You cannot govern a capability you can still reach around. Enforcement begins by collapsing every call path to a single mediated route, and deleting the alternatives — including the credentials that made them reachable.
A gate only governs what must pass through it. As long as an agent can reach a capability by a second route — a stray API key, a direct client, an un-migrated call site — the gate in front of the first route is decoration. Enforcement does not begin with the policy on the path; it begins with the deletion of every path but one.
Collapsing call paths to a single mediated choke point is the precondition for governance, not a detail of it. The control is the choke point: one route in, every alternative removed, and the provider credentials that made the alternatives reachable taken out of the environment entirely. Until the side doors are gone, the front door is advisory.
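A pre-deployment audit for the three side doors named above (a stray API key, a direct client, an un-migrated call site), as an added example that is not part of the original text. The gateway host, the credential name, the module names and the sample input are all hypothetical and constructed for illustration.

```python
import ast
import re
from urllib.parse import urlparse

CRED_NAME = re.compile(r"(API_?KEY|TOKEN|SECRET|PASSWORD)$", re.I)
URL = re.compile(r"https?://[^\s'\"]+")

def find_side_doors(env, sources, gateway_host, gateway_cred, provider_modules):
    """Return one finding per route to a capability that skips the gateway."""
    findings = []
    # 1. Stray credentials: anything credential-shaped except the gateway's own.
    for name in sorted(env):
        if CRED_NAME.search(name) and name != gateway_cred:
            findings.append(f"env: credential {name} reachable by agent")
    for path, code in sorted(sources.items()):
        for node in ast.walk(ast.parse(code, filename=path)):
            # 2. Direct clients: provider SDK imported instead of the gateway client.
            if isinstance(node, ast.Import):
                mods = [alias.name for alias in node.names]
            elif isinstance(node, ast.ImportFrom):
                mods = [node.module or ""]
            else:
                mods = []
            for mod in mods:
                if mod.split(".")[0] in provider_modules:
                    findings.append(f"{path}:{node.lineno}: direct client import {mod}")
            # 3. Un-migrated call sites: URL literals whose host is not the gateway.
            if isinstance(node, ast.Constant) and isinstance(node.value, str):
                for url in URL.findall(node.value):
                    host = urlparse(url).hostname
                    if host != gateway_host:
                        findings.append(f"{path}:{node.lineno}: call site targets {host}")
    return findings

# Constructed sample input (hypothetical names and hosts throughout).
SAMPLE_ENV = {"GATEWAY_TOKEN": "x", "PROVIDER_API_KEY": "y", "HOME": "/home/agent"}
SAMPLE_SOURCES = {
    "agent/tools.py": 'import provider_sdk\nURL = "https://api.provider.example/v1/run"\n',
    "agent/gated.py": 'import gateway_client\nURL = "https://gateway.internal.example/call"\n',
}

def audit_sample():
    return find_side_doors(SAMPLE_ENV, SAMPLE_SOURCES, "gateway.internal.example",
                           "GATEWAY_TOKEN", {"provider_sdk"})

if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

A static audit like this only finds side doors it knows how to look for, so an empty result is a necessary check, not proof that no other route exists.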