cd /news/ai-agents/how-are-people-securing-their-ai-acc… · home topics ai-agents article
[ARTICLE · art-57448] src=requestrocket.com ↗ pub= topic=ai-agents verified=true sentiment=· neutral

How are people securing their AI access to APIs?

A new guide from RequestRocket compares six categories of tools for securing AI agent access to APIs, covering authentication, authorization, and governance. The analysis finds that most incidents occur at the authorization and governance layers, where valid credentials are used for harmful calls or responses leak excessive data. The guide emphasizes that prompt instructions cannot close these gaps and that deterministic infrastructure controls are required.

read8 min views1 publishedJul 13, 2026

Disclosure: this guide is written by RequestRocket. We compare categories rather than ranking products, and we’re honest about where each layer – including ours – fits. Corrections welcome.

AI agents are in production, calling real APIs with real credentials. Six different tooling categories now claim to make that safe, and they are not interchangeable – most solve neighbouring problems. This guide maps the categories so you can assemble the right stack, not pick a false winner.

The three layers: Authentication, Authorization, Governance #

Agent access control is really three questions, and most incidents happen because a team answered only the first:

Authentication– who is this agent, and on whose behalf is it acting?** Authorization**– what may it do? Not just which systems and endpoints it can reach, but whetherthis specific call, withthese parameters, on behalf ofthis human, should execute right now. Reaching an API and being permitted this exact action against it are both authorization – and most stacks only implement the first half.Governance– what happens around and after the call? Of the data the API returns, what should actually reach the agent’s context? Least privilege doesn’t stop at the action; it applies to the response. A call can be legitimately authorised and still return columns, records, or PII the task never required – data that then sits in a context window, gets logged, gets forwarded, or becomes the carrier for injected instructions riding back in tool results. Governance also demands the audit record: an immutable trail linking human to agent to credential to decision.

Most incidents happen at layers 2 and 3: a valid credential, then either a harmful call nothing evaluated, or a permitted call whose response handed the agent far more than it needed. Prompt instructions can’t close either gap; they live in a context window that gets compressed, overridden, and injected. Authorization and governance must be deterministic, in infrastructure, outside the model’s reasoning. Keep this in mind as you read the table: each category maps to different layers.

The category comparison #

Criterion Integration platforms (Composio, Mulesoft, Merge, Nango) Agent runtimes (Arcade, LangGraph Platform, AWS AgentCore) Identity & NHI security (Okta, Auth0, WorkOS, Astrix (Cisco), Entro) LLM gateways (OpenRouter, LiteLLM, Portkey) Inbound API gateways (Kong, Apigee, AWS API GW) Runtime egress control (RequestRocket)
Primary question answered How do I connect to many tools fast? Where do my agents run, and how do they act in users’ accounts? Who is this agent, and what credentials exist? Which model handles this prompt? Who may call my APIs? What may this agent do to APIs, per call – and what comes back?
Layers covered Authentication, partial authorization Authentication, partial authorization Authentication + credential posture Model traffic only Authorization (inbound only) Authorization + governance (outbound)
Traffic direction governed Outbound, catalog-bounded Outbound, runtime- or cloud-bounded Identity plane, not request path Agent → LLM only Inbound to your APIs Outbound to any API, both directions
Governs APIs you don’t own ◐ Catalog + custom connectors ◐ Catalog + custom, within their runtime ○ Observes credentials, doesn’t enforce calls n/a ○ By definition ● Any HTTP API, no provider cooperation
Agent ever holds the real credential ◐ SDK-mediated ●/◐ Vaulted and delegated; cloud-managed ◐ Primitives and posture; you build enforcement n/a n/a ● Per-call injection; scope enforced via rules
Per-call request-shape policy (method, path, params) ◐–● Strongest in delegated-auth runtimes ◐ On inbound only ● Core function
Response-path governance (filtering, redaction, data minimisation) ◐ AgentCore interceptors + Guardrails, Arcade post-exec hooks; some pass data untouched ◐ Model I/O guardrails, not API responses ● Response-payload filtering (retain/destroy); ◐ request allow/deny
Enforcement point SDK in agent code Managed runtime / cloud stack Identity layer + agentless scanning Proxy (model calls) Gateway (inbound) Proxy (outbound), no code changes
Immutable per-call audit (human → agent → credential → decision) ●/◐ Strong in runtime; varies by stack ◐ Identity events + credential inventory ◐ Model calls ◐ Inbound ● Full delegation chain
Composes with the other columns ◐–● ● Foundational ● Designed to sit behind all of them
Time to first governed call ● Minutes ◐ Runtime build ○ You build enforcement ● Minutes ● Minutes via proxy config

