Recently, Palo Alto Networks announced its intent to acquire Portkey — an AI Gateway processing trillions of tokens per month — to become the routing and visibility layer inside Prisma AIRS.
We think this is great news. Not just for Portkey. For the entire category.
Validation at the Highest Level
When a $100B+ security platform company makes a significant acquisition to address AI governance, it sends one unmistakable signal to every enterprise security team, every CISO, and every board that’s been asking “do we have controls around our AI?”:
This is real. This is urgent. You need to solve it.
That’s the market moment we’ve been building toward. How to govern AI in the enterprise is no longer a theoretical question, and the question is no longer whether to govern AI. It’s who moves first.
What Complete AI Governance Actually Looks Like
Routing and visibility is one layer of AI governance. It is not the whole picture.
The enterprises we talk to are grappling with a much broader set of questions — and the gap between what they need and what current tools provide is significant.
Access: Who is allowed to use AI, and under what conditions?
Not API keys assigned to teams. Real enterprise identities — tied to IdP groups, device posture, and declared work context — with policy that says this developer can use this model for this class of task, and this service account is authorized to call these tools. When someone leaves the team or the project ends, the access ends. Automatically.
Cost: What did AI spend, and who is accountable for it?
Virtual keys tell you which team a request came from. That is not enough. Engineering leadership needs to know which developer, on which ticket, burned how much — and whether the model used was the right one for the task. Finance needs that data to allocate costs. Platform teams need it to enforce budgets before the overage happens, not after.
Security: What are AI agents allowed to do?
The agentic era changes the risk profile entirely. AI is no longer generating text for a human to review. It is reading files, querying databases, writing and executing code, calling external APIs — autonomously. Every one of those actions is a potential security event. Governing LLM traffic is necessary but not sufficient. You need enforcement at the tool invocation layer, with human approval workflows for high-risk actions, and an audit trail that captures what was authorized, by whom, and when.
Compliance: Can you prove you governed it?
This is the question that makes the others urgent. EU AI Act Article 9 requires documented risk management systems for high-risk AI. NIST AI RMF requires governance that is measurable and auditable. SOC 2 AI addenda are emerging across audit frameworks. The evidence these frameworks require is not a vendor dashboard. It is customer-owned, version-controlled, exportable artefacts — policy history in Git, decision logs in structured formats an auditor can work with directly.
Each of these is a solved problem in infrastructure governance. Kubernetes admission control, CI/CD policy gates, Terraform guardrails — enterprises have built and operated these for years. For AI, none of the four domains is solved by a gateway. This is the opportunity the market is just beginning to recognize. We’ve written about why the governance gap exists and why it has no clear owner — both posts are worth reading alongside this one.
AIControls

This is the problem we built AIControls to solve.
AIControls is Nirmata’s AI Governance Platform, built on Kyverno CEL — the same policy engine that already governs Kubernetes infrastructure for thousands of enterprises worldwide. It covers all four governance domains — access, cost, security, and compliance — across three enforcement planes: Developer Governance, Agent Governance, and MCP Governance. It is live now at aicontrols.dev.
In the next post, we’ll walk through the architecture — how the three governance planes work, why we built them on CEL, and what discovery-time policy filtering means for the agent security model. For a deeper look at the developer and agent governance layers, see Your Developers Are Using AI. Your Governance Layer Isn’t. and What Good AI Agent Governance Looks Like.
The PAN/Portkey acquisition won’t be the last consolidation move in this space. The market is moving fast. The governance problem it leaves unsolved is the one we’re here to close.
