Four MCP gateways lead the enterprise field in 2026: Lunar MCPX, MintMCP, IBM ContextForge, and Kong AI Gateway, and only Lunar and MintMCP currently carry SOC 2 Type II attestation. An MCP gateway is the control plane that enforces authentication, authorization, audit, rate limiting, and credential governance between agents and MCP tool servers, which the protocol itself leaves unsolved. For regulated workloads, hold vendors to a two-part bar: SOC 2 Type II plus identity-scoped, tamper-evident audit (OpenTelemetry tracing in ContextForge, per-record signed append-only logs in MintMCP). Self-host the control plane when the tools reach sensitive data, and consider a unified LLM-plus-MCP plane like TrueFoundry when you want one audit trail across both.
The Model Context Protocol solved a wiring problem and created a governance one. MCP standardized how an AI agent discovers and calls external tools, which is why a single agent can now reach your CRM, your data warehouse, and a dozen SaaS APIs through one interface. What the protocol deliberately left out of scope is who is allowed to call what, with which credentials, and how you prove after the fact who did what. An MCP gateway is the control plane that fills that gap: it sits between your agents and your MCP tool servers and enforces authentication, authorization, audit, rate limiting, credential governance, and tool discovery.
That gap turned into a product category fast. Through 2026, MCP gateways emerged as a distinct class of infrastructure, separate from the LLM gateways that route model calls, and the field is already crowded. Obot counts (2026) 13 MCP gateways serious enough for enterprise teams to shortlist. Lunar states (2025) that Gartner named it a Representative Vendor in both AI Gateways (2024, 2025) and MCP Gateways (2025), which is a signal that analysts now track MCP gateways as their own market rather than a feature of something else. New entrants and open-source projects keep arriving, so the practical question for a platform team is no longer whether to put a gateway in front of agent tool access, but which one clears your compliance bar.
This comparison walks the four gateways most enterprise teams actually shortlist, Lunar MCPX, MintMCP, IBM ContextForge, and Kong AI Gateway, plus TrueFoundry's unified approach, against the controls that matter for production: SOC 2 attestation, identity-scoped RBAC, tamper-evident audit, credential brokering, and deployment model. It complements two adjacent guides: our MCP server security hardening checklist covers locking down a single server, and our AI gateway decision guide covers the LLM-routing plane. A gateway governs the tool surface across all of them.
01 · Why MCP left auth, authz, and audit unsolved
MCP left authentication, authorization, and audit unsolved by design: the protocol's job was to standardize the tool interface, not to opine on your identity model or compliance controls. The Model Context Protocol is a specification for how a client (the agent runtime) and a server (the tool provider) exchange tool definitions and invocations over a transport. It answers "how does an agent find and call a tool" cleanly. It intentionally does not answer "should this agent be allowed to call this tool right now," "whose credentials does the call run under," or "where is the immutable record of what happened." Those are operator concerns, and the spec was right to leave them out, but that means every team wiring MCP into production inherits them.
Left unsolved, they collapse into predictable anti-patterns. Agents authenticate to tool servers with long-lived shared API keys pasted into config, so every action looks the same regardless of which agent or user triggered it. Authorization is all-or-nothing because the tool server has no notion of the caller's role. And audit, if it exists at all, is scattered across per-server logs that nobody can correlate into "who did what, with which tool, on which data." That last phrase is exactly how Lunar frames the problem its gateway solves, and it is the right framing.
There is a security dimension too. A tool server the agent trusts can carry a poisoned tool definition or a prompt-injection payload in its results, and without a gateway inspecting and constraining traffic you have no chokepoint to catch it. We cover that attack class in depth in our writeup on MCP supply-chain attacks and tool poisoning. The identity problem has its own literature: shared API keys break the moment agents start acting autonomously, which is why OAuth-style identity for agents is becoming the default. A gateway is where both of those controls get enforced in one place.
02 · MCP gateway vs LLM gateway: two different control planes
An MCP gateway governs the tool plane and an LLM gateway governs the model plane; they are different control planes that solve different problems, and mature stacks often run both. An LLM gateway is a proxy that sits in front of language models and handles routing, caching, load-balancing, rate limiting, and cost tracking across providers. Its unit of traffic is a model call. An MCP gateway's unit of traffic is a tool call, and its core job is governance of that call: identity, authorization, credential brokering, and audit. You can run a world-class LLM gateway and still have zero control over which tools your agents touch, because that traffic never flows through the model proxy.
The two planes are starting to converge. TrueFoundry reports (2026) that it combines an AI gateway and an MCP gateway in one control plane, exposing 1,000-plus LLMs through a single OpenAI-compatible API while applying RBAC, budgets, and audit logging consistently across both LLM and MCP traffic instead of splitting them across two systems, with unified observability for token usage, latency percentiles, and cost by model, team, or tag. Lunar similarly frames a single immutable trail across MCP, LLM, and API as the goal.
