AI Inline Enforcement Architecture: Where the Policy Decision Sits and What It Has To Commit

Mandiant's M-Trends 2026 report, based on more than 500,000 hours of frontline incident response, found that the median time between initial access and handoff to a secondary threat group collapsed from over 8 hours in 2022 to 22 seconds in 2025. At that tempo, asynchronous controls cannot prevent damage. The enforcement decision has to happen before the request reaches the model and before the response reaches the application. AI inline enforcement is the architectural pattern that runs the policy decision in the request path with a deterministic outcome and a committed audit record. The decision is part of the request, not a downstream analysis of it.

I want to walk through the components of the inline enforcement architecture, the data shape at decision time, the failure modes the implementation has to handle, and the regulatory profile the inline placement satisfies.

The components of inline enforcement

An inline enforcement architecture has four components in the request path. The first is the policy decision point (PDP) that evaluates the policy. The second is the policy enforcement point (PEP) that applies the decision (pass, block, modify). The third is the audit commit that writes the per-decision record to durable storage. The fourth is the policy administration point (PAP) where operators edit policies and the policy store that the PDP reads from.

In a production deployment the PDP, the PEP, and the audit commit run inside the inspection layer that sits between the calling application and the LLM endpoint. The PAP is an external system that the inspection layer pulls policies from. The placement of the components inside the inspection layer keeps the request-time latency low and lets the inspection layer fail closed on its own.

The data shape at decision time

The policy decision evaluates against five categories of data. The identity context: the natural-person identity, the tenant, the role, the group memberships, and any authorization scopes the application attached. The route context: the route identifier, the policy bundle binding, and any operator metadata. The request content: the prompt text, the system prompt, the tool list, the model selection, and any structured fields the application carries. The data classification: the inspection layer's classifier output on the prompt content (PII, PHI, MNPI, source code, regulated identifiers). The state context: the policy version, any rate-limit counters, and any session metadata the policy needs.

The decision is a function of these inputs and the policy bundle. The output is one of pass (forward the request unchanged), block (reject with a structured error), modify (transform the request before forwarding, for example by redacting detected PII). The audit record stamps all of the inputs and the output, plus the cryptographic integrity signature.

Decision-time latency envelope

The latency envelope for an inline decision is bounded by the LLM's natural response time. End-to-end inspection-layer overhead measures under 50 ms in production deployments. LLM inference takes 500 ms to 5 seconds. The inspection-layer overhead is invisible relative to the model's response time. There is no architectural cost to making enforcement inline.

The 50 ms budget covers the policy lookup (indexed read against the policy table, under 5 ms), the data classification (regex and small-classifier passes over the prompt content, 10 to 30 ms), the policy evaluation (deterministic rule evaluation against the inputs, under 5 ms), and the audit commit (signed-record write to durable storage, 5 to 15 ms). The numbers are consistent across production deployments because the workload at decision time is small and bounded.

The failure modes the implementation has to handle

Three failure modes the inspection layer encounters and the architectural decisions each one forces.

The first is the inspection node crash mid-request. The implementation has to crash before the audit record commits if the policy evaluation has not completed, and the application's retry has to land on a different node that completes the evaluation. The architectural choice is fail-closed on partial state. The application sees a 5xx, retries, and lands on a clean evaluation. The alternative, fail-open, would let requests through without policy evaluation and is unacceptable for any regulated workload.

The second is the upstream LLM endpoint failure. The model returns a 5xx, a timeout, or a rate-limit error. The inspection layer's policy evaluation succeeded; the upstream call failed. The audit record commits with the upstream failure recorded as the decision outcome. The application sees the upstream error and retries (or fallback-routes, if the deployment uses a routing layer like LiteLLM). The audit pipeline shows the policy decision was made even when the model did not respond.

The third is the audit-storage failure. The inspection layer cannot commit the audit record because the durable storage is unavailable. The implementation has to fail closed. A request whose audit record cannot be committed cannot proceed. The architectural choice is the inspection layer treats the audit pipeline as a blocking dependency. The alternative, proceeding without an audit record, would produce decisions that did not get recorded, which is what the regulator and the audit reviewer treat as the primary failure mode of an inspection layer.

Why log-and-alert fails as enforcement

Log-and-alert architectures detect events after they happened. They produce a record of what occurred. They are useful for forensics. They are structurally incapable of preventing the action they recorded.

The forensic value is real. The audit record is the evidence the regulator and the incident responder consume. The prevention capability is zero at machine speed. A 22-second handoff from initial access to secondary threat group leaves no time for an alert to trigger, a human to assess, and an action to take. The model has responded, the response is in the application's hands, and the application has acted on it before any alert fires.

Inline enforcement covers both. The audit record is committed in the request path, which gives the same forensic value that log-and-alert provides. The policy decision is committed before the response forwards, which gives the prevention capability that log-and-alert lacks. The architectural choice is not between forensics and prevention; it is between an architecture that does both and an architecture that does only one.

What the regulatory profile expects

EU AI Act Article 12 expects records of events over the lifetime of the system that ensure traceability. The records have to include the period of use, the input data (or its reference), and the identity of natural persons involved. Inline enforcement produces these records by construction at decision time. Article 26 deployer obligations consume the same records. The Article 99 penalties for high-risk non-compliance reach EUR 15 million or 3% of global annual turnover, whichever is higher, which is the cost the deployer carries if the record series is unavailable when the supervisor asks for it.

Fannie Mae LL-2026-04 requires lenders to retain records that establish audit trails for AI-assisted lending decisions. The inline enforcement record carries the natural-person identity (the loan officer, the underwriter), the model and version, the prompt content fingerprint, and the policy version at decision time. The records compose the audit trail that the GSE inquiry asks for.

NIST AI agent identity and authorization Pillar 2 (delegated authority) and Pillar 3 (action lineage) require enforcement at the AI API call layer that is independent of the application. Inline enforcement satisfies both pillars: the decision is made at the request boundary outside the application, and the record is committed by the inspection layer not by the application.

DORA Article 6 (third-party ICT risk) consumes the inline enforcement audit record as evidence of the operational control over third-party model providers. The record format works the same regardless of which model provider served the request.

DeepInspect

This is exactly what DeepInspect does. DeepInspect sits inline between the calling applications and any LLM endpoint over HTTP. The PDP evaluates identity-bound policy against the request inputs and the policy bundle. The PEP applies the pass, block, or modify decision. The audit commit writes the per-decision record to durable storage with a cryptographic integrity signature before the response forwards. The architectural placement keeps the prevention capability and the forensic capability in the same record series.

End-to-end inspection-layer overhead measures under 50 ms in production. The overhead is invisible relative to the LLM's response time. The audit record carries identity, route, policy version, data classification outcome, decision outcome, model and version, request and response fingerprints, and the integrity signature in a format that EU AI Act Article 12, Fannie Mae LL-2026-04, NIST AI RMF, DORA Article 6, HIPAA 45 CFR 164.312, and the sector-specific regimes consume.

If you are running log-and-alert against AI traffic and the regulator's expectation is inline enforcement, let's talk.