Interviews

Rory Blundell, CEO of Gravitee – Interview Series

mm

Rory Blundell, CEO of Gravitee, brings a rare blend of technical depth, commercial leadership, and founder experience to the API management space. Before taking over as CEO in September 2020, he joined Gravitee as Chief Revenue Officer and helped shape the company’s growth strategy after earlier roles leading EMEA field technical operations at SnapLogic, where he worked across pre-sales, professional services, training, and customer success. His background also includes founding Velinko, a UK software and consultancy business serving the legal and accounting sectors, where he worked hands-on across APIs, ETL, AWS, Java, PHP, WordPress, databases, reporting, and data transformation projects. That mix of engineering fluency, enterprise sales experience, and startup execution has positioned him to lead Gravitee as APIs, event streams, and AI agents become increasingly central to enterprise infrastructure.

Gravitee is an API management company focused on helping enterprises manage, secure, govern, and scale the digital connections between applications, services, event streams, and AI agents. Its platform combines API management, an event-native gateway, developer portal capabilities, support for event streaming, and emerging AI agent management features, giving organizations a unified control plane for synchronous APIs, asynchronous events, MCP/A2A agent interactions, and governance across distributed environments. The company describes its platform as open-source and scalable, and it has been recognized as a Leader in the 2025 Gartner Magic Quadrant for API Management, reflecting its positioning at the intersection of API infrastructure, real-time event-driven systems, and the new agentic AI stack.

You founded Velinko, built software solutions yourself across technologies ranging from AWS and APIs to data transformation platforms, then went on to lead technical teams at SnapLogic before becoming CEO of Gravitee. How has that journey from hands-on builder to CEO shaped your vision for the future of AI agents and enterprise infrastructure?

My background made it possible for me to see enterprise infrastructure from multiple angles, as a builder, an operator, and now as a CEO. At Velinko, we were solving a practical data problem, pulling information from different places, transforming it, aggregating it and making it usable. That experience grounded my view of what enterprise technology has to do: connect systems, protect data, and turn complexity into something people can act on.

During my time at SnapLogic, I saw how central API management was coming to the enterprise stack. APIs were more than technical interfaces. They became the way companies exposed, controlled and scaled access to critical systems and data. That’s what first brought me to Gravitee, and it remains the foundation of how I think about this market.

Enterprises need to know who can access what, how those access points are found and used, and what is actually happening across the environment. Those principles were essential for APIs, and they are now just as essential for agents. Enterprises are moving into a world where agents can act across APIs, applications, data and workflows. The companies that succeed won’t just build the most agents. They’ll be the ones that put the right infrastructure around them: clear permissions, strong governance and control across the systems they touch.

Gravitee built its reputation in API management and has since expanded its focus to AI agent management. What convinced you that AI agents represented the next major technology shift, and why was now the right time to evolve the company in that direction?

I see AI agent management as the next evolution of the same problem we have always helped enterprises solve.

API management was and is fundamentally about three things: security, discoverability and observability. Agents are the next place where those principles need to be applied.

Today, enterprises are starting to confront the same questions with agents that they faced with APIs. How do we ensure security? How do we know which agents are running, where they are running, and what they can access? How do we understand what they’re doing, why they are acting and whether they’re operating within adequate boundaries?

The timing matters because companies are moving from experimenting with AI to asking how they can put agents into real work. The hard question is no longer whether an agent can be built, it’s whether an enterprise can govern agents across the models, tools, APIs and systems they touch.

That is where Gravitee’s heritage in API management becomes very relevant. Agents will only scale in the enterprise if organizations can bring the same discipline to them that they expect from the rest of their infrastructure: clear permissions, visible actions, auditability, governance and control.

Many organizations are experimenting with AI agents, but relatively few have deployed them at scale. What separates successful adopters from companies that remain stuck in the pilot stage?

The difference is whether an organization treats agents as isolated experiments or as part of a new operating model. At a small scale, one or two agents can look manageable. The challenge comes when an enterprise starts moving toward multiple agents across teams, systems and workflows. At that point, the issue is no longer whether an agent can complete a task. It is whether the organization can control how agents work, what they touch and how they fit into the way the business operates.

Organizations that build management discipline around agents early understand where agents fit into the workflow, what decisions must remain with people and what controls need to be in place before agents are trusted with real work.

This is not only a technology shift. It is also a change in how organizations work. Successful adopters will understand that shift and put the right structure around it from the beginning.

AI agents are increasingly interacting with APIs, databases, enterprise applications, and even other agents. How do you see agent orchestration evolving, and what challenges must organizations solve before these systems can operate reliably at scale?

The challenge isn’t technical complexity alone; it’s accountability complexity. As agents call APIs, query databases, and invoke other agents, the authority chain multiplies and most enterprises have no way to see it.

Orchestration evolves from single-agent task execution toward multi-agent workflows where one agent’s output becomes another agent’s input, often across models, vendors, and enterprise boundaries, and that is precisely when governance breaks down.

Before these systems can operate reliably at scale, organizations must solve four things: giving every agent a known, authenticated identity; scoping what each agent is permitted to touch (tools, data, downstream APIs); enforcing those permissions at runtime; and maintaining a complete lineage record from the human prompt to the system the agent finally touched.

Businesses that treat orchestration as a pure engineering problem and skip the governance layer will find themselves managing incidents rather than scaling operations.

The industry spent years dealing with API sprawl as organizations adopted cloud technologies. Are we now entering an era of “agent sprawl,” and what lessons can enterprises apply from previous technology transformations?

