Best AI Control Layers in 2026: 8 Compared
The AI control layer is the runtime enforcement plane between applications and models: gateway, guardrails, containment and policy in the request path — not the full lifecycle. This guide compares eight, weighting gateway, guardrails, containment and security, from open-source data planes to security-vendor platforms. For the broader lifecycle view, see the AI management platforms guide.
An AI control layer is the enforcement plane — the chokepoint where AI traffic is brokered, inspected, blocked and, at its strictest, sandboxed at runtime. It is narrower than an AI management platform: where the management category spans inventory through governance and compliance, a control layer's job is what happens to the request as it passes. This guide weights the four runtime axes — gateway, guardrails, containment and security — and scores inventory, compliance and evals only as they bear on enforcement.
The eight products split into three lineages: gateway-native control planes (Portkey, Kong, LiteLLM, agentgateway, TrueFoundry), security-vendor enforcement layers (Cisco AI Defense, Prisma AIRS), and one platform where the control layer is a governed slice of a full AI-management suite (Kosmoy). Every competitor claim is cited to the vendor's own material, and one line frames the whole comparison in the analyst register: the specialist owns its spoke; the platform holds the frontier. Watch the containment bar in particular — monitoring an agent is not containing it, and few products on this list actually sandbox.
What counts as AI control layers in 2026
What counts as an AI control layer in 2026 is runtime enforcement on AI traffic, not lifecycle management: a unified, usually OpenAI-compatible API over providers with routing and failover; in-path guardrails that block, not just log; containment for agents that act — scoped credentials, tool ACLs, and, at the strict end, sandboxed execution with a kill switch; and policy/RBAC on who can call what. The 2026 additions are protocol breadth (governing MCP tool calls and agent-to-agent traffic, not only LLM completions) and enforcement that stops a request rather than reporting it afterwards.
Containment is where the category separates. Most so-called agent control is authorization and policy — scoped identity, tool allow-lists, budget caps — which is real but is not isolation. Kernel-enforced sandboxing is rarer: Kosmoy's Action Capsule, Cisco's OpenShell for the OpenClaw runtime, and (on the management side) AWS's per-session Firecracker microVMs are the exceptions, not the rule. We give policy-level control partial credit and reserve high containment marks for isolated execution with a live kill switch.
How we scored the field
Every product is scored 0–10 on the same ten capability axes. A 10 is reserved for categorical architectural facts; specialists are expected to outscore platforms on their own spoke, and the scores show it.
Gateway & Policy Control
The core brokerage job and the heaviest-weighted axis here: provider breadth, routing/failover, rate limiting, caching, and MCP plus A2A coverage alongside LLM calls.
Guardrails & Runtime Safety
In-path prompt and response checks — PII, prompt injection, content policy — and whether they block synchronously or only log. Heavily weighted for this category.
Agent Containment
Sandboxed execution, scoped credentials and kill switches. Tool ACLs and spend caps are partial credit; monitoring an agent is not containment. Heavily weighted here.
Security & Shadow AI
Credential handling (key vaulting, scoped tokens), RBAC/SSO/SCIM, in-path threat protection, and shadow-AI detection. Heavily weighted for this category.
Observability & FinOps
Request logging and tracing, cost attribution and budget alerts — scored for how it supports enforcement, not as a full FinOps or tracing suite.
AI Inventory & Discovery
Registries of models, MCP servers and agents that the layer can enforce against — scored as it bears on runtime control, not as org-wide discovery.
Compliance & Audit
Tooling for the customer's obligations — EU AI Act, ISO/IEC 42001, NIST AI RMF evidence — scored above the vendor's own certificates.
Testing, Evals & Red-teaming
Testing, evaluation and red-teaming. Native adversarial suites score high; playground comparisons and cookbook guides score low.
Agent Building
Whether teams can build agents on the layer itself — mostly not, in this category — versus only governing agents built elsewhere.
Deployment Sovereignty
Where the software runs and what the vendor sees. SaaS-only scores low; self-hosted and air-gap-capable score high; 10 is reserved for architectures with no vendor control plane at all.
