This page is written for the people who have to sign off on AI agents in production. No vendor talk. No acronyms. Just what an agent actually is, what it actually does, and where the control that matters has to live.
A chatbot answers. An agent acts. The difference is the gap between a system that responds to you and a system that takes actions in your enterprise on your behalf.
You tell it what to do. It does exactly that. A spreadsheet formula is a tool. An SQL query is a tool.
You ask. It replies. The output is text. Nothing in your environment changes because of it.
Given a goal, it chooses steps and executes them. It reads data, calls APIs, updates records, sends emails. Your environment changes because of it.
If the employee can send an email, the agent can send an email. If the employee can update the CRM, the agent can update the CRM. If the employee can delete a production record, the agent can delete a production record.
An employee earns the access they have over time. An agent is granted that access in an afternoon. The question is not whether the agent is capable. The question is whether the scope of what it can do matches the scope of what it should do.
Five agents, ten tools, fifty sets of keys across config files and secret managers. One leaked key exposes everything that agent could reach.
An agent deletes a record. An agent sends an email with confidential pricing. Without an audit trail, the first sign is a customer complaint.
A support agent discovers it can also reach billing and deployment. It is not malicious. It is using every tool available to answer the question.
An agent stuck in a retry loop burns through thousands of dollars in API calls overnight. You find out when the invoice arrives.
Not at the prompt. Not at the network boundary. Not after the fact in a log. At the exact moment the agent reaches for a downstream system, the call is checked against a per-user, per-tool permission map before the system ever sees it.
"When this agent takes an action against an enterprise system, what checks happen at the moment of that action -- and where in the stack do those checks live?"
If the answer is "the prompt tells it not to," the control is at the wrong layer. If the answer is "the framework has guardrails," the control is at the wrong layer. If the answer is "the log will show us afterwards," the control is at the wrong layer.
The only answer that holds up is "the call passes through an enforcement point between the agent and the system it is trying to reach, and the permission check happens there, in the logic layer, before the action completes."
That is what AI Agent Gateway is.
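The enforcement point described above, as an added example that is not AI Agent Gateway's own code: a small Python gateway that checks every tool call against a per-user, per-tool permission map before the call is dispatched, records each decision (allowed or refused) to an audit trail, and caps the number of calls so a retry loop cannot run unbounded. The tool names, the user name and the permission map are constructed for illustration.

```python
from dataclasses import dataclass
import time

@dataclass
class AuditEvent:
    ts: float
    user: str
    tool: str
    decision: str   # "allow", "deny" or "budget_exceeded"
    args: dict

class ToolGateway:
    def __init__(self, permissions, tools, call_budget=100):
        self.permissions = permissions   # {user: {tool_name, ...}}
        self.tools = tools               # {tool_name: callable}
        self.call_budget = call_budget   # caps runaway retry loops
        self.calls_made = 0
        self.audit = []                  # every decision, allowed or not

    def invoke(self, user, tool, **args):
        """Run `tool` on behalf of `user`, or refuse before the tool is reached."""
        if self.calls_made >= self.call_budget:
            self._log(user, tool, "budget_exceeded", args)
            raise PermissionError(f"call budget of {self.call_budget} exhausted")
        if tool not in self.permissions.get(user, set()) or tool not in self.tools:
            self._log(user, tool, "deny", args)   # downstream system never sees it
            raise PermissionError(f"{user} may not call {tool}")
        self.calls_made += 1
        self._log(user, tool, "allow", args)
        return self.tools[tool](**args)

    def _log(self, user, tool, decision, args):
        self.audit.append(AuditEvent(time.time(), user, tool, decision, dict(args)))

# Constructed sample tools and permission map (hypothetical, for the demo only).
CRM = {"acct-42": {"owner": "alice", "tier": "gold"}}
TOOLS = {"crm_lookup": lambda account_id: CRM[account_id],
         "crm_delete": lambda account_id: CRM.pop(account_id, None)}
PERMISSIONS = {"support-agent": {"crm_lookup"}}   # read access only, no delete

def demo():
    """Allowed lookup, denied delete, then the budget cap stops a retry loop."""
    gw = ToolGateway(PERMISSIONS, TOOLS, call_budget=2)
    looked_up = gw.invoke("support-agent", "crm_lookup", account_id="acct-42")
    for tool in ("crm_delete", "crm_lookup", "crm_lookup"):
        try:
            gw.invoke("support-agent", tool, account_id="acct-42")
        except PermissionError:
            pass   # refusal is recorded in gw.audit, nothing downstream changed
    return looked_up, [e.decision for e in gw.audit], "acct-42" in CRM
```

The audit list is the answer to the question in the section above: each decision is recorded at the point where the call was allowed or stopped, not reconstructed afterwards from a log.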
Bring your security team. Bring your platform lead. Thirty minutes with the engineer who built it.