Yes, I see a real risk of recreating the same pattern we saw with APIs: broad adoption across the business before the right management model is in place. The lesson from the API era is that organizations should not wait until the environment is already fragmented before putting visibility and control around it.

Agents create a similar challenge, but with a more active layer of risk because they can operate across systems and workflows. The questions enterprises need answered are simple: what agents exist, who owns them, and what they’re allowed to touch.

If enterprises apply that discipline from the start, they can avoid ending up with agents they cannot see, secure or control.

What are the biggest misconceptions business leaders have about AI agents today, and where do you think expectations are running ahead of reality?

The dominant misconception is that agent capability is the bottleneck. It isn’t. The bottleneck is whether the organization can hold agents accountable the way it already holds people accountable, with a defined role, scoped access, and an auditable record.

Many leaders believe deploying more agents leads to automatically moving faster. In practice, ungoverned agents create shadow AI spend, uncontrolled data access, and operational failures nobody can diagnose because there is no audit trail.

Recent examples of AI agents being pulled back from production after operational errors are instructive. We’ve seen an agent with broad calendar permissions and no defined boundary wipe out an entire corporate calendar in a single action. The model wasn’t the problem; nobody had scoped what it was allowed to touch. This isn’t the case of an AI hype problem. It is a governance problem. In many cases, the agent may have been capable of performing the task but lacked a defined role and a boundary on what it could access and a clear escalation plan when something goes off course.

Expectations are running furthest ahead of reality on autonomous decision-making. Leaders want agents that act, but what they need first are agents whose actions are visible, reversible, and attributable.

Security and governance have become major concerns as AI agents gain access to sensitive systems and data. What do you see as the most significant risks, and how should organizations approach managing them?

The biggest risk is that agents are moving into production faster than enterprises can govern them. Gravitee’s State of AI Agent Security report found that enterprise AI agent estates have roughly doubled since December 2025, while monitoring coverage, accountability structures and pre-deployment controls have barely moved. The research also showed that nearly half (48%) of production AI agents are running without security or governance, and 54% of organizations have experienced or suspected an AI agent security or data privacy incident in the past 12 months.

That data emphasizes why governance has to mature alongside adoption. As agents gain access to sensitive data, applications and workflows, ownership and accountability have to be just as clear as the access itself: who is responsible for this agent, what actions has it taken, and how is that actively monitored.

The answer though, is not to slow agents down. It is to establish clear visibility from the start across each agent, the models it connects to, the tools it uses and the other agents it interacts with.

From there, organizations can deploy the right operating model around agents: clear ownership, scoped permissions, pre-deployment controls, continuous monitoring, auditability and a clear escalation path when something goes wrong. That is what gives enterprises the confidence to use agents safely at scale.

As governments and regulators begin paying closer attention to AI systems, how should enterprises balance innovation with compliance, transparency, and risk management?

Regulatory attention should be a catalyst, not a reason to wait.

Compliance starts with lineage: the full, auditable record from the human prompt to the API call the agent made downstream. Without it, enterprises cannot answer the basic regulatory question of what your agent did and why. This is not a future problem. The EU AI Act’s August 2026 compliance deadline is already on the calendar, and the organizations that have lineage and policy enforcement in place today will meet it without a scramble.

Policy-as-code and centralized policy enforcement are the practical implementation of that model. Enterprises need one policy engine, one audit trail, consistent enforcement across every agent regardless of model or vendor.

The risk management posture that wins is not slow deployment; it is bold deployment with accountability built in from day one. Those that treat agent accountability as a head start rather than a compliance hurdle won’t be slowed by regulation. They’ll be ready for it.

Open standards such as Model Context Protocol (MCP) and Agent-to-Agent (A2A) communication are gaining momentum. How important will interoperability be to the future of enterprise AI, and do you believe the industry is moving quickly enough toward common standards?

Interoperability is not optional. Enterprises are not running one model or one vendor, they are running ecosystems. Standards like MCP and A2A are what allow agents to call tools, access context, and communicate across that ecosystem without bespoke integrations for every pair of systems.

The momentum is real, but the speed question misses the more important one: standards that enable agents to act must be accompanied by standards that govern how they act. Connectivity without accountability at the protocol level just moves the governance problem around.

The enterprises that will benefit most from MCP and A2A are the ones that pair protocol-level interoperability with a centralized control plane, so that cross-agent and cross-system interactions are observable, policy-enforced, and auditable from one place.

This is where Gravitee’s approach becomes important. API management, agent management, and identity in one platform means one policy engine governs every agent interaction regardless of which protocol it travels over.

Looking ahead to the next five years, what does success look like for AI agents in the enterprise, and what advice would you give to organizations that want to build a scalable and future-proof AI strategy today?

Success over the next five years will be measured by whether agents can do meaningful work safely, reliably and at scale. AI agents can help companies become more agile and give people much greater leverage. But that only happens if organizations are intentional about how they deploy them. The organizations that simply go “full agent” and worry about governance later will see early wins, but those wins won’t survive the complexity that follows. A better course of action is to treat agents like production infrastructure from the beginning.

My advice is to build the management model early. Define ownership, permissions, monitoring, auditability and escalation paths before agents are operating across critical workflows. The future is not just humans building every task themselves. It is humans becoming the architects of the process, with agents helping them move faster, scale impact and do more than they could before.

Thank you for the great interview, readers who wish to learn more should visit Gravitee

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.