The field, scored
| Capability (0–10) | Kosmoy | Portkey | Kong AI Gateway | LiteLLM | agentgateway (Solo.io) | TrueFoundry | Cisco AI Defense | Palo Alto Prisma AIRS |
|---|---|---|---|---|---|---|---|---|
| AI Inventory & Discovery | 9 | 5 | 5 | 4 | 3 | 6 | 8 | 8 |
| Security & Shadow AI | 8 | 4 | 6 | 3 | 5 | 5 | 9 | 9 |
| Observability & FinOps | 7 | 9 | 7 | 8 | 6 | 8 | 4 | 6 |
| Gateway & Policy Control | 8 | 9 | 9 | 9 | 9 | 9 | 7 | 7 |
| Guardrails & Runtime Safety | 8 | 8 | 8 | 6 | 7 | 7 | 8 | 8 |
| Agent Containment | 9 | 4 | 4 | 3 | 4 | 6 | 7 | 5 |
| Compliance & Audit | 9 | 5 | 3 | 4 | 2 | 5 | 5 | 5 |
| Testing, Evals & Red-teaming | 4 | 3 | 0 | 1 | 0 | 4 | 8 | 8 |
| Agent Building | 6 | 2 | 2 | 4 | 3 | 4 | 1 | 1 |
| Deployment Sovereignty | 10 | 9 | 9 | 9 | 9 | 9 | 4 | 4 |
Bold marks the highest score on each row. 10 is reserved for categorical architectural facts; specialists are expected to outscore platforms on their own spoke.
Capability shape, vendor by vendor
Each panel shows one vendor across the same ten axes. Read it as area: a specialist climbs on its own spoke and falls away on the rest; a platform holds the frontier. The dashed outline is Kosmoy for reference.
The vendors, by buyer type
No single 1-to-N ranking survives contact with a real shortlist — the right pick depends on who is buying. Each vendor below is labeled with the buyer it fits best.
Kosmoy
AI management platformTeams that need runtime enforcement and the governance to prove it, self-hosted
A self-hosted control plane for enterprise AI: one inventory, one policy gateway, one audit trail and a containment sandbox for every model, agent and MCP server a company runs.
As a control layer, Kosmoy is one OpenAI-compatible policy point fronting LLM, MCP and A2A traffic: a Key Vault keeps provider credentials out of applications, RBAC and JIT run-scoped credentials govern access, agentic and algorithmic routing handle failover, and in-path guardrails — PII, toxicity, prompt-injection and EU AI Act risk checks — run fast-path sub-10ms and block synchronously (AI Gateway).
Its differentiator is containment. The Action Capsule wraps each agent, model or MCP server in a container plus a kernel-enforced sandbox (namespaces, cgroups v2, Seccomp, Landlock, AppArmor/SELinux) with default-deny egress, the paired gateway as the only door, and a live kill switch operated from Mission Control. Few products on this list actually isolate agent execution; this one does.
Honest limits: as a pure control layer Kosmoy is not the fastest or lightest — the open-source data planes below beat it on raw latency and edge simplicity — and it ships no eval or red-teaming suite and no free tier. Its edge is that enforcement is wired to inventory and compliance evidence, which standalone gateways lack; that fuller story is a management-platform decision, not a control-layer one.
Strengths
- Four registries — AI systems, models, MCP servers and a master agent registry that pulls agents from Azure AI Foundry, Bedrock, Vertex, Salesforce and ServiceNow into one list.
- One OpenAI-compatible gateway enforcing guardrails, RBAC, budgets and logging on every LLM, MCP and A2A call.
- Action Capsule: kernel-enforced sandboxing for agents, MCP servers and private models, with per-task credentials and a kill switch.
Limits
- No dedicated evaluation or red-teaming suite — teams pair Kosmoy with a specialist evals tool.
- The agent builder covers governed internal use cases; dedicated agent-development platforms go deeper.
- No free or self-service tier — procurement runs through an enterprise sales process.
Portkey
AI gateway & LLM-ops control planeThe deepest pure gateway control plane — now inside Palo Alto Networks
Portkey is an AI gateway and control plane for production AI — one API to 1,600+ models across 45+ providers, with observability, guardrails, prompt management and MCP/agent access control — acquired by Palo Alto Networks in May 2026.
