Azure Extends Content Safety to Agent-to-Agent AI Traffic

Microsoft's Azure API Management now supports a unified approach to managing AI model calls, allowing a single OpenAI Chat Completions client request to be translated into native calls for Anthropic, Google Vertex AI, Amazon Bedrock, or Microsoft Foundry models. This extends API governance, including rate limits, token quotas, and content safety, to previously uninspected agent-to-agent traffic and tool calls. The Build 2026 update treats large language model (LLM) inference, tool execution, and inter-agent communication as a single traffic plane governed by familiar API management policies.

The Unified Model API, currently in public preview, standardizes client traffic on the OpenAI Chat Completions format, with APIM transparently translating requests to backend-native protocols. Developers can register model aliases in APIM, call a unified `/models` discovery endpoint, and route traffic across providers without client redeployments. APIM also logs reasoning tokens, cached tokens, and audio tokens to Application Insights for traffic flowing to any supported backend, providing a consolidated view of spend and utilization across heterogeneous model fleets. Runtime policies, including semantic caching and token limits, execute at the edge regardless of the provider handling inference.

The `llm-content-safety` policy now covers MCP tool-call arguments, MCP response text, and A2A agent payloads, in addition to traditional LLM I/O. It applies category-based filters—Hate, SelfHarm, Sexual, Violence—across a severity scale from 0 (most restrictive) to 7 (least restrictive), and includes a `shield-prompt` attribute for adversarial injection detection. Messages exceeding Azure Content Safety's 10,000-character limit are chunked using configurable `window-size` and `window-overlap-size` attributes before evaluation. Microsoft also exposes existing REST APIs as MCP servers through APIM, enabling teams to tool-enable legacy services without protocol rewrites.

In streaming mode, when the safety policy triggers on a non-streaming request, APIM returns an explicit 403. However, in streaming mode, the gateway buffers events in a sliding window and silently stops forwarding tokens without an error code, requiring agents to detect and recover from abrupt stream termination. The API Center MCP server, now generally available, acts as a unified enterprise discovery endpoint, but automated agent assessment using an LLM-as-a-Judge framework for safety and reliability evaluation adds another gating dependency before agents publish to enterprise catalogs.

The AI gateway capabilities are available across APIM tiers, with the Unified Model API in public preview and content safety for MCP and A2A, extended token metrics, and the API Center MCP server generally available. While AWS Bedrock Guardrails and Cloudflare AI Gateway compete on filtering and spend controls, neither currently offers equivalent multi-provider protocol normalization or MCP and A2A content inspection. Architects should consider the latency and memory overhead of the 10,000-character chunking boundary and sliding-window buffering when designing high-throughput agent pipelines, particularly given the silent failure path in streaming configurations. Decouple client API contracts from backend provider protocols behind a centralized governance plane, but instrument every agent to handle silent stream drops and tune chunking windows against your safety latency budget.