← Blog

DeepInspect vs Gloo AI Gateway: The Product Is Now agentgateway, and Here Is What Changed

Solo.io announced Gloo AI Gateway in July 2024. It no longer exists under that name. Solo.io donated Gloo Gateway to the CNCF as kgateway, launched agentgateway in April 2025, contributed agentgateway to the Linux Foundation in August 2025, and removed Gloo from its product line entirely. The Gloo AI Gateway page now redirects to agentgateway. This piece covers what the product actually is today, what it enforces, and where a regulated workload still needs a second layer.

ByParminder Singh· Founder & CEO, DeepInspect Inc.
Comparisons & Alternativesai-gatewaycomparisonagentic-aikubernetesarchitectureaudit
DeepInspect vs Gloo AI Gateway: The Product Is Now agentgateway, and Here Is What Changed

If you are evaluating Gloo AI Gateway, the first thing to know is that Solo.io stopped shipping it under that name. The solo.io/products/gloo-ai-gateway URL now redirects to agentgateway, and Solo.io's product menu lists no Gloo product at all. The Solo Enterprise for kgateway 2.1 release notes state it directly: starting in 2.1, Gloo Gateway is renamed to Solo Enterprise for kgateway, and the update removes Gloo from all resources including Kubernetes CRDs and Helm charts.

That is a lot of churn to track, so here is the sequence, because getting it wrong produces an inaccurate comparison.

What actually happened to Gloo AI Gateway

  • July 2024. Solo.io announces Gloo AI Gateway, built on Gloo Gateway, which is Envoy-based and Kubernetes Gateway API-native. Features: credential management, fine-grained authorization across LLMs, model exfiltration protection, prompt guarding, RAG integration.
  • November 2024, KubeCon NA. Solo.io donates Gloo Gateway open source to the CNCF. The project is renamed kgateway. Version 2.0.0 lands April 1, 2025.
  • April 2025. Solo.io launches agentgateway, written in Rust, Apache 2.0.
  • August 25, 2025. Solo.io contributes agentgateway to the Linux Foundation, not the CNCF. Contributors and backers now include AWS, Cisco, Huawei, Microsoft, Red Hat, Akamai, T-Mobile, Dell, and CoreWeave.
  • Today. The open-source project is agentgateway. The commercial product is Solo Enterprise for agentgateway, at 2.2.x. Gloo is gone from the branding.

The one distinction worth holding onto: kgateway went to the CNCF, agentgateway went to the Linux Foundation. Solo.io's own product page shows both badges in a rotating carousel, which does not help.

TL;DR

The product formerly called Gloo AI Gateway is now agentgateway: a Rust data plane purpose-built for agent traffic, with native MCP OAuth 2.1, tool-level RBAC, secure token exchange, A2A federation, denial-of-wallet budget controls, and inline guardrails. Its identity model is oriented to agents and tools. DeepInspect binds the natural person behind the agent, classifies prompt content against regulated data taxonomies, and commits a signed per-decision audit record. In a regulated agent deployment both run.

agentgateway: what it is and where it sits

It is the most agent-native gateway in the category, and that framing is deliberate on Solo.io's part. What it does:

  • LLM gateway. One OpenAI-compatible endpoint across OpenAI, Anthropic, Azure, Gemini, and self-hosted models, so a model swap requires no code change.
  • Centralized provider-key storage with enterprise IAM integration and fine-grained access control, which addresses the API-key-sprawl problem directly.
  • Request and token-based rate limits, budget and spend caps with denial-of-wallet protection, per-model cost attribution.
  • MCP gateway. Native MCP OAuth 2.1, tool-level RBAC, secure token exchange, global rate limits across every MCP server, shadow-MCP sandboxing that validates and observes backend URLs an MCP server dynamically requests, and OpenAPI-spec-to-MCP-tools bridging.
  • A2A federation for cross-boundary agent discovery and collaboration under Google's Agent2Agent protocol.
  • Inline guardrails on prompts and responses, with custom semantic rules to block prompt attacks and data leaks.
  • Model failover optimizing for price, performance, or availability.
  • Inference gateway features: llm-d integration, Gateway API Inference Extension, prefill and decode disaggregation, priority scheduling, context-aware routing to fine-tuned variants.
  • Observability through OpenTelemetry with OpenInference, full agent-to-tool-to-LLM call-chain traces, and Langfuse integration.

