Contents

• Using the IGT-AI framework to evaluate MCP gateways

• Interesting content for the week

• Feedback & share

• Upcoming conferences

• My services: API governance consulting

Using the IGT-AI framework to evaluate MCP gateways

MCP gateways are a specialised proxy layer that acts as a central control plane between AI agents and an ecosystem of MCP servers and their tools. MCP gateways provide a single, unified, and secure point of access to MCP servers, providing authentication, monitoring, audit trails, and access control.

I originally created my IGT-AI framework for evaluating AI gateways, but I have now extended it to cover MCP gateways as well. The IGT-AI MCP gateway risk model identifies key risks that MCP gateways mitigate. I use my model to evaluate gateways from a governance/risk perspective. Below is an illustration of my initial version of the risk model.

A description of the key categories in the current version of the risk model is described below.

Categories of the IGT-AI Risk Model

Security and access risks

Prompt injection: Attackers can use malicious inputs (directly or via external data) to trick an agent into executing harmful, unintended actions through an MCP server, such as calling a dangerous tool or overriding safety policies.

Token theft: A compromised MCP server can lead to the theft of high-value secrets like OAuth tokens and API keys, granting attackers persistent access to connected services.

Privilege abuse: A malicious request from a user can trick an MCP server into accessing resources that the user should not have access to, violating security boundaries.

Supply chain and trust risks

Tool poisoning and rug pull attacks: In tool poisoning attacks, an attacker compromises the metadata and descriptions of an MCP tool, embedding hidden malicious instructions. Because the AI agent reads and trusts the information, it can be tricked into executing these hidden instructions, performing unintended actions. In a rug pull attack, an initially trusted MCP server is later updated with a malicious version, without the host being aware. The malicious version can use the trust established earlier to perform harmful actions.

Tool shadowing: Attackers create rogue MCP servers or tools that mimic legitimate ones. The rogue server registers itself with name, metadata, and functionality that mimics a legitimate server. AI agents or users may unknowingly interact with the malicious shadow server, leading to data interception, credential harvesting, or execution of harmful payloads.

Operational risks

Poor observability: No visibility into how MCP servers are being used, making it difficult to detect misuse, performance issues, or security incidents.

Tool Sprawl Risks

MCP Server Sprawl: A proliferation of MCP servers across an organization can lead to management challenges, inconsistent security policies, and increased attack surface.

Examples of MCP gateways

Using the IGT-AI MCP risk model, I'll be evaluating several MCP gateways for my clients. Here are some gateways in my initial list:

1. Lunar MCP Gateway: Lunar offers centralised access control to MCP servers, built-in metrics, and tool hardening, among other features.

2. Docker MCP Gateway: One interesting feature of the Docker MCP Gateway is that it provides isolation: it runs and manages the lifecycle of MCP servers in isolated Docker containers, controlling privileges, network access, and resource usage.

3. Agentgateway: An open-source, cloud-native MCP and A2A gateway. Among other MCP gateway features, it provides a way to expose API endpoints as MCP server tools.

4. IBM MCP Context Forge: An open-source MCP gateway and registry. Along with typical MCP control plane features, it also offers the ability to expose REST endpoints and gRPC as MCP tools. It comes with OTel observability built in and can be run in an air-gapped environment.

5. LiteLLM MCP Gateway: LiteLLM MCP gateway supports OAuth 2.0 client credentials for MCP servers, SSO integration, and REST API to MCP tool conversion.

6. MintMCP Gateway: A SaaS MCP gateway (self-hosted on the roadmap) with fully managed OAuth, that runs MCP servers in the cloud.

7. Traefik MCP Gateway: Implements the OAuth 2.1 and 2.0 resource server specification for MCP servers. It offers Task-Based Access Control (TBAC) which is fine-grained authorisation of agents based the tasks they perform, tools they access and parameter-level transaction constraints.

👉 Interested in my evaluation report? Get in touch!

Interesting content for the week

Runtime AI Governance

MCP Apps: Extending servers with interactive user interfaces: A proposal for the MCP Apps Extension (SEP-1865). This extension will standardises support for interactive user interfaces within the Model Context Protocol (MCP), addressing fragmentation risk created by previous custom implementations.

The MCP Registry Opportunity: Bruno Pedro shares how MCP is becoming the standard way to find and use third-party tools.

Was MCP a mistake? The internet weighs in: “MCP tools eat up a lot of context…” - Bill Prin analysis the problems highlighted by Anthropic and how it is being solved.

The Maturing of MCP: In this analysis, Cody Nolden reflects on the evolution of the Model Context Protocol in 2025, arguing that while the protocol has delivered significant productivity gains for individual users, enterprise adoption has taken a more "measured pace" than initially promised.

Introducing Galileo Tracing for Zuplo AI Gateway: Martyn Davies, introduces the new Galileo Tracing policy for the Zuplo AI Gateway, describing the move as essential for running LLMs in production without "flying blind."

MCP OAuth update adds security for personalized AI: Beth Pariseau addresses the forthcoming modification to the Model Context Protocol, it signifies a crucial advance in the direction of safeguarded, customised Artificial Intelligence. Nevertheless, it concurrently illustrates that a considerable quantum of endeavour is still requisite to adequately fortify autonomous AI

MCP governance in the enterprise: Alistair Russell argues that while the Model Context Protocol (MCP) offers a consistent interface that speeds up the development of AI agents and copilots, a significant governance gap is holding it back from safe enterprise adoption.

MCP server logs: overview, benefits, and tips for using them: Jon Gitlin explains why Model Context Protocol (MCP) server logs are essential for monitoring AI agents and addressing potential issues as these agents are brought to market.

The role of APIs and MCP in orchestration and Agentic AI: Ramirez states that APIs remain the fundamental mechanism for composability, defining what enterprise systems can do. MCP, however, is the new intelligence layer that gives that API data flow direction and meaning, standardising how AI can communicate with and act upon these assets.

Comparing MCP (Model Context Protocol) Gateways: Sakib argues that while MCP standardises communication between agents and external APIs, its rapid adoption is leading to fragmentation, making central control over discovery, security, and governance essential much like how API gateways brought discipline to microservices. He compares several top MCP Gateway solutions in 2025.

Code execution with MCP: Building more efficient agents: Adam Jones and Conor Kelly explores how leveraging code execution environments with the Model Context Protocol (MCP) can significantly improve the efficiency and cost-effectiveness of AI agents.

Microsoft, NVIDIA and Anthropic announce strategic partnerships: Microsoft, NVIDIA, and Anthropic announce a major strategic partnership focused on scaling and accelerating Anthropic’s Claude AI model across the enterprise.

The Model Context Protocol (MCP): Emergence, Technical Architecture, and the Future of Agentic AI Infrastructure: Jon Ander Oribe sets out the rationale, technical architecture, and strategic significance of the Model Context Protocol (MCP), positioning it as the indispensable infrastructure layer that solves the core limitations of Large Language Models (LLMs) and enables scalable Agentic AI.

API Production Governance

Should Workflows Have Their Own APIs?: Erik Wilde discusses exposure of workflows like "create account" or "process order" with an API interface to make them discoverable, governable, and reusable at scale, much like standard APIs.

Feedback & share

Upcoming conferences

Apidays Paris: Apidays Paris sparks essential conversations on data security, digital sovereignty, and sustainable innovation in the age of intelligent systems. Date: 9 - 11 December 2025 Location: CNIT Forest, Paris.

My Services: API Governance Consulting