Palo Alto Networks Is Building a Tollbooth for Every AI Transaction

Enterprises already use AI gateways to meter token costs and manage model failover. Palo Alto Networks is acquiring Portkey because metering is now the same problem as security, and the perimeter is no longer where security lives.

2T+ Tokens processed per day (unaudited, Portkey-supplied, as of Mar. 2026)
1,600+ LLMs accessible via unified interface (unaudited, vendor-supplied)
99.99% Stated uptime target for autonomous workloads

Portkey started as a cost management tool. Developers used it to track token spend across model providers, route traffic when one provider went down, and keep engineers from accidentally burning through budgets. That is metering. Metering is an engineering problem. Then autonomous agents arrived, and the thing sitting between an enterprise's systems and every large language model on the internet stopped being a convenience layer. It became the only point where anyone could see what the agent was doing, enforce what it was allowed to do, and stop it if something went wrong. Palo Alto Networks is acquiring Portkey because metering infrastructure is now security infrastructure, and security teams do not yet own it.

The perimeter assumption is what breaks here. Traditional enterprise security drew a line around the network and defended it. Agents do not respect that line. They call external model providers, reach into internal systems through Model Context Protocol servers, and execute actions across both without a human in the loop. The threat surface is not at the edge anymore. It is inside every token an agent sends. The gateway, which developers built to watch costs, turns out to be the only place where you can watch everything else too.

The Functions Are the Same. The Stakes Changed.

Cost quotas are access controls. Audit logs are forensic records. Failover routing determines which model provider gets your enterprise data when the primary is unavailable. Semantic caching means the gateway knows what your agents have been asking about. Every function Portkey built for developer productivity has a direct security interpretation. Palo Alto Networks did not need to rebuild the product. It needed to rebrand the customer and reframe the urgency.

Portkey was processing over two trillion tokens a day across roughly 24,000 organizations before this deal. That scale exists because developers chose it to save money and reduce friction. None of those 24,000 organizations thought they were buying a security product. They were. They just did not have a security team enforcing it.

Why Latency Is the Constraint

Human-facing applications tolerate seconds of delay. Autonomous agents running multi-step workflows do not. A security layer that slows agentic pipelines will be routed around in production. Portkey's architecture adds sub-millisecond overhead. That is the minimum bar for a gateway that wants to stay in the critical path when security makes it mandatory.

Two Deals. One Argument About Where the Perimeter Went.

Two weeks before the Portkey announcement, Palo Alto Networks closed the Koi acquisition. Koi watches the endpoint: what AI tools are installed, what non-binary software an agent is running, policy enforcement on things conventional endpoint detection was never designed to see. Portkey watches the token layer: every call an agent makes outbound to a model, every response that comes back. The Koi deal closed April 14. The Portkey announcement came April 30.

"As autonomous agents join the enterprise workforce, they also become a new, unmanaged attack surface."

Lee Klarich, Palo Alto Networks' chief product and technology officer, called agents an unmanaged attack surface. The word unmanaged is doing the work. Security teams have no inventory of what their agents are calling, what data is in those calls, or what the agents did with the response. The perimeter model assumed threats came from outside. Agents are inside, with credentials, executing at machine speed, calling outward to infrastructure the enterprise does not control. The gateway travels with the agent. The perimeter does not.

The Gateway Market Was Built for Cost, Not Control

Open-source options like LiteLLM and managed services from Cloudflare and Kong gave developers what they needed: unified model access, basic routing, and cost visibility. Those are solved problems for the teams using them. They were not designed to answer the question security teams now need answered: what did that agent send, to whom, and did anyone authorize it.

Palo Alto Networks is not competing on features. It is arguing the gateway belongs to a different buyer. That argument has a complication worth noting: Portkey's core gateway is open source. An enterprise can self-host it today without a Palo Alto Networks contract. The enforcement leverage depends entirely on whether Prisma AIRS integration is valuable enough on its own terms to pull security teams in. That is a product and sales execution question, not a technology one.

The Fight Is Over Who Owns the Gateway, Not Whether It Exists

Every enterprise running agents at scale will have a gateway. The question is whether engineering owns it or security owns it. Palo Alto Networks is betting on security. Its platformization argument, that customers consolidate point security products onto fewer platforms, only works here if security teams successfully claim the gateway as their infrastructure rather than a developer utility.

Portkey's existing customers chose it as a developer tool. Some will accept the repositioning. Some will self-host the open-source version and stay outside the Prisma AIRS umbrella. Palo Alto Networks committed to keeping Portkey running as a standalone product while the Prisma AIRS integration matures, the same approach it used with Koi. CrowdStrike, Microsoft, and SentinelOne will each make their own claim on agentic governance before the year is out.

MCP Is Where the Perimeter Argument Gets Concrete

Model Context Protocol is the mechanism by which agents reach inside enterprise systems: databases, calendars, code repositories, customer records. It is also where the perimeter assumption fully collapses. An agent with MCP access is not calling an external model. It is operating inside the enterprise, with credentials, at machine speed, through a protocol most security teams have never audited.

Portkey's MCP gateway handles authentication, access control, and a full log of every tool call an agent makes through any MCP server. Cloudflare is building MCP governance at the network edge. These are different control points. Cloudflare controls the pipe. Portkey controls what the agent is permitted to do inside the systems the pipe connects to. Inside Prisma AIRS, that governance becomes something a security team can mandate rather than something a developer team opts into. The category is not settled. This deal is Palo Alto Networks' attempt to settle it.

Viability Question

Portkey's 24,000 existing organizations adopted the gateway to manage costs. Palo Alto Networks needs enough of them to accept it as a security requirement instead. That is a category transition, not a product upgrade, and category transitions fail as often as they succeed. The deal closes in Palo Alto Networks' fourth fiscal quarter of 2026. Between now and then, every other security vendor in the agentic space will publish a competing answer.

The question worth asking your security leadership now: does your team currently know what data your agents are sending outside the perimeter, and who approved it? If not, the perimeter you are defending no longer exists where you think it does.

Disclaimer: This blog reflects my personal views only. Content does not represent the views of my employer, Info-Tech Research Group. AI tools may have been used for brevity, structure, or research support. Please independently verify any information before relying on it.