The argument for merging is real: one audit trail, one RBAC model, one place to reason about cost and access. The argument against is that best-of-breed LLM routing and best-of-breed tool governance are genuinely different engineering problems, and a unified plane can end up weaker at both. Our recommendation is unglamorous: if you already run an LLM gateway you are happy with, do not rip it out to chase consolidation. Add an MCP gateway alongside it, and only merge if one vendor convincingly covers both planes.
03 · MCP gateways compared: Lunar MCPX, MintMCP, IBM ContextForge, and Kong
The enterprise shortlist in 2026 comes down to four gateways plus one unified option: Lunar MCPX and MintMCP (both SOC 2 Type II), IBM ContextForge (open source, Apache 2.0), Kong AI Gateway, and TrueFoundry for a single LLM-plus-MCP plane. They differ most on compliance posture, audit model, and who owns the deployment.
Lunar MCPX ships in two editions. The open-source edition is aimed at personal use and runs locally via Docker, with Tool Groups, tool customization, local and remote MCP auth, and broad agent support. The Enterprise edition adds centralized management, role-based access control, auditing and advanced observability, SSO/IAM integration with providers like Okta or Azure AD, and the ability to run MCPX inside your own cloud or on-premises environment. Its security page lists SOC 2, self-hosted, VPC, and air-gapped, and Lunar states the platform is SOC 2 Type II certified. This is the option with the widest analyst recognition and the clearest self-hosting story.
MintMCP is the regulated-industry specialist. It documents that it is SOC 2 Type II audited with continuous compliance monitoring via Drata, HIPAA-compliant with HIPAA documentation and BAAs available, and it explicitly targets healthcare, financial services, and other regulated organizations. On identity it supports OAuth 2.0, SAML, SSO, and SCIM-driven RBAC with enterprise identity providers. Its standout is the tamper-evident audit model, covered in the next section.
IBM ContextForge (the mcp-context-forge project) is the open-source default. IBM describes it as an open-source registry and proxy that federates MCP, A2A, and REST/gRPC APIs with centralized governance, discovery, and observability, under an Apache 2.0 license. It is an actively developed open-source project on a stable 1.x line. It scales to multi-cluster Kubernetes with Redis-backed federation and caching, auto-discovers peers via DNS-SD, translates REST and gRPC endpoints into MCP tool definitions, and emits OpenTelemetry traces to Phoenix, Jaeger, Zipkin, and other OTLP backends. If you want to own the control plane end to end with no license cost, this is where to start. Our MCP developer guide covers the protocol fundamentals ContextForge builds on.
Kong AI Gateway includes MCP gateway capabilities: its product describes an MCP traffic gateway that gives you control and visibility over AI agent infrastructure through AI Gateway-driven MCP features. If your platform team already runs Kong for API management, folding MCP traffic into the same gateway is the path of least resistance. Treat the specifics of its MCP governance model as something to validate directly with Kong, since its MCP surface is newer than its API-gateway core.
| Gateway | Type / license | SOC 2 | Identity and RBAC | Audit model | Deployment |
|---|---|---|---|---|---|
| Lunar MCPX | Open-source + Enterprise | SOC 2 Type II | SSO/IAM (Okta, Azure AD), RBAC | Identity-aligned attribution, immutable trail | Self-hosted, VPC, air-gapped |
| MintMCP | Commercial (SaaS) | SOC 2 Type II (Drata) | OAuth 2.0, SAML, SSO, SCIM RBAC | Per-record signed, append-only | Managed; HIPAA docs and BAAs |
| IBM ContextForge | Open source (Apache 2.0) | Self-run, no vendor attestation | Federated centralized governance | OpenTelemetry / OTLP (Jaeger, Zipkin, Phoenix) | Self-hosted, multi-cluster K8s |
| Kong AI Gateway | Commercial | Not published on primary page | Via Kong AI Gateway | AI Gateway control and visibility | Self-hosted / hybrid |
| TrueFoundry | Commercial | Not published on primary page | Unified RBAC (LLM + MCP) | Unified LLM and MCP audit | Single control plane |
04 · The enterprise bar: SOC 2 Type II plus tamper-evident, per-user audit
For regulated workloads, the practical procurement bar is two-part: SOC 2 Type II attestation plus identity-scoped, tamper-evident audit that can answer who did what, with which tool, on which data. SOC 2 Type II is an attestation that a vendor's security controls not only exist on paper but operated effectively over a review period (typically 6 to 12 months), which is why auditors weight it far more heavily than a point-in-time Type I. Among the gateways here, MintMCP documents (2026) SOC 2 Type II with continuous monitoring via Drata, and Lunar states its MCPX platform is SOC 2 Type II certified. IBM ContextForge, as a self-run open-source project, carries no vendor attestation, so that compliance burden shifts entirely to you.
