The MCP proliferation problem arrived before anyone planned for it.
Model Context Protocol, the interface standard that lets AI agents call external tools, APIs, and data sources, shipped as an open specification and spread fast. Enterprises adopted it quickly because it solved a real integration problem: it let agents connect to existing systems without custom glue code for every combination. Within months, organizations running agentic workflows accumulated dozens of MCP servers, each with its own permissions model, its own logging behavior, and its own implicit trust assumptions. Nobody planned the governance layer. Nobody owned it. That’s the gap Snowflake just bought.
The Problem Natoma Was Built to Solve
Natoma’s architecture centers on what it describes in its technical documentation as a centralized MCP gateway: a policy enforcement point that sits between an AI agent and every tool call that agent makes. The gateway is designed to enforce three things simultaneously, identity (which agent is making the request, acting on whose behalf), policy (is this agent authorized to call this tool with these parameters right now), and audit (a tamper-evident record of every tool invocation for compliance review).
That’s not a novel architectural concept. Tool-call authorization through a centralized gateway mirrors patterns well-established in API security and zero-trust network design. What’s novel is applying that pattern to AI agent tool calls specifically, where the requesting entity is a non-deterministic system making runtime decisions about which tools to invoke. The governance implications differ from traditional API management: an AI agent can decide to call a tool its operator didn’t anticipate, combining data from sources in ways that create new compliance exposure. Static allow-lists don’t fully address that. A runtime policy engine does – at least in principle.
Natoma’s specific implementation remains a vendor claim. Snowflake’s intent to integrate Natoma’s capabilities into the Cortex platform is confirmed at the deal announcement level; the implementation timeline and technical architecture of that integration were not disclosed as of May 27.
The $6 Billion Signal
The AWS commitment is the more analytically interesting piece. Infrastructure commitments of this scale, confirmed through independent reporting at Pulse2.com, don’t get structured around current usage. They’re structured around forecast usage. Snowflake committing $6 billion over five years to AWS infrastructure is an implicit forecast that Cortex-powered agentic AI workloads will scale substantially within that window.
That forecast has a specific implication for enterprise teams: if Snowflake is right, the governance tooling question isn’t hypothetical future planning. It’s a 2026-2027 operational decision. Organizations deploying Cortex-based agents now are the ones who’ll need governance infrastructure before the scale arrives, not after.
According to Snowflake, more than 7,000 corporate accounts currently use Cortex Code, the addressable base for Natoma’s governance capabilities once integration ships. That figure is vendor-stated and not independently confirmed, but even a fraction of that base represents substantial enterprise exposure across industries with significant compliance requirements: financial services, healthcare, regulated manufacturing.
Warning
Each acquisition ties a governance layer to a specific platform vendor. An enterprise that adopts all three inherits three separate vendor relationships and three separate compliance audit trails that don't natively integrate. That's not an architecture yet, it's a collection of platform bets.
Who This Affects
Three Layers, Three Acquisitions
Snowflake/Natoma didn’t happen in isolation.
Anthropic’s acquisition of Stainless covered the SDK layer, the developer-facing tooling through which agents are built and integrated into existing software systems. Celonis acquiring Ikigai Labs covered the operational context layer, the process intelligence that gives agents structured understanding of business workflows they’re operating within. Snowflake acquiring Natoma covers the permission and audit layer, runtime policy enforcement at the moment of tool invocation.
These aren’t coordinated. They’re parallel responses to the same set of enterprise deployment problems. But the effect is convergent: the enterprise AI governance stack is being assembled through targeted M&A by vendors who already have deep enterprise relationships, rather than built from scratch by new entrants or by enterprises themselves.
That pattern has a strategic implication. Each acquisition ties a governance layer to a specific platform vendor. The SDK layer runs through Anthropic’s developer ecosystem. The operational context layer runs through Celonis’s process mining platform. The permission layer, if Snowflake’s integration lands as announced, runs through Cortex. An enterprise that adopts all three inherits three separate vendor relationships, three separate data governance policies, and three separate compliance audit trails that don’t natively integrate with each other.
Whether that’s an architecture or a fragmentation problem depends on which vendors end up winning the integration contracts. It’s too early to call.
What Enterprise Architecture and Compliance Teams Should Do Now
The practical question for teams evaluating governance tooling isn’t whether to adopt an MCP gateway, it’s when and from whom.
The “when” answer is now, or close to it. The risk of waiting is accumulating tool-call surface area without any central enforcement point. Every agentic workflow that ships without governance tooling is a liability that gets harder to retrofit as agent capabilities expand.
The “from whom” answer requires more care. Three considerations apply:
What to Watch
Verification
Partial Pulse2.com (confirmed), natoma.ai vendor documentation, Snowflake newsroom (broken URL) $6B AWS commitment confirmed via multiple independent T3 sources. All Natoma capability descriptions are vendor claims. Cortex integration timeline undisclosed. 96% enterprise scaling statistic excluded, unverifiable.First, vendor neutrality. A governance layer tied to a single platform vendor, Cortex, in Snowflake’s case, creates tight coupling between your governance infrastructure and your data platform contract. That’s acceptable if your stack is already Snowflake-centric. It’s a risk if it isn’t.
Second, integration timeline. Snowflake’s Natoma integration timeline wasn’t disclosed. Teams shouldn’t count on production-ready Cortex-native governance tooling being available on a specific schedule. Budget for the gap between announcement and delivery.
Third, independent evaluation. Natoma’s MCP gateway architecture is currently described in vendor documentation only. Before deploying any governance tooling in a regulated environment, teams should require independent security evaluation, penetration testing, architecture review, and confirmation that the audit trail meets the evidentiary standards of their specific regulatory context.
The Bet Behind the Deal
Snowflake’s paired announcement, governance acquisition plus infrastructure commitment, is a coherent strategic position. They’re betting that enterprise agentic AI reaches production scale on their platform, that governance becomes a first-party platform responsibility rather than a third-party add-on, and that the $6 billion AWS infrastructure commitment is the right size for the workload.
The catch is execution. Acquiring a governance layer is not the same as shipping one. The Natoma integration has to land in Cortex, get validated by enterprise security teams, and prove out at scale before this becomes a competitive moat rather than a press release. Watch Snowflake’s Q2 and Q3 earnings calls for the first hard data on Cortex attach rates and any disclosed integration milestones. Those numbers will tell you whether the $6 billion bet is tracking to plan.