Portkey is the most feature-complete gateway here: 1,600+ models across 45+ providers with retries, fallbacks, load-balancing and caching; 20+ guardrail checks that block synchronously (HTTP 446) or log asynchronously, plus a broad partner ecosystem; MCP and Agent gateways; and a sovereignty ladder from MIT open source to fully air-gapped (Portkey docs).
On containment it stays at policy level — scoped tool access, credential injection, budget and rate caps, with no sandbox or kill switch documented. And it now sits inside Prisma AIRS: Palo Alto Networks closed the acquisition on May 29, 2026, so the same gateway appears on this list twice — once as Portkey, once folded into the security platform below. The public docs changelog stops at April 2026.
Strengths
- Category-leading gateway breadth: one OpenAI-compatible API to 250+ LLMs and 1,600+ models across 45+ providers, with retries, fallbacks, load balancing and caching (gateway repo, MIT, ~12.4k stars).
- Deep LLM observability and FinOps: full request logging, 21+ metrics, per-key budgets and rate limits, OpenTelemetry and data-lake export (observability docs).
- A sovereignty ladder rare among gateways: open-source self-host, hybrid VPC data plane, and a documented fully air-gapped enterprise deployment (self-hosting docs).
Limits
- Does not document EU AI Act, ISO/IEC 42001 or NIST AI RMF evidence generation or AI risk classification as of July 15, 2026 (checked the enterprise-offering and feature-comparison docs).
- Inventory and governance cover only assets routed through the gateway — no discovery of AI systems or agents outside it.
- No first-class evals or red-teaming product, and no agent sandboxing or kill switch documented.
Kong AI Gateway
AI gateway on the Kong API platformAPI-platform teams extending proven gateway ops to AI and agent traffic
Kong AI Gateway is the AI extension of Kong's API gateway: a plugin-based data path that proxies, secures, rate-limits, caches and observes LLM, MCP and agent-to-agent traffic — self-managed or via the Konnect SaaS control plane.
Kong's control layer is continuity: the plugins, consumer ACLs and analytics the API team already operates, extended to AI. AI Gateway 3.14 (April 2026) covers LLM, MCP and A2A traffic in one runtime (release blog), with MCP Tool ACLs, OAuth2 scope-based tool filtering, token-aware rate limiting, semantic caching and inline prompt guards plus a PII sanitizer on a battle-tested Apache-2.0 core.
Enforcement is strong; containment is scope-based tool filtering, not sandboxing. Most AI security and analytics plugins require Enterprise or Konnect tiers, the MCP Registry is a tech preview, and there is no agent isolation, eval tooling or org-wide AI inventory.
Strengths
- Coverage of all three AI traffic patterns in one runtime — LLM, MCP and agent-to-agent (A2A) — since Agent Gateway went GA in AI Gateway 3.14 (April 2026); Kong calls it 'the most comprehensive AI gateway for the agentic era'.
- A mature, battle-tested open-source core: Kong/kong is Apache-2.0 with ~43.8k GitHub stars, active development, and DB-less, Kubernetes and hybrid deployment modes hardened on general API traffic.
- A deep MCP governance stack: per-tool ACLs via the ai-mcp-oauth2 plugin (3.13, January 2026), OAuth2 scope-based tool filtering, RFC 8693 token exchange, and an MCP Registry in tech preview (February 2026).
Limits
- Most AI security and analytics capabilities — semantic prompt guard, PII sanitizer, content-safety integrations, advanced token rate limiting, LLM usage analytics — require Enterprise or Konnect tiers; the free OSS tier covers mainly ai-proxy basics.
- Does not document EU AI Act, ISO/IEC 42001 or NIST AI RMF evidence generation, risk classification or governance workflows as of July 15, 2026 — its EU AI Act content is positioning, backed by audit logs.
- No pre-deployment evaluation, red-teaming or model-validation tooling documented.
