← All posts

Platform & Architecture

97 posts on platform & architecture.

OpenAI API Gateway Setup: An Implementation Walkthrough for Enterprise Deployments

A production OpenAI deployment that satisfies EU AI Act Article 12, NIST AI RMF MANAGE 1.3, and HIPAA audit obligations needs a gateway between the application and api.openai.com. This guide walks through the gateway's request path, the TLS handling, the identity model, the four classification stages, and the audit-record format that holds up under a regulator read. Code samples included.

openaiai-gatewayimplementation-guideenterprise-aiai-securityapi-proxy
Read post →

Anthropic API Gateway Setup: An Implementation Walkthrough for Enterprise Claude Deployments

Direct integrations with api.anthropic.com terminate TLS at Anthropic's edge, which leaves the deployer with no inspection point and no audit record. This guide walks through the gateway architecture that sits between the application and Anthropic's API, with attention to Claude-specific patterns: system prompts, tool use, prompt caching, and the message-completion streaming format. Code samples for the Anthropic Python SDK included.

anthropicclaudeai-gatewayimplementation-guideenterprise-aiapi-proxy
Read post →

AI Security for Coding Agents: The Source-Code, Secret, and Action Boundaries the Agent Crosses

Coding agents read source code, write code changes, run shell commands, call external APIs, and commit results back to the repository. The agent crosses multiple action boundaries inside a single workflow with the developer identity at the top and machine credentials at the bottom. This piece walks through the source-code data the agent reads at request time, the secret-handling surface the agent exposes, the action boundaries the inspection layer commits decisions at, and the audit record format the security team and the regulator consume.

coding-agentai-securityidentity-awareaudit-logsinline-enforcementdeveloper-tools
Read post →

AI Inline Enforcement Architecture: Where the Policy Decision Sits and What It Has To Commit

AI inline enforcement runs the policy decision in the request path, before the model API call returns to the calling application. The architecture places a deterministic policy decision point between the application identity and the model endpoint and commits a per-decision audit record before the response forwards. This piece walks through the architectural components, the decision-time data shape, the failure modes the implementation has to handle, and the regulatory profile that the inline placement satisfies (EU AI Act Article 12, NIST AI agent identity and authorization Pillar 2 and Pillar 3, Fannie Mae LL-2026-04, DORA Article 6).

inline-enforcementai-architectureai-gatewaypolicy-decision-pointauditeu-ai-act
Read post →

LiteLLM vs an AI Security Gateway: What Each One Does and Where They Compose

LiteLLM is an open-source LLM proxy that normalizes the API surface across more than 100 model providers and handles routing, retries, fallbacks, cost tracking, and basic key management. An AI security gateway sits at the same network position but answers a different question: identity-bound policy on prompt content, data classification at the request boundary, and a per-decision audit record that holds up under EU AI Act Article 12 review. The two products compose in production deployments. This piece walks through what each one does, where they overlap, and where the architectural responsibilities split.

litellmai-gatewaycomparisoninline-enforcementai-architectureaudit
Read post →

Amazon Bedrock Gateway Patterns: How To Front Bedrock with Inline Enforcement

An Amazon Bedrock gateway sits between calling applications and the Bedrock runtime endpoints, attaches identity context to every InvokeModel and InvokeModelWithResponseStream call, evaluates a per-request policy, and commits a per-decision audit record before the request reaches Anthropic, Mistral, Meta, Cohere, AI21, or Amazon Titan. The gateway pattern complements Bedrock Guardrails by adding identity-bound policy enforcement and a per-decision audit record format that satisfies EU AI Act Article 12 and the Fannie Mae LL-2026-04 lender record requirement. This piece walks through the AWS SigV4 handling, the model-agnostic policy, and the audit record format.

amazon-bedrockai-gatewayapi-gatewayinline-enforcementawsaudit
Read post →

Anthropic API Gateway Patterns: How To Front api.anthropic.com with Inline Enforcement

