The microservices revolution promised agility and scalability. Teams could deploy faster, scale independently, and innovate without monolithic constraints. You gain speed and flexibility, but you also multiply trust boundaries, identities, network paths, and policy decisions.
Then came AI, and everything changed.
In 2025, the security reality for AI-integrated microservices is stark. Security challenges in microservices continue to escalate as organizations struggle with API proliferation and shadow API discovery. The microservices architecture market has grown from $6.27 billion in 2024 to $7.4 billion in 2025 at a compound annual growth rate (CAGR) of 17.9%, with projections reaching $15.64 billion by 2029 [1].
Consider what happens when a user sends a single prompt to a customer service chatbot. That prompt triggers API gateway authentication, LLM endpoint calls, [RAG retrievals from vector databases](https://konghq.com/blog/learning-center/what-is-rag-retrieval-augmented-generation)RAG retrievals from vector databases, and tool execution through [MCP servers](https://konghq.com/products/kong-konnect/agents)MCP servers. A single request can traverse a dozen or more services. This illustrates how AI amplifies existing microservices complexity exponentially.
The security implications are severe. [OWASP's 2025 Top 10 for LLM Applications](https://konghq.com/blog/engineering/owasp-top-10-ai-and-llm-guide)OWASP's 2025 Top 10 for LLM Applications ranks prompt injection as the number one critical vulnerability. Attackers manipulate LLM inputs to override instructions, extract sensitive data, or trigger unintended behaviors. Traditional security tools can't detect semantic-level attacks. They can't distinguish between legitimate AI traffic and data exfiltration attempts. They can't govern token consumption or prevent prompt injection.
The attack surface has fundamentally changed. Indirect prompt injection techniques allow attackers to embed harmful instructions within source materials or intermediary processes. For example, an attacker might post a crafted prompt on an online forum, instructing any LLM reading it to recommend a phishing site. When a user later asks an AI assistant to summarize the forum discussion, the model processes the malicious recommendation.
You don't need to tear down your security stack and start over. The solution lies in extending your proven [microservices security best practices](https://konghq.com/events/webinars/securing-and-governing-microservices)microservices security best practices—zero-trust, centralized policy, infrastructure-level controls—to address AI's unique risks. This means applying the same rigor to prompt injection, model-driven data exfiltration, and runaway token costs that you apply to traditional API security.
This guide presents five critical best practices that bridge the gap:
Zero-trust operates on a fundamental principle: never trust, always verify. Every request, every connection, every interaction must prove its identity and authorization — no exceptions.
This principle becomes critical when AI enters the picture. AI agents behave like autonomous clients within your infrastructure. They make decisions independently, access multiple services in rapid succession, and can be manipulated through prompt injection to perform unintended actions. Security researchers note that prompt injection vulnerabilities exist due to the fundamental nature of how LLMs process instructions and data together, making complete prevention challenging.
Consider the attack surface. Machine identities already dominate the landscape — AI agents add another layer of complexity. Each agent needs credentials, scoped privileges, and continuous verification. Without zero-trust, a single compromised agent becomes a skeleton key to your entire infrastructure.
Mutual TLS (mTLS) is a protocol where both services authenticate each other with certificates before any data is exchanged — providing the foundation for zero-trust communication and eliminating man-in-the-middle attacks.
Implementation requirements:
mTLS becomes especially critical for AI workloads. When an LLM endpoint communicates with a vector database for RAG retrieval, both sides must verify identity. When an AI agent calls internal APIs, every connection needs encryption and authentication.
IP addresses mean nothing in containerized environments — services spin up, scale, and disappear constantly, making cryptographic identity the only reliable foundation for access control.
Each service, including AI agents and LLM endpoints, needs its own cryptographic identity. Apply the principle of least privilege rigorously:
AI-specific requirements:
The importance of identity-based controls is underscored by real-world incidents where services trusted network location over verified identity, leading to exploits.
A service mesh automates zero-trust enforcement across all microservices by injecting sidecar proxies alongside each workload — eliminating the inconsistency that comes from managing these controls manually.
These proxies handle:
For hybrid and multi-cloud deployments common in APAC, a service mesh ensures consistency. The same zero-trust policies apply whether services run in Kubernetes, VMs, or legacy infrastructure.
