Enterprise IT bought prompt-injection filters in 2025. They're buying AI gateways in 2026. Kong, Databricks, Cloudflare are all building toward the same product shape: a control plane that watches inter-agent traffic inside the corporate perimeter and decides which packets get to exist.
The thing they're scanning for isn't what most builders expect. It's not model outputs. It's not jailbreaks. It's agents talking to other agents without supervision.
Most local-first agent frameworks shipped in 2025 optimized for one thing: keep the data on the device, keep the coordination off the cloud. The framing was productivity and privacy. Engineers loved it.
The framing enterprise security will apply is different. Two agents running on the same subnet, exchanging JSON over a local port, with no audit log accessible to the SOC, is not a productivity multiplier. It is lateral movement between two unmanaged processes. It is Slack before IT approved Slack. It is Dropbox in 2012. It is every pattern that built real adoption by going around procurement and then ran straight into a Monday-morning block list.
The mental model to hold: agent-to-agent (A2A) traffic is the next shadow IT category. Not because the agents are hostile, but because the protocol is invisible to the tools the security team is already buying. Anything the gateway can't see, the gateway blocks.
The builders who will survive this aren't the ones shouting about decentralization. They're the ones shipping a policy export hook on day one. An observability port that speaks the language AI gateways already speak. A signed identity per agent that rolls up into existing IAM. A structured audit stream the SOC can forward to their SIEM without writing a plugin.
If your agent can't emit what it did, to whom, under whose authority, and with what data, an enterprise security team will not read your architecture blog post. They will add your binary's network signature to a deny list and move on to the next ticket.
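One way to shape the audit stream described above, as an added example (not code from this post or from any gateway vendor). The agent names, keys and field names are constructed for illustration, and HMAC with a per-agent key stands in for an IAM-issued asymmetric identity.

```python
import hashlib, hmac, json

# Constructed demo keys. Assumption: a real deployment would use asymmetric
# keys issued through the existing IAM, not shared secrets in source.
AGENT_KEYS = {"agent-a": b"constructed-key-a", "agent-b": b"constructed-key-b"}
FIELDS = ("ts", "agent_id", "action", "peer", "authority", "data_sha256", "prev")

def _canonical(event):
    # Sign a fixed field set in a stable byte form so both sides agree.
    return json.dumps({k: event[k] for k in FIELDS}, sort_keys=True).encode()

def emit(agent_id, action, peer, authority, payload, prev, ts):
    """One JSON line: what was done, to whom, under whose authority, with what data."""
    event = {"ts": ts, "agent_id": agent_id, "action": action, "peer": peer,
             "authority": authority,
             "data_sha256": hashlib.sha256(payload).hexdigest(),  # hash, not the data
             "prev": prev}  # id of the previous record, so gaps are detectable
    event["sig"] = hmac.new(AGENT_KEYS[agent_id], _canonical(event), hashlib.sha256).hexdigest()
    return json.dumps(event, sort_keys=True)

def record_id(line):
    return hashlib.sha256(line.encode()).hexdigest()

def verify_stream(lines):
    """Collector side: return (index, reason) for every record to reject."""
    problems, prev = [], ""
    for i, line in enumerate(lines):
        try:
            ev = json.loads(line)
            key = AGENT_KEYS[ev["agent_id"]]
            want = hmac.new(key, _canonical(ev), hashlib.sha256).hexdigest()
        except (ValueError, KeyError, TypeError):
            problems.append((i, "malformed or unknown agent"))
        else:
            got = str(ev.get("sig", "")).encode()
            if not hmac.compare_digest(want.encode(), got):
                problems.append((i, "bad signature"))
            elif ev["prev"] != prev:
                problems.append((i, "chain break"))
        prev = record_id(line)
    return problems

def demo():
    # Constructed sample traffic: two valid records, then a tampered second record.
    l1 = emit("agent-a", "tool.call", "agent-b", "user:alice", b'{"q":"report"}', "", 1767225600)
    l2 = emit("agent-b", "tool.result", "agent-a", "user:alice", b'{"rows":3}', record_id(l1), 1767225601)
    forged = l2.replace("user:alice", "user:admin")
    return verify_stream([l1, l2]), verify_stream([l1, forged])
```

Each line is plain JSON, so a SIEM can ingest it without a plugin; the signature and `prev` chain let the collector reject edited or dropped records.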
The opportunity isn't local-first vs. cloud. That's the wrong axis. The opportunity is local-first with a first-class observability interface: the same contract cloud agents already accept, delivered by agents that still run on the edge. That combination is the only local-first architecture that clears procurement in a Fortune 500.
The ones that don't clear procurement aren't wrong about privacy. They're just early to the block list.