# Governance across the AI Data Path: Enforce Zero-Trust API Security with Kong

Zero-trust is the essential security model** **for the AI era. As organizations transition to agentic architectures, AI agents autonomously invoke tools and trigger service-to-service workflows, creating complex data paths that can bypass traditional oversight. Zero-trust offers the right framework: every caller proves who it is, policy is enforced at every hop, and nothing is implicitly trusted.

In this session, we demonstrate how to develop and enforce consistent security policies across the entire AI lifecycle. We'll walk through a real request as it traverses the full AI data path — and show identity-based policy enforcement at every hop. You’ll experience a unified identity chain in action: from OIDC user authentication and AI Gateway routing (with token limits and prompt guards) to MCP-based tool invocation and secure east-west mesh communication via mTLS and OPA—all in a single trace.

If you're responsible for API security, platform engineering, or architecture — and you need a repeatable model for enforcing API security across gateways, AI workloads, and service meshes — this session is built to be immediately actionable.

**Key Takeaways:**

1. - **Unified Governance Across the Stack:** Move beyond edge security to a "continuous enforcement" model. Use Kong to apply identity-based access (OIDC/mTLS) at the API Gateway, AI Gateway, Event Gateway, and Service Mesh layers.
2. - **Policy Enforcement, Not Friction:** Design granular and automated policies for routes, tools, and services that can be seamlessly implemented as APIs, agents, and teams scale.
3. - **End-to-End Visibility & Control:** Apply practical, repeatable patterns to enforce security from north-south ingress through east-west service communication — covering LLM access, tool invocation, and service-to-service calls in a single policy model.