Anthropic made the architectural case for MCP gateways at an AI Engineer conference recently. The talk was titled “Why Gateways Are All You Need”. It laid out exactly why enterprise MCP deployments stall and what the path forward looks like. Three specific takeaways were shared: invest in common infrastructure, treat the gateway as your root of trust, and decouple the agent harness from the data layer.
We couldn’t agree more. This is the very architecture we shipped in the Cequence AI Gateway last year.
The Native Connector Trap
Every major SaaS app now ships its own native MCP connector. So does every agent platform. Click “connect Asana” inside one client. Click “connect GitHub” inside another. The integrations multiply on their own. For an individual user, this path is fast and frictionless. For enterprises, it produces ungoverned sprawl.
The math is the problem. Native point-to-point creates N×M connections, where every agent talks directly to every SaaS service through that vendor’s own connector. Each one authenticates separately and negotiates its own data access. Nothing in the middle has visibility into any of it.
That is exactly where the three gaps Anthropic identified surface, only now compounded across every connector an employee enables.
Observability. Each native connector logs to its own surface, if it logs at all. Across hundreds of agents and dozens of SaaS connectors, no one in the security organization can answer a basic question: which agents touched which data this week.
Access control. Each connector inherits whatever scopes the user grants at OAuth time. There is no central place to enforce role-based limits, no consistent way to scope tools by team, and revoking access requires touching every endpoint individually.
Security. Every native connector is a separate trust boundary with a separate auth flow and separate exfiltration paths. The attack surface grows linearly with every new SaaS integration the org adopts, and the blast radius of any one compromise is unbounded.
As a result, security teams default to the only lever they have: blocking. The approved connectors list stays short. Shadow enablement happens anyway. We have laid out the platform-by-platform implications separately.
The Gateway Pattern: One Platform, Decentralized Teams
Anthropic’s central insight is worth stating plainly. A gateway lets the security team bless one platform instead of reviewing every connector. In practice, every team can then build and consume the MCP connections they need without becoming a bottleneck.
A gateway sits between MCP clients and MCP servers. It handles authentication, role-based access control, secured connections, sub-registry routing, and the developer tooling that makes new integrations cheap. Teams write business logic. The gateway handles everything else.
That changes the math. Native point-to-point produces N×M connections. A gateway collapses it to N+M. Every new agent plugs in once. Every new SaaS connector plugs in once. Identity, access, and observability are inherited automatically. The Cequence AI Gateway is built for exactly this model.
Why the Follow-On Benefits Compound
Anthropic called these the “free lunches.” Critically, they only show up once the gateway is in place.
New client surfaces become invariant. Your harness might be Claude Desktop, Claude Code, an internal agent runtime, or whatever ships next quarter. The servers behind the gateway stay the same regardless.
Iteration also speeds up. Teams that previously waited weeks for security review can now ship updates in hours. The gateway already enforces the policies that matter.
Credentials remain durable. User auth, service accounts, and delegated identity for agents can swap in and out without rewriting servers. As a result, identity decisions are no longer baked into individual tools.
Standard primitives emerge across the stack. The gateway is where an enterprise encodes how it wants agents to behave. That makes it the right place to enforce operating procedures across every tool.
Security Is the Load-Bearing Argument
This is where the Cequence perspective extends the frame. Observability and access control are necessary. Neither is sufficient on its own.
The harder question is what happens at runtime. An agent passes authentication. It carries the right role. Then its tool calls drift outside the scope of its assigned job. Authorization said yes. Behavioral analysis said no. Static controls cannot see the difference. Native point-to-point connectors make this strictly worse, because no single layer is positioned to correlate behavior across them.
The deeper reason this matters: prompt injection is not a model-capability problem. Instead, it is a pipeline-stage problem. No amount of model improvement will eliminate it. If you cannot prevent an agent from being coerced, you must constrain what a coerced agent can do. That is a behavioral problem, and behavior lives outside the connector layer.
Every enterprise user will soon manage dozens of AI agents, each with its own scoped responsibilities. Defining the right level of access is half the work. Verifying that the agent stays within that role at runtime is the other half. Manage your agents the way you manage your people. You will find the same dual requirement: clear job descriptions, plus ongoing oversight.
A gateway is the only architectural layer that can do both. It sits in the path of every call. It sees every tool invocation across every connector. It resolves identity for the human and the agent on the other end.
What Native Connectors Cannot See
Consider what this looks like in practice. A Fortune 50 enterprise ran an autonomous AI coding agent for 47 continuous hours. It made 2,575 tool calls. The native AI platform showed a clean session: 2,575 authenticated requests, zero anomalies.
What actually happened was different. The agent got stuck and got creative. It guessed file names that did not exist. Commit hashes mutated in 71-second loops. The same wrong paths got re-probed across sessions because the agent has no memory between them. None of this was malicious. The agent was determined, and determination without behavioral guardrails is the failure mode the gateway pattern exists to address.
A native connector cannot detect any of this. Authentication succeeded. Permissions held. The failure mode was behavioral, and no connector is positioned to see it.
From Gateway to Agent Governance
Anthropic closed by arguing that the agent harness should be separable from the data layer. That separation is what makes the gateway investment durable. Agents will change. Models will change. Client surfaces will change. The control point in between has to remain.
The Cequence AI Gateway’s Agent Personas, Trusted MCP Registry, and Data Protection are designed for that world. Cequence is not a replacement for native connectors. It is the security and governance layer that supports all of them. Agents come and go. Governance persists.
What to Do Now
If your AI program is stuck on a short list of approved connectors while users quietly enable native ones anyway, the fix is not more reviews. Rather, it is working with a single platform that lets every team build and consume safely. Talk to us about what that gateway looks like in production.
