Plugin-stacking is operationally heavy; small platform teams will feel it.

Pricing. Kong OSS is open source. Konnect starts free. Enterprise plans with SLA and AI Proxy support start around $1.5K/month; six figures at 5,000-engineer scale.

Score: 5 / 7 axes. Partial credit on approval workflow and license attribution.

4. TrueFoundry: Best for a single-vendor policy bundle across the AI stack

Verdict. TrueFoundry is the pick when governance wants one policy bundle and one audit trail across inference, gateway, and MLOps, deployed VPC-default. Advantage: a single point of policy review. Disadvantage: vendor coupling, if any component falls short, consolidation flips.

Model whitelist. Native through the model registry: only registered models can be served or proxied. Platform-wide, with workspace-level overrides.

Repo allowlist. Workspace + project metadata. Calls from a non-allowlisted project are refused. The Claude Code wrapper carries project context through the gateway’s metadata pass-through.

Approval workflow. Native through the platform’s approval workflow: registration, deployment promotion, and gateway-route changes all flow through a configurable approval. Shared with inference and MLOps, the governance officer signs one policy across the stack.

Departmental injection. Workspace + project + role hierarchy: three levels native, fourth via metadata. MLOps-shaped hierarchy fits a department-to-workspace mapping.

Activity audit trail. Bundled across gateway, model serving, workspace. Up to seven years retention with S3 export. One audit query covers the AI stack. Trade-off: general-purpose, not Claude Code-aware. Per-turn granularity requires custom work.

License and IP attribution. Not native. Custom evaluator in the platform’s evaluation framework.

Rollback and kill switch. Native through deployment management. Sub-minute propagation. Platform-wide and scope-configurable.

Where it falls short.

  • Claude Code integration is general-purpose, not tuned. Per-session governance views require custom work.
  • License attribution is custom.
  • Vendor coupling: if inference or MLOps falls short, consolidation flips.
  • No optimizer.
  • Smaller community footprint than Portkey’s or Kong’s.

Pricing. Free trial. Production tier in the low four figures per month. Enterprise bundled; six figures at 5,000-engineer scale.

Score: 5 / 7 axes. Partial credit on Claude Code-aware depth and license attribution.

5. agentgateway.dev: Best for Kubernetes-native policy in Git

Verdict. agentgateway.dev is the pick when the committee wants Claude Code policy in the same shape as the rest of the platform’s. Kubernetes Gateway API resources, OPA / Rego, GitOps reconciliation, kept in Git alongside cluster policy. Strength: policy-as-code in the language the platform already speaks. Weakness: AI-specific catalog younger than Portkey’s or Kong’s; operational maturity at 5,000-engineer scale not yet what Kong’s is.

Model whitelist. ModelRoute Gateway API resource declaring allowed models per route. A Git-versioned YAML reviewed through pull requests.

Repo allowlist. Rego policy attached to the route, evaluating metadata.repo against an allowlist resource. The wrapper has to set metadata reliably; missing-metadata fails closed.

Approval workflow. Not native. Pattern: a Rego policy permits the non-default model only when a ModelApproval resource exists for the developer-repo-model-window tuple, created by a separate approval workflow. Audit lives in Git and the approval system.

Departmental injection. Rego policies and request-mutation filters parameterized by department label. Each department is a label or namespace; system-prompt fragment and tool allowlist injected through filter configuration.

Activity audit trail. Structured logging exported to the customer’s logging stack. Audit-grade view depends on what the customer wires on top; the gateway doesn’t ship its own retention or eval-tied trail.

License and IP attribution. Not native. Response-filter pod running similarity-against-corpus and attaching the score to the log.

Rollback and kill switch. Gateway API resource updates plus GitOps reconciliation. Sub-minute under a tight reconciliation loop; longer under default cadences.

Where it falls short.

  • AI-specific catalog is younger than Portkey’s and Kong’s.
  • Operational maturity at 5,000-engineer scale isn’t yet what Kong’s is.
  • Audit-trail depth depends on the customer’s logging stack.
  • No optimizer.
  • Approval workflow is GitOps-shaped; committees expecting click-through workflows don’t pick this up easily.

Pricing. Open source. Commercial support and managed offerings emerging; pricing varies by support vendor.

Score: 4.5 / 7 axes. Partial credit on audit depth, license attribution, operational maturity.