LiteLLM
Open-source LLM proxy & AI gatewayOSS-first platform teams that want a self-hosted enforcement point
LiteLLM is BerriAI's open-source proxy and Python SDK that puts 100+ LLM providers behind one OpenAI-compatible API — with spend tracking, guardrails, MCP and A2A gateways, and an enterprise license that adds SSO, RBAC and audit logs on the same self-hosted deployment.
LiteLLM is the open-source default control layer: MIT core, roughly 53,600 GitHub stars, 100+ providers behind one API, budgets at every level from organization to key, built-in and policy-template guardrails, and the most mature MCP-gateway story in open source — server registry, access groups, OAuth 2.0 including On-Behalf-Of. The enterprise tier is a license key on your own deployment, air-gap included, and a Rust migration announced in June 2026 targets sub-1ms overhead by December (announcement).
As an enforcement plane it is a proxy, not a containment product — scoped virtual keys and revocation, no sandbox or kill switch — and its guardrails orchestrate third-party engines rather than shipping detection models. You run the infrastructure yourself, and there is no shadow-AI discovery beyond the proxy.
Strengths
- The de-facto standard open-source LLM gateway: ~53.6k GitHub stars, ~9.8k forks and weekly stable releases, fronting 100+ providers behind one OpenAI-compatible API (BerriAI/litellm).
- Deep FinOps for LLM traffic: budgets and spend attribution per organization, team, project, key and tag, soft-budget alerts, Prometheus and OpenTelemetry metrics, and tool-call tracing since Logs v2 (January 2026) (enterprise docs).
- The most mature MCP-gateway story among OSS gateways: an MCP server registry with per-server access groups, OAuth 2.0 including On-Behalf-Of, and controls over which MCP servers are exposed to the public internet (MCP deployment docs).
Limits
- Does not document EU AI Act, ISO/IEC 42001 or NIST AI RMF mapping, risk classification or compliance-evidence packs as of July 15, 2026; audit capability is gateway admin-action logs plus log export.
- No pre-deployment testing, evaluation or red-teaming offering for customer models and applications.
- No shadow-AI discovery: it cannot see or inventory AI usage that does not flow through the proxy.
agentgateway (Solo.io)
Cloud-native AI/agent gateway (Envoy + Rust data planes)Cloud-native and Envoy shops enforcing policy on agent traffic
agentgateway — the current name for what Solo.io formerly marketed as Gloo AI Gateway — is a Linux Foundation-governed, Rust-based open-source data plane for LLM, MCP and agent-to-agent traffic, sold commercially as Gloo Gateway 2.0 and Solo Enterprise for agentgateway.
agentgateway (formerly Gloo AI Gateway) is the infrastructure purist's control layer: a Rust data plane purpose-built for agent traffic — native MCP and A2A, tool federation, CEL-based RBAC, prompt guards and moderation integrations — donated to the Linux Foundation in August 2025 with contributions from AWS, Microsoft, Red Hat, IBM and Cisco (Linux Foundation).
It is a data plane, so it is a policy chokepoint rather than a sandbox — no agent isolation or kill switch, and air-gap support is not explicitly documented. The naming is in flux (Gloo AI Gateway to agentgateway to Solo Enterprise), and there is no compliance, eval or inventory layer around it.
Strengths
- Neutral open governance: agentgateway was donated to the Linux Foundation in August 2025, with contributions from AWS, Microsoft, Red Hat, IBM and Cisco (Linux Foundation press release).
- A purpose-built Rust data plane with native MCP and A2A protocol support — tool federation, OpenAPI-to-MCP conversion, OAuth for tools — deeper agent-protocol coverage than generic API gateways (agentgateway repo).
- Mature Envoy / Kubernetes Gateway API pedigree via kgateway (CNCF), with prompt guards, semantic caching, token-based rate limiting and model failover from the Gloo AI Gateway line.
Limits
- An infrastructure-layer product: no org-wide AI inventory, EU AI Act / ISO 42001 compliance tooling, evals or FinOps chargeback documented as of July 15, 2026.
- Product naming is in flux — Gloo AI Gateway is being folded into agentgateway / Gloo Gateway 2.0 / Solo Enterprise for agentgateway — which complicates evaluation and procurement.
