Tetrate and Ory have partnered to secure AI agents in production. The joint offering is available now.
The arrangement combines Ory's identity and authorisation software with Tetrate Agent Router Enterprise, which sits at the gateway layer where AI agents call models, tools and internal services. It is designed to apply policy checks not only to whether an agent can access a tool, but also to the specific parameters used in each request.
The companies say this addresses a gap in many Model Context Protocol, or MCP, runtimes, which often focus on tool visibility or basic access rights. Under the joint setup, policy is enforced on live requests at runtime as an agent attempts to carry out an action.
If a request passes a defined risk threshold, the system can pause the action and hand it to Ory for authentication and approval. The process can then grant short-lived elevated access and create an audit trail showing how approval was given.
Ory's role centres on identity and authorisation. It treats AI agents as identities in their own right, while Ory Hydra manages OAuth2 and OpenID Connect token flows and Ory Keto applies least-privilege access rules.
Tetrate enforces those decisions when the agent interacts with models, MCP tools and enterprise services. This includes parameter-level controls, allowing policies to account for the content and risk of individual requests rather than relying on broad allow lists.
The partnership grew out of an existing customer relationship. Ory had used Tetrate Enterprise Gateway for Envoy to support the infrastructure behind its identity and customer identity platform, and says the move reduced resource use by 40 per cent while improving operations and observability.
Runtime controls
The companies are positioning the joint setup as a response to the changing risk profile of enterprise AI deployments. As businesses move AI agents beyond pilot projects into operational roles, they face questions around agent identity, broad permissions, unsafe access to tools, data exposure and the strength of runtime controls.
The design separates security into two layers. Ory makes the access decision at the resource level, while Tetrate enforces it on the traffic path where the request is made.
That split is intended to support cases where the sensitivity of an action depends on the details of a request. Examples include customer refunds above a set amount, higher-value financial transfers, access to sensitive health records, government disbursements, production IT changes and requests involving personnel data.
In each case, a routine action could proceed within policy, while a higher-risk action could trigger step-up authorisation. The decision would be based not just on the tool being used, but on request details such as amount, destination, data sensitivity or the likely impact of a change.
David Wang, Head of Product Management at Tetrate, said the focus is on how agents use tools rather than simple access rights. "The challenge with AI agents isn't just controlling which tools they can access-it's controlling how they use those tools," Wang said.
"Tetrate Agent Router Enterprise enforces fine-grained authorization on MCP tool invocations down to the parameter level, based on policies defined in Ory, and does so through a globally distributed Envoy-based gateway layer. That gives enterprises the precision, scale and control that production deployments demand," he said.
Envoy base
The technology is built on Envoy AI Gateway, the open source traffic management project that underpins Tetrate's software. Tetrate says the same Envoy-based foundation Ory already uses in its own infrastructure now supports its move into AI agent security.
The setup is aimed at organisations that need central policy enforcement across multiple providers, regions and environments. It also includes visibility and auditability, with monitoring of agent behaviour, privilege changes and policy enforcement activity.
Jeff Kukowski, Chief Executive Officer at Ory, said the partnership reflects the need to treat AI agents as governed actors inside enterprise systems. "AI agents must be treated as first-class identities with explicit authentication, authorization and governance," Kukowski said.
"Together with Tetrate, Ory is helping enterprises secure AI agent deployments end to end, from identity and access decisions to runtime enforcement and policy control," he said.
Ory says it manages more than 2.5 billion identities across open source and commercial deployments, while Tetrate has focused on traffic management and governance using Envoy. The partnership brings those areas together as enterprises test how far AI agents can be trusted with operational tasks.