Governance axis matrix

AxisFuture AGIPortkeyKongTrueFoundryagentgateway.dev
Model whitelistPolicy-as-code, hard-block, Git-reviewedVirtual-key whitelist, UIAI Proxy plugin, YAMLModel registryModelRoute resource
Repo allowlistPolicy resource, nativeMetadata-header, client-dependentLua + tag, platform-team workWorkspace + projectRego on metadata
Approval workflowSigned token, scoped, evidence-tiedNative virtual-key approvalExternal ticketing + tagNative platform-wideGitOps resource
Departmental injectionDepartment-scoped policyWorkspace + system-promptWorkspace + transformer pluginWorkspace + project + roleRego + namespace
Audit trailEval-tied versioned diffs, immutableUp to 7-year retentionSIEM-exported request logBundled platform auditCustomer logging stack
License + IP attributionNative similarity, queryableCustom guardrailCustom pluginCustom evaluatorCustom response filter
Rollback + kill switchScoped, <30sWorkspace + key revoke, <60sPlugin / route / consumer disablePlatform-wide, scope-configurableGitOps-paced

Decision framework: Choose X if

Choose Future AGI if the committee’s evidence schedule asks for policy-as-code, eval-tied audit trails, and a closed loop that proposes the next policy version, and procurement values continuously certified attestations across SOC 2 Type II, HIPAA, GDPR, and CCPA.

Choose Portkey if the priority is a polished hosted policy plane with a mature guardrails catalog, the security review accepts a managed control plane, and the committee accepts UI-configured policy. Add assignment-and-novation carefully ahead of the PANW close.

Choose Kong AI Gateway if Kong already sits inside the policy boundary and the platform team has headroom to write Lua plugins.

Choose TrueFoundry if governance wants one policy bundle and one audit trail across inference, gateway, and MLOps, and procurement wants a single MSA.

Choose agentgateway.dev if the platform’s policy is already expressed as Gateway API resources and OPA / Rego policies, GitOps is the lingua franca, and the committee accepts the AI-specific catalog being younger than Portkey’s.

Common governance mistakes when rolling out Claude Code through a gateway

MistakeWhat goes wrongFix
Model whitelist as a soft defaultDeveloper flips to claude-opus-4-7 on a SOX-scope repo; audit catches it three months laterHard-block with a 403 and policy-version reference; override through a pull request
Repo allowlist configured client-sideDeveloper points Claude Code at a non-allowlisted repo; gateway accepts on missing metadataFail closed on missing metadata; harden the wrapper to set the repo header from git remote
Unbounded approval tokensAn Opus approval for a one-week investigation is still active eight months laterShort-lived, scoped, signed tokens; revoke on time window or change-ticket close
Departmental policy injected only at the IDETerminal CLI bypasses injection; finance-org policy hits autocomplete but not shell turnsInject at the gateway hop; set ANTHROPIC_BASE_URL in the shell profile
Default 30-day audit retentionAudit asks for year-over-year; the trail has rolled overMap each repo class to a records-retention schedule (SOX 7 years, HIPAA 6 years); tiered storage
License-risk score as legal opinionEvaluator flags a suggestion as high-risk; developer pastes anywayWire the score into the policy plane: high-risk triggers a hold pending legal review
Kill switch tied to one personOn-call governance officer is at a conference; incident waits eight hoursSigned-by-role kill switch with a two-approver quorum; pre-authorize incident-response role
Policy lifecycle in the UIA change in March is reviewed in April; nobody remembers what evidence supported itPolicy as code: every change is a PR with evidence, every merge is logged with the eval delta

How Future AGI closes the governance loop on Claude Code

The other four gateways treat the gateway as the enforcement point and the dashboard as the artifact. Policy is configured by humans; the audit log records human-driven changes. The audit artifact is “here are the policy changes the platform team made over the last twelve months.”

Future AGI treats the captured trace as the input to a closed loop where policy is both the eval-time gate and the artifact the loop improves.

  1. Trace. Every turn produces a span tree via traceAI (Apache 2.0). Spans capture SSO claim, repo, department, prompt, completion, tool calls, model, latency, cost, policy version, and license-risk score. Tiered (hot 30 days, warm 1 year, cold 7 years).

  2. Evaluate. fi.evals scores against task-completion, faithfulness, code-correctness, policy-compliance, and license-risk rubrics. The policy-compliance rubric is itself a policy resource, the committee writes what compliance means.

  3. Cluster. Low-scoring and policy-hit sessions cluster: “Opus called on standard-class repos eight hundred times last week without an approval token” or “finance-org system-prompt injection failed on twelve sessions with stale SSO claims.”

  4. Propose. fi.opt.optimizers (six optimizers (RandomSearchOptimizer, BayesianSearchOptimizer with Optuna teacher-inferred few-shot and resumable runs, MetaPromptOptimizer, ProTeGi, GEPAOptimizer, PromptWizardOptimizer), all sharing EarlyStoppingConfig) propose a next-version policy resource as a pull request with the evidence bundle attached.

  5. Review. The committee reviews like any code review. Approvers sign with their SSO claim; signatures land alongside the proposal.

  6. Re-deploy. Merged resource is loaded at the next request; sub-minute propagation under BYOC. Keyed to a versioned diff and the change ticket.