- No public pricing; the enterprise editions require a sales engagement.
TrueFoundry
Enterprise AI gateway & Kubernetes-native ML platformKubernetes estates wanting enforcement plus model serving in one control plane
TrueFoundry is a Kubernetes-native enterprise AI platform that combines LLM, MCP and Agent gateways with model serving, fine-tuning and GPU orchestration — deployable as SaaS, hybrid, self-hosted or fully air-gapped.
TrueFoundry's control layer spans LLM, MCP and Agent gateways with declarative rate limiting, weight/latency/priority routing, built-in and roughly ten third-party guardrail integrations (validate or mutate modes), and per-agent identity with cost-velocity circuit breakers and instant tool-access revocation. It was named a Representative Vendor in Gartner's Market Guide for AI Gateways in February 2026 (press release), with an explicit air-gap install guide.
Containment is per-agent identity and circuit breakers, not a documented sandbox for agent code. It also bundles a full Kubernetes ML platform — serving, fine-tuning, fractional GPUs — which is more than a control layer needs: an advantage if you want both, overhead if you only want enforcement.
Strengths
- Full-stack gateway coverage — LLM, MCP and Agent gateways under one control plane — recognized as a Representative Vendor in the Gartner Market Guide for AI Gateways (February 2026).
- A documented air-gapped Kubernetes deployment: all images and Helm charts mirrored to a customer-controlled OCI registry, no outbound network dependencies, local IdP and SIEM (air-gap docs).
- Deep MCP governance: a central registry of approved MCP servers, Virtual MCP Servers that expose only curated tool subsets, per-user identity passthrough and OAuth token management (MCP access control).
Limits
- Does not document EU AI Act, ISO/IEC 42001 or NIST AI RMF mapping, evidence packs or AI-governance reporting as of July 15, 2026 — its compliance posture is SOC 2 Type 2, HIPAA and GDPR.
- No dedicated evaluation, LLM-testing or red-teaming suite — prompt versioning and A/B experimentation only.
- No native agent builder: the platform deploys and governs agents built elsewhere (LangGraph, CrewAI, AutoGen, custom).
Cisco AI Defense
Enterprise AI security suite embedded in a network-security portfolioNetwork-security teams enforcing AI and MCP policy in the fabric they own
Cisco AI Defense (built on the Robust Intelligence acquisition) combines employee AI-access control, AI asset discovery across clouds, algorithmic model validation and network-enforced runtime guardrails, expanded through 2026 to agentic/MCP governance and open-source agent sandboxing (DefenseClaw).
Cisco AI Defense (built on Robust Intelligence) is the control layer seen from network security: in-path runtime protection against prompt injection, denial of service and data leakage enforced in the network — Secure Access SSE, Hypershield eBPF, Multicloud Defense — without app code changes, plus real-time agentic guardrails and in-path MCP policy control added in February 2026. Its model and application validation and algorithmic red teaming are a genuine strength.
Uniquely on this list it ships documented open-source agent sandboxing: DefenseClaw's OpenShell isolates network, filesystem and syscalls with admission control (Cisco), though it is currently scoped to the OpenClaw runtime rather than arbitrary agent frameworks. It is not an LLM routing gateway or a FinOps tool, the control plane is Cisco's SaaS (no air-gap documented), and the strongest value assumes the broader Cisco stack.
Strengths
- Top-tier model validation and algorithmic red-teaming pedigree via the Robust Intelligence acquisition, continuously updated by Cisco-scale threat research (model validation).
- Enforcement fused into network infrastructure the enterprise already owns — Secure Access SSE, Hypershield eBPF enforcement points, switches — so guardrails apply without app code changes (Hypershield overview).
- Moved fastest among large vendors on agentic/MCP governance: AI BOM, MCP Catalog and in-path MCP policy control (February 2026), plus agent zero-trust IAM via Duo and Identity Intelligence (March 2026) (expansion announcement).
Limits
- Strongest value requires the broader Cisco stack (Secure Access, Hypershield, Duo, Identity Intelligence) — the standalone footprint is narrower.
