AegisAI is the deterministic control plane between AI agents (Copilot, Joule, Claude, ChatGPT, Gemini, LangChain) and the enterprise systems they touch (SAP, Snowflake, BigQuery, RDS, Synapse, Salesforce, MongoDB — 24 more). Per-user identity propagates end-to-end. The backend's own IAM decides. Every decision HMAC-audited.
AegisAI ships with four production-grade connectors today. Twenty-seven more are in the catalog — enabled per pilot. Every backend uses its own IAM as the sole arbiter (ADR 0002), so the audit trail is defensible across the entire stack.
Connector auth mechanisms in the catalog: Trusted RFC + SNC · STS AssumeRole · AAD OBO flow · WIF principal · External SSO · Unity Catalog · IAM DB auth · SCRAM + RLS · OEM proxy auth · AAD integrated · OAuth 2.0 UA · OAuth + SAML · OAuth + ACLs · Token + RBAC · OAuth per-user · OAuth 2.0 · Atlas users · OIDC realm · SASL OAuth · LDAP plugin · LDAP + RBAC · IAM per-table
The same 9-stage pipeline serves all six scenarios below. Pick the one closest to your stack; the others come along for free.
SAP API Policy 4.2026a §2.2.2 requires AI to use sanctioned architectures. AegisAI is the architecture leg of the carve-out: Trusted RFC plus a per-user AUTHORITY-CHECK evaluated by SAP itself.
Backends: SAP S/4HANA, ECC 6.0
External SSO + Unity Catalog grants applied per end-user. Auditor sees the actual analyst's query, not a service account. Row-level security is enforced by the warehouse, not bypassed.
Backends: Snowflake, Databricks, BigQuery
OAuth per-user means the AI assistant sees only what the calling user can see. Field-level permissions stay enforced. No "AI sees everything" data leak risk.
Backends: Salesforce, Workday, ServiceNow, NetSuite
OIDC realm or LDAP-bound auth. Per-collection / per-index permissions. AI agents can search what users can search — nothing else.
Backends: MongoDB, Elasticsearch, DynamoDB
AegisAI federates across systems in a single intent. "Top customers by revenue in PX1 SAP and Snowflake" runs in parallel under the user's identity in each system. Partial-failure resilient.
Backends: Any combination · concurrent execution
Built-in governance queries answer the security questions an analyst would otherwise ask in SAP transaction SUIM. Federated across multiple SAP systems with one prompt. The result is HMAC-audited.
Backends: SAP user_authorizations, role_assignments, profile_assignments
Whether you're an SAP shop, a Snowflake shop, a Salesforce shop, or all three, the failure modes of the alternatives are identical.
Most "AI gateways" log in as one user with broad authority. SOX, GDPR, EU AI Act, and SAP API Policy 4.