Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

22-Second Breach Windows: Why AI Enforcement Must Be Inline

Mandiant M-Trends 2026 measured median attack handoff at 22 seconds. At that tempo, log-and-alert fails as a control. Inline enforcement at the AI request boundary makes the policy decision before the request reaches the model. Enforcement overhead under 50 ms is invisible against model inference times of 500 ms to 5 seconds.

Platform & Architecture: ai-security, inline-enforcement, policy-enforcement, cybersecurity, architecture, zero-trust

Model Guardrails Are Probabilistic, Not Enforceable Controls

Model guardrails are trained behaviors inside the inference process. They degrade under fine-tuning, adversarial prompting, and role-play framing. External enforcement at the AI request boundary produces deterministic controls and identity-bound audit records that guardrails alone cannot.

Platform & Architecture: ai-security, llm-security, prompt-injection, policy-enforcement, architecture, inline-enforcement

Zero Trust AI: Per-Request Evaluation at the Model Boundary

Zero trust applied to AI means evaluating every model request against verified identity, current policy, and prompt-level classification. The architectural pattern is an enforcement proxy at the HTTP AI request boundary. The post-authentication gap is the most common failure mode in current deployments.

Platform & Architecture: zero-trust, ai-security, identity-and-authorization, policy-enforcement, inline-enforcement, architecture

AI Agent Identity: NIST Pillar 1 in Production Deployments

NIST Pillar 1 names verified agent identity as the foundation of the AI agent identity and authorization framework. Per-agent identifiers, delegated authority from the authorizing user, and structured propagation to the model API call are the production requirements. Static service credentials fail the test.

Platform & Architecture: agentic-ai, identity-and-authorization, nist-ai-rmf, ai-security, architecture, zero-trust

AI Agent Security: From Identity to Action Lineage

AI agent security is the operational practice of constraining autonomous agents to act only within delegated authority and producing per-decision audit records that survive regulatory review. The NIST three-pillar framework names the architecture. Application logs and model guardrails do not satisfy it.

Problem-Aware: agentic-ai, ai-security, identity-and-authorization, nist-ai-rmf, audit, policy-enforcement

Agentic AI Architecture Patterns: Where the Enforcement Layer Sits

Six agentic AI architecture patterns dominate production deployments today: ReAct, plan-and-execute, multi-agent crews, retrieval-augmented agents, code-executing agents, and tool-using single agents. The security architecture differs across each. The enforcement layer always sits at the HTTP AI request boundary.

Problem-Aware: agentic-ai, ai-security, architecture, inline-enforcement, policy-enforcement, llm

Agentic AI Frameworks: Security Properties Compared

LangChain, LangGraph, AutoGen, CrewAI, and the OpenAI Assistants API each ship a different agent loop. The security properties of each framework determine what an enforcement layer can see and what it cannot. The architectural divergence matters at the AI request boundary.

Problem-Aware: agentic-ai, ai-security, llm, identity-and-authorization, architecture, policy-enforcement

Agentic AI vs Generative AI: The Security Architecture Diverges

Generative AI returns a response to a human-issued prompt and waits for the next instruction. Agentic AI issues prompts on its own initiative, applies the response, and chains the next call. The architectural divergence has direct consequences for identity, policy enforcement, and audit trails.

Problem-Aware: agentic-ai, ai-security, llm, identity-and-authorization, policy-enforcement, inline-enforcement

Agentic AI Security: Why Autonomous Agents Need a Policy Layer

Agentic AI security is the practice of constraining what autonomous agents can request, what data they can include in prompts, and what evidence each decision leaves behind. Static credentials, model guardrails, and application logs fail the test. The enforcement layer has to sit at the HTTP AI request boundary.

Problem-Aware: agentic-ai, ai-security, identity-and-authorization, policy-enforcement, inline-enforcement, audit