Kong Mesh provides turnkey zero-trust capabilities:
type: Mesh
name: ai-production
mtls:
enabledBackend: built-in
backends:
- name: built-in
type: builtin
conf:
rotation:
expiration: 24h
Apply once. Every new microservice and AI pod inherits zero-trust automatically.
Key Insight: "If zero-trust secures the connection, centralized policy secures the behavior."
When different traffic types are managed by different tools, the result is inconsistent enforcement, multiple dashboards with no shared visibility, and exploitable gaps between them.
Organizations typically manage traffic in silos. User-facing APIs go through an API gateway. LLM endpoints hide behind custom authentication. Internal gRPC calls bypass both. Add AI endpoints to this, and the complexity becomes exponential.
Different teams implement different controls:
This fragmentation creates exploitable weaknesses. Attackers find the least protected endpoint and pivot from there.
No — AI traffic is API communication that requires the same rigorous controls. Whether the caller is a human, microservice, or AI agent, consistent policies must apply.
Essential controls for all traffic:
Authentication & Authorization
Rate Limiting & Governance
Audit & Compliance
A unified control plane is a single enforcement layer that applies the same policies, logging, and rules engine across all traffic types — eliminating the inconsistency of tool-per-team approaches.
Managing policies across diverse services and protocols demands centralization. A unified control plane provides:
Organizations investing in unified security platforms prevent vulnerabilities more effectively than those using fragmented tools.
[Kong AI Gateway](https://konghq.com/products/kong-ai-gateway)Kong AI Gateway extends existing API gateway capabilities to AI traffic seamlessly. Your existing security policies automatically apply to AI endpoints, and AI-specific controls like prompt guards and token management layer on top — without creating new silos.
Unlike traditional API attacks, AI-specific threats operate at the semantic level — manipulating the meaning of inputs rather than exploiting authentication or protocol weaknesses, which makes them invisible to standard security tooling.
Traditional API security validates authentication, checks authorization, and logs requests — but it cannot inspect the semantic content of prompts. As of mid-2025, OWASP's Top 10 for LLM Applications ranks prompt injection as LLM01, identifying it as a critical vulnerability capable of causing sensitive data disclosure, unauthorized function access, and arbitrary command execution. Because prompt injection exploits the stochastic nature of how models process input, fool-proof prevention remains an open problem.
Modern attacks include:
Infrastructure-level prompt security acts as a first line of defense by inspecting and sanitizing prompts before they reach the LLM — stopping attacks at the boundary rather than relying on the model to reject them.
Pattern Detection
Semantic Analysis
Context Isolation
Security research has identified over 30 distinct prompt injection techniques across ecosystems. Infrastructure-level guards must evolve continuously to counter these threats.
Automatic data protection applies PII detection and redaction at both the input and output layer — preventing sensitive information from reaching the model and blocking it from appearing in generated responses.
Without these controls, sensitive information leaks through model outputs, often without any visible signal that a violation has occurred.
Pre-processing Protection
Post-processing Validation
For APAC organizations, automatic PII protection is also a compliance requirement. Regulations such as Australia's Privacy Act 1988 and Japan's APPI mandate appropriate technical and organizational safeguards for personal information — with specific controls determined by each organization's risk assessment.Centralize These Controls
Standard monitoring tools track latency, errors, and throughput — but AI workloads produce a different class of signal that these tools are not designed to capture.
Critical AI-specific signals that standard APM misses include:
Security professionals increasingly recognize that agentic AI and autonomous systems present significant attack vectors. You can't defend against what you can't see.
AI observability requires a distinct set of metrics covering both security signals and operational health — standard infrastructure metrics alone are insufficient.
Enhanced AI visibility simultaneously detects security threats and prevents runaway costs — the same signals that indicate an attack often indicate a budget problem.
Security Detection
Cost Control
According to IBM's 2025 Cost of a Data Breach Report, the global average cost of a data breach fell 9% to $4.44 million — but US-specific costs rose 9% to a record $10.22 million, driven by increased regulatory fines. Faster identification and containment, enabled by better observability, directly impacts where your organization lands in that range.
Without end-to-end tracing, a single AI request that spans multiple services becomes impossible to debug — and during a breach, impossible to investigate before damage is done.
A typical AI request flow touches multiple layers:
Without correlation IDs linking each step, tracing a single session across dozens of services becomes extremely difficult — potentially allowing attackers to complete data exfiltration before patterns emerge.