● strong / core to category · ◐ partial · ○ not the category’s job

Reading the map #

Integration platforms get you connected fastest – Composio’s 1,000+ catalog is among the largest for prototyping, and most platforms also allow custom connectors – but convenience is the product; authorization depth is bounded by the catalog and the SDK, and the return path is untouched.

Agent runtimes are where your agents live and act. Arcade has solved delegated user-OAuth better than anyone – if your product is an agent acting in your users’ own accounts, start there – while AWS AgentCore is the coherent choice for teams standardised on that cloud, fading outside it. Common trait: their guarantees hold within the runtime you build inside. AgentCore can interpose request and response interceptors (plus Bedrock Guardrails) and Arcade’s post-execution hooks can redact tool output – but several deliberately never touch the data flowing through tool calls, which simplifies their compliance story while leaving governance to you.

Identity & NHI security is the authentication foundation plus the credential audit. Okta, Auth0 and WorkOS answer who – for humans and increasingly for agents – while the NHI side (Astrix – now part of Cisco – Entro, Token Security) discovers every machine credential in the estate and flags the risky and stale ones. Both are necessary; neither sits in the request path. They tell you who the agent is and that 400 ungoverned API keys exist – they don’t enforce the shape of any single request. Several (Astrix, CrowdStrike/SGNL, Aembit) are now adding identity-layer runtime authorization, but that governs access at the identity plane, not the parameters of each call – so they still expect you to build the request-path layer.

LLM gateways govern a different pipe entirely – agent-to-model traffic (routing, cost, model credentials, model I/O guardrails). Necessary, and often confused with action governance. OpenRouter controls which model your agent talks to, not what your agent does to Xero – or what Xero sends back.

Inbound API gateways answer the opposite question: who may call your APIs. Twenty years of tooling exists for the producer side. None of it governs what your agents do to APIs you consume – which is why “we already have Kong/Apigee” doesn’t close this gap.

Runtime egress control – the newest category, and the one recent incidents point at – sits in the outbound request path and covers authorization and governance in both directions: per-call scope-bound credentials injected at runtime, request-shape policy on the way out, response filtering on the way back so the agent receives only the data the task requires, and an immutable audit of the full delegation chain. RequestRocket’s specific position within the category: any HTTP API including legacy and on-prem, no SDK in the agent’s code path, response-payload filtering (retain or destroy fields) alongside request allow/deny policy, composing with – not replacing – your IdP and secrets manager. Our honest gap: no open-source footprint yet. Alter approaches the same layer via an SDK that wraps each tool call with parameter-level guardrails; Aport (open-source) via framework pre-action hooks and a portable agent passport – different enforcement points from RequestRocket’s transparent proxy. The category having multiple entrants is the point: authorization and governance at the egress seam are real, and unowned by the incumbent columns.

How to assemble your stack #

Most production architectures need one item from several columns, not a winner from one: identity for authentication (with NHI discovery as the audit), possibly an integration platform or agent runtime for connecting and running, an LLM gateway for model traffic, and runtime egress control for authorization and governance of every call. The one combination that fails audits is the common one: identity plus integrations plus nothing enforcing what calls may do or what responses may contain.

Whatever you assemble, insist on this: deterministic, per-call, infrastructure-level enforcement of outbound actions and inbound responses, with an audit record linking human to agent to credential to decision. Every major agent incident of the past year traces to one of two root causes – a credential that could do more than the task required, or a response that carried more than the task needed.

See what per-call governance looks like against your own APIs – run your first governed request free in about five minutes: start for free.

── more in #ai-agents 4 stories · sorted by recency
── more on @requestrocket 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/how-are-people-secur…] indexed:0 read:8min 2026-07-13 ·