Skip to main content

Security

:::info Source Sourced from services/ai-gateway-service/SECURITY_MODEL.md in the documentation repo. :::

1. Authentication

JWT internal. S2S mTLS for AIClient SDK → gateway calls.

2. Authorization

  • ai:call — scoped per capability (ai:completion, ai:embed, ai:image, etc.).
  • ai:admin — prompt management.
  • ai:audit — compliance officer.

Admin UIs limit based on plan entitlements.

3. Multi-Tenant Isolation

  • RLS on every table.
  • Embeddings partitioned by tenant; k-NN always filters by tenant.
  • Prompts: platform (null tenant) + per-tenant.
  • Tenant cannot read another tenant's prompts.

4. Provider Egress

  • Egress via NAT gateway with allowlist to provider endpoints.
  • noTrain flag configured on all provider requests.
  • Per-tenant provider preference (e.g., HIPAA tenant → AzureOpenAI with BAA).
  • TLS 1.3 only; pinned certs where providers support.

5. PII Handling

  • Pre-call PII redaction (Presidio-like classifier).
  • Redaction tokens reversible (for response merging) but never sent to provider.
  • Restricted tenants: PII always blocked, never just redacted.
  • Full PII audit log restricted tier access only.

6. Prompt Injection Defense

  • Heuristic: known injection patterns (ignore previous instructions, etc.).
  • Classifier: trained on injection corpus.
  • Isolation: system prompts separated from user input via template boundaries.
  • Monitoring: injection score logged; patterns fed back into classifier.

7. Threat Model

ThreatMitigation
Prompt injection → hijack AIShield classifier; system prompt isolation
PII exfil to providerPre-call redaction; noTrain
Cross-tenant embedding leakPartitioned vector index; mandatory tenant filter
Prompt theft (tenant prompt IP)Per-tenant ACL; prompts encrypted at rest
Budget bypassAtomic debit before provider call
Replay of cached output (stale)TTL + cache invalidation on prompt version bump
Provider response tamperingTLS + response schema validation
Audit log tamperAppend-only + Merkle anchor
API key theftKMS + scoped IAM + rotation
Over-consumption via burstRate limit + budget
CSAM/illegal content generationPost-gen moderation; hits → block + report

8. Key Management

  • Provider API keys in KMS (per-region, per-environment).
  • Rotation quarterly.
  • Per-tenant signing key for audit entries.

9. Audit

  • Every AI call → audit entry (completionId, prompt, cost, safety, actor).
  • 7-year retention.
  • Merkle-anchored daily.

10. EU AI Act Compliance

  • High-risk capabilities documented in tenant-facing Trust Center.
  • Post-market monitoring records.
  • Incident reporting procedure.
  • Right-to-explanation UI in all consumer surfaces.

11. HIPAA

  • Allowlisted providers (Azure OpenAI BAA, Anthropic BAA).
  • Restricted tenants enforce allowlist at routing layer.
  • PHI never sent to non-BAA providers.

12. GDPR

  • Erase embeddings + audit for user (retain audit when legal hold applies).
  • Tenant data residency enforced at provider routing.
  • Right-to-object to profiling honored per request.