Your AI Gateway Isn't Your Compliance Layer
And why that distinction matters considerably before August 2026.
Portkey raised $15M, made its enterprise gateway free, and is signalling governance features for later in 2026. Excellent infrastructure. But gateway governance and EU AI Act compliance are not the same discipline — and the enforcement deadline won't wait for roadmap items.
Portkey just raised $15M, made its enterprise AI gateway free, and is now processing 500 billion tokens a day across 24,000 organizations. This week they signalled that governance features — permissions, identity, access boundaries, budget controls — are coming later in 2026.
If you're building AI agents, this is genuinely useful infrastructure. A unified gateway for routing, caching, rate limiting, and observability across model providers is a real problem Portkey solves well.
There is a conflation happening in the market worth naming directly: gateway governance and EU AI Act compliance are not the same thing.
The distinction will matter considerably when enforcement begins in August 2026.
What an AI Gateway Does
An AI gateway sits between your application and your model providers. Portkey, and tools like it, give you:
- Routing and load balancing: Spread requests across providers, fall back on failures
- Cost controls: Set token budgets, track spend by team or project
- Observability: Log prompts and completions, trace latency, monitor error rates
- Rate limiting and access control: Define which teams can call which models
- Caching: Reduce redundant calls, lower cost
These are infrastructure-level capabilities. They operate at the API call layer: request goes in, response comes out, the gateway logs and routes it.
This is useful. And it is not what the EU AI Act requires.
What the EU AI Act Actually Requires
The EU AI Act's compliance obligations for high-risk AI systems are not about infrastructure management. They are about legal accountability and demonstrable human control.
Risk Management System
Before deploying a high-risk AI system, you must establish, implement, document, and maintain a risk management system throughout the entire lifecycle. This is not a runtime control — it is a pre-deployment process requirement.
A gateway logs what happens. Article 9 requires documented evidence that you identified and evaluated risks before it happened. These are different disciplines: observability vs. governance documentation.
Human Oversight
Article 14 requires that high-risk AI systems be designed to enable human oversight — specifically, the ability for natural persons to understand the system's capabilities, detect anomalous behavior, and intervene or override before the system's output influences real-world outcomes.
A gateway's access controls can restrict which agents call which tools. That is not the same as ensuring a human can intercept and review an action before it completes. Article 14 demands the latter — a human-in-the-loop decision point at the action level.
Traceability
Article 13 requires that high-risk AI systems maintain logs sufficient to ensure traceability of results. In an agent-to-agent transaction chain, this means every step in the delegation hierarchy must be auditable.
Gateway observability logs prompt/completion pairs and latency. Article 13 compliance requires you to log the agent's reasoning context, the specific tool calls it attempted, the policy state at the time of each decision, and a chain-of-custody sufficient to answer a regulatory inquiry.
The Feature-by-Feature Comparison
| Capability | Portkey | Supra-wall |
|---|---|---|
| Route requests across model providers | ||
| Track cost and token usage | ||
| Log prompts and completions | Partial | |
| Define which agents access which tools | ||
| Require human approval before high-stakes actions | ||
| Block specific action categories by policy | ||
| Produce EU AI Act Article 13 audit evidence | ||
| Map to specific EU AI Act articles | ||
| Generate compliance report for auditors | ||
| Article 9 risk documentation support | ||
The table above is not a criticism of Portkey. Portkey is excellent gateway infrastructure doing exactly what a gateway should do. The point is that the compliance obligations your AI agents face in 2026 require a different layer entirely.
Where They Complement Each Other
The good news: these are not competing products. They are different layers in the same stack, and the strongest agent deployments will use both.
[Your AI Agent]
↓
[Supra-wall — Policy enforcement, human-in-the-loop, compliance audit trail]
→ Article 14: blocks tool calls, routes to human approval
→ Article 13: tamper-evident audit trail
→ Article 9: policy enforcement & loop detection
↓
[Portkey — Model routing, observability, cost control, caching]
→ Latency optimization
→ Token budget tracking
→ Provider failover
↓
[Model Providers — OpenAI, Anthropic, Mistral, etc.]

Supra-wall operates at the action layer — intercepting tool calls before they execute and enforcing policy rules. Portkey operates at the inference layer — managing how model API calls are made and observed. Neither replaces the other.
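The action-layer pattern described above, sketched as an added example (not Supra-wall's or Portkey's code): a gate that decides on each tool call before it runs, routes flagged actions to a human approver, and records the decision with its policy state in a hash-chained log. The policy table, function names and approver callback are hypothetical.

```python
import hashlib
import json

# Constructed policy: tool name -> handling rule (hypothetical names).
POLICY = {"read_file": "allow", "send_payment": "require_approval", "delete_db": "block"}
POLICY_VERSION = "constructed-v1"


class AuditLog:
    """Append-only log; each record commits to the previous record's hash."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, entry):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(entry, prev=prev)
        self.records.append(dict(body, hash=self._digest(body)))

    def verify(self):
        """Recompute the chain; any edited or reordered record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != self._digest(body):
                return False
            prev = rec["hash"]
        return True


def gate_tool_call(log, agent, tool, args, context, approver=None):
    """Decide before execution; tools missing from the policy are blocked."""
    rule = POLICY.get(tool, "block")
    decision, reviewer = rule, None
    if rule == "require_approval":
        # approver is a callable standing in for the human review step.
        approved = bool(approver and approver(agent, tool, args))
        decision = "approved" if approved else "denied"
        reviewer = getattr(approver, "__name__", None)
    log.append({"agent": agent, "tool": tool, "args": args, "context": context,
                "policy_version": POLICY_VERSION, "rule": rule,
                "decision": decision, "reviewer": reviewer})
    return decision in ("allow", "approved")
```

A hash chain detects edits only if the latest hash is also kept somewhere the log writer cannot rewrite, so store or publish the head hash out of band.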
The Timing Argument
Portkey's governance features are on the roadmap for later in 2026. EU AI Act enforcement begins August 2, 2026. That gap matters.
If you wait for your gateway to add compliance features, you are betting that:
That is a significant risk concentration. And it ignores the fact that Article 9 requires your risk documentation to exist before deployment — not before enforcement.
The compliance layer is not something you add when the regulator asks for it. It is something you build into your agent architecture from the start.
Conclusion
Portkey is excellent infrastructure for building production AI agents at scale. Making the enterprise gateway free is a genuinely positive development — lower barriers to observability and cost management benefit everyone building on LLMs.
But observability is not compliance. Access controls are not human oversight. Token budgets are not risk documentation.
The EU AI Act asks a different set of questions than your gateway answers. Before August 2026, you need both layers covered.
Related reading: Agent-to-Agent Commerce Meets the EU AI Act: What Palo Alto's Threat Report Missed