Claude Code Governance: Securing Agent Access with an AI Gateway
Claude Code authenticates with a raw provider API key, reads entire repositories, runs shell commands, and calls external MCP tools from a single terminal session. When every developer installs it with the same key, the same model access, and the same unrestricted tool surface, a leaked credential or an over-scoped session becomes a security incident, not a billing footnote. Claude Code governance is the practice of placing identity, access control, and audit between the agent and the provider so that every request is attributable, scoped, and recoverable. Bifrost, the open-source AI gateway built in Go by Maxim AI, secures Claude Code agent access at the gateway layer with virtual keys, credential isolation, MCP tool filtering, guardrails, and audit logs. This post covers what securing agent access requires and how to configure it without changing how developers use Claude Code.
What Claude Code Governance Means for Security
Securing Claude Code agent access means routing every request through a control point that authenticates the caller, isolates the real provider credentials, restricts which models and tools the agent can reach, and records each action in an immutable log. An AI gateway provides that control point without modifying the Claude Code client.
The security case is well documented. The OWASP Top 10 for LLM Applications lists excessive agency and sensitive information disclosure among the most critical risks for LLM-based systems, and an autonomous coding agent with file access, shell access, and tool access exercises exactly that agency on every session. Effective Claude Code governance covers five security controls:
- Identity and attribution: every request maps to a developer, team, or project rather than a shared key
- Credential isolation: real provider keys live in the gateway, never on developer machines
- Access scoping: per-key restrictions on which models, providers, and MCP tools the agent can call
- Containment: rate limits and guardrails that cap the blast radius of a runaway or compromised session
- Audit and evidence: request-level logs with session, model, token, and user detail for compliance review
These five controls belong at the gateway layer, where they apply uniformly to every Claude Code session regardless of which developer or provider is involved.
Where Claude Code's Native Access Controls Stop
Claude Code ships pointed at a single provider endpoint and authenticates with one provider key per developer. Anthropic's Team and Enterprise plans add admin controls and SSO, but they do not give platform teams fine-grained, cross-provider access control or request-level audit evidence. Direct-to-provider Claude Code leaves four security gaps:
- Broadly scoped credentials: a raw provider key on a developer laptop can be copied, committed, or reused outside the agent
- Uniform access: every developer reaches the same models, providers, and tools regardless of role or seniority
- No tool boundary: once an MCP server is connected, every session can call every tool it exposes
- No per-request identity or immutable audit: the provider console shows aggregate spend, not who ran what, when, and against which model
Anthropic's published cost guidance notes that 90 percent of users stay below $30 per active day, which still leaves a long tail of sessions that consume hundreds of dollars each. A security model that treats every session as identical cannot contain that tail. These gaps are addressed at the gateway layer, where virtual keys attach identity and policy to every request before it reaches a provider.
How an AI Gateway Secures Claude Code Agent Access
Bifrost secures Claude Code agent access by intercepting requests at the transport layer, before they reach any provider. Claude Code points at the gateway through a two-line environment change, and Bifrost authenticates each request with a virtual key, applies the key's policies, and forwards it to the provider using credentials the developer never sees.
# Point Claude Code at the Bifrost gateway
export ANTHROPIC_BASE_URL="http://localhost:8080/anthropic"
# Authenticate with a Bifrost virtual key (no Anthropic account login required)
export ANTHROPIC_AUTH_TOKEN="your-virtual-key"
# Launch Claude Code
claude
Bifrost presents the same Anthropic-compatible API surface the agent already uses, so streaming, tool calling, and extended thinking continue to work unchanged. The Claude Code integration guide covers settings.json configuration and cloud passthrough for Bedrock, Vertex, and Azure.
How does the gateway isolate provider credentials from developers?
With the recommended virtual key method, Claude Code sends only a Bifrost virtual key, and no Anthropic account login or provider credential is required on the developer's machine. The gateway stores the real provider keys centrally and injects them at request time, so revoking or rotating a key takes effect on the next request with no key rotation ceremony and no environment changes across developer laptops.
Does securing agent access change the developer workflow?
No. Only the base URL and the virtual key change. Developers run the same claude command, keep the same /model switching, and see no meaningful added latency. Bifrost adds 11 microseconds of overhead per request at 5,000 requests per second in sustained benchmarks.
Scoping Model and Tool Access with Virtual Keys
Virtual keys are the primary governance entity in the Bifrost AI gateway, and they are where most of the security boundary lives. Each key authenticates one consumer (a developer, a team, a CI pipeline, or an external customer) and carries an explicit policy: which providers it can reach, which models it can call, and which MCP tools it can see.
- Provider and model scoping: a key restricted to Sonnet and Haiku cannot call Opus or switch to an unapproved provider, and an out-of-scope /model command returns a clear error instead of silently running
- MCP tool filtering: tool filtering per virtual key controls which tools an agent can call, so a support-agent developer sees CRM and ticketing tools while an SRE sees Kubernetes and monitoring tools
- Tenant separation: keys scoped per team or per customer keep one group's access and budget isolated from another's
Tool filtering is the control that most directly addresses excessive agency. The full capability set stays in the gateway, while the surface visible to any one Claude Code session is scoped to what that role is approved to use. This is how a single connected GitHub or database MCP server stops being an all-or-nothing grant.
Containing Blast Radius with Rate Limits and Guardrails
Securing agent access also means limiting what one compromised or runaway session can do. Bifrost applies two containment controls at the gateway: rate limits and guardrails.
Rate limits at the virtual key level cap requests per minute per consumer, which contains subagent loops, automation gone wrong, or a leaked key being driven at machine speed. A reasonable Claude Code default is a moderate per-minute ceiling for interactive keys and a lower ceiling for CI automation keys, so a single misbehaving session cannot exhaust throughput for an entire team.
Guardrails inspect prompts and completions as they pass through the gateway. For agent access specifically, secrets detection catches API keys, credentials, and tokens that a developer or the agent might paste into a prompt or that a model might emit in a completion, and custom regex patterns let teams redact or reject organization-specific data. Content-safety guardrails are available through AWS Bedrock Guardrails, Azure Content Safety, and Patronus AI, applied uniformly to every Claude Code session rather than configured per developer.
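As an added illustration of the per-key decision the two sections above describe (this is not Bifrost's code), the Go sketch below resolves a virtual key to an owner and policy, checks the requested model against the key's allowlist, enforces a per-key per-minute ceiling, runs a constructed secrets pattern over the prompt, filters the MCP tool list down to what that role may see, and writes one audit line per decision. The key names, tool names, and the regex are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

type Policy struct {
	Owner         string          // developer, team, or pipeline this key identifies
	AllowedModels map[string]bool // model allowlist, checked on every request and /model switch
	AllowedTools  map[string]bool // MCP tools this role is approved to see
	RPM           int             // requests-per-minute ceiling for containment
}
// Constructed pattern standing in for a secrets-detection guardrail (not a tuned ruleset).
var secretRe = regexp.MustCompile(`(?i)(sk-[a-z0-9_-]{20,}|(api[_-]?key|token)\s*[:=]\s*\S+)`)
var (
	Keys  map[string]Policy  // virtual key -> policy; real provider keys live elsewhere in the gateway
	seen  = map[string]int{} // requests per "key@minute" slot (a real gateway would expire old slots)
	Audit []string           // request-level evidence: one line per decision, allowed or denied
)

// Authorize applies the key's policy to one request, records the outcome, and returns only the tools the session may see.
func Authorize(vkey, model, prompt string, tools []string, now time.Time) ([]string, error) {
	slot := fmt.Sprintf("%s@%d", vkey, now.Unix()/60) // fixed one-minute window per key
	seen[slot]++
	p, ok := Keys[vkey]
	deny := ""
	switch {
	case !ok:
		deny = "unknown-virtual-key"
	case !p.AllowedModels[model]:
		deny = "model-out-of-scope"
	case seen[slot] > p.RPM:
		deny = "rate-limited"
	case secretRe.MatchString(prompt):
		deny = "secret-in-prompt"
	}
	var visible []string
	for _, t := range tools { // tool filtering: unapproved tools are never exposed to the session
		if deny == "" && p.AllowedTools[t] {
			visible = append(visible, t)
		}
	}
	Audit = append(Audit, fmt.Sprintf("%s key=%s owner=%s model=%s tools=%v deny=%q", now.UTC().Format(time.RFC3339), vkey, p.Owner, model, visible, deny))
	if deny != "" {
		return nil, fmt.Errorf("request denied: %s", deny)
	}
	return visible, nil
}
```

Denied requests still count against the window and still produce an audit line, so a leaked key driven at machine speed shows up in the evidence trail even while it is being refused.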
Audit Trails and Compliance for Agent Access
Governance is only defensible if it produces evidence. Audit logs record an immutable, request-level trail for every Claude Code session, including model, token counts, tool calls, and the user or key behind the request, suitable as evidence for SOC 2, HIPAA, GDPR, and ISO 27001 reviews.
Beyond the audit trail, observability exposes Prometheus metrics and OpenTelemetry traces carrying virtual key, team, model, and tool labels, so security and platform teams can answer who used which model, how often, and through which tools. For regulated workloads, Bifrost runs in-VPC and air-gapped so no Claude Code traffic or credential leaves the organization's own infrastructure, and single sign-on through OIDC ties every virtual key to a directory identity in Okta or Microsoft Entra. The result is a control plane where access is scoped, contained, and provable in the same place.
Securing Claude Code Across Your Engineering Teams
Claude Code governance is a security problem before it is a cost problem. The provider console shows what was spent; it does not isolate credentials, scope tool access, contain a runaway session, or prove who did what. Routing Claude Code through Bifrost places virtual keys, tool filtering, guardrails, and audit logs behind the same Anthropic-compatible endpoint the agent already uses, so securing agent access requires no change to how developers work. The Bifrost governance resource details the full control set, and the LLM Gateway Buyer's Guide compares gateways on governance and security depth.
To see Claude Code governance applied to your engineering org's real usage, book a demo with the Bifrost team.