- Sandboxing and containment (DefenseClaw/OpenShell) are currently scoped to the OpenClaw agent runtime, not arbitrary enterprise agent frameworks.
- No EU AI Act, ISO/IEC 42001 or NIST AI RMF compliance-evidence automation documented as of July 15, 2026.
Palo Alto Prisma AIRS
Enterprise AI security platform (model scanning, posture, red teaming, runtime and agent security) from a top-tier network-security vendorCISO teams putting AI security enforcement across the whole estate
Prisma AIRS is Palo Alto Networks' AI security platform spanning AI Model Security, AI Posture Management, AI Red Teaming, AI Runtime Security and AI Agent Security, assembled by folding in the Protect AI, Koi and Portkey acquisitions.
Palo Alto Prisma AIRS is the security-vendor control layer, assembled from acquisitions. AI Runtime Security blocks 30+ prompt-injection and jailbreak techniques, scans 1,000+ sensitive-data patterns and filters toxic content via in-code (API Intercept) or inline (Network Intercept) enforcement; AI Red Teaming and Protect AI model scanning add pre-deployment testing; and Prisma AIRS 3.0 (March 2026) adds agent discovery, governed agent identity and an AI Agent Gateway in limited preview (Prisma AIRS 3.0).
Its gateway story is the Portkey acquisition, closed May 29, 2026 — so Portkey appears on this list both standalone and as the runtime control plane inside Prisma AIRS. Containment is scoped identity and gateway policy, not sandboxed execution; deployment is SaaS-centric with no documented air-gapped control plane (Portkey's air-gap heritage is not yet offered here); and there is no EU AI Act or ISO 42001 evidence automation. Palo Alto reports it was named a Gartner 'Company to Beat' in AI security.
Strengths
- Widest AI-security surface among large vendors — model scanning, posture management, red teaming, runtime protection and agent security — assembled by folding in Protect AI, Koi and Portkey (Prisma AIRS 3.0).
- Prisma AIRS 3.0 (March 2026) moves from observing AI to authorizing autonomous execution: agent discovery across cloud, SaaS and endpoints, agent artifact scanning, governed agent identity with scoped permissions and audit trail, and an AI Agent Gateway control plane (3.0 launch).
- The Portkey acquisition (closed May 29, 2026) folds in a production AI gateway that had been routing to 250+ LLMs, giving Prisma AIRS runtime traffic control plus observability that pure detection tools lack (Portkey acquisition).
Limits
- Primarily SaaS (Strata Cloud Manager control plane); Palo Alto does not document a self-hosted or air-gapped Prisma AIRS control plane as of July 15, 2026, and Portkey's air-gapped heritage is not yet offered as a Prisma AIRS option.
- Key agentic pieces are newly acquired or in limited preview — the AI Agent Gateway is described as limited preview and the Portkey acquisition only closed in May 2026 — so end-to-end integration maturity is still unproven.
- Containment is scoped agent identity plus gateway policy enforcement, not sandboxed or isolated execution; no runtime agent-isolation environment is documented as of July 15, 2026.
Questions buyers ask
What is an AI control layer?
The runtime enforcement plane between applications and models: a gateway that brokers AI traffic, guardrails that inspect and block prompts and responses in-path, containment for agents that take actions, and policy or RBAC on who can call what. It is narrower than an AI management platform — it governs the request as it passes, rather than the whole lifecycle from inventory to compliance evidence.
Is an AI control layer the same as an AI gateway?
The gateway is the core of a control layer, but not the whole of it. A gateway brokers traffic — one API over many providers, with routing and budgets. A control layer adds the enforcement around that path: in-path guardrails that block, containment for agents, and policy on tool and model access. Every product in this guide is a gateway or more; what separates them is how far past routing their enforcement reaches.
Which AI control layer actually sandboxes agents?
Few. On this list, Kosmoy's Action Capsule is a kernel-enforced sandbox (namespaces, cgroups v2, Seccomp, Landlock, AppArmor/SELinux) with default-deny egress and a live kill switch, and Cisco's DefenseClaw ships an OpenShell sandbox scoped to the OpenClaw runtime. Most others — Portkey, Kong, LiteLLM, agentgateway, TrueFoundry, Prisma AIRS — provide policy-level control (scoped identity, tool ACLs, budget caps, revocation) rather than isolated execution. That distinction is why containment is scored strictly here.