An Anthropic API gateway sits between calling applications and api.anthropic.com, attaches identity context, evaluates a per-request policy, and commits a per-decision audit record before the request reaches Claude. The gateway pattern addresses the Anthropic Messages API, the tool-use loop, the streaming response, and the prompt caching feature. This piece walks through the request rewriting pattern, the system-prompt evaluation, the tool-use policy, the streaming SSE handling, and the audit record format that satisfies EU AI Act Article 12 and the deployer obligations under Article 26.

anthropicclaudeai-gatewayapi-gatewayinline-enforcementaudit
Read post →

OpenAI API Gateway Patterns: How To Front api.openai.com with Inline Enforcement

An OpenAI API gateway sits between calling applications and api.openai.com, attaches identity context, evaluates per-request policy, and commits a per-decision audit record before the request reaches the model. The pattern replaces the direct calling convention that uses an organization-bound API key with an inspection layer that the application addresses instead. This piece walks through the request rewriting pattern, the SSE and streaming response handling, the function-calling and tool-use evaluation, and the audit record format that satisfies EU AI Act Article 12 and the deployer obligations under Article 26.

openaiai-gatewayapi-gatewayinline-enforcementstreaming-responsesaudit
Read post →

Stateless vs Stateful AI Proxy: Which Architecture Holds Up Under Production Load and Audit

A stateless AI proxy makes the policy decision on the contents of the current request and the per-decision audit record alone. A stateful AI proxy carries session memory, caches conversation history, or stores prompts across requests in its own storage. The choice has direct consequences for horizontal scaling, blast radius under compromise, the EU AI Act Article 12 record-keeping obligation, and the DORA third-party risk profile of the inspection layer. This piece walks through the architectural distinction, what each option requires from the deployment, and where most production teams settle once the trade-offs are visible.

ai-proxyai-gatewaystatelessai-architectureinline-enforcementaudit
Read post →

Per-Route AI Policies: How To Implement Endpoint-Specific Enforcement in Front of LLM APIs

Per-route AI policies attach a different enforcement rule to each LLM endpoint behind the inspection layer. A request to the customer-support route runs under one policy. A request to the developer-tooling route runs under another. The implementation lets a single inspection layer serve every team without the lowest common denominator policy that an organization-wide rule produces. This piece walks through the data model, the matching algorithm, the policy state that has to be present at decision time, and the operational characteristics that hold up at production scale across OpenAI, Anthropic, Azure OpenAI, and Bedrock endpoints.

ai-gatewayper-route-policiesinline-enforcementai-architectureidentity-awareaudit
Read post →

Signed Audit Logs for AI Requests: Per-Decision Signing and What Regulators Will Accept

A signed audit log binds a cryptographic signature to each record at the moment the record is committed. For AI requests, the signature ties the record to the inspection layer that produced it and lets a verifier confirm authenticity without trusting the storage layer. The technique is the cryptographic foundation under tamper-evident audit trails the EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and NIST AI agent identity framework all expect. This piece walks through the signing schemes, the key management, and the verification flow that auditors and regulators will accept.

signed-auditaudit-logscryptographyai-complianceintegritypki
Read post →

Tamper-Evident Audit Logs for AI: What Cryptographic Integrity Brings to Compliance Records

Tamper-evident audit logs make any post-hoc modification of a record detectable through cryptographic integrity. For AI compliance records, the property closes the self-attestation gap that application-controlled logs cannot. The technique combines per-record signing, hash chaining, and external anchoring. EU AI Act Article 12, Fannie Mae LL-2026-04, HIPAA, DORA, and NIST AI RMF all expect records that an auditor can rely on as evidence. Application logs that the application can modify do not meet that standard. This piece walks through the cryptographic mechanisms, the operational characteristics, and the architectural placement.

audit-logstamper-evidentcompliancecryptographyai-auditintegrity
Read post →