Planes & Components
For each component: controls, recommendations and references, by maturity tier.
Identity & Policy
Identity Provider (IdP)
Source of authority for human identities: it authenticates people and federates access to AI systems (OIDC, SAML, MFA).
Token Service (TSS)
Issues and exchanges short-lived, audience-scoped tokens for workloads and agents, sender-constrained with mTLS or DPoP so that a token lifted from one client cannot be replayed from another.
Agent Identity & Governance
Per-agent non-human identity (NHI) and its governance: each agent acts under its own identity rather than a borrowed user session or a shared service account, with issuance, rotation, revocation and least agency (the agent is granted only the actions its task requires).
Policy Information Point (PIP)
Supplies the PDP with decision context: attributes, posture, risk score, data sensitivity.
Policy Administration Point (PAP)
Where authorization policies are authored, versioned, reviewed and governed.
Policy Decision Point (PDP)
The heart of Zero-Trust: it renders the authorization decision (permit / deny / permit-with-obligations) that the distributed PEPs enforce.
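As an added example for this plane (illustrative code, not code from the reference architecture): a minimal PDP that takes the context a PIP would assemble and renders permit, deny, or permit-with-obligations for a PEP to enforce. The attribute names, role ceilings, risk thresholds and obligation strings are assumptions chosen for the illustration.

```python
"""Added example: a minimal Policy Decision Point fed by PIP context.
Attribute names, role levels, thresholds and obligation names are
illustrative assumptions, not the reference architecture's own schema."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Context:
    """Decision context as a PIP would hand it over for one request (constructed)."""
    subject: str
    subject_type: str          # "human" or "agent"
    roles: frozenset
    mfa: bool                  # strong authentication completed for this session
    device_posture: str        # "compliant" | "unknown" | "noncompliant"
    risk_score: int            # 0..100 from a risk engine
    action: str                # "read" | "export" | "delete" ...
    resource: str
    sensitivity: str           # "public" | "internal" | "confidential" | "restricted"


@dataclass
class Decision:
    effect: str                                       # "permit" | "deny"
    obligations: list = field(default_factory=list)   # the PEP must honour these
    reason: str = ""


# Policy data a PAP would publish (assumed): ordinal sensitivity levels and the
# highest level each role may touch.
SENSITIVITY_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_CEILING = {"viewer": 1, "analyst": 2, "admin": 3}
AGENT_READ_ONLY_AT = 3     # agents are read-only on restricted data
STEP_UP_RISK = 50          # at or above this, mutating actions need a human in the loop
HARD_DENY_RISK = 80        # at or above this, nothing is permitted


def decide(ctx: Context) -> Decision:
    rank = SENSITIVITY_RANK[ctx.sensitivity]

    # Unconditional denies come first so no later rule can re-open them.
    if ctx.device_posture == "noncompliant":
        return Decision("deny", reason="device posture noncompliant")
    if ctx.risk_score >= HARD_DENY_RISK:
        return Decision("deny", reason="risk score at or above hard ceiling")
    if ctx.subject_type == "human" and rank >= 2 and not ctx.mfa:
        return Decision("deny", reason="MFA required for confidential or restricted data")
    if ctx.subject_type == "agent" and rank >= AGENT_READ_ONLY_AT and ctx.action != "read":
        return Decision("deny", reason="agents are read-only on restricted data")

    # Default deny: some role must explicitly cover this sensitivity level.
    ceiling = max((ROLE_CEILING.get(r, -1) for r in ctx.roles), default=-1)
    if ceiling < rank:
        return Decision("deny", reason="no role covers sensitivity %r" % ctx.sensitivity)

    # Permit with obligations: the PEP may not drop them and still permit.
    obligations = []
    if rank >= 2:
        obligations.append("audit_log")         # always record access to sensitive data
    if rank >= 2 and ctx.subject_type == "agent":
        obligations.append("redact_pii")        # the model context gets a redacted view
    if ctx.action != "read" and ctx.risk_score >= STEP_UP_RISK:
        obligations.append("hitl_approval")     # elevated risk: a human confirms mutating actions
    if ctx.device_posture == "unknown":
        obligations.append("session_ttl=300")   # short session when posture cannot be verified
    return Decision("permit", obligations, reason="role ceiling %d >= rank %d" % (ceiling, rank))
```

The ordering matters: hard denies are evaluated before any permit path, the absence of a matching role is a deny rather than a fall-through, and obligations are returned as data so that every PEP enforces the same ones.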
Edge & Ingress
WAF / CDN
First network line of defense: a web application firewall (WAF) and CDN that filter traffic and absorb spikes before they reach the AI services.
API Gateway
Single entry point for APIs: authentication, quotas and routing. A Policy Enforcement Point (PEP) at the system edge.
Edge AI Guardrail
Inline AI security inspection at the edge: DLP, PII and abuse detection before content enters the system.
Gateway & Protection
AI Gateway
Single entry point to the models: multi-provider routing, cache, quotas — and a policy enforcement point. Cached responses must be keyed to the tenant and the caller's authorization context, so that one caller never receives another caller's answer.
Input Guardrail
Prompt security and intent detection: validate and sanitize input before orchestration and the model.
Output Guardrail
Redaction, grounding verification and response filtering before delivery to the user or a downstream system.
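As an added example of the redaction step of an output guardrail (illustrative code, not part of this reference architecture): PII patterns are redacted from a model response before delivery, with a Luhn check so that digit runs that merely look like card numbers are not redacted. The patterns, the placeholder format, the rule that phone numbers must carry an international prefix, and the sample response are all assumptions constructed for this example.

```python
"""Added example: output-side PII redaction for an AI response.
Patterns, placeholders and the sample text are constructed assumptions."""
import re

# Card candidates: 13 to 19 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Phones must carry an international prefix here; that keeps order numbers
# and other digit runs out of the redaction (an assumption about this app's data).
PHONE_RE = re.compile(r"\+\d{1,3}[ -]?\(?\d{1,4}\)?(?:[ -]?\d{2,4}){2,4}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str):
    """Return (redacted_text, findings). Cards are handled first so the phone
    pattern cannot consume part of a card number."""
    findings = []

    def card_sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)          # fails Luhn: not a card, leave it alone
        findings.append(("card", m.group(0)))
        return "[REDACTED:CARD]"

    def tagged(kind):
        def sub(m):
            findings.append((kind, m.group(0)))
            return "[REDACTED:%s]" % kind.upper()
        return sub

    text = CARD_RE.sub(card_sub, text)
    text = EMAIL_RE.sub(tagged("email"), text)
    text = PHONE_RE.sub(tagged("phone"), text)
    return text, findings


# Constructed model output; 4111 1111 1111 1111 is a well-known test card number,
# the "order ref" is a 16-digit run that fails the Luhn check.
SAMPLE = (
    "Customer: jane.doe@example.com, mobile +33 6 12 34 56 78. "
    "Card on file 4111 1111 1111 1111; order ref 4111 1111 1111 1112."
)

if __name__ == "__main__":
    out, found = redact(SAMPLE)
    print(out)
    for kind, value in found:
        print(kind, "->", value)
```

The findings list is what the guardrail would hand to logging and to the DLP component; the redacted text is what goes to the user or the downstream system.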
Orchestration
Orchestrator
The agent’s brain: it plans, decomposes and chains calls to the model and tools.
Agent Guardrail
Constrains, in real time, the actions and tool calls the orchestrator decides on: tool allowlists, argument constraints, call budgets, and escalation of sensitive actions to human approval.
HITL Approval
Human-in-the-loop approval: a human approves sensitive actions before they execute. The approval must be bound to the specific action and its parameters rather than granted once for a class of actions; otherwise an altered call inherits it.
Agent Memory
Agent memory (short and long term): stores context, facts and history across steps and sessions. Anything read back from memory is data, not instructions: it was written from earlier inputs and may carry injected content.
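As an added example covering the Agent Guardrail and HITL Approval components together (illustrative code, not part of this reference architecture): a guardrail checks every tool call the orchestrator proposes against an allowlist, per-tool argument limits and a call budget, and escalates sensitive calls to a human. The approval is bound to a hash of the exact tool name and arguments and is consumed on use, so an edited or repeated call has to be approved again. Tool names, limits, the internal domain and the approver are assumptions.

```python
"""Added example: agent guardrail with call-bound human approval.
TOOL_POLICY, the limits and the approver name are illustrative assumptions."""
import hashlib
import json

# Policy a PAP would publish for this agent (assumed data): which tools exist,
# argument ceilings, and which calls need a human before they run.
TOOL_POLICY = {
    "search_docs":   {"max_args": {"limit": 20}, "needs_approval": False},
    "send_email":    {"internal_domains": {"example.com"}, "needs_approval": "external"},
    "delete_record": {"needs_approval": True},
}
MAX_CALLS_PER_TASK = 25      # loop guard against a runaway agent


def call_fingerprint(tool: str, args: dict) -> str:
    """Canonical hash of tool + arguments: an approval for this value cannot be
    reused for the same tool with edited arguments."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AgentGuardrail:
    def __init__(self):
        self.calls_made = 0
        self.pending = {}        # fingerprint -> call awaiting a human
        self.approved = set()    # fingerprints a human approved, single use
        self.audit = []          # what happened, for the audit trail

    def check(self, tool: str, args: dict) -> str:
        """Return 'allow', 'deny' or 'needs_approval' for one proposed call."""
        if self.calls_made >= MAX_CALLS_PER_TASK:
            return "deny"
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return "deny"                        # not on the allowlist
        for name, ceiling in policy.get("max_args", {}).items():
            if args.get(name, 0) > ceiling:
                return "deny"                    # argument outside its ceiling
        fp = call_fingerprint(tool, args)
        if fp in self.approved:
            self.approved.discard(fp)            # consume: one approval, one execution
            self.calls_made += 1
            self.audit.append(("allow_approved", tool, fp))
            return "allow"
        need = policy["needs_approval"]
        if need == "external":
            # Missing or malformed recipient yields an empty domain, which is
            # treated as external: fail closed.
            domain = args.get("to", "").rpartition("@")[2]
            need = domain not in policy["internal_domains"]
        if need:
            self.pending[fp] = {"tool": tool, "args": args}
            return "needs_approval"
        self.calls_made += 1
        self.audit.append(("allow", tool, fp))
        return "allow"

    def approve(self, fingerprint: str, approver: str) -> bool:
        """HITL step: a human approves exactly one pending call by its fingerprint."""
        rec = self.pending.pop(fingerprint, None)
        if rec is None:
            return False
        self.approved.add(fingerprint)
        self.audit.append(("approved", rec["tool"], fingerprint, approver))
        return True
```

The orchestrator calls check() before every tool invocation and only executes on "allow"; a "needs_approval" result parks the call until approve() is called with the same fingerprint.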
Execution & Tools
Runtime Guardrail
Execution sandbox: it isolates and constrains the actual execution of the tools and code the agent decides on.
Model (LLM)
The language model: the inference engine, whether hosted, API-based or self-hosted.
Retriever
The retriever (RAG): it selects and returns relevant documents to augment the model’s context.
Vector DB
Vector database: stores the embeddings queried by the retriever.
Tools / MCP
Tools and MCP servers: the external capabilities (APIs, functions, systems) the agent can call.
Data & Storage
RAG Security & PBAC
RAG security and permission-based access control (PBAC): enforce the caller's permissions at retrieval time, so that a document the caller could not open directly never enters the model's context, and so that access is gated by the caller's identity rather than by the agent's own service identity.
Data Sources
Data-source governance: provenance, quality and integrity of the data feeding the AI.
Encryption & Tokenization
Encryption and tokenization: protect data at rest, in transit and in use.
DLP / Egress
Data loss prevention (DLP) and egress control: keep sensitive data from leaving the perimeter.
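As an added example for the RAG Security & PBAC component (illustrative code, not part of this reference architecture): two ways of applying the caller's permissions to a vector search. Filtering on the ACL before ranking returns only readable chunks and still fills the top-k; filtering after top-k is equally leak-free but starves the caller when the highest-scoring chunks are ones they may not see, which is how an authorized user ends up with an empty context. The corpus, group names and vectors are constructed toy data.

```python
"""Added example: permission-aware retrieval, pre-filter versus post-filter.
Corpus, ACL groups and vectors are constructed toy data."""
import math

# Constructed corpus: each chunk carries the ACL groups of its source document.
CORPUS = [
    {"id": "pub-1", "vec": [0.90, 0.10, 0.0], "groups": {"everyone"}, "text": "Public product FAQ"},
    {"id": "fin-1", "vec": [0.95, 0.05, 0.0], "groups": {"finance"},  "text": "Q3 revenue forecast"},
    {"id": "fin-2", "vec": [0.92, 0.08, 0.0], "groups": {"finance"},  "text": "Board pack draft"},
    {"id": "hr-1",  "vec": [0.93, 0.07, 0.0], "groups": {"hr"},       "text": "Salary bands"},
    {"id": "pub-2", "vec": [0.60, 0.40, 0.0], "groups": {"everyone"}, "text": "Office locations"},
    {"id": "pub-3", "vec": [0.30, 0.70, 0.0], "groups": {"everyone"}, "text": "Holiday calendar"},
]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


def authorised(chunk, caller_groups):
    """The caller's groups, not the agent's service identity, decide visibility."""
    return bool(chunk["groups"] & caller_groups)


def retrieve_prefilter(query_vec, caller_groups, k):
    """Filter on permissions, then rank: every result is readable by the caller
    and the caller still receives up to k results."""
    candidates = [c for c in CORPUS if authorised(c, caller_groups)]
    ranked = sorted(candidates, key=lambda c: cosine(query_vec, c["vec"]), reverse=True)
    return [c["id"] for c in ranked[:k]]


def retrieve_postfilter(query_vec, caller_groups, k):
    """Rank everything, then drop what the caller may not see: no leak, but the
    top-k is consumed by unauthorised chunks and the caller gets fewer results."""
    ranked = sorted(CORPUS, key=lambda c: cosine(query_vec, c["vec"]), reverse=True)
    return [c["id"] for c in ranked[:k] if authorised(c, caller_groups)]


if __name__ == "__main__":
    query = [1.0, 0.0, 0.0]
    for groups in ({"everyone"}, {"everyone", "finance"}):
        print(sorted(groups), "pre :", retrieve_prefilter(query, groups, 3))
        print(sorted(groups), "post:", retrieve_postfilter(query, groups, 3))
```

In a real vector database the pre-filter is expressed as a metadata filter pushed into the query, so that the index never ranks chunks the caller cannot read.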
Platform
Secrets & KMS
Secrets and key management (KMS): storage, distribution and rotation of secrets and cryptographic keys.
Supply Chain Governance
Supply-chain governance: control the models, dependencies and third-party components of the AI stack, with pinned versions, verified digests or signatures for model artifacts and packages, and an inventory (SBOM) of what ships.
Network Segmentation
Network segmentation: partition components to limit lateral movement.
Secure CI/CD
Secure CI/CD: protect the build and deployment chain of AI applications and models.
mTLS
mTLS: mutual authentication and encryption of all service-to-service communication.
Observability
Structured Logging
Structured logging: capture, in a usable form, the security events across the whole AI chain.
Distributed Tracing
Distributed tracing: follow a request end-to-end across agents, tools and models.
SIEM / SOAR
SIEM / SOAR: correlation of security signals and automated incident response.
Anomaly & Abuse Detection
Anomaly and abuse detection: spot deviant behavior of users, agents and models.
Immutable Audit Trail
Immutable audit trail: an unalterable, attributable, retained record of actions and decisions.
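As an added example covering Structured Logging and the Immutable Audit Trail (illustrative code, not part of this reference architecture): audit records are emitted as structured JSON carrying the trace correlation fields, and each record's MAC covers the record body plus the previous record's MAC, so that an edited field, a removed record or a reordered record is detected at verification time. The field names, the events and the key are constructed assumptions; in practice the key would come from the KMS and be held only by the audit service.

```python
"""Added example: hash-chained, keyed audit records with structured fields.
Field names, events and the key are constructed assumptions."""
import hashlib
import hmac
import json

AUDIT_KEY = b"demo-key-held-by-the-audit-service-only"   # assumption: from the KMS in practice
GENESIS = "0" * 64                                        # "previous MAC" of the first record


def canonical(record: dict) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(trail: list, event: dict) -> dict:
    """Append one structured record whose MAC covers the event, its sequence
    number and the previous record's MAC."""
    prev = trail[-1]["mac"] if trail else GENESIS
    body = {"seq": len(trail), "prev": prev, "event": event}
    mac = hmac.new(AUDIT_KEY, canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    trail.append(record)
    return record


def verify(trail: list):
    """Return (ok, first_bad_seq). Catches edited fields, removed records and
    reordered records; a wrong key fails at record 0."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        expected = hmac.new(AUDIT_KEY, canonical(body), hashlib.sha256).hexdigest()
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def demo_trail() -> list:
    """Constructed events for one request, sharing the trace id a tracer would
    propagate across gateway, orchestrator, tools and model."""
    trail = []
    common = {"trace_id": "4bf92f3577b34da6a3ce929d0e0e4736", "tenant": "acme"}
    append(trail, dict(common, actor="user:alice", action="prompt", pdp="permit"))
    append(trail, dict(common, actor="agent:summarizer", action="tool_call",
                       tool="search_docs", pdp="permit"))
    append(trail, dict(common, actor="agent:summarizer", action="tool_call",
                       tool="send_email", pdp="permit",
                       obligations=["hitl_approval"], approver="user:bob"))
    return trail


if __name__ == "__main__":
    trail = demo_trail()
    for rec in trail:
        print(json.dumps(rec, sort_keys=True))
    print("verify:", verify(trail))
```

Each line printed is one structured log record suitable for a SIEM; the MAC chain is what turns the stream into an audit trail whose integrity can be checked independently of the system that produced it.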