Gartner published its Market Overview for AI Gateways in May.
Near the back, there’s a table. Fourteen example vendors. Three columns: vendor name, HQ city, HQ country.
Read the third column from the top.
United States. United States. United States. United States. United States. United States. United States. United States. United States. United States. United States. United States.
Then, one row from the bottom: United Kingdom.
That’s us. Tyk. London. Mind the gap.
Thirteen American companies and one British one. In the market that will decide how enterprise AI is governed.
I’ve been sitting with that table for a few days now, mostly over a nice cup of tea, and I think the interesting question is: why is the third column so uniform, and should that worry anyone?
What actually flows through an AI gateway
Gartner defines an AI gateway as the intermediary between your AI applications and agents and the models, tools and resources they use. The control point. And they project the market growing from under $250 million today to $1 billion by 2028, with 68 per cent of software engineering leaders already deploying, rolling out or evaluating one.
Now think about what that control point sees.
Every prompt your staff write. Every document an agent retrieves to answer a question. Every customer record flowing to a model for summarisation. Credentials. Costs. The full conversational exhaust of your company thinking out loud.
API gateways carry your transactions. AI gateways carry your reasoning.
There is no more concentrated view of what an organisation knows, worries about and plans to do than the traffic passing through this one piece of infrastructure. Which makes a boring procurement question suddenly very unboring: whose laws govern the company that built it?
The bit lawyers already know
In 2018 the United States passed the CLOUD Act. It compels American companies to hand over data on valid US government demand, wherever in the world that data is stored. Your Frankfurt region, your Paris availability zone, your “sovereign” European cloud with the US parent: the Act doesn’t care about geography. It cares about ownership.
European law points the other way. GDPR restricts handing personal data to non-EU authorities. That collision of approaches lands on you, the customer, not on the vendor.
This stopped being a theoretical argument some time ago. This June, the European Commission unveiled its tech sovereignty package, with the Cloud and AI Development Act putting cloud and AI infrastructure at the centre of the agenda, including a sovereignty framework for sensitive workloads. Brussels is weighing restrictions on US cloud platforms processing sensitive government data. One European official put the mood plainly: “we want to be sure nobody has a kill switch”.
The money is moving the same direction. Gartner reckons European sovereign cloud spending will grow 83 per cent in 2026. Industry has founded the EuroStack initiative to build European alternatives up and down the stack. Roughly 70 per cent of the EU cloud market currently sits with three American hyperscalers, and Europe has noticed.
Against that backdrop, look at the third column of that Gartner table again. The layer of infrastructure that will carry the most sensitive traffic your organisation produces has thirteen of its fourteen example vendors under one jurisdiction. Concentration like that is a risk profile, whatever you think of the country in question.
Before we deploy the Union Jack parachute
Three things, in the interest of playing this straight.
First: Gartner’s list is explicitly an example list. The market includes vendors and open-source projects beyond the fourteen names, and inclusion is a description of the market, and no endorsement of anybody. I’m only making an observation about the pattern in that third column. But reading the report, it’s clear that the pattern would hold with more rows added.
Second: the thirteen American companies on that list are good companies. Some of them are our fiercest competitors and I’d take any of them seriously in a deal. This piece argues with a concentration, and with a legal regime, and never with the engineers.
Third, and most important: a London HQ does not make your AI traffic sovereign. Jurisdiction over the vendor is one layer. What matters just as much is where the software runs and who can see the traffic. A gateway you can fully self-host, in your own datacentre or your own cloud tenancy, under your own keys, is worth more to your sovereignty posture than any vendor’s postcode, ours included. That’s why we’ve always been open source, and why self-managed deployment remains a first-class option at Tyk. And yes, Britain sits outside the EU, so for EU institutions we’re a third country too. The point survives: legal diversity in your critical infrastructure beats monoculture, and you currently have precisely one non-US option on the analyst shortlist.
Try this
If you’re selecting an AI gateway this year, and Gartner’s numbers say a majority of you are somewhere in that process, add four questions to the RFP. They cost nothing.
- Which jurisdiction can compel this vendor to disclose our traffic?
- Can we run the entire control plane ourselves, disconnected, if we choose to?
- What happens to our policies and configuration if we need to exit?
- Is the core open source, so the answer to the last question can be verified rather than promised?
Your AI strategy will pass through one narrow gate. Before you pick the gate, read the third column.
And if you find yourself at the bottom of it, in the one row that says United Kingdom: pop in. We’ll put the kettle on.
Further reading