[Kong's AI-specific analytics via Konnect](https://konghq.com/products/kong-konnect/features/api-observability)Kong's AI-specific analytics via Konnect provide token usage dashboards, LLM performance metrics, anomaly detection alerts, cost allocation reports, and security incident correlation — all in a single control plane.
RAG pipelines and MCP servers dramatically increase internal service communication — each introducing new endpoints, retrieval paths, and autonomous agent actions that fall outside traditional API security coverage.
RAG (Retrieval-Augmented Generation)
MCP (Model Context Protocol)
Security research highlights the risk of malicious actors impersonating trusted tools or injecting poisoned prompt templates that silently alter agent behavior — a supply chain vulnerability that remains a significant challenge for many organizations.
Every RAG endpoint requires the same authentication and authorization controls applied to external APIs — unauthenticated retrieval paths are an exploitable boundary between user input and sensitive document stores.
Authentication Requirements
Authorization Controls
Data Protection
MCP tools are API endpoints — they expose internal capabilities to autonomous agents and must be governed with the same authentication, rate limiting, and audit controls applied to any external-facing API.
yaml
mcpPolicy:
name: agent-tool-access
tools:
- name: check-inventory
auth: jwt
rate_limit: 100/minute
allowed_agents: [customer-service]
- name: process-refund
auth: mtls
rate_limit: 10/minute
allowed_agents: [customer-service]
audit: enhanced
- name: send-notification
auth: oauth2
rate_limit: 1000/hour
allowed_agents: [all]
"The more powerful your AI agent, the more disciplined your control plane needs to be."
Kong AI Gateway secures both RAG pipelines and MCP servers through a single control plane — converting existing APIs into governed MCP tools and applying retrieval policies once across all AI applications.
Auto-generate secure MCP servers
Central RAG pipeline governance
yaml
ragPolicy:
name: finance-kb-access
vectorDb: kong-vectordb-sg
allowedCollections:
- quarterly-reports
- product-disclosures
maxTokens: 4096
piiRedaction: enabled
Apply once. Reuse across all AI applications.
The AI revolution doesn't require abandoning proven security principles. It demands extending them to address new challenges.
As of mid-2025, these five practices represent the current best-practice consensus for AI-era microservices security. The threats are real and growing, with security research continuing to identify new prompt injection patterns and attack techniques that bypass existing defenses.
But so are the defenses. By implementing zero-trust architecture, centralizing policy enforcement, protecting against prompt injection, extending observability, and securing advanced AI patterns, organizations build resilient systems that capture AI's benefits while managing its risks.
Remember: AI spotlights where existing security is incomplete, not invalid. Organizations that recognize this distinction and act on it will thrive in the AI era.
Ready to secure your AI-augmented microservices at scale? Kong's unified API platform provides the comprehensive foundation you need.
[Request a Demo](https://konghq.com/contact-sales)Request a Demo to see Kong in action.
Explore our solutions:
What is zero-trust architecture and why does it matter for AI microservices? Zero-trust is a security model that requires every request, connection, and interaction to verify its identity and authorization — no implicit trust is granted based on network location. For AI microservices, this is critical because AI agents act as autonomous clients that make independent decisions, access multiple services rapidly, and are vulnerable to prompt injection. Without zero-trust, a single compromised agent can move laterally across your entire infrastructure.
What is prompt injection and why can't traditional security tools stop it? Prompt injection is an attack where malicious input manipulates an LLM into overriding its instructions, disclosing sensitive data, or executing unintended actions. OWASP ranks it as the top critical vulnerability for LLM applications in 2025. Traditional security tools operate at the protocol layer — they validate authentication and log requests, but cannot inspect the semantic content of a prompt, making these attacks invisible to standard tooling.
How is AI traffic different from regular API traffic? Functionally, it isn't — and that's the point. AI traffic is API communication and should be governed with the same controls: authentication, rate limiting, audit logging, and access control. The difference is that AI traffic introduces additional signals to monitor, such as token consumption, prompt patterns, and model routing behavior, and additional attack vectors like context poisoning and semantic manipulation.
What is mTLS and when should it be used in AI infrastructure? Mutual TLS (mTLS) is a protocol where both the client and server authenticate each other with certificates before exchanging data. Unlike standard TLS, which only authenticates the server, mTLS provides bidirectional identity verification. It should be used for all east-west (service-to-service) traffic in AI infrastructure — particularly between LLM endpoints, vector databases, and internal APIs.