Attestation alone is not enough. The second half of the bar is audit you can trust, and two concrete implementations set the standard. IBM ContextForge emits OpenTelemetry traces to OTLP backends like Jaeger, Zipkin, and Phoenix, giving you per-request, per-identity traceability inside tooling your observability team already runs. MintMCP goes further on tamper-evidence: it signs each access-grant record at write time with a per-record digital signature and stores records append-only, so any later change to a record breaks signature verification. It logs authentication events, tool invocations (with user, session, and parameters), and the full credential lifecycle. That is the difference between logs you hope nobody edited and logs you can prove nobody edited.
The synthesis we apply across the agent platforms we audit at Particula Tech is blunt: if a gateway cannot produce an identity-scoped, tamper-evident record of every tool call, it is not enterprise-ready no matter how good its routing is. OpenTelemetry tracing and signed, append-only logs are the two proven ways to clear that bar today, and a shortlist that skips both is a shortlist that will fail an audit later.
05 · Credential brokering, private registries, and tool discovery
Beyond auth and audit, an enterprise MCP gateway does three infrastructure jobs: it brokers credentials so secrets never live in agent code, it hosts a private registry of approved tools, and it handles discovery so agents see only the tools they are cleared for. Each is a distinct control, and the strong gateways implement all three.
Credential brokering means the gateway, not the agent, holds the secret for each downstream tool and injects it at call time, so a compromised agent or a leaked prompt never exposes a raw API key. Lunar MCPX Enterprise provides managed secret management for this; MintMCP logs the full credential lifecycle so issuance, use, and revocation are all on the record. This is the single highest-value control after identity, because it removes long-lived secrets from the most exposed part of the system.
A private MCP registry is a curated catalog of the tool servers your organization has approved, hosted by the gateway, so agents cannot reach arbitrary or unvetted servers on the open internet. Lunar MCPX Enterprise ships one; IBM ContextForge is built as a registry and proxy from the ground up. A registry is what turns "agents can call any MCP server they find" into "agents can call the servers security signed off on," and it is the natural enforcement point for the tool-poisoning defenses covered in our supply-chain writeup.
Tool discovery is how agents learn what tools exist without you hand-wiring each one. ContextForge auto-discovers federated peers via DNS-SD and translates REST and gRPC endpoints into MCP tool definitions, so existing internal APIs become agent-callable without rewrites. Lunar organizes exposure through Tool Groups. The governance win is that discovery runs through the gateway, so an agent's visible tool surface is exactly the subset its identity is authorized for, not everything on the network.
06 · Self-host vs SaaS: who owns the control plane
Self-host the gateway when its tools touch sensitive or regulated data, and use SaaS when speed and managed compliance matter more than owning the audit trail. The deployment choice determines who physically holds your credentials and audit logs, which is a governance decision, not just an ops one.
Self-hosting keeps the control plane inside your trust boundary. Lunar MCPX Enterprise runs in your own cloud, VPC, or a fully air-gapped environment; IBM ContextForge runs wherever your Kubernetes runs and scales across multiple clusters with Redis-backed federation and caching. SaaS shifts operational load and continuous compliance monitoring to the vendor: MintMCP runs as a managed service with the HIPAA documentation and BAAs regulated buyers need, which for many healthcare and finance teams is worth ceding some direct control.
The decision rule is about data sensitivity. If the tools behind the gateway can read PHI, financial records, or production secrets, self-host so the audit trail and credential broker never leave your boundary. If the tools are lower-risk internal utilities, SaaS gets you to production faster with less to operate. A common middle path in the regulated deployments we review is to self-host an open-source gateway such as ContextForge for the sensitive tool surface and accept a SaaS gateway for everything else. Whoever owns the control plane owns the evidence, so decide it deliberately rather than by default.
07 · Bottom line: a procurement checklist for governing agent tool access
If you are buying an MCP gateway in 2026, here is the opinionated shortlist. For regulated industries, start with MintMCP: SOC 2 Type II, HIPAA with BAAs, and per-record signed, append-only audit logs clear the bar that healthcare and finance procurement will actually check. For the widest breadth and analyst-recognized standing with a strong self-hosting story, evaluate Lunar MCPX Enterprise. For an open-source control plane you own end to end at no license cost, deploy IBM ContextForge and budget for running its OpenTelemetry-based audit yourself. If you already run Kong for API management, evaluate Kong AI Gateway's MCP capabilities before adding a new vendor. And if your real pain is one audit trail across both model and tool traffic, look hard at TrueFoundry's unified plane.
What to skip: do not run agents against production tools with no gateway and shared API keys, and do not treat an LLM gateway as if it governs tool access, because it does not. Those two mistakes account for most of the ungoverned agent tool access we find in the wild.
Use this checklist when you evaluate a gateway:
Governing agent tool access is now its own discipline, sitting alongside single-server hardening and LLM-plane routing in the broader AI security picture. If you are wiring agents into production tools and are not sure your gateway clears this bar, Particula Tech's AI security audits map your MCP tool surface, exercise the auth and audit controls end to end, and tell you which gateway fits your compliance posture before agents reach real data.
08 · FAQ
Quick answers to the questions this post tends to raise.