Portkey and Prisma AIRS both appear here — are they the same product?
They overlap by acquisition. Palo Alto Networks acquired Portkey and closed the deal on May 29, 2026, folding it into Prisma AIRS as the runtime gateway control plane. We list both because the buying paths still differ: you can self-host Portkey's MIT-licensed open-source gateway directly, or procure it as part of the Prisma AIRS security platform with Palo Alto's runtime protection, red teaming and agent security around it. Note that Portkey's air-gapped deployment heritage is not yet documented as a Prisma AIRS option.
Which AI control layer is best for regulated or air-gapped environments?
The self-hostable options are Kosmoy (single-tenant Kubernetes, air-gap capable, kill-switch containment), LiteLLM (MIT core, explicit air-gap), and TrueFoundry and Portkey (both with documented air-gapped tiers); Kong markets air-gap for Enterprise. Cisco AI Defense and Prisma AIRS run SaaS control planes with no documented air-gapped control plane, and agentgateway does not explicitly document air-gap. For regulated buyers who also need compliance evidence from the enforcement path, Kosmoy ties the two together.
Can I run a control layer and a management platform together?
Yes — everything here speaks OpenAI-compatible APIs, so a control layer chains or serves a population while a broader platform holds inventory, compliance evidence and containment. A common pattern pairs a developer-facing gateway (LiteLLM, Kong, Portkey) with a governed path to production that adds the org-wide inventory and audit evidence a pure control layer lacks. Migration in either direction is configuration, not a rewrite.
Methodology
Each vendor was scored 0-10 on the ten axes above from a dossier of its own documentation, changelogs, repositories and press, verified as of July 15, 2026. This category weights the four runtime axes — gateway, guardrails, containment and security — most heavily, and scores inventory, compliance and evals only as they bear on enforcement. Competitor performance and scale numbers are reported as the vendor's claims with citations, never as our measurements. A 10 is reserved for categorical architectural facts, any score of 7 or higher must be defensible from cited evidence, and gaps are phrased 'does not document X as of July 15, 2026.'
Two roster notes. First, containment is scored strictly: monitoring or authorizing an agent is not containing it, so scoped identity, tool ACLs and budget caps earn partial credit while only isolated execution with a kill switch earns high marks. Second, Portkey appears twice by design — as a standalone gateway and as the runtime control plane inside Prisma AIRS after the May 29, 2026 acquisition — because a buyer can adopt the open-source gateway directly or procure it through Palo Alto Networks, and the two paths differ. Pure observability tools that watch without brokering are out of scope.
Disclosure: Kosmoy publishes this guide. The mitigations are structural — every competitor claim is cited to that competitor's material, every entry carries its limits (including ours), and the verdict names a competitor for four of the five buyer situations. For the broader lifecycle decision behind a control layer, the AI management platforms guide applies the same evidence standard.
Sources
Every factual claim about another vendor on this page traces to that vendor's own published material or a named third-party source below.
