← All posts

Platform & Architecture

56 posts on platform & architecture.

Amazon Bedrock Gateway Patterns: How To Front Bedrock with Inline Enforcement

An Amazon Bedrock gateway sits between calling applications and the Bedrock runtime endpoints, attaches identity context to every InvokeModel and InvokeModelWithResponseStream call, evaluates a per-request policy, and commits a per-decision audit record before the request reaches Anthropic, Mistral, Meta, Cohere, AI21, or Amazon Titan. The gateway pattern complements Bedrock Guardrails by adding identity-bound policy enforcement and a per-decision audit record format that satisfies EU AI Act Article 12 and the Fannie Mae LL-2026-04 lender record requirement. This piece walks through the AWS SigV4 handling, the model-agnostic policy, and the audit record format.

amazon-bedrockai-gatewayapi-gatewayinline-enforcementawsaudit
Read post →

Anthropic API Gateway Patterns: How To Front api.anthropic.com with Inline Enforcement

An Anthropic API gateway sits between calling applications and api.anthropic.com, attaches identity context, evaluates a per-request policy, and commits a per-decision audit record before the request reaches Claude. The gateway pattern addresses the Anthropic Messages API, the tool-use loop, the streaming response, and the prompt caching feature. This piece walks through the request rewriting pattern, the system-prompt evaluation, the tool-use policy, the streaming SSE handling, and the audit record format that satisfies EU AI Act Article 12 and the deployer obligations under Article 26.

anthropicclaudeai-gatewayapi-gatewayinline-enforcementaudit
Read post →

OpenAI API Gateway Patterns: How To Front api.openai.com with Inline Enforcement

An OpenAI API gateway sits between calling applications and api.openai.com, attaches identity context, evaluates per-request policy, and commits a per-decision audit record before the request reaches the model. The pattern replaces the direct calling convention that uses an organization-bound API key with an inspection layer that the application addresses instead. This piece walks through the request rewriting pattern, the SSE and streaming response handling, the function-calling and tool-use evaluation, and the audit record format that satisfies EU AI Act Article 12 and the deployer obligations under Article 26.

openaiai-gatewayapi-gatewayinline-enforcementstreaming-responsesaudit
Read post →

Stateless vs Stateful AI Proxy: Which Architecture Holds Up Under Production Load and Audit

A stateless AI proxy makes the policy decision on the contents of the current request and the per-decision audit record alone. A stateful AI proxy carries session memory, caches conversation history, or stores prompts across requests in its own storage. The choice has direct consequences for horizontal scaling, blast radius under compromise, the EU AI Act Article 12 record-keeping obligation, and the DORA third-party risk profile of the inspection layer. This piece walks through the architectural distinction, what each option requires from the deployment, and where most production teams settle once the trade-offs are visible.

ai-proxyai-gatewaystatelessai-architectureinline-enforcementaudit
Read post →

Per-Route AI Policies: How To Implement Endpoint-Specific Enforcement in Front of LLM APIs

Per-route AI policies attach a different enforcement rule to each LLM endpoint behind the inspection layer. A request to the customer-support route runs under one policy. A request to the developer-tooling route runs under another. The implementation lets a single inspection layer serve every team without the lowest common denominator policy that an organization-wide rule produces. This piece walks through the data model, the matching algorithm, the policy state that has to be present at decision time, and the operational characteristics that hold up at production scale across OpenAI, Anthropic, Azure OpenAI, and Bedrock endpoints.

ai-gatewayper-route-policiesinline-enforcementai-architectureidentity-awareaudit
Read post →

Signed Audit Logs for AI Requests: Per-Decision Signing and What Regulators Will Accept

A signed audit log binds a cryptographic signature to each record at the moment the record is committed. For AI requests, the signature ties the record to the inspection layer that produced it and lets a verifier confirm authenticity without trusting the storage layer. The technique is the cryptographic foundation under tamper-evident audit trails the EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and NIST AI agent identity framework all expect. This piece walks through the signing schemes, the key management, and the verification flow that auditors and regulators will accept.

signed-auditaudit-logscryptographyai-complianceintegritypki
Read post →

Tamper-Evident Audit Logs for AI: What Cryptographic Integrity Brings to Compliance Records

Tamper-evident audit logs make any post-hoc modification of a record detectable through cryptographic integrity. For AI compliance records, the property closes the self-attestation gap that application-controlled logs cannot. The technique combines per-record signing, hash chaining, and external anchoring. EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and NIST AI RMF all expect records that an auditor can rely on as evidence. Application logs that the application can modify do not meet that standard. This piece walks through the cryptographic mechanisms, the operational characteristics, and the architectural placement.

audit-logstamper-evidentcompliancecryptographyai-auditintegrity
Read post →

Identity-Aware AI Gateway Architecture: How Inline Enforcement Binds Decisions to Users and Agents

An identity-aware AI gateway sits at the AI request boundary, attaches verified identity context to every model API call, evaluates per-route and per-role policies, and commits a per-decision audit record before the model response returns to the calling application. The architecture closes the post-authentication gap that most enterprise AI deployments have inherited from the credential-pooling pattern used by SDKs and proxy frameworks. This piece walks through the architectural building blocks, the call path, the audit primitives, and where the identity-aware gateway sits relative to existing IAM, API gateway, and DLP infrastructure.

ai-gatewayidentity-awareai-architectureenforcementauditzero-trust
Read post →