# AI Governance Platforms Need a Runtime Enforcement Layer

> Source: <https://konghq.com/blog/enterprise/ai-governance-platform-where-ai-gateway-fits>
> Published: 2026-07-09 16:37:00+00:00

Turning back to the AIGP Magic Quadrant, Kong wasn't evaluated. That's not an oversight; it's a new category boundary.

Gartner's inclusion criteria require vendors to offer a stand-alone AI governance platform with capabilities that sit firmly in the oversight and compliance layer: enterprise AI inventory with regulatory metadata, compliance framework mapping (EU AI Act, NIST AI RMF, ISO/IEC 42001), evidence collection for auditors, workflow approvals for governance bodies, and dynamic risk scoring tied to responsible AI principles like bias, fairness, and explainability. These are capabilities built for AI governance leaders, compliance officers, and risk teams.

Kong's primary buyers are platform engineers, developers, and infrastructure teams. Kong AI Gateway handles runtime connectivity — traffic routing, rate limiting, access controls, prompt inspection, PII sanitization, protocol support. These are different problems, served by different tools, to different people. Gartner draws the line at the governance and compliance layer. Kong operates at the infrastructure and connectivity layer beneath it.

The AI stack has distinct layers by design. Foundation models sit at the bottom. Infrastructure and connectivity — where Kong lives — handle how traffic flows to and from those models. The governance and security layer above it defines organizational policy and manages compliance. These layers depend on each other; they don't collapse into each other.

In practice, this looks like this: a governance platform can define policies about which models are approved, which data can cross which boundaries, or which agent actions require human review. But that policy has no operational effect until it's implemented at the infrastructure layer. The AIGP is the authority. The API gateway is where the enforcement actually happens.

Gartner calling this a distinct, mandatory market category only sharpens that picture. If governance platforms are now required infrastructure for responsible AI at enterprise scale, so is the connectivity layer that makes their policies executable.
