NetFoundry Brings Zero Trust to AI Agents and LLM Gateways

What’s Happening

NetFoundry has announced the expansion of its AI Enclave solution with the addition of enterprise-grade MCP (Model Context Protocol) and LLM gateways, bringing its Identity-First Reachability model directly to AI infrastructure. According to the company, the new gateways assign a cryptographic identity to every AI agent, MCP server, and LLM endpoint, so that no inbound ports are exposed and no API keys need to be distributed to agents. The company also claims organizations can reduce AI token costs by up to 50% through semantic routing, while tightening security posture across self-hosted, cloud, and hybrid AI deployments. NetFoundry is also opening an Accelerator Program offering early access to a forthcoming Agent2Agent (A2A) zero-trust fabric for governed inter-agent communication.

The Bigger Picture

Agentic AI Has Outpaced Enterprise Security Architecture

Enterprises today are deploying agentic AI at a pace that existing network security architectures were not designed to handle. Traditional perimeter-based controls assume a relatively stable, bounded set of services and identities. Agentic AI breaks both assumptions. Agents discover and interact with tools dynamically, MCP servers are broadly reachable by design, and API keys proliferate across teams and workflows in ways that resist centralized governance.

According to ECI Research’s 2025 AI Builder Summit survey, two-thirds of enterprise AI leaders have already implemented multi-agent collaboration, in which agents coordinate and delegate tasks among themselves, in live or pilot workflows. That is a substantial installed base of production agentic systems, most of which were built before purpose-built zero-trust AI infrastructure existed. The security implications are not hypothetical: industry research notes that existing SASE architectures struggle to govern AI traffic because AI applications frequently make direct API calls that bypass traditional control points.

NetFoundry’s answer to this is architectural, not additive. Rather than layering security policies on top of reachable infrastructure, the company’s identity-first model removes reachability from the equation entirely. Inbound ports stay closed. Unauthorized agents cannot reach MCP servers or LLM endpoints because those endpoints do not appear on the network until identity and policy authorize the interaction. Denied tools are removed from the agent’s view of the tool registry rather than checked on each call. That distinction matters operationally: a per-call check can be bypassed, misconfigured, or lag behind policy updates; a registry entry that was never created cannot. The practical trade-off of any registry-filtering design is that enforcement moves to session setup, so a policy change only affects sessions built after it, and sessions that are already open have to be re-evaluated or expired for a revocation to take effect.

What This Means for IT Decision-Makers

For ITDMs, the conversation here operates on two budgetary axes simultaneously: security spend and AI inference spend.

On security, the attack surface created by distributed AI infrastructure is real and growing. Every API key in a developer’s environment, every MCP server reachable on a corporate network, and every LLM endpoint with an open port is a potential entry vector. NetFoundry’s claim that vulnerability exploitation is the top breach vector today sits alongside a broader pattern ECI Research has documented: an average of 1,876 weekly cyberattack incidents per organization in Q3 2024, a 75% year-over-year increase. The implication is that AI deployments are expanding the attack surface at exactly the moment attack frequency is accelerating.

On cost, the LLM Gateway’s three-layer semantic routing cascade (heuristics first, then embeddings, then an optional LLM classifier) routes each request to a model chosen for cost, latency, or data sensitivity. The claimed 50% token cost reduction would be meaningful at enterprise scale, where inference costs across dozens of teams and thousands of daily requests can become a significant and largely ungoverned line item. Per-identity cost tracking and budget enforcement give finance and platform teams visibility into AI spend by team and project, aimed at a governance gap that most organizations have not yet closed.
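To make the cascade concrete, here is an added example of the pattern described above: a three-layer router (regex heuristics, an embedding-style similarity match, and an optional classifier callback) with a per-identity budget check in front of the chosen model. It is illustrative code written for this article, not NetFoundry’s gateway. The model catalogue, prices, latency classes, intent prototypes, sensitivity regex, and the four-characters-per-token estimate are all constructed assumptions, and the bag-of-words cosine stands in for a real embedding model so the example runs offline.

```python
"""Toy three-layer routing cascade with per-identity budgets (added example, not NetFoundry's code)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed model catalogue: USD per 1k tokens, latency class, and whether the model is
# self-hosted. In this example only the self-hosted tier may see sensitive data.
MODELS = {
    "local-small": {"usd_per_1k": 0.0, "latency": "low", "self_hosted": True},
    "cloud-fast": {"usd_per_1k": 0.5, "latency": "low", "self_hosted": False},
    "cloud-large": {"usd_per_1k": 15.0, "latency": "high", "self_hosted": False},
}

# Layer 1: cheap heuristics. Illustrative patterns (SSN-shaped numbers, credential labels),
# not a complete DLP ruleset.
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|(?:api[_-]?key|secret|password)\s*[:=]", re.I)

# Layer 2: intent prototypes. A real gateway would use an embedding model; bag-of-words
# cosine is a stand-in so this runs offline. Each prototype maps to a target model.
PROTOTYPES = {
    "trivial": ("hello thanks yes no ok hi", "local-small"),
    "routine": ("summarize rewrite translate format list extract", "cloud-fast"),
    "hard": ("prove analyze design architecture tradeoff reason plan", "cloud-large"),
}
EMBED_THRESHOLD = 0.25  # below this similarity the cascade falls through to layer 3


def _vec(text: str) -> Counter:
    return Counter(re.findall(r"[a-z]+", text.lower()))


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[w] * b[w] for w in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def estimate_tokens(text: str) -> int:
    return max(1, len(text) // 4)  # rough approximation, enough for budget accounting


class BudgetExceeded(Exception):
    pass


@dataclass
class Decision:
    model: str
    layer: str  # cascade layer that decided: heuristic / embedding / classifier / default
    est_usd: float


class Router:
    def __init__(self, budgets_usd: dict[str, float],
                 classifier: Optional[Callable[[str], str]] = None):
        self.budgets = dict(budgets_usd)
        self.spent: dict[str, float] = {i: 0.0 for i in budgets_usd}
        self.classifier = classifier  # layer 3, optional: an LLM-backed classifier

    def _choose(self, prompt: str) -> tuple[str, str]:
        if SENSITIVE.search(prompt):
            return "local-small", "heuristic"  # sensitive data stays on the self-hosted tier
        v = _vec(prompt)
        best, score = None, 0.0
        for proto, model in PROTOTYPES.values():
            s = cosine(v, _vec(proto))
            if s > score:
                best, score = model, s
        if best and score >= EMBED_THRESHOLD:
            return best, "embedding"
        if self.classifier:
            model = self.classifier(prompt)
            if model in MODELS:
                return model, "classifier"
        return "cloud-fast", "default"

    def route(self, identity: str, prompt: str) -> Decision:
        """Pick a model for this identity's request and charge its estimated cost to the budget."""
        if identity not in self.budgets:
            raise PermissionError(f"unknown identity {identity!r}")
        model, layer = self._choose(prompt)
        est = estimate_tokens(prompt) / 1000 * MODELS[model]["usd_per_1k"]
        if self.spent[identity] + est > self.budgets[identity]:
            raise BudgetExceeded(f"{identity}: would reach {self.spent[identity] + est:.4f} USD, "
                                 f"budget {self.budgets[identity]:.4f} USD")
        self.spent[identity] += est
        return Decision(model, layer, est)


def route_or_deny(router: Router, identity: str, prompt: str) -> str:
    """Model name, or 'DENIED' when the per-identity budget refuses the request."""
    try:
        return router.route(identity, prompt).model
    except BudgetExceeded:
        return "DENIED"


if __name__ == "__main__":
    r = Router({"agent-support": 0.01, "agent-research": 1.0})
    for who, p in [("agent-support", "Customer SSN 123-45-6789 needs a refund"),
                   ("agent-support", "Summarize this and list the key points"),
                   ("agent-support", "Analyze the architecture tradeoff and design a plan"),
                   ("agent-research", "Analyze the architecture tradeoff and design a plan")]:
        print(who, "->", route_or_deny(r, who, p), "spent", round(r.spent[who], 4))
```

Note the ordering: the sensitivity heuristic runs before any similarity scoring, so a prompt containing an SSN-shaped string never reaches a cloud model regardless of how "hard" it looks, and the budget check is applied to the model actually chosen rather than to the request in the abstract.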

The combined value proposition (reduced attack surface plus reduced inference spend) positions the product in a category that does not yet have an obvious incumbent. Security vendors have not traditionally owned AI routing logic, and AI infrastructure vendors have not traditionally owned zero-trust network architecture. NetFoundry’s move to merge both is strategically differentiated, at least for now.

What This Means for Developers

For developers and platform engineers, the practical friction reduction matters as much as the security architecture. One of the most consistent complaints from engineering teams deploying AI agents is the operational overhead of managing API keys, firewall rules, VPN configurations, and network routing policies across environments. NetFoundry’s model may eliminate the need to manage inbound port rules or distribute API keys to agents entirely.

The MCP Gateway’s support for multi-backend aggregation, tool namespacing, and per-client session isolation could address real operational complexity in multi-agent deployments. Platform teams define which tools are available to which agents at the identity and policy layer, and those restrictions propagate through the system without runtime enforcement overhead. The unified audit trail, from agent request through LLM call to tool invocation, may give platform engineers the observability they need to debug agentic workflows without stitching together logs from multiple disconnected systems.
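The registry-filtering idea from The Bigger Picture and the aggregation, namespacing and session-isolation features described just above come together in the following added example, a toy MCP-style gateway written for this article rather than NetFoundry’s product. Backend names, tool names, the glob-based policy format, the session object and the audit list are all constructed assumptions. The point it demonstrates: each identity gets its own registry built from policy at session setup, so a tool the policy denies is not present to be listed or called, and a later policy change is detected as a stale session rather than silently ignored.

```python
"""Toy identity-scoped MCP-style tool registry (added example, not NetFoundry's code)."""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

# Constructed sample: two backend MCP servers, each exposing a few tool names.
BACKENDS: dict[str, list[str]] = {
    "search": ["web_search", "site_search"],
    "crm": ["lookup_customer", "export_customers", "delete_customer"],
}

# Constructed sample policy: identity -> glob patterns over namespaced tool names.
# Anything not matched is simply never registered for that identity.
POLICY: dict[str, list[str]] = {
    "agent-support": ["search.*", "crm.lookup_customer"],
    "agent-research": ["search.web_search"],
}


class UnknownTool(KeyError):
    """Raised when a session calls a tool that is not in its registry."""


def aggregate(backends: dict[str, list[str]]) -> dict[str, tuple[str, str]]:
    """Merge backends into one namespaced registry: 'crm.lookup_customer' -> ('crm', 'lookup_customer')."""
    return {f"{ns}.{tool}": (ns, tool) for ns, tools in backends.items() for tool in tools}


def build_registry(identity: str, full: dict[str, tuple[str, str]],
                   policy: dict[str, list[str]]) -> dict[str, tuple[str, str]]:
    """Keep only the tools this identity's policy patterns match. Unknown identities get nothing."""
    patterns = policy.get(identity, [])
    return {name: target for name, target in full.items()
            if any(fnmatch.fnmatchcase(name, p) for p in patterns)}


@dataclass
class Session:
    identity: str
    registry: dict[str, tuple[str, str]]  # this client's view; other sessions never share it
    policy_version: int
    calls: list[tuple[str, str]] = field(default_factory=list)  # audit trail: (tool, backend)

    def list_tools(self) -> list[str]:
        return sorted(self.registry)

    def call_tool(self, name: str, args: dict) -> str:
        # No per-call policy check: if the tool is not in this session's registry it does not exist.
        try:
            ns, tool = self.registry[name]
        except KeyError:
            raise UnknownTool(name) from None
        self.calls.append((name, ns))
        return f"{ns}:{tool}({sorted(args.items())})"  # stand-in for forwarding to the backend


class Gateway:
    def __init__(self, backends: dict[str, list[str]], policy: dict[str, list[str]]):
        self.full = aggregate(backends)
        self.policy = dict(policy)
        self.version = 1

    def open_session(self, identity: str) -> Session:
        """Enforcement happens here, once, when the authenticated identity connects."""
        return Session(identity, build_registry(identity, self.full, self.policy), self.version)

    def update_policy(self, identity: str, patterns: list[str]) -> None:
        self.policy[identity] = list(patterns)
        self.version += 1  # existing sessions keep their old registry until rebuilt

    def is_stale(self, session: Session) -> bool:
        return session.policy_version != self.version


def is_denied(session: Session, name: str) -> bool:
    """True when the tool is absent from the session's registry (the call never reaches a backend)."""
    try:
        session.call_tool(name, {})
        return False
    except UnknownTool:
        return True


if __name__ == "__main__":
    gw = Gateway(BACKENDS, POLICY)
    s = gw.open_session("agent-support")
    print(s.list_tools())
    print(s.call_tool("crm.lookup_customer", {"id": 7}))
    print("delete denied:", is_denied(s, "crm.delete_customer"))
    gw.update_policy("agent-support", ["search.web_search"])
    print("session stale after policy change:", gw.is_stale(s))
```

Because the registry is the only thing `call_tool` consults, a forgotten check in some handler cannot widen access; the failure mode to plan for instead is the one `is_stale` exposes, namely sessions that outlive the policy they were built from.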

The Accelerator Program’s focus on Agent2Agent communication is worth tracking. As multi-agent orchestration matures, the question of how agents communicate with each other securely and in a governed way becomes non-trivial. A zero-trust fabric for inter-agent communication, if it delivers on the architectural promise of the MCP and LLM gateways, would extend NetFoundry’s security model to the entire agent collaboration layer.

What’s Next

The AI Security Category Will Consolidate Quickly

The MCP and LLM gateway space is in its earliest commercial phase, but it will not stay nascent for long. ECI Research’s 2025 AI Builder Summit data shows that 44% of enterprise AI leaders have only moderate confidence that AI agents can act autonomously without human intervention. That confidence gap creates a clear opening for vendors who can offer not just capability but verifiable governance and auditability. The goal of NetFoundry’s audit trail from agent to LLM call to tool invocation is to address the governance layer that CISOs and compliance teams are demanding before they approve production agentic deployments.

Governed AI Infrastructure as Procurement Criterion

Looking ahead to 2026–2027, we expect zero-trust AI infrastructure to transition from a differentiator to a procurement requirement in regulated industries. NetFoundry already counts healthcare and financial services organizations among its customers, and both sectors face regulatory pressure that makes ungoverned AI agent access to sensitive data a compliance liability, not just a risk management concern. Organizations that establish governed AI infrastructure now will have a structural advantage when regulatory frameworks around agentic AI access controls become mandatory. Those that do not will face retrofitting costs that are substantially higher than greenfield deployment. Platform teams that are currently selecting AI infrastructure should treat identity-native, zero-trust connectivity as a baseline requirement rather than an optional capability.

Authors

  • Sam Weston

    With over 15 years of hands-on experience in operations roles across legal, financial, and technology sectors, Sam Weston brings deep expertise in the systems that power modern enterprises such as ERP, CRM, HCM, CX, and beyond. Her career has spanned the full spectrum of enterprise applications, from optimizing business processes and managing platforms to leading digital transformation initiatives.

    Sam has transitioned her expertise into the analyst arena, focusing on enterprise applications and the evolving role they play in business productivity and transformation. She provides independent insights that bridge technology capabilities with business outcomes, helping organizations and vendors alike navigate a changing enterprise software landscape.

  • Paul Nashawaty

    Paul Nashawaty, Practice Leader and Lead Principal Analyst, specializes in application modernization across build, release and operations. With a wealth of expertise in digital transformation initiatives spanning front-end and back-end systems, he also possesses comprehensive knowledge of the underlying infrastructure ecosystem crucial for supporting modernization endeavors. With over 25 years of experience, Paul has a proven track record in implementing effective go-to-market strategies, including the identification of new market channels, the growth and cultivation of partner ecosystems, and the successful execution of strategic plans resulting in positive business outcomes for his clients.
