Unity Catalog adds Unity AI Gateway and runtime policies to govern AI agents

Unity Catalog has been extended to govern the full set of assets AI systems touch: Large language models (LLMs), agent toolchains, skills, and external MCP servers, by introducing an enforcement fabric called Unity AI Gateway. Every model call, tool invocation and agent interaction is routed through the gateway so requests can be evaluated and logged against policies before they run-an arrangement meant to enforce controls at runtime rather than only at design time.

The extension builds on the catalog’s existing data governance foundation, which has provided a single permissions model, unified lineage and a consistent audit trail since 2021. The announcement says that same infrastructure will now cover agentic assets, bringing runtime visibility and controls to components that previously escaped traditional governance tooling. Identity and accountability are handled end-to-end: agents inherit the invoking user’s permissions in real time via on-behalf-of token passing, and actions are recorded against both the real user and the agent that acted on their behalf. That dual logging is intended to preserve traceability for audits and incident response while allowing agents to act under delegated authority.

To govern external integrations, teams register MCP servers — examples named in the announcement include GitHub, Jira and Slack — in the catalog and treat them as securable resources. Registered MCPs gain catalog — managed permissions, credential management and audit logging so external tool access is visible and controllable from the same governance plane as internal data. The update also introduces Service Policies: catalog — managed functions attached to registered MCPs that control which specific tool calls may succeed and that evaluate tool calls before execution. Service Policies can be authored to block dangerous operations (for example, preventing deletions or merges) or to enforce other runtime constraints on tool behavior.

The change addresses a fundamental governance trade — off for enterprises: ungoverned agent proliferation increases data-exposure risk, while blanket lockdowns slow development and push talent away. The announcement argues that traditional governance tools lack the visibility needed to follow autonomous, multi — step agent behavior and therefore cannot reliably enforce who accessed what at runtime.

For builders, the practical steps are clear: route agent traffic through Unity AI Gateway, register external MCP servers in the catalog, and author Service Policies to limit operations and evaluate tool calls at runtime. Combined runtime evaluation and unified logging capture which tables and rows were accessed, which operations ran and when-information intended to support audits, containment of blast radii and safer, scalable agent deployment.