Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

Per-Route AI Policies: How To Implement Endpoint-Specific Enforcement in Front of LLM APIs

Per-route AI policies attach a different enforcement rule to each LLM endpoint behind the inspection layer. A request to the customer-support route runs under one policy. A request to the developer-tooling route runs under another. The implementation lets a single inspection layer serve every team without the lowest-common-denominator policy that an organization-wide rule produces. This piece walks through the data model, the matching algorithm, the policy state that has to be present at decision time, and the operational characteristics that hold up at production scale across OpenAI, Anthropic, Azure OpenAI, and Bedrock endpoints.

Platform & Architecture | ai-gateway, per-route-policies, inline-enforcement, ai-architecture, identity-aware, audit

Signed Audit Logs for AI Requests: Per-Decision Signing and What Regulators Will Accept

A signed audit log binds a cryptographic signature to each record at the moment the record is committed. For AI requests, the signature ties the record to the inspection layer that produced it and lets a verifier confirm authenticity without trusting the storage layer. The technique is the cryptographic foundation under the tamper-evident audit trails that EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and the NIST AI agent identity framework all expect. This piece walks through the signing schemes, the key management, and the verification flow that auditors and regulators will accept.

Platform & Architecture | signed-audit, audit-logs, cryptography, ai-compliance, integrity, pki

Tamper-Evident Audit Logs for AI: What Cryptographic Integrity Brings to Compliance Records

Tamper-evident audit logs make any post-hoc modification of a record detectable through cryptographic integrity. For AI compliance records, the property closes the self-attestation gap that application-controlled logs cannot. The technique combines per-record signing, hash chaining, and external anchoring. EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and NIST AI RMF all expect records that an auditor can rely on as evidence. Application logs that the application can modify do not meet that standard. This piece walks through the cryptographic mechanisms, the operational characteristics, and the architectural placement.

Platform & Architecture | audit-logs, tamper-evident, compliance, cryptography, ai-audit, integrity

Identity-Aware AI Gateway Architecture: How Inline Enforcement Binds Decisions to Users and Agents

An identity-aware AI gateway sits at the AI request boundary, attaches verified identity context to every model API call, evaluates per-route and per-role policies, and commits a per-decision audit record before the model response returns to the calling application. The architecture closes the post-authentication gap that most enterprise AI deployments have inherited from the credential-pooling pattern used by SDKs and proxy frameworks. This piece walks through the architectural building blocks, the call path, the audit primitives, and where the identity-aware gateway sits relative to existing IAM, API gateway, and DLP infrastructure.

Platform & Architecture | ai-gateway, identity-aware, ai-architecture, enforcement, audit, zero-trust

AI in OT Environments: What IEC 62443 and NIS2 Require When LLMs Touch Industrial Control Systems

Manufacturing OT environments now host AI tools for predictive maintenance, anomaly detection, work-instruction generation, quality inspection, and operator copilots. The AI calls cross zones that IEC 62443 was designed to segment and bring NIS2 incident reporting and supply chain obligations into the operational technology footprint. Most OT deployments use AI through cloud APIs that violate the segmentation assumptions of the IEC 62443 reference model. This piece walks through where AI sits in modern OT, what IEC 62443 and NIS2 require for the AI traffic, and the inspection architecture that produces records the regulator and the customer auditor will accept.

Industry Verticals | ot-security, manufacturing, iec-62443, nis2, ai-security, industrial-control

FERPA and AI: What School Records Confidentiality Requires from AI Tools in K-12 and Higher Ed

FERPA protects the confidentiality of education records. Schools and the edtech vendors operating on their behalf are now putting student data through AI tools for tutoring, grading assistance, behavioral analytics, and parent communication. The "school official" exception in FERPA covers vendors only when specific written agreement, legitimate educational interest, and direct control conditions are satisfied. Most AI vendor relationships were not constructed with those conditions in mind. This piece walks through what FERPA actually requires when AI processes education records, where the school official exception breaks for AI vendors, and the architecture that satisfies the disclosure controls.

