Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

AI Gateway Architecture: The Components That Sit Between an Enterprise Caller and an LLM Endpoint

An AI gateway architecture has six core components: TLS termination, identity binding, request inspection, policy evaluation, the model router, and the audit record emitter. Each component is a placement decision that ties to a regulatory obligation or an operational property. This piece walks through the components, the placement decisions, and how the gateway integrates with the corporate IdP and the SIEM.

Platform & Architecture | ai-gateway-architecture, ai-gateway, ai-security, inline-enforcement, audit-logs

The AI Agent Post-Authentication Gap: Why Identity at Login Is Not Identity at the Tool Call

Most enterprise agent architectures authenticate the user at the start of the session and then let the agent run with a service identity that carries no user context. The gap between the login identity and the per-tool-call identity is the post-authentication gap. This piece walks through the gap, where it shows up in production, the audit record fields it breaks, and the architectural pattern that closes it.

Problem-Aware | ai-agent-post-authentication-gap, agentic-ai, ai-agent-security, ai-agent-identity, audit-logs

AI Agent Action Lineage: Reconstructing What an Autonomous Agent Did From the Audit Record

AI agent action lineage is the record series that lets a security team reconstruct what an autonomous agent did across a sequence of LLM calls, tool invocations, and downstream actions. The record has to carry the agent identity, the originating user identity, the prompt and response on every step, the policy state, and the cross-references between steps. This piece walks through the lineage record, where it sits, and what audit obligations it satisfies.

Problem-Aware | ai-agent-action-lineage, agentic-ai, ai-agent-security, audit-logs, eu-ai-act

Generative AI Governance: The Inspection-Layer Decisions That Sit Between Policy and Production

Generative AI governance has to bind organizational policy to per-request enforcement on the production traffic. The inspection layer between authenticated users or agents and any LLM is where the binding sits. This piece walks through the categories generative AI governance has to decide on, the enforcement placement, the record series, and how the program maps to EU AI Act Article 12 and NIST AI RMF.

Compliance & Regulation | generative-ai-governance, ai-governance, eu-ai-act, nist-ai-rmf, inline-enforcement

AI Governance Framework: The Operational Layers Between Policy Documents and the Audit Record

An AI governance framework that survives an audit has three operational layers: a policy layer that names what the program will and will not do, an enforcement layer that binds the policy to production traffic, and a record layer that produces the per-decision evidence. This piece walks through each layer, what artifacts each one produces, and how the layers map to EU AI Act Article 12, NIST AI RMF, and ISO 42001.

Compliance & Regulation | ai-governance-framework, ai-governance, eu-ai-act, nist-ai-rmf, iso-42001

EU AI Act Records of Processing: What the Article 12 + 19 Record Has to Contain Beyond GDPR Article 30

GDPR Article 30 records of processing describe what data the organization processes. EU AI Act Article 12 plus Article 19 records describe what the AI system did with a specific request at a specific moment. The two record series carry different fields at different granularities. This piece walks through the GDPR baseline, the Article 12 plus Article 19 fields, where they sit operationally, and what the audit expects on each.

Compliance & Regulation | eu-ai-act, records-of-processing, gdpr, article-12, article-19

EU AI Act and Open-Source AI: Where the Open-Weight Exemption Stops and the Deployer Obligation Starts

The EU AI Act carves out a limited exemption for free and open-source AI models in Recital 89 and Article 2. The exemption covers some provider obligations on the model itself but does not cover the deployer of a high-risk system that uses the model. This piece walks through what the exemption actually says, where the obligations remain bound to the deployer, and what the operational stack has to produce regardless of model licensing.

Compliance & Regulation | eu-ai-act, open-source-ai, compliance, deployer-obligations, article-12

EU AI Act August 2, 2026 Deadline: The Operational Cutover for High-Risk AI Systems

August 2, 2026 is when the EU AI Act high-risk system obligations bind. The deadline applies to credit scoring, employment screening, education access, biometric identification, and the rest of the Annex III list. The operational cutover requires logging, identity binding on the AI request path, conformity assessment evidence, and the per-decision record under Article 12. This piece walks through the cutover, what the obligation expects, and what the operational stack has to produce.

Compliance & Regulation | eu-ai-act, august-2-2026, compliance, high-risk-ai, article-12

AI Prompt Redaction: The Substitution Step That Lets the Model Reason Without Touching the Raw Data

AI prompt redaction substitutes placeholders for sensitive content in the prompt before the model receives the request. The substitution preserves the structural cues the model needs to produce a coherent response while keeping the raw PII or PHI away from the model provider. This piece walks through the redaction pattern, how placeholders feed the model, the audit record fields the redaction lands on, and the EU AI Act and HIPAA framing.

AI Security Solutions | ai-prompt-redaction, llm-dlp, ai-dlp, ai-security, inline-enforcement

Prompt-Level DLP: Inspection at the Field Where the User Says What They Mean

Prompt-level DLP runs inspection at the prompt body sent to an LLM endpoint, not at file boundaries or network egress. The prompt is the data, and the prompt sits inside an encrypted POST body to a SaaS destination. This piece walks through where prompt-level DLP sits, the classifier categories it has to recognize, how the redaction decision feeds the model, and the regulatory framing under EU AI Act Article 12 and HIPAA.

AI Security Solutions | prompt-level-dlp, llm-dlp, ai-dlp, ai-security, inline-enforcement

AI Data Classification: The Categories the Audit Record Has to Carry at the LLM Request Boundary

AI data classification is the layer that labels prompt content before policy evaluates and before the audit record commits. Deterministic categories for PII, PHI, source code, customer data, and free-form sensitive labels supply the field the EU AI Act Article 19 record expects on every decision. This piece walks through the categories, the placement where the classifier runs, the regulatory framing, and how the labels feed identity-bound policy at the request boundary.

AI Security Solutions | ai-data-classification, llm-dlp, ai-security, data-governance, eu-ai-act

LLM DLP: The Inspection Point Where Prompt Content Becomes Sensitive Data

LLM DLP is the inspection layer that catches PII, PHI, source code, and customer data inside the prompt body before it reaches an LLM endpoint. Network DLP, endpoint DLP, and email DLP each terminate inspection before the prompt is in scope. This piece walks through where each traditional layer stops, why the LLM request path slips through, the regulatory framing under EU AI Act Article 12 and HIPAA, and the architectural placement that produces a defensible per-request record.

AI Security Solutions | llm-dlp, ai-dlp, data-loss-prevention, ai-security, inline-enforcement