
Quick Answer

Agent Registry vs Gateway vs Identity vs Sandbox (May 2026)


Google’s Gemini Enterprise Agent Platform (GA April 22, 2026) ships four governance components — Agent Registry, Agent Gateway, Agent Identity, and Agent Sandbox. They sound similar. They do very different things. This is how they actually work together.

Last verified: May 12, 2026

TL;DR

| Component      | One-line job                                                        |
|----------------|---------------------------------------------------------------------|
| Agent Registry | The catalog of what’s approved to exist and be callable             |
| Agent Gateway  | The runtime checkpoint every tool call must pass through            |
| Agent Identity | The per-agent cryptographic ID that makes actions attributable      |
| Agent Sandbox  | The hardened isolated environment where model-generated code runs   |

Together they implement defense in depth: Registry decides what’s allowed to exist, Identity says who is acting, Gateway enforces what they can do, Sandbox contains the blast radius if something goes wrong.

Agent Registry — the catalog

What it is: A central, governed list of approved agents, tools, and skills inside an organization. Only items in the Registry can be discovered or invoked.

Why it exists: “Agent sprawl” is the new shadow IT. Without a catalog, every team builds its own agents, every agent calls every tool, and security has no map. Registry imposes a single source of truth.

What’s inside a Registry entry:

  • Agent or tool name, version, owner, description.
  • Allowed model(s) it can use.
  • Required permissions / scopes.
  • Approval state (pending, approved, deprecated).
  • Audit history.

Approval flow: A developer submits an agent or tool to the Registry. Security/platform review flags scope creep, sensitive data access, or risky tool combinations. Approved entries become callable. Rejected entries are not.

Without Registry: Anyone can ship anything; you cannot prove a tool is governed.

Agent Gateway — the air traffic control

What it is: The runtime policy enforcement layer. Every tool call from any agent passes through Gateway.

What it enforces:

  • Authentication — is this agent who it claims to be (via Agent Identity)?
  • Authorization — is this agent approved to call this tool (via Registry)?
  • Quota and rate limits — is this within usage caps?
  • Cost guardrails — is the projected spend within budget?
  • Model Armor — prompt-injection detection, sensitive-data leakage prevention.
  • Audit logging — every call is recorded.

Why it exists separately from Registry: Registry is policy-as-data; Gateway is policy-as-runtime. You need both: a policy that isn’t enforced is decoration, and an enforcement layer without a policy source has nothing to enforce.

Without Gateway: Registry approvals exist on paper, but agents can route around them. There’s no choke point for prompt injection defense.

Agent Identity — the crypto IDs

What it is: Each agent in the platform gets a unique cryptographic identity. Tool calls, audit logs, and inter-agent messages are signed and attributable.

What it provides:

  • Forensic attribution. An incident tracks back to a specific agent, not to a shared service account used by 47 agents.
  • Fine-grained access control. Tools can grant access to agent X without granting it to agent Y, even if both are in the same workspace.
  • Inter-agent trust. Agent A can verify that the message claiming to come from Agent B actually does — important for the Agent2Agent (A2A) protocol.
  • Third-party agent action. When a partner organization’s agent acts on your data, you can prove which agent did what.

Why it exists separately from Gateway: Gateway needs an identity assertion to authenticate. Identity is the issuance and verification layer. Splitting them keeps the PKI clean and lets Gateway scale horizontally without rolling its own crypto.

Without Identity: Audit logs say “an agent did this.” Useless for forensics.

Agent Sandbox — the blast-radius container

What it is: A hardened, isolated execution environment for running model-generated code and computer-use tasks. Browser automation, code execution, and arbitrary shell invocations run inside the sandbox, not on host systems.

What it contains:

  • Per-task ephemeral compute (containerized).
  • Isolated network egress with policy-controlled allow-lists.
  • Filesystem isolation; the sandbox cannot read host secrets.
  • Time-bounded execution; runaway processes are killed.
  • Output scrubbing before results are returned to the agent.

Why it exists: The Trustfall attack class disclosed in late April 2026 made this urgent. When agent-generated code or tool output is treated as trusted by the next step, an attacker who controls one input can compromise the whole chain. Sandboxing contains the blast radius.

Why it exists separately from Identity: Identity is “who is acting”; Sandbox is “where the action happens.” Even fully authenticated, fully approved agents can generate dangerous code. Sandbox assumes that and contains it.

Without Sandbox: A compromised tool output or a prompt-injection payload that reaches code execution owns the underlying host.
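The four controls listed under "What it contains" can be shown as policy decisions over a task's requests. This is an added example written for this article, not Google's Agent Sandbox code: the page names the controls but not their configuration format, so `SandboxPolicy`, `run_task`, the root directory, the allow-listed host and the secret pattern are all assumptions, and the sandboxed "code" is modelled as a list of requested actions so the decisions can be shown without real container or network isolation.

```python
"""Sandbox-side controls: filesystem isolation, egress allow-list, time bound
and output scrubbing, applied to the requests a task makes.

Added illustration for this article, not the platform's own code; policy
shape and sample values are assumptions.
"""
import os
import re
import time
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SandboxPolicy:
    root: str                 # the only directory the task may read
    allowed_hosts: frozenset  # egress allow-list
    max_seconds: float        # wall-clock budget for the task
    secret_patterns: tuple    # regexes scrubbed from output before it is returned

    def check_path(self, path: str) -> bool:
        """True only if the normalised path stays inside root.

        realpath collapses both absolute paths and ../ traversal, so
        /etc/secrets and ../../etc/passwd are rejected alike.
        """
        root = os.path.realpath(self.root)
        real = os.path.realpath(os.path.join(root, path))
        return real == root or real.startswith(root + os.sep)

    def check_egress(self, host: str) -> bool:
        return host.lower() in self.allowed_hosts

    def scrub(self, text: str) -> str:
        for pat in self.secret_patterns:
            text = re.sub(pat, "[REDACTED]", text)
        return text


def run_task(policy: SandboxPolicy, actions: List[Tuple[str, object]],
             clock=time.monotonic) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Apply the policy to each requested action; return (scrubbed output, decisions).

    Actions are a constructed stand-in for what model-generated code asks for:
      ("read", path), ("fetch", host), ("emit", text), ("sleep", seconds)
    Each decision is (kind, target, verdict).
    """
    deadline = clock() + policy.max_seconds
    decisions, output = [], []
    for kind, target in actions:
        if clock() > deadline:                        # time-bounded execution
            decisions.append(("kill", kind, "time limit exceeded"))
            break
        if kind == "read":
            verdict = "allowed" if policy.check_path(target) else "blocked"
        elif kind == "fetch":
            verdict = "allowed" if policy.check_egress(target) else "blocked"
        elif kind == "emit":
            output.append(str(target))
            verdict = "allowed"
        elif kind == "sleep":
            time.sleep(float(target))
            verdict = "allowed"
        else:
            verdict = "blocked"                       # unknown request kinds are denied
        decisions.append((kind, str(target), verdict))
    return policy.scrub("\n".join(output)), decisions


# Constructed policy for the finance example; root, host and pattern are assumed.
FIN_POLICY = SandboxPolicy(
    root="/sandbox/task-q1-spend",
    allowed_hosts=frozenset({"bigquery.googleapis.com"}),
    max_seconds=5.0,
    secret_patterns=(r"SECRET_[A-Z0-9]+",),          # toy secret shape
)


def demo():
    """Replay step 4 of the walkthrough: the injected /etc/secrets read is blocked."""
    actions = [
        ("read", "data/vendors.csv"),
        ("read", "/etc/secrets"),            # read injected via a poisoned vendor name
        ("read", "../../etc/passwd"),        # traversal variant of the same attempt
        ("fetch", "bigquery.googleapis.com"),
        ("fetch", "exfil.example"),          # not on the allow-list
        ("emit", "total spend 41200; token SECRET_ABC123"),
    ]
    return run_task(FIN_POLICY, actions)


if __name__ == "__main__":
    scrubbed, verdicts = demo()
    for v in verdicts:
        print(v)
    print(scrubbed)
```

The path check normalises before comparing, which is the part worth copying: a prefix check on the raw string would let `../../etc/passwd` through. Everything else (the deadline, the host allow-list, the redaction pass) is ordinary policy evaluation; a real sandbox enforces the same decisions with container and network primitives rather than a loop.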

How they compose — a worked example

A finance ops agent runs the workflow “summarize Q1 vendor spend and email the CFO.”

  1. Registry check (build time). The agent was registered by the finance platform team. Its approved tools are bigquery.read, gmail.send, and a custom spend-analyzer skill. All three are in the Registry. The agent’s allowed model is Gemini 3.1 Pro.
  2. Identity issuance (deployment time). The agent gets cryptographic ID agent-fin-spend-q1-v3. All its actions will be signed with this ID.
  3. Runtime tool call: bigquery.read. The agent issues the call. Gateway intercepts. Gateway checks: is agent-fin-spend-q1-v3 registered (yes), is bigquery.read an approved tool for this agent (yes), is the query within quota (yes), does the query trip any Model Armor data-leakage rules (no). Call is allowed. Audit log entry created.
  4. Code execution: spend-analyzer generates a Python aggregation script. Code is shipped to Sandbox. Sandbox executes it in isolation. The script attempts to read /etc/secrets (the read was injected through prompt injection in the vendor names). Sandbox blocks it: that path isn’t in the allow-list. Result returned to the agent: an error, no data exfiltrated.
  5. Runtime tool call: gmail.send. Gateway checks scope: this is to the CFO; agent identity has approval for this recipient. Call is allowed. Audit log entry created.
  6. Audit pull (post-hoc). Security team queries the Gateway audit log by agent ID. Sees every tool call. Sees the blocked sandbox attempt. Pulls the offending vendor name. Updates Model Armor rules.

Each layer caught something the others wouldn’t have. That’s defense in depth working.
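Steps 1, 2, 3 and 5 of the walkthrough (Registry lookup, Identity issuance and verification, Gateway checks, audit logging) can be traced in code. This is an added example written for this article, not Google's code: the platform's APIs, key formats and audit schema are not on the page, so `RegistryEntry`, `Gateway`, `sign_call`, `verify_call`, the quota knob and the Model Armor stand-in rules are assumptions. Per-agent HMAC keys stand in for the platform's PKI; the signing scheme is a simplification, not the real one.

```python
"""Registry (policy-as-data), Identity (signed calls) and Gateway (runtime
checkpoint) for one tool call, following the finance-ops walkthrough.

Added illustration for this article, not the platform's own code; all names,
keys and rules below are constructed.
"""
import hashlib
import hmac
import json
import re
import time
from dataclasses import dataclass
from typing import Optional


# ---- Registry: the catalog (policy-as-data) ---------------------------------
@dataclass
class RegistryEntry:
    agent_id: str
    owner: str
    approved_tools: frozenset
    approval_state: str        # pending | approved | deprecated
    quota_per_run: int         # tool calls allowed per workflow run (assumed knob)


# Constructed catalog mirroring the walkthrough; the allowed-model constraint is
# checked at build time and is left out of this runtime path.
REGISTRY = {
    "agent-fin-spend-q1-v3": RegistryEntry(
        agent_id="agent-fin-spend-q1-v3",
        owner="finance-platform-team",
        approved_tools=frozenset({"bigquery.read", "gmail.send", "spend-analyzer"}),
        approval_state="approved",
        quota_per_run=50,
    ),
}

# ---- Identity: issuance and verification ------------------------------------
# Constructed per-agent keys; a real deployment issues these from its PKI.
AGENT_KEYS = {"agent-fin-spend-q1-v3": b"constructed-key-do-not-reuse"}


def sign_call(agent_id: str, tool: str, args: dict) -> dict:
    """Agent side: wrap a tool call in a signed envelope."""
    body = json.dumps({"agent": agent_id, "tool": tool, "args": args,
                       "ts": int(time.time())}, sort_keys=True)
    sig = hmac.new(AGENT_KEYS[agent_id], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_call(envelope: dict) -> Optional[dict]:
    """Identity side: return the parsed call only if the signature checks out."""
    body = envelope["body"]
    key = AGENT_KEYS.get(json.loads(body).get("agent"))
    if key is None:
        return None                          # no identity was ever issued for it
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["sig"]):
        return None                          # tampered or forged envelope
    return json.loads(body)


# ---- Gateway: the runtime checkpoint (policy-as-runtime) --------------------
# Toy stand-in for Model Armor data-leakage rules: SSN-shaped and card-shaped
# digit runs in tool arguments are refused.
ARMOR_RULES = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card-like": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


class Gateway:
    def __init__(self, registry: dict, armor_rules: dict):
        self.registry = registry
        self.armor_rules = armor_rules
        self.calls_this_run: dict = {}
        self.audit_log: list = []

    def _record(self, agent: str, tool: str, verdict: str, reason: str) -> dict:
        entry = {"agent": agent, "tool": tool, "verdict": verdict, "reason": reason}
        self.audit_log.append(entry)         # every call is recorded, allowed or not
        return entry

    def handle(self, envelope: dict) -> dict:
        """Run the ordered checks; the first failure denies the call."""
        claimed = json.loads(envelope["body"]).get("agent", "?")
        call = verify_call(envelope)         # 1. authentication (Identity)
        if call is None:
            return self._record(claimed, "?", "deny", "signature invalid or agent unknown")
        agent, tool = call["agent"], call["tool"]
        entry = self.registry.get(agent)     # 2. authorization (Registry)
        if entry is None or entry.approval_state != "approved":
            return self._record(agent, tool, "deny", "agent not approved in Registry")
        if tool not in entry.approved_tools:
            return self._record(agent, tool, "deny", "tool not approved for this agent")
        used = self.calls_this_run.get(agent, 0)   # 3. quota
        if used >= entry.quota_per_run:
            return self._record(agent, tool, "deny", "per-run quota exceeded")
        blob = json.dumps(call["args"])      # 4. Model Armor stand-in
        hits = [name for name, rx in self.armor_rules.items() if rx.search(blob)]
        if hits:
            return self._record(agent, tool, "deny", "armor rule hit: " + ",".join(hits))
        self.calls_this_run[agent] = used + 1
        return self._record(agent, tool, "allow", "all checks passed")


def demo() -> list:
    """Replay the walkthrough's bigquery.read, then a tampered and a leaking call."""
    gw = Gateway(REGISTRY, ARMOR_RULES)
    ok = sign_call("agent-fin-spend-q1-v3", "bigquery.read",
                   {"sql": "SELECT vendor, SUM(amount) FROM spend GROUP BY vendor"})
    gw.handle(ok)
    gw.handle(dict(ok, body=ok["body"].replace("bigquery.read", "gmail.send")))
    gw.handle(sign_call("agent-fin-spend-q1-v3", "gmail.send",
                        {"to": "cfo@example.com", "text": "vendor SSN 123-45-6789"}))
    return gw.audit_log
```

Two details carry the security point. The tool name is inside the signed body, so editing it after signing (the second call in `demo`) fails authentication before the Registry is even consulted; and a denied call still lands in the audit log with the claimed agent ID, which is what makes the post-hoc pull in step 6 possible.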

How it compares to other platforms

| Capability                      | Gemini Enterprise Agent Platform | Microsoft Agent 365          | OpenAI Workspace Agents |
|---------------------------------|----------------------------------|------------------------------|-------------------------|
| Catalog of approved agents      | ✅ Agent Registry                | ✅ Approval flow             | Permission controls     |
| Runtime tool-call enforcement   | ✅ Agent Gateway                 | Entra policies               | Per-action approvals    |
| Per-agent crypto identity       | ✅ Agent Identity                | Entra-backed identities      | Workspace-scoped        |
| Hardened code execution sandbox | ✅ Agent Sandbox                 | Via Foundry / Copilot Studio | Codex sandbox           |
| Endpoint Shadow AI detection    |                                  | ✅ via Defender + Intune     |                         |
| Prompt-injection defense        | Model Armor (Gateway)            | Across the stack             | Codex-level             |

Gemini’s stack is the most explicitly architected. Microsoft’s is the strongest at endpoint reach. OpenAI’s is the lightest-weight at this stage.

What it doesn’t do

  • Not a policy engine standard. The implementations are GCP-managed; there’s no open spec for “Agent Registry.”
  • Not free. Each component is part of the Gemini Enterprise Agent Platform Vertex AI billing surface.
  • Not portable. You can’t run Agent Gateway in front of agents on another cloud (as of May 2026).
  • Not magic. A bad Registry policy is still a bad policy. Sandbox can be misconfigured. Identity can be issued too generously. These tools are levers, not guarantees.

What to watch next

  • Whether Agent Gateway gains support for agents running outside GCP via A2A.
  • Pricing visibility for long-running agents that hit Gateway thousands of times per run.
  • Whether Microsoft Agent 365 and AWS Bedrock Agents ship analogous four-component breakdowns.
  • Whether Agent Sandbox features close the gap with Anthropic’s sandbox after Trustfall.
  • Open-source equivalents for self-hosted agents (some early projects exist).

Sources

  • Google Cloud Blog, “Introducing Gemini Enterprise Agent Platform”
  • blog.google, “Gemini Enterprise Agent Platform” announcement
  • Virtualization Review, “Google Cloud Next ‘26: Gemini Enterprise Agent Platform leads AI-centric news”
  • MindStudio, “Gemini Enterprise Agent Platform business automation”
  • Google Cloud, “Gemini Enterprise / Agents” product page