Concept

The Agent Gateway

The brokered control point where an AI agent’s access to real systems concentrates — scoped identity, action-level authorization, and audit & reversibility — run on the principle of Least Agency.

Also: agent gateway · Least Agency · access layer

The Agent Gateway is the brokered control point an AI agent passes through to act in real systems — and the place where its value and its risk both concentrate. It has three components: Scoped Identity (the agent gets its own non-human identity with least privilege and short-lived, brokered credentials, not a borrowed human token), Action-Level Authorization (permission is granted per action in the user’s context, with human-in-the-loop approval for high-impact actions, and with audience-bound tokens that are never passed through — the confused-deputy defence), and Audit & Reversibility (every action is logged in a readable form and can be reversed or stopped). The standards already prescribe these controls (OWASP’s least-privilege and human-oversight doctrine; the MCP spec’s OAuth 2.1, audience binding and scope minimisation); the gap is that organisations have not yet built the place where they are enforced.

It runs on a single principle: Least Agency — give an agent the minimum it needs to act, brokered, logged and reversible, and design the boundaries and the recovery before you widen the access. It is the deliberate inverse of OWASP’s "excessive agency", and the runtime sibling of Decision Architecture: Decision Architecture determines who is allowed to decide; the Agent Gateway determines what those decisions are allowed to do. The position behind it is that the binding enterprise constraint was never model capability — intelligence without access is a demo; access without control is a breach. The depth treatment is The Hard Part Is Access, Not Intelligence.
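
The three components described above can be sketched as a single decision function. This is an added example, not code from the page or from any product: the claim names, audience strings, action names, the in-memory audit list and the stop switch are all assumptions, and the inbound token's signature is assumed to have been verified before `authorize` is called.

```python
import time
import uuid

GATEWAY_AUD = "agent-gateway"        # assumed audience value identifying this gateway
HIGH_IMPACT = {"payments:refund"}    # assumed set of actions that need human approval
AUDIT = []                           # audit trail, one readable record per decision
STOPPED = set()                      # agents halted by an operator

# Constructed sample token claims (signature assumed already verified upstream).
SAMPLE_TOKEN = {"sub": "agent-42", "user": "alice", "aud": GATEWAY_AUD,
                "scopes": ["tickets:read", "payments:refund"], "exp": 1000}

def stop_agent(agent_id):
    """Operator control: every later action by this agent is denied."""
    STOPPED.add(agent_id)

def authorize(token, action, resource_aud, approved_by=None, now=None):
    """Decide one action. Returns (decision, downstream credential or None)."""
    now = time.time() if now is None else now
    if token.get("sub") in STOPPED:
        decision = "deny:agent_stopped"
    elif token.get("aud") != GATEWAY_AUD:      # token was minted for someone else
        decision = "deny:wrong_audience"
    elif token.get("exp", 0) <= now:
        decision = "deny:expired"
    elif action not in token.get("scopes", ()):
        decision = "deny:out_of_scope"
    elif action in HIGH_IMPACT and not approved_by:
        decision = "pending:human_approval"
    else:
        decision = "allow"
    cred = None
    if decision == "allow":
        # Never forward the inbound token. Mint a fresh credential bound to the
        # downstream audience, limited to this one action, valid for 60 seconds.
        cred = {"sub": token["sub"], "on_behalf_of": token["user"],
                "aud": resource_aud, "scopes": [action],
                "exp": now + 60, "jti": str(uuid.uuid4())}
    AUDIT.append({"ts": now, "agent": token.get("sub"), "user": token.get("user"),
                  "action": action, "resource": resource_aud,
                  "decision": decision, "approved_by": approved_by})
    return decision, cred
```

A denied or pending decision is written to the audit trail the same way as an allowed one, so the log shows what the agent attempted as well as what it did.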