  7. Measure. 24-hour post-deploy eval delta is captured. Regression below threshold triggers automatic rollback.

Net effect: when audit asks “every policy change in the last twelve months, who approved each, what evidence supported each, and what eval impact followed,” the answer is one query. Every dimension is captured by construction. Protect ships ~65 ms text median time-to-label latency per arXiv 2510.13351; inline enforcement doesn’t break the interactive experience.

Apache 2.0 building blocks: traceAI, ai-evaluation, agent-opt (github.com/future-agi). Hosted Agent Command Center adds the failure-cluster view, Protect guardrails, four-level RBAC with delegated administration, signed-by-role kill switch, SOC 2 Type II + HIPAA + GDPR + CCPA all certified with BAA available, AWS Marketplace, and BYOC deployment.

What we did not include

Helicone. Acquired by Mintlify in March 2026; Mintlify acquired by Stripe in late 2025. Documentation-first roadmap shift isn’t the right shape for a multi-year governance commitment.

LiteLLM. The March 24, 2026 PyPI supply-chain compromise (versions 1.82.7 and 1.82.8, exfiltrating SSH keys and cloud credentials per Datadog Security Labs) raises the operational bar beyond what most governance committees will accept without a published post-incident audit.

Cloudflare AI Gateway. Strong edge primitives and deep MSA depth at most large enterprises, but a Cloudflare-hosted data plane with Worker-based policy in TypeScript is the wrong shape for a governance lifecycle that wants policy-as-code in Git, eval-tied audit, and a signed kill switch.

OpenRouter. Excellent for routing experimentation; the governance shape (policy-as-code, approval workflows, departmental injection, license attribution) is consumer-facing.

Sources

  • Anthropic Claude Code documentation, claude.ai/docs/claude-code
  • Future AGI Agent Command Center, futureagi.com/platform/monitor/command-center
  • Future AGI Protect latency benchmarks, arxiv.org/abs/2510.13351 (65 ms text / 107 ms image median time-to-label)
  • Portkey AI gateway, portkey.ai
  • Palo Alto Networks press release on Portkey acquisition (April 30, 2026), paloaltonetworks.com/company/press/2026
  • Kong AI Gateway and AI Proxy plugin, konghq.com/products/kong-ai-gateway
  • TrueFoundry AI Gateway, truefoundry.com/ai-gateway
  • agentgateway.dev, agentgateway.dev
  • Datadog Security Labs LiteLLM PyPI supply-chain writeup (March 24, 2026), securitylabs.datadoghq.com

Frequently asked questions

Which gateway gives the committee a single audit query?
Future AGI. The policy-version-keyed trace store is queryable in one expression: change, approver, evidence, eval delta. Portkey and TrueFoundry produce audit logs with up to seven-year retention but the eval-and-evidence tie is custom integration. Kong and agentgateway.dev push request logs into the customer's SIEM; depth depends on what is wired on top.
What is the right way to gate Opus on a SOX-scope repo?
A policy resource declaring `claude-opus-4-7` as non-default on `repo.class = SOX`, with an approval workflow that issues a signed, scoped, short-lived token. Future AGI ships this natively. Portkey ships virtual-key approval but policy lives in the UI. Kong, TrueFoundry, and agentgateway.dev require platform-team work.
How do we stop a developer from bypassing the gateway?
Egress policy at the network: permit `api.anthropic.com` only from the gateway plane. Without that control, the gateway is a soft gate. Pair the gateway with a firewall or service-mesh egress policy.
What is the right kill-switch posture?
Signed by a role with a two-approver quorum, scoped (model, repo, department, global), propagating in under thirty seconds. Future AGI ships the scoped sub-30-second pattern natively. Portkey ships workspace-and-virtual-key-revoke with sub-60-second propagation. Kong and agentgateway.dev ship plugin / route / GitOps disable. TrueFoundry is platform-wide and scope-configurable.
How does Future AGI's loop differ from Portkey's dashboard?
Portkey's dashboard tells the governance officer what is happening. Future AGI's loop tells the gateway what the next policy version should be, and binds the proposal to the evidence the audit committee asks for. Portkey delivers a dashboard the officer reads aloud; Future AGI delivers a queryable record the committee can ask follow-ups against.
How do we handle license and IP attribution at scale?
Wire a similarity-against-corpus evaluator into the policy plane, treat the score as a triage signal, and hold any suggestion above the policy threshold for legal review before it lands. Future AGI's evaluator runs at trace time and lands in the same audit trail. The score is not a legal opinion; the policy plane decides what it triggers.
Related Articles
View all
Top 5 Tools for Claude Code Cost Management in 2026
Guides
Top 5 Tools for Claude Code Cost Management in 2026

Five tools for Claude Code cost management in 2026 — four gateways plus the native Anthropic dashboard and a FinOps platform — scored on attribution, chargeback, caps, routing, cache observability, FinOps integration, and audit trail.

NVJK Kartik
NVJK Kartik ·
18 min