Five days. Three events. One categorical shift for every team running AI agents in production.
On June 17, WitnessAI shipped Agentic Control GA, a single control plane that auto-discovers every AI agent running across IDEs, chat apps, and custom frameworks, enforces org-wide MCP allowlists, and inspects agentic conversations in-flight at runtime. Total funding: $85 million. Not a demo. Generally available.
On June 18, Microsoft Security Research disclosed AutoJack, a three-flaw exploit chain in AutoGen Studio that lets a single malicious web page deliver remote code execution on the host running your AI agent. Zero credentials required. The fix is in the upstream GitHub main branch; no patched stable PyPI release existed at disclosure.
The week before, Databricks announced Unity AI Gateway at Data + AI Summit 2026: MCP policy enforcement, runtime guardrails, and spend caps baked directly into the Lakehouse. A Tier-1 data platform vendor just entered the agent security gateway market.
Individually, each story is notable. Together, they mark the moment the AI agent security gateway shifted from early-adopter pilot to critical infrastructure.
AutoJack: The Mechanics Matter Beyond AutoGen
The AutoJack disclosure matters because it exposes a structural pattern, not an isolated product bug.
Microsoft's Defender Security Research team found three weaknesses chained in AutoGen Studio's MCP WebSocket handler:
- Origin allowlist bypass: a web page from any domain can reach the local MCP WebSocket by exploiting trust rules designed for same-origin scenarios
- Unauthenticated MCP endpoint: the WebSocket accepted commands without credential verification; the implicit assumption was that only local processes would ever reach it
- Unsafe shell parameter injection: commands were executed directly from URL request parameters with no allowlisting of permitted operations
The result: any site your browsing agent visits can spawn arbitrary host-level processes. No credentials. No user interaction.
The fix (commit b047730, upstream main branch) removes URL-based parameter reading entirely. Two pre-release PyPI builds, 0.4.3.dev1 and 0.4.3.dev2, that shipped the vulnerable handler remained unyanked as of disclosure.
The deeper point: localhost stops being a trust boundary the moment your agent browses the open web. Any framework that couples browser access with privileged local services faces a version of this problem. The attack surface is the execution environment, not the model.
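The three weaknesses above are each a missing check at the local endpoint. The following is an added example (not AutoGen Studio's code or the upstream fix) of what a hardened local MCP WebSocket handshake and dispatcher look like: exact-match Origin allowlist, bearer-token authentication compared in constant time, and a fixed operation registry so nothing from the request ever reaches a shell. The origins, token provisioning and operation names are assumptions.

```python
"""Hardened local MCP endpoint checks: origin allowlist, token auth,
operation allowlist. Added example; not any framework's real handler."""
import hmac
import json
import secrets
from typing import Optional

# Hypothetical config: only these exact origins may open the socket.
ALLOWED_ORIGINS = {"http://127.0.0.1:8081", "http://localhost:8081"}
# Per-process secret; a real deployment provisions it out of band (assumed).
SESSION_TOKEN = secrets.token_urlsafe(32)


def origin_allowed(origin: Optional[str]) -> bool:
    """Exact-match the Origin header; missing or foreign origins are rejected.
    Prefix/suffix matching is how 'same-origin' trust rules get bypassed."""
    return origin is not None and origin in ALLOWED_ORIGINS


def token_valid(auth_header: Optional[str], expected: str) -> bool:
    """Require 'Bearer <token>' and compare in constant time."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth_header[len("Bearer "):], expected)


def authorize_handshake(headers: dict, path: str, expected: str = SESSION_TOKEN) -> bool:
    """Gate the WebSocket upgrade. `path` (and any query string on it) is
    never consulted for authorization or commands: headers only."""
    return origin_allowed(headers.get("Origin")) and token_valid(
        headers.get("Authorization"), expected)


# Operation allowlist: names map to fixed, non-shell handlers (constructed).
OPERATIONS = {
    "list_tools": lambda params: ["echo"],
    "echo": lambda params: str(params.get("text", ""))[:256],
}


def dispatch(raw: str) -> dict:
    """Run one JSON message through the allowlist; unknown operations and
    malformed input are refused instead of being interpreted."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return {"error": "malformed"}
    op = msg.get("op")
    if op not in OPERATIONS:
        return {"error": "operation not allowed", "op": op}
    return {"result": OPERATIONS[op](msg.get("params") or {})}
```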
The Numbers Behind the Urgency
Before AutoJack, the governance gap was already alarming.
According to Gravitee's State of AI Agent Security 2026 report, 88% of organizations reported confirmed or suspected AI agent security incidents in the past year, rising to 92.7% in healthcare. More than half of all enterprise agents run without any security oversight or logging. The enterprise AI agent fleet roughly doubled between December 2025 and April 2026. Monitoring and accountability structures barely moved. Gartner's 2026 Hype Cycle for Agentic AI now explicitly lists governance, security, and cost control as defining signals alongside core agentic capabilities.
The Vendor Landscape Has Organized
The market has structured itself into five distinct layers (identity security, runtime security, AI gateways, MCP gateways, and red teaming) with no single vendor covering the full stack. Enterprises are layering deliberately:
WitnessAI (Agentic Control, GA June 17): operates at the network layer, no agent-side code changes required. Auto-discovers agents across enterprise environments; identifies the specific MCP servers, tools, and downstream systems each agent can reach; enforces a single org-wide approved-tool policy at runtime.
Databricks (Unity AI Gateway, DAIS 2026): Lakehouse-native governance. Contextual service policies allow, deny, or require human approval for specific agent actions (writing files, pushing code, querying sensitive tables) based on user identity, agent identity, model, MCP service, or the content of the request and response. Includes managed MCP services for Google Drive, Jira, Confluence, Slack, GitHub, and SharePoint out of the box.
Palo Alto Networks absorbed Portkey into its AI security portfolio; Cisco AI Defense expanded in early 2026 to add execution-layer runtime protections. Enterprise security teams on these platforms get agent gateway capabilities as part of their existing SASE and firewall stack.
Anatomy of an AI Agent Security Gateway
For teams evaluating the category, here is what a gateway does, distinct from prompt filters and output classifiers, which operate on model I/O:
Agent discovery and inventory: builds a real-time map of running agents, the tools and MCP servers they can reach, and the identities they run under. Most organizations have no such inventory today.
Tool and MCP access policy: allows or denies tool calls before they execute, based on agent identity, user context, request content, and org policy. This is the enforcement point that prevents an agent from reaching a database it should not touch, or interacting with an unvetted MCP server.
MCP endpoint authentication: AutoJack worked because the MCP WebSocket had no auth. Gateways impose credential verification at the MCP layer, eliminating the unauthenticated endpoint pattern that made AutoJack possible.
Audit trails: every tool call, MCP interaction, and agent action logged with agent identity, user identity, and full request context. The foundation for incident response, forensics, and compliance.
Spend control: AI agent costs are not bounded by human friction. An agent in a runaway loop can generate material spend in minutes. Gateway-level caps and routing intelligence address this as a budget and availability control alongside security.
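To make the enforcement point concrete, here is an added example (not any vendor's API) of a minimal gateway decision function covering three of the capabilities above: a per-agent tool allowlist, human approval for sensitive actions, and a spend cap, with every decision written to an audit record before anything executes. Agent names, tools and costs are constructed.

```python
"""Minimal agent gateway enforcement point: tool policy, approval gate,
spend cap, audit trail. Added example with assumed data shapes."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Policy:
    allowed_tools: Dict[str, Set[str]]   # agent_id -> tools it may call
    approval_required: Set[str]          # tools that need a human approval
    budget_usd: Dict[str, float]         # agent_id -> spend cap


@dataclass
class Gateway:
    policy: Policy
    spent: Dict[str, float] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def authorize(self, agent_id, user_id, tool, args, cost_usd, approved=False):
        """Decide before execution; the audit entry is written for every outcome."""
        decision, reason = "allow", "policy"
        if tool not in self.policy.allowed_tools.get(agent_id, set()):
            decision, reason = "deny", "tool not in agent allowlist"
        elif tool in self.policy.approval_required and not approved:
            decision, reason = "pending", "human approval required"
        elif self.spent.get(agent_id, 0.0) + cost_usd > self.policy.budget_usd.get(agent_id, 0.0):
            decision, reason = "deny", "spend cap exceeded"
        if decision == "allow":
            self.spent[agent_id] = self.spent.get(agent_id, 0.0) + cost_usd
        self.audit.append({"agent": agent_id, "user": user_id, "tool": tool,
                           "args": args, "decision": decision, "reason": reason})
        return decision


def demo_gateway() -> Gateway:
    """Constructed scenario: one agent, a $1.00 cap, one approval-gated tool."""
    policy = Policy(
        allowed_tools={"release-bot": {"read_table", "push_code"}},
        approval_required={"push_code"},
        budget_usd={"release-bot": 1.00},
    )
    gw = Gateway(policy)
    gw.authorize("release-bot", "alice", "read_table", {"table": "orders"}, 0.40)
    gw.authorize("release-bot", "alice", "push_code", {"repo": "app"}, 0.10)   # pending
    gw.authorize("release-bot", "alice", "drop_table", {"table": "orders"}, 0.0)  # deny
    gw.authorize("release-bot", "alice", "read_table", {"table": "orders"}, 0.70)  # over cap
    return gw
```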
The Updated Threat Model Every Engineering Team Needs
The execution layer is the primary attack surface. Security teams have spent two years hardening the model layer (prompt injection detection, content policies, guardrails). Those controls matter. But in 2026, attacks are materializing at the execution layer: the tools, shell access, file systems, and MCP endpoints agents can reach. AutoJack is the public proof-of-concept. Runtime enforcement at the execution boundary is no longer optional.
Localhost is not a trust boundary. Any agent that can browse the open web and communicate with local services can be weaponized by any web page it visits. Audit every local MCP server your agents can reach. Require authentication. Scope permissions to the minimum necessary.
Agent identity is the prerequisite for everything else. Only 21.9% of enterprise teams treat AI agents as independent, identity-bearing entities. Without dedicated agent identities (scoped credentials, separate audit trails, individual revocation), least-privilege enforcement and incident response are not achievable in practice.
Spend visibility is a security signal. Unexplained cost spikes are an incident indicator. Runaway agent behavior and adversarial over-consumption both manifest first as anomalous spend patterns.
What This Means for Teams Evaluating Agent Infrastructure
If you are not on a Lakehouse: The network-layer discovery approach (MCP-native authentication, org-wide policy that spans heterogeneous environments) is the right frame. The ability to govern agents you did not build, that arrived via IDE plugins or third-party frameworks, is as important as governing your own.
If you are on Databricks: Unity AI Gateway gives you governance native to the Lakehouse, deeply integrated with Unity Catalog's identity and lineage model. Plan explicitly for agents running outside the Lakehouse perimeter (CI pipelines, customer-facing products, developer machines).
In either case: Start with agent discovery. You cannot secure what you cannot see. Building a real-time inventory of running agents, their tool access, and the identities they run under is the prerequisite for everything else in the stack.
The Deeper Shift: From Guardrails to Gateways
For two years, "AI security" in the enterprise meant guardrails: output filters, content classifiers, prompt injection detectors. Those controls operate on model I/O. They do nothing when an agent calls an API it should not reach, or when a local MCP endpoint is exposed without authentication to a web-browsing agent.
A gateway operates differently. It sits between the agent and everything the agent can touch: APIs, databases, file systems, MCP servers, other agents. It enforces policy before an action executes, not after text is generated. It provides the same audit, revocation, and least-privilege model that network security teams have applied to human users for decades.
The category's emergence was predictable. The pace was not. AutoJack compressed the timeline. WitnessAI's GA and Databricks' market entry confirmed the direction. The question for engineering and security leadership is no longer whether an agent security gateway belongs in the stack. It is which one, and how fast.
At Datapace, agent security gateways and MCP governance are central to what we build. If you are working through this evaluation (mapping the vendor landscape, stress-testing your threat model, or understanding where a gateway fits in your existing stack), we would like to talk. If you are giving agents access to production data, book a call and we will walk through it on your stack.