BLOG | OFFICE OF THE CTO

Context Is the New Perimeter: Governing AI Agents with Programmable Application Delivery

Lori MacVittie Thumbnail
Lori MacVittie
Published July 22, 2025

There’s a persistent, dangerous myth in AIOps: “MCP is just another API.”

Sure. And SOAP was just XML with delusions of grandeur.

Agent-based architectures, especially those built on Model Context Protocol (MCP), rely on explicit context blocks carried across every request. This isn’t about neural hunches or “LLM memory.” It’s serialized, structured, operational context—think JSON, not vibes—passed along with every call to help agents keep track of goals, roles, policies, and workflow state.

But here’s the reality: context drifts. And when it does, your agents don’t just get confused. They get confidently wrong, operationally unpredictable, or flat-out dangerous.

The problem is that folks who are already toying with—and deploying—AI agents, are ahead of the curve. And they are. Our latest research tells us 9% have already put AI agents in production, 29% have a formally defined approach to move forward, and another 50% are in “early stages” figuring it out. That’s a mere 11% who aren’t even thinking about AI agents.

They’re moving fast. Faster than the industry.

There are no real compliance tools, no security, no best practices. There are virtually no existing options for addressing the security risks that emerge right alongside any new technology.

Except programmability. Yeah, this is where your application delivery and security platform comes in. Not as a dumb pipe, but as a programmable gatekeeper of cognitive hygiene and context discipline.

How context actually travels

Context isn’t an abstraction. It’s right there in the payload. A real-world MCP request looks like this:

POST /agent/v1/invoke HTTP/1.1

Host: agentmesh.internal

Authorization: Bearer xyz123

Content-Type: application/json

X-MCP-Version: 1.0

{

"context": {

    "user": { ... },

    "goal": "...",

    "prior_messages": [ ... ],

    "task_state": { ... },

    "security": { ... }

  },

"input": { "prompt": "Now visualize it with a quick chart." }

 }

This context block isn’t optional. It’s the agent’s working memory. It contains everything the agent “knows” and every assumption it’ll act on. Every hop carries it forward: uncompressed, sometimes unchecked, and almost always growing staler with each turn.

How context drifts (and why it matters)

It’s this baggage that ultimately introduces context drift. Drift happens when:

  • Old goals and task state linger after the user has moved on.
  • Prior messages pile up, bloating requests and misleading agents.
  • Security tags stick around where they don’t belong.
  • Multiple agents update the same thread without clearing out the cruft.

By the time agent #4 gets the baton, it’s making decisions based on outdated instructions, ancient access controls, and “goals” no one cares about anymore. Agents don’t complain. They just hallucinate with confidence and pass the mess downstream.

Programmability: The context janitor you actually need

If you still think of your application delivery platform as just a load balancer, congratulations. You’re playing checkers while the rest of the world is playing chess.

In agentic architectures, programmable application delivery is the only layer that has:

  • Full visibility into every request
  • The authority to inspect, transform, block, or sanitize context
  • No attachment to any one agent’s opinion or memory

Context truncation at the edge

Don’t let agents drag around the entire history of humanity with every request.

  • Strip prior_messages down to the last N exchanges.
  • Auto-expire goals based on time or state change.
  • Drop task_state when intent switches from continuation to new-task.

Now you’re enforcing memory budgets and cognitive hygiene before the agent even processes the input.

Classification and policy enforcement

If your context block says security.classification = confidential but you’re about to hit a public summarization API, you need a programmable policy cop at the edge to block, redact, or mask sensitive fields, and validate access scope on every request. Large language models (LLMs) won’t second-guess your policies; they’ll just leak.

Intent drift detection

Did a user pivot from “summarize quarterly metrics” to “generate a slide deck”? The context needs to reset, not just accumulate. If the request intent changes but context still includes stale goals and task state, kill the context and start fresh. That’s how you avoid agents solving yesterday’s problem with today’s data.

Telemetry and drift monitoring

Your application delivery layer should be tracking:

  • Token sizes of context blocks over time
  • Growth rates of prior_messages
  • Patterns of goal/task mismatch per agent

That’s how you spot context bloat and drift before it explodes. Monitoring gives you real answers when leadership asks why your “autonomous agents” act like overconfident interns.

You need a context janitor, not just a firewall

LLMs will happily consume all the context you throw at them and make a mess if you’re not careful. Agents won’t warn you when context drifts, goals get stale, or task history grows toxic. Your programmable delivery layer not only will but must.

It’s the only neutral, all-seeing, policy-enforcing layer left.

In the age of agentic AI, your application delivery platform isn’t just routing traffic. It’s your semantic firewall, your compliance cop, and your last best hope for keeping agents from becoming overconfident liars with root access.

Because if you let drift and bloat win, you lose. Not just control, but trust in your entire AI stack.