- Kosmoy AI Gateway — one policy point for LLM, MCP and A2A — accessed July 15, 2026
- Kosmoy Action Capsule — kernel-enforced agent sandbox and kill switch — accessed July 15, 2026
- Kong AI Gateway 3.14 release (LLM, MCP and A2A in one runtime, April 2026) — accessed July 15, 2026
- Linux Foundation welcomes the agentgateway project (August 2025) — accessed July 15, 2026
- LiteLLM Rust migration announcement (GitHub issue #31263, June 2026) — accessed July 15, 2026
- TrueFoundry recognized as a Representative Vendor in the Gartner Market Guide for AI Gateways (Feb 2026) — accessed July 15, 2026
- Cisco redefines security for the agentic era — AI Defense expansion (Feb 2026) — accessed July 15, 2026
- Cisco DefenseClaw is live — OpenShell agent sandbox (March 2026) — accessed July 15, 2026
- Palo Alto Networks secures agentic AI with Prisma AIRS 3.0 (March 2026) — accessed July 15, 2026
- Palo Alto Networks completes acquisition of Portkey (May 29, 2026) — accessed July 15, 2026
- Kosmoy Platform — accessed July 15, 2026
- Kosmoy AI Compliance — accessed July 15, 2026
- Portkey open-source gateway repository — accessed July 15, 2026
- Portkey docs — what is Portkey — accessed July 15, 2026
- Portkey docs — plan & feature comparison (SaaS / hybrid / air-gapped) — accessed July 15, 2026
- Portkey docs — observability — accessed July 15, 2026
- Portkey docs — guardrails — accessed July 15, 2026
- Portkey docs — MCP gateway — accessed July 15, 2026
- Portkey pricing — accessed July 15, 2026
- Kong AI Gateway product page — accessed July 15, 2026
- A2A support press release (PR Newswire, April 2026) — accessed July 15, 2026
- MCP Tool ACLs announcement (AI Gateway 3.13, January 2026) — accessed July 15, 2026
- Kong MCP Registry press release (February 2026) — accessed July 15, 2026
- Konnect LLM usage reporting docs — accessed July 15, 2026
- Kong EU AI Act positioning blog — accessed July 15, 2026
- Kong/kong GitHub repository — accessed July 15, 2026
- Kong pricing — accessed July 15, 2026
- LiteLLM GitHub repository (stars, license, activity) — accessed July 15, 2026
- LiteLLM README (100+ providers, MCP/A2A, performance claims) — accessed July 15, 2026
- LiteLLM enterprise docs (features, SLAs, air-gap, pricing by quote) — accessed July 15, 2026
- LiteLLM release notes index (2026 releases) — accessed July 15, 2026
- Guardrail policy templates (incl. offline/air-gapped mode) — accessed July 15, 2026
- MCP deployment docs (registry, exposure controls, air-gap guidance) — accessed July 15, 2026
- litellm-agent-runtime (per-session VM coding-agent runtime) — accessed July 15, 2026
- agentgateway GitHub repository — accessed July 15, 2026
- kgateway GitHub repository (CNCF) — accessed July 15, 2026
- Solo.io — Introducing Gloo Gateway 2.0 — accessed July 15, 2026
- Gloo AI Gateway docs overview — accessed July 15, 2026
- TechCrunch — Solo.io $135M at $1B valuation (2021) — accessed July 15, 2026
- TrueFoundry air-gapped deployment docs — accessed July 15, 2026
- TrueFoundry AI Gateway product page — accessed July 15, 2026
- TrueFoundry guardrails overview — accessed July 15, 2026
- Agent Gateway launch press release (Businesswire, June 2, 2026) — accessed July 15, 2026
- TrueFailover launch (VentureBeat, January 2026) — accessed July 15, 2026
- Seldon AI acquisition (SiliconANGLE, June 25, 2026) — accessed July 15, 2026
- aitori repository (v0.1.0, June 25, 2026, Apache-2.0) — accessed July 15, 2026
- Enterprise MCP access control blog — accessed July 15, 2026
- Cisco AI Defense product page — accessed July 15, 2026
- Cisco AI Defense data sheet — accessed July 15, 2026
- Cisco RSA 2026 agentic workforce announcement (Mar 2026) — accessed July 15, 2026
- DefenseClaw GitHub repository — accessed July 15, 2026
- Prisma AIRS product page — accessed July 15, 2026
- Protect AI acquisition completed (Jul 22, 2025) — accessed July 15, 2026
- Koi acquisition completed — Agentic Endpoint Security (Apr 14, 2026) — accessed July 15, 2026
- AI Runtime Security API Intercept overview (deployment/SDK) — accessed July 15, 2026
- Prisma AIRS API on AWS Marketplace (SaaS/pricing) — accessed July 15, 2026
- Prisma AIRS runtime-security review (deployment, guardrail scope) — accessed July 15, 2026
Shortlisting for a regulated environment?
Kosmoy puts an inventory, a policy gateway and a containment sandbox around every AI your teams run — in your own Kubernetes.
Or email sales@kosmoy.com.