Gartner just released a new Magic Quadrant, and it's forcing the industry to answer a tough question:
What does AI governance actually mean?
In the new MQ, Gartner formalized AI governance as a distinct enterprise buying category, and they project the market will be worth $1.4 trillion by 2030.
But we have to be precise about what this category does and does NOT include.
As outlined by Gartner, AI governance platforms are built for CISOs, compliance officers, legal teams, and risk functions. Their job is to manage things like dynamic risk scoring and compliance framework mapping (EU AI Act, NIST AI RMF, ISO 42001).
This is the "what" part of AI governance. But it doesn't cover the "how".
Gartner is explicit about this point: governance platforms do NOT enforce policy in isolation. They depend on something beneath them to make those decisions operational at runtime.
That's the "how" layer, where
@Kong lives. Applying AI governance at the traffic layer.
Rate limiting, access controls, prompt inspection, PII sanitization, content filtering, etc. This is the enforcement infra that makes governance decisions scalable.
It's like traffic law vs traffic lights.
You can set broad policies, but you need the traffic layer enforcement to make it actually work. A policy that says "no PII crosses this boundary" does nothing until something in the request path actually checks and enforces it.
So what is AI governance? It depends on who you are.
CISOs can focus on the "what" layer, while builders need to obsess over the "how". Orgs have to treat governance and AI connectivity as complementary infrastructure decisions. One layer defines the rules. The other makes them real.
Traffic law AND traffic lights.