- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2 hours ago
What is AI Gateway?
AI Gateway is ServiceNow's centralized control point for governing, securing, and observing cross-platform AI agent operations. It sits between your agent builder applications and the external resources they connect to, intercepting all Model Context Protocol (MCP) traffic to enforce policies, authenticate requests, and capture usage data — without requiring any code changes or developer training.
As organizations build AI agents across platforms like ServiceNow AI Agent Studio, Microsoft Copilot Studio, and others, managing those connections securely and consistently becomes a significant challenge. AI Gateway addresses that challenge by providing a single governance layer that spans every MCP connection, regardless of which agent builder created it.
The AI Gateway Implementation Guide walks you through everything you need to configure and operate AI Gateway — from prerequisites and initial setup, to approval workflows, security controls, and ongoing observability. This article introduces each section of the guide so you know exactly what to expect and where to go for the answers you need.
In this article:
✓ Setup overview, release compatibility, and prerequisites
✓ Step 1: MCP Server intake — four methods (1A–1D)
✓ Step 2: Client registration and OAuth 2.1 authentication
✓ Step 3: AI Steward approval workflow and lifecycle states
✓ Step 4: Gateway URL assignment and how proxying works
✓ Security controls — Pause and PII Vault Service integration
✓ Observability — usage, latency, and connection health metrics
✓ Using approved MCP Servers in agent development
📖 Key Terms
MCP Server: An external resource (such as Slack, GitHub, or PayPal) that exposes tools and capabilities to AI agents via the Model Context Protocol.
AI Gateway: The ServiceNow-hosted proxy layer that intercepts all MCP traffic between agents and external servers, enabling centralized governance, security, and observability.
Gateway URL: The ServiceNow-hosted endpoint that agents connect to instead of connecting directly to an MCP Server — all traffic flows through this URL.
AI Steward: The role responsible for reviewing, approving, and governing MCP Servers through Asset Approval Playbooks.
CIMD: Client Identity Metadata Document — a standardized OAuth client descriptor used by Q1 2026 automated client registration to configure 10+ agent platforms automatically.
⚙️ Setup Overview, Release Compatibility & Prerequisites
The guide opens with a concise orientation to AI Gateway's purpose and architecture, then moves directly into what you need before you start. You will find release compatibility tables, required plugin versions, and the role assignments needed to proceed.
Plugin quick reference
AI Gateway is automatically installed with the AI Control Tower Core plugin (sn_awh_config). You will also need sn_ai_governance v5.0.6+ and sn_telemetry_data v1.1.10+.
Release compatibility at a glance
Q4 2025 MVP requires Zurich Patch 4 or later. The Q1 2026 release (March 2026) targets the Xanadu release family and adds PII Vault Service integration, Anthropic catalog browsing, and automated client registration.
🔄 The Setup Process — Steps 1 Through 4
The core of the implementation guide walks you through four sequential steps. The sections below preview what each step covers so you know where to go when you're in it.
The guide covers four methods for registering an MCP Server with AI Gateway. The right method depends on where the server was created and your platform version.
Method 1A — Automatic Discovery from AI Agent Studio (Q4 2025)
MCP Servers created in AI Agent Studio are automatically synced to AI Control Tower via an hourly batch job. No manual registration required — the server appears with a state of In Review.
Method 1B — Manual Registration of External MCP Servers (Q4 2025)
For MCP Servers not built in AI Agent Studio — including third-party services and external platforms. The guide walks through the full manual flow: server name, authentication type, and MCP Server URL entry, then proceeds to Step 2.
Method 1C — Anthropic MCP Catalog Integration Q1 2026
Browse and import vetted MCP Servers from Anthropic's community registry. The guide covers searching the integrated catalog, clicking Import to auto-populate server details, and submitting for AI Steward approval.
Method 1D — Direct Intake on AICT Q1 2026
An independent intake workflow through AI Control Tower — no longer dependent on AI Agent Studio. Supports scenarios where external agents (Microsoft Copilot Studio, Google Gemini) need to connect to ServiceNow-hosted MCP Servers.
Once an MCP Server is registered, clients (agent builder applications) must be configured to authenticate through AI Gateway. The guide covers the full guided OAuth 2.1 setup — Application Registry configuration, token lifespan settings (30-minute access token, 100-day refresh token), and attaching the client to the MCP Server record.
Automated Client Registration — Q1 2026
The guide also covers the Q1 2026 automated registration flow for 10+ platforms (Microsoft Copilot Studio, Claude for Desktop, AWS Bedrock, Google Vertex AI, and more). A single CIMD client URL triggers automatic configuration. One CIMD client can be reused across all MCP Servers on the same host, reducing credential sprawl.
AI Stewards use Asset Approval Playbooks to review and approve MCP Servers before they become available for agent use. The guide details each playbook stage — Review asset, Evaluate asset, Approve/Reject — and what information the AI Steward should check at each point.
MCP Server lifecycle states
In Review → Assess → Approved → Deployed → Deprecated (plus Disabled or Rejected where applicable). Each state transition and its effect on agent access is documented in this section.
Q1 2026: Enforcement in AI Agent Studio
Starting Q1 2026, Product Owners can only use approved servers within AI Agent Studio. Unapproved servers are hidden from dropdown menus. If an AI Steward pauses a server, it becomes immediately unavailable to all agents — no code changes required.
Once approved, AI Gateway assigns a Gateway URL to the MCP Server. The guide explains the proxy model clearly: agents connect to the Gateway URL; AI Gateway forwards all traffic to the actual MCP Server endpoint. Agents never connect directly to external servers.
Where to find the Gateway URL
Navigate to the approved MCP Server record in AI Control Tower → AI Gateway setup tab → AI Gateway MCP Server URL. The authentication and token endpoint URLs are also listed here for sharing with Product Owners.
🛡️ Security Controls
AI Stewards can instantly deactivate MCP Servers — individually or globally — to respond to suspicious activity, security incidents, or compliance violations. The guide covers the exact steps to Pause a server from AI Control Tower, confirms that enforcement is real-time (no code changes or deployments required), and describes the error clients receive when attempting to connect to a paused server.
Q1 2026 introduces automated sensitive data detection at the AI Gateway level, powered by ServiceNow's PII Vault Service. The guide explains how to activate per-MCP Server PII checking via the AI Gateway setup tab, and describes how the PII Vault Service intercepts traffic to detect and handle sensitive data before it passes to agents or external servers.
No code changes required
Activation is a single toggle on the MCP Server record. The guide covers configuration in AI Agent Hub, per-server activation, and compliance applicability (GDPR, HIPAA, CCPA).
📊 Observability & Monitoring
The Observability section explains where to find and how to interpret all three metric categories in AI Gateway. Each is covered with navigation steps, what the numbers mean, and how to act on them.
Usage metrics
Total calls per MCP Server, calls per tool, success rate, error rate, and time-series trend data — accessed from the KPIs & metrics tab on any MCP Server record.
Latency insights
P50, P90, and P95 response times, average latency per tool, and latency trends. The guide includes interpretation benchmarks for healthy versus degraded performance and guidance on when to investigate.
Connection health — Q1 2026
Client-level tracking of successful and failed connections, grouped by time period. Includes a step-by-step troubleshooting workflow: identify the client with a low success rate, review error codes, verify credentials, and re-test.
💡 Key takeaway: AI Gateway is a zero-code governance layer — every step in this guide, from intake to observability, is completed through AI Control Tower.
Ready to get started? Access the full implementation guide and additional resources below.
AI Gateway Product Documentation → | Community FAQ Article →