The MCP and A2A work is the strongest part. Shadow-MCP sandboxing in particular is a control I have not seen elsewhere, and tool-level RBAC with secure token exchange is the right shape for the confused-deputy problem I covered in MCP confused deputy attack.

What DeepInspect is and where it sits

DeepInspect is a stateless proxy at the AI request boundary between authenticated users or agents and any HTTP LLM endpoint or remote MCP server. It evaluates identity-bound policy per request, classifies prompt content against the regulated data types the organization recognizes, and commits a per-decision audit record with cryptographic integrity. Deterministic, fail-closed, model-agnostic.

Where the two separate

Whose identity. agentgateway does OAuth 2.1, JWT, and secure token exchange, and Solo.io markets agent identity as a first-class citizen, which is accurate. The identity model is oriented to agents and tools. What it lacks is a documented primitive binding a verified natural person to a specific model call, which is the same gap A2A leaves by design: the A2A specification states that JSON-RPC payloads carry no user or client identity, and authentication is delegated to the HTTP layer. An agent's token proves the agent. It does not carry the human whose authority the agent is exercising six hops back.

Data classification. agentgateway has guardrails with custom semantic rules that can block prompt attacks and data leaks. It documents no PII, PHI, or MNPI classification taxonomy. A semantic rule you write is a rule you wrote. A regulated classification taxonomy is a body of detection logic for categories a compliance regime defines.

The audit record, and here I want to be careful. Solo.io's agentgateway product page claims "cryptographic audit trails" under Security and Identity. I could not find a specification of that mechanism anywhere in the technical documentation, and the claim appears in marketing copy rather than in the docs. So I will state it as it stands: Solo.io markets cryptographic audit trails, and the technical documentation does not specify how they work. Anyone evaluating agentgateway for a regulated workload should ask Solo.io directly what is signed, with what key, and whether the record can be produced by the enterprise independently of the gateway that wrote it. That is a fair question and they may well have a good answer.

Feature comparison

| Capability | agentgateway (formerly Gloo AI Gateway) | DeepInspect | |---|---|---| | Multi-provider LLM routing | Yes | Forwards to a configured upstream | | Model failover on price, latency, availability | Yes | Out of scope | | Provider key centralization | Yes, with enterprise IAM | Holds no long-lived provider keys | | Denial-of-wallet budget controls | Yes | Out of scope | | MCP OAuth 2.1 | Yes, native | Policy on MCP calls | | Tool-level RBAC | Yes | Yes, identity-bound | | Shadow-MCP sandboxing | Yes | Out of scope | | A2A federation | Yes | Policy on A2A HTTP traffic | | Inline guardrails | Yes, custom semantic rules | Yes, policy-driven | | Identity on the model call | Agent and tool identity | Natural person from the identity provider | | PII, PHI, MNPI classification | No documented taxonomy | Yes | | Per-decision signed audit record | Marketed as cryptographic; mechanism unspecified in docs | Yes, specified and signed | | Write-path independence from the application | Not documented | Yes, by design | | License | Apache 2.0 (Linux Foundation); Solo Enterprise commercial | Commercial |

Pick agentgateway if

Pick agentgateway if the deployment is agent-heavy and MCP-heavy, because it is purpose-built for that traffic and nothing else in the open-source field matches its MCP feature depth. Pick it if you need A2A federation across organizational boundaries. Pick it if denial-of-wallet is a live concern, since budget caps with per-model cost attribution is a control most gateways skip. Pick it if you want an Apache 2.0 Linux Foundation project with AWS, Cisco, Microsoft, and Red Hat contributing. And pick it if provider-key sprawl across teams is the problem you are actually solving.

Pick DeepInspect if

Pick DeepInspect if the audit record has to name the human whose authority the agent is exercising, rather than the agent's own token. Pick it if the classification requirement is a defined regulatory taxonomy across PHI or MNPI rather than semantic rules you author yourself. Pick it if a reviewer needs a specified, documented signing mechanism and a write path the application cannot suppress. And pick it if the EU AI Act, HIPAA, or DORA applies and the evidence has to survive an examiner's questions about its integrity.