Industry Verticals | ferpa, edtech, student-data, ai-compliance, audit, k12

Finance AI and Pre-Announcement Earnings Exposure: How AI Tools Create MNPI Leakage

Pre-announcement earnings exposure inside finance teams now flows through AI tools that finance teams use for drafting, modeling, and summarization. The exposure is functionally a material non-public information leak when an employee pastes a draft press release, a working forecast, or a board-pack excerpt into an unauthorized AI tool. SEC Regulation FD, insider trading regimes, and individual market-abuse regulations in the EU and the UK reach the conduct regardless of whether the leak was intentional. This piece walks through where the AI exposure sits inside the financial close and earnings preparation cycle, what controls regulators expect, and the inspection architecture that prevents MNPI from leaving the perimeter.

Industry Verticals | mnpi, reg-fd, finance, ai-security, shadow-ai, market-abuse

Fannie Mae LL-2026-04: What the Lender AI Governance Mandate Requires from Mortgage Originators

On April 8, 2026, Fannie Mae issued Lender Letter LL-2026-04, a governance framework for AI and ML in mortgage origination and servicing. It takes effect August 6, 2026, 120 days after publication. Freddie Mac Section 1302.8 has been enforced since March 3, 2026. The combined GSE regime requires inventory, governance, audit trails, and disclosure on demand for AI used in any step of the loan lifecycle, including vendor AI tools the lender does not control. This piece walks through what the mandate requires, where lender deployments are exposed, and the inspection architecture that satisfies the disclosure obligation.

Industry Verticals | fannie-mae, mortgage, ai-governance, ai-compliance, audit, lender-letter

AI Credit Scoring Under Annex III Point 5(b): What High-Risk Classification Requires of Banks

Annex III point 5(b) of the EU AI Act classifies AI used to evaluate the creditworthiness of natural persons or establish a credit score as high-risk. From August 2, 2026 the deployer obligations under Article 26 and the provider obligations under Articles 8 through 17 apply. The text exempts AI used only for the detection of financial fraud. Most bank credit deployments today combine scoring, fraud detection, and bureau enrichment in a single pipeline that triggers high-risk classification end-to-end. This piece walks through what the classification means, where bank pipelines blur the fraud-vs-scoring line, and the architecture that produces audit records the supervisor will accept.

Industry Verticals | eu-ai-act, credit-scoring, banking, ai-compliance, audit, annex-iii

EU AI Act for Fintech: How Credit Scoring and Fraud Detection Become High-Risk in August 2026

On August 2, 2026 the EU AI Act high-risk system requirements begin to apply to fintech credit scoring, creditworthiness assessment, and several adjacent financial decisions. The classification falls under Annex III point 5(b). Deployers inherit Article 26 obligations including per-decision logging, human oversight, instructions for use, and incident notification. The provisions overlap with DORA on third-party risk and incident reporting. This piece walks through which fintech AI use cases become high-risk, what the deployer obligation actually requires, and where most lender deployments are exposed.

Industry Verticals | eu-ai-act, fintech, credit-scoring, ai-compliance, financial-services, audit

B2B SaaS with AI Features: How Enterprise Security Reviews Now Block the Deal

B2B SaaS vendors that added AI features in the last twelve months are now meeting an enterprise security review process that did not exist when the product was scoped. Buyers ask about identity context at the model API call, per-decision audit records, prompt-level data classification, and the deployment regime under the EU AI Act. Sales cycles stall on questions the engineering team did not anticipate. This piece walks through what enterprise security reviews now ask of SaaS-with-AI vendors, where most product architectures are exposed, and the inspection layer that closes the gap before procurement does.

Industry Verticals | b2b-saas, ai-compliance, security-review, eu-ai-act, enterprise, audit

EU AI Act for Healthcare: What Articles 6, 12, and Annex III Require of Hospital AI Deployments

EU AI Act high-risk classification applies to several healthcare AI use cases, including AI as a safety component of medical devices under Article 6(1) and the Annex III categories covering access to essential services, biometric categorization, and emergency triage. From August 2, 2026, hospitals deploying these AI systems take on deployer obligations under Article 26 and have to support providers in meeting Articles 8 through 17. For software-as-a-medical-device, the Medical Device Regulation and the EU AI Act apply in layers. The architecture that satisfies the high-risk regime is built on per-decision audit records that capture identity, data class, policy state, and decision outcome on the hospital side.

Industry Verticals | healthcare, eu-ai-act, medical-devices, mdr, ai-compliance, hospital-ai