AI Gateway Service — Security Model
Status: populated · Owner: TBD · Last updated: 2026-04-17 · Companion: Service Template · 13 security-compliance-tenancy · 14 compliance-security-extended
1. AuthN / AuthZ
- JWT validated by Kong + service-level guard. Claims: sub, tenant_id, scope, realm_access.roles.
- Scopes: svc:ai:assist, svc:ai:review, svc:ai:admin.
- Internal service-to-service: mTLS + JWT with service_account audience.
2. RBAC / ABAC matrix
| Role | assist | moderate | review | accept | admin (routing, templates) |
|---|---|---|---|---|---|
| clinician | ✅ own scope | ✅ | ✅ reviewer-marked only | N/A (consumer service) | ❌ |
| nurse | ✅ limited features | ✅ | ✅ | N/A | ❌ |
| patient | ✅ portal.* only | ✅ | ❌ | ❌ | ❌ |
| reviewer | ❌ | ✅ | ✅ | ❌ | ❌ |
| service_account (consumer svc) | ✅ | ✅ | ❌ | ✅ | ❌ |
| tenant_admin | ❌ | ❌ | ❌ | ❌ | ✅ (tenant-scoped rules/templates) |
| platform_admin | ❌ | ❌ | ❌ | ❌ | ✅ (global) |
ABAC rules enforced pre-inference: feature-to-resource compatibility, residency compatibility (tenant residency ⊆ provider region allowed list), consent presence (PHI features).
3. Consent gating
| Feature type | Consent required | Source |
|---|---|---|
| PHI-touching clinical features | ConsentForAIAssistance resource on file for the patient | patient-chart/registration |
| Patient portal triage | Informed consent at portal onboarding | patient-portal-service |
| De-identified / cohort features | None (data de-identified before leaving platform) | — |
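Worked example (added here; not the gateway's own code) of the service-level guard that sections 1 to 3 describe: it checks the JWT claims and scope, applies the RBAC matrix, then runs the three pre-inference ABAC rules (feature-to-resource compatibility, residency compatibility, consent presence). Claim, scope and role names are taken from the tables above; the feature catalogue, provider region allow-lists, the action-to-scope mapping and the consent flag are assumptions constructed so the example runs offline.

```python
"""Pre-inference authorization guard.

Added example, not the gateway's own code. Claim, scope and role names come
from sections 1 and 2; the feature catalogue, provider region allow-lists,
the action->scope mapping and the consent flag are assumptions constructed
here so the example runs offline.
"""
from __future__ import annotations
from dataclasses import dataclass

# Role -> permitted actions, from the RBAC matrix (row qualifiers such as
# "reviewer-marked only" are not modelled).
ROLE_ACTIONS = {
    "clinician": {"assist", "moderate", "review"},
    "nurse": {"assist", "moderate", "review"},
    "patient": {"assist", "moderate"},
    "reviewer": {"moderate", "review"},
    "service_account": {"assist", "moderate", "accept"},
    "tenant_admin": {"admin"},
    "platform_admin": {"admin"},
}

# Action -> required scope. The page names three scopes; which actions map
# to svc:ai:assist is an assumption.
ACTION_SCOPE = {
    "assist": "svc:ai:assist", "moderate": "svc:ai:assist", "accept": "svc:ai:assist",
    "review": "svc:ai:review", "admin": "svc:ai:admin",
}

# Constructed feature catalogue: required action, PHI flag, compatible resources.
FEATURES = {
    "chart.summarize": {"action": "assist", "phi": True, "resources": {"Encounter", "Patient"}},
    "portal.triage": {"action": "assist", "phi": True, "resources": {"PortalSession"}},
    "cohort.trend": {"action": "assist", "phi": False, "resources": {"Cohort"}},
    "draft.review": {"action": "review", "phi": True, "resources": {"AIDecision"}},
}

# Constructed provider region allow-lists; tenant residency must be a subset.
PROVIDER_REGIONS = {"vllm-onprem": {"AF", "EU", "US"}, "cloud-eu": {"EU"}}

REQUIRED_CLAIMS = ("sub", "tenant_id", "scope", "realm_access")


@dataclass
class InferenceRequest:
    feature: str
    resource_type: str
    provider: str
    tenant_residency: set       # residency codes of the calling tenant
    consent_on_file: bool       # ConsentForAIAssistance / portal consent present


def authorize(claims: dict, req: InferenceRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; the first failing rule wins."""
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, "MISSING_CLAIM:" + ",".join(missing)
    feature = FEATURES.get(req.feature)
    if feature is None:
        return False, "UNKNOWN_FEATURE"
    action = feature["action"]
    # RBAC: any role listed in realm_access.roles may grant the action.
    roles = set(claims["realm_access"].get("roles", []))
    if not any(action in ROLE_ACTIONS.get(r, set()) for r in roles):
        return False, "ROLE_DENIED:" + action
    # Matrix qualifier: patients get portal.* features only.
    if roles == {"patient"} and not req.feature.startswith("portal."):
        return False, "PATIENT_PORTAL_ONLY"
    # Scope: the OAuth scope claim is a space-separated string.
    if ACTION_SCOPE[action] not in claims["scope"].split():
        return False, "SCOPE_DENIED:" + ACTION_SCOPE[action]
    # ABAC 1: feature-to-resource compatibility.
    if req.resource_type not in feature["resources"]:
        return False, "FEATURE_RESOURCE_MISMATCH"
    # ABAC 2: residency compatibility (tenant residency ⊆ provider allow-list).
    if not req.tenant_residency <= PROVIDER_REGIONS.get(req.provider, set()):
        return False, "RESIDENCY_DENIED"
    # ABAC 3: consent presence for PHI-touching features.
    if feature["phi"] and not req.consent_on_file:
        return False, "CONSENT_MISSING"
    return True, "OK"
```

The guard checks role before scope on purpose: a token can carry svc:ai:review while the subject's roles do not entitle it to review, and the reason code should say which layer refused. Kong already validated the signature and audience, so this guard only consumes claims it trusts and never re-parses the raw token.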
4. Encryption classes
| Data | Class | Protection |
|---|---|---|
| JWT | Transport | TLS 1.3 |
| ai_decision.draft_text_enc | Confidential PHI (optional persistence) | Tenant KMS envelope encryption |
| ai_provenance.* | Sensitive metadata | AES-256 at rest |
| Prompt templates | Internal IP | Secure registry, signed releases |
| Provider API keys | Secret | KMS; never in env files in production |
5. Audit events emitted to audit-service
Every ai_gateway.* event is consumed by audit-service. Additional audit-only records written for admin mutations: routing_rule.updated, prompt_template.published, provider_config.rotated, quota.overridden.
6. Tenant isolation
- RLS on every table.
- JWT tenant claim set via app.tenant_id session var.
- Cross-tenant references in payloads rejected (CROSS_TENANT).
- Kong audience check: tenant realm must match token's issuer.
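Worked example (added here; not the gateway's own code) of the tenant-binding step behind the four bullets above: the issuer realm is compared with the token's tenant_id, the request payload is walked for foreign tenant references and rejected with CROSS_TENANT, and the app.tenant_id session variable is set for the transaction so RLS applies to every query that follows. Assumptions: a Postgres-style RLS policy keyed on current_setting('app.tenant_id') with a text tenant_id column, a Keycloak-style issuer URL of the form https://host/realms/tenant, and a recording cursor standing in for a real DB-API cursor so the example runs offline.

```python
"""Tenant binding helpers.

Added example, not the gateway's own code. Assumes Postgres RLS keyed on
current_setting('app.tenant_id'), a Keycloak-style issuer URL whose last
path segment is the tenant realm, and the page's CROSS_TENANT rejection
code. The DDL is shown as a constant; the Python checks run offline.
"""
from urllib.parse import urlparse

# RLS policy pattern the page describes: every table filtered by the session
# variable the service sets from the JWT tenant claim. FORCE makes the table
# owner subject to the policy as well. (tenant_id assumed to be a text column.)
RLS_DDL = """
ALTER TABLE ai_decision ENABLE ROW LEVEL SECURITY;
ALTER TABLE ai_decision FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON ai_decision
    USING (tenant_id = current_setting('app.tenant_id', true));
"""


class CrossTenantError(ValueError):
    code = "CROSS_TENANT"


def issuer_matches_tenant(iss: str, tenant_id: str) -> bool:
    """Kong audience check as assumed here: the realm segment of the issuer
    URL (.../realms/<tenant>) must equal the token's tenant_id claim."""
    parts = urlparse(iss).path.rstrip("/").split("/")
    return len(parts) >= 2 and parts[-2] == "realms" and parts[-1] == tenant_id


def find_foreign_tenant_refs(payload, tenant_id: str, path: str = "$") -> list:
    """Walk a JSON-like payload and return the JSONPath-style locations of
    every tenant_id / *_tenant_id field that names a different tenant."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            if key == "tenant_id" or key.endswith("_tenant_id"):
                if value != tenant_id:
                    hits.append(f"{path}.{key}")
            else:
                hits.extend(find_foreign_tenant_refs(value, tenant_id, f"{path}.{key}"))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            hits.extend(find_foreign_tenant_refs(value, tenant_id, f"{path}[{i}]"))
    return hits


def bind_tenant(cursor, claims: dict, payload: dict) -> str:
    """Reject cross-tenant input, then pin the DB session to the token's tenant.

    set_config(..., true) is the parameterisable form of SET LOCAL: the value
    is scoped to the current transaction and the tenant id never enters the
    SQL text. `cursor` is any DB-API cursor."""
    tenant_id = claims["tenant_id"]
    if not issuer_matches_tenant(claims["iss"], tenant_id):
        raise CrossTenantError("issuer realm does not match tenant_id")
    foreign = find_foreign_tenant_refs(payload, tenant_id)
    if foreign:
        raise CrossTenantError(f"foreign tenant references at {foreign}")
    cursor.execute("SELECT set_config('app.tenant_id', %s, true)", (tenant_id,))
    return tenant_id


class RecordingCursor:
    """Constructed DB-API stand-in that records executed statements."""
    def __init__(self):
        self.calls = []

    def execute(self, sql, params=()):
        self.calls.append((sql, params))
```

Because the setting is transaction-local, a pooled connection returned after commit or rollback carries no tenant, and a query issued without bind_tenant sees zero rows rather than another tenant's rows: the failure mode is empty, not leaky. The payload walk is defence in depth; RLS would still hide the foreign rows, but rejecting the request up front gives the audit trail a CROSS_TENANT event instead of a silent empty result.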
7. Data residency
Routing rules filtered by tenantResidency ∈ rule.residency. For AF tenants, default to on-prem vLLM unless explicitly opted into cross-border processing via signed DPA in config-service.
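Worked example (added here; not the gateway's own code) of the residency filter and the on-prem default described above. Assumptions: routing rules carry a residency set, a provider, a priority and an optional tenant_id (tenant-scoped rules written by a tenant_admin are preferred over global ones, which the page does not state); the cross-border opt-in is modelled as a boolean that the caller has already read from config-service; "AF" is used as the residency code exactly as the page writes it.

```python
"""Residency-aware route selection.

Added example, not the gateway's own code. Rule fields, the tenant-scoped
precedence and the DPA boolean are assumptions; the residency filter and the
AF on-prem default follow section 7 of the page.
"""
from dataclasses import dataclass
from typing import Optional

ON_PREM_VLLM = "vllm-onprem"


@dataclass(frozen=True)
class RoutingRule:
    name: str
    provider: str
    residency: frozenset            # residency codes this rule may serve
    cross_border: bool              # provider processes data outside the tenant's residency
    priority: int                   # lower wins
    tenant_id: Optional[str] = None  # None = global rule; set = tenant-scoped rule


def select_route(rules, tenant_id: str, tenant_residency: str, dpa_signed: bool) -> RoutingRule:
    """Pick the routing rule for one tenant. Raises LookupError when nothing
    eligible remains so the caller fails closed instead of routing anywhere."""
    scoped = [r for r in rules if r.tenant_id == tenant_id]
    global_rules = [r for r in rules if r.tenant_id is None]
    for pool in (scoped, global_rules):
        # Page's filter: tenantResidency ∈ rule.residency.
        eligible = [r for r in pool if tenant_residency in r.residency]
        # AF tenants stay on on-prem vLLM unless a signed DPA opts them in.
        if tenant_residency == "AF" and not dpa_signed:
            eligible = [r for r in eligible
                        if r.provider == ON_PREM_VLLM and not r.cross_border]
        if eligible:
            return min(eligible, key=lambda r: r.priority)
    raise LookupError(f"no eligible route for tenant {tenant_id} ({tenant_residency})")


# Constructed rule set for the example.
RULES = [
    RoutingRule("global-cloud", "cloud-multi", frozenset({"AF", "EU", "US"}), True, 10),
    RoutingRule("global-onprem", ON_PREM_VLLM, frozenset({"AF", "EU"}), False, 20),
    RoutingRule("eu-only", "cloud-eu", frozenset({"EU"}), False, 5),
    RoutingRule("acme-pin-onprem", ON_PREM_VLLM, frozenset({"EU"}), False, 1, tenant_id="acme"),
]
```

The opt-in is a separate input rather than a rule attribute because it belongs to the tenant (the signed DPA in config-service), not to the route; a rule set change should never be able to silently turn cross-border processing on for an AF tenant.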
8. GDPR / local privacy participation
| Right | Behaviour |
|---|---|
| Access | Provenance and draft history exportable per patient (when PHI persisted). |
| Erasure | Decisions tied to a deleted patient are redacted: draft_text_enc zeroised, metadata retained under legal hold 7y. |
| Objection | Patient-level opt-out disables AI features touching their chart. |
9. Threat model highlights
| Threat | Mitigation |
|---|---|
| Prompt injection | Input moderation, system prompt hardening, guardrails hash check |
| Model output exfiltration of PHI | Output moderation, PHI sniffer, redaction |
| Provider key leakage | Keys server-side only, KMS, short-lived adapter credentials |
| Replay / double-charge | Idempotency key + provenance uniqueness |
| Cross-tenant leak | RLS, JWT binding, no shared caches without tenant key |
| Abuse / scraping | Quotas, circuit breakers, Kong rate-limit |
10. OWASP ASVS checkpoints
Aligned with ASVS v5 L2 for authentication, session handling, input validation, crypto, logging, and data protection. PHI-safe logging is gated by FR-NFR-018.