What is a RAG pipeline and what are its security risks? Retrieval-Augmented Generation (RAG) is a pattern where an LLM queries external knowledge sources — typically vector databases — to supplement its responses with relevant context. Each retrieval introduces an unauthenticated boundary between user input and sensitive documents. Security risks include context poisoning (injecting false data into retrievals), unauthorized document access through insufficient authorization controls, and PII exposure through unredacted embeddings.
What is MCP and why does it need API-level governance? Model Context Protocol (MCP) is a standard that allows AI agents to autonomously discover and invoke internal tools. Each tool is an API endpoint exposed to an agent that can chain multiple tools together and execute actions without human oversight. Without governance, MCP tools become uncontrolled access points into internal systems — requiring the same authentication, rate limiting, and audit controls as any external-facing API.
Why is traditional APM insufficient for AI workloads? Standard application performance monitoring tracks latency, errors, and throughput. AI workloads generate a different class of signal: token consumption anomalies, abnormal prompt sequences, agent concurrency patterns, and model routing behavior. These signals indicate both security threats and runaway costs, but are invisible to tools not designed to capture them.
How should organizations handle PII in AI pipelines? PII protection must be applied at both the input and output layer. Pre-processing should detect and mask sensitive data — credit card numbers, SSNs, emails — before prompts reach the model. Post-processing should scan generated responses for leaked PII and block any output containing sensitive patterns. For organizations in APAC, this is also a regulatory requirement under frameworks such as Australia's Privacy Act 1988 and Japan's APPI.
What credentials should AI agents use, and how long should they be valid? Each AI agent should have a unique service account with a cryptographic identity and scoped permissions limited to its actual operational requirements. Credentials should be short-lived — 15 to 30 minutes maximum — and automatically rotate. This limits the blast radius of a compromised agent identity.
What does a unified control plane provide that separate security tools don't? A unified control plane enforces the same policies, logging, and rules engine across all traffic types from a single location. Separate tools create inconsistent enforcement, multiple dashboards with no shared visibility, and exploitable gaps between teams. A unified approach means the same authentication, rate limiting, and audit controls apply whether traffic is coming from a human, a microservice, or an AI agent.
The Anatomy of Architectural Complexity Modern architectures now juggle three distinct traffic patterns. Each brings unique demands. Traditional approaches treat them separately. This separation creates unnecessary complexity. North-South API Traf
[](https://konghq.com/blog/enterprise/microservices-to-ai-traffic-kong-as-the-unified-control-plane)
Claude Code is Anthropic's agentic coding and agent harness tool. Unlike traditional code-completion assistants that suggest the next line in an editor, Claude Code operates as an autonomous agent that reads entire codebases, edits files across mult
[](https://konghq.com/blog/engineering/claude-code-governance-with-an-ai-gateway)
Why Risk Management Will Separate Agentic AI Winners from Agentic AI Casualties Let's be honest about what's happening inside most enterprises right now. Development teams are under intense pressure to ship AI features. The mandate from leadership
[](https://konghq.com/blog/enterprise/agentic-ai-governance-managing-shadow-ai-risk)
MCP servers expose all tools by default. There are two problems with this: security (agents get capabilities they shouldn't have) and performance (too many tools degrade LLM tool selection). The solution? Put a gateway between agents and MCP server
[](https://konghq.com/blog/engineering/mcp-tool-governance-security-meets-context-efficiency)
Executive Summary AI adoption has moved past the "honeymoon phase" and into the "operational chaos" phase. As enterprises juggle multiple LLM providers, skyrocketing token costs, and "Shadow AI" usage, the need for a centralized control plane has be
[](https://konghq.com/blog/enterprise/ai-gateways-for-scalable-ai-connectivity)
Introduction to OWASP Top 10 for LLM Applications 2025 The OWASP Top 10 for LLM Applications 2025 represents a significant evolution in AI security guidance, reflecting the rapid maturation of enterprise AI deployments over the past year. The key up
[](https://konghq.com/blog/engineering/owasp-top-10-ai-and-llm-guide)
Imagine you have a single Service, order-api . You want to apply a strict rate limit to most traffic, but you want to bypass that limit—or apply a different one—if the request contains a specific X-App-Priority: High header. Previously, you had t
[](https://konghq.com/blog/engineering/conditional-policy-execution)