Composition in production

[@portabletext/react] Unknown block type "code", specify a component for it in the `components.types` prop

DeepInspect resolves the originating natural person, classifies the payload, applies the per-route policy, and commits the signed record. agentgateway then does MCP OAuth 2.1, applies tool-level RBAC, enforces the budget cap, and routes. Every agentgateway control keeps working. What gets added in front is the human principal, carried across the delegation chain that neither MCP nor A2A carries for you, and an evidence record independent of the data plane that produced the traffic.

Pricing approach

agentgateway open source is Apache 2.0 and free, installable as a single binary or on Kubernetes. Solo Enterprise for agentgateway is commercial, self-hosted through Helm with a license key, and Solo.io does not publish pricing; solo.io/pricing routes to contact sales. DeepInspect is likewise priced through sales conversation. Both are enterprise procurement motions.

DeepInspect

This is the gap DeepInspect closes. agentgateway governs the agent's traffic. DeepInspect governs the human authority the agent is acting under, and produces the record that proves it.

Every request carries the natural-person identity the application supplies, the delegation depth, the data classification of the payload, and the policy version active at that instant. The per-decision audit record is signed, bound to the originating principal rather than to the agent's service credential, and committed before the response returns, on a write path the application never touches. When an agent chain runs six deep and something goes wrong, the record answers who authorized this, under which policy, at what moment, with what outcome, at every hop. That is the action lineage requirement, and it is what an EU AI Act Article 12 reviewer is asking for when they ask which natural person was involved.

If you are running agentgateway against regulated data with the August 2, 2026 deadline ahead, let's talk today.

Frequently asked questions

Does Gloo AI Gateway still exist?

Not under that name. Solo.io announced Gloo AI Gateway in July 2024, donated Gloo Gateway to the CNCF as kgateway in November 2024, launched agentgateway in April 2025, and contributed agentgateway to the Linux Foundation in August 2025. The Solo Enterprise for kgateway 2.1 release notes state that Gloo is being removed from all resources including CRDs and Helm charts, and the solo.io/products/gloo-ai-gateway URL now redirects to the agentgateway product page. If a vendor comparison you are reading still treats Gloo AI Gateway as a current product, it predates the rename.

What is agentgateway?

A Rust data plane, Apache 2.0, hosted by the Linux Foundation, purpose-built for agent traffic. It gives one OpenAI-compatible endpoint across providers, centralizes provider keys with enterprise IAM integration, enforces token and budget limits with denial-of-wallet protection, and ships a deep MCP feature set: native MCP OAuth 2.1, tool-level RBAC, secure token exchange, global rate limits across servers, and shadow-MCP sandboxing. It also supports A2A federation. Backers include AWS, Cisco, Microsoft, Red Hat, and Huawei.

Did agentgateway go to the CNCF or the Linux Foundation?

The Linux Foundation, in August 2025. The confusion is understandable because Solo.io also donated a different project, Gloo Gateway, to the CNCF in November 2024, where it became kgateway. Solo.io's own agentgateway product page shows both a Linux Foundation and a CNCF badge in a rotating carousel, which compounds the problem. The authoritative sources put agentgateway at the Linux Foundation and kgateway at the CNCF.

Does agentgateway produce signed audit records?

Solo.io's product page claims cryptographic audit trails under its Security and Identity heading. The technical documentation does not specify the mechanism, and the claim appears in marketing copy rather than in the docs. I am not going to assert either that it does or that it does not. If this matters to your deployment, ask Solo.io three questions directly: what exactly is signed, with what key and under whose custody, and can the enterprise verify the record independently of the gateway that wrote it. The answers determine whether the record is evidence or telemetry.

How is DeepInspect different from agentgateway?

agentgateway is agent traffic infrastructure: provider routing, key custody, budget caps, MCP OAuth, tool RBAC, A2A federation. Its identity model treats agents and tools as first-class. DeepInspect is a policy decision point whose identity model treats the natural person as first-class: it evaluates whether the human whose authority an agent is exercising is permitted to make this call with this data, and commits a signed record of that decision on a write path the application cannot reach. The overlap is that both sit inline. The difference is whose identity is in the record.

Can I run both?

Yes, and for a regulated agent deployment it is the sensible topology. The agent calls DeepInspect, which binds the originating human principal, classifies the payload, applies policy, and commits the signed record. DeepInspect forwards the cleared request to agentgateway, which handles MCP OAuth, tool-level RBAC, budget enforcement, and provider routing. Nothing in agentgateway is displaced. What is added is the human principal at the front of the delegation chain and the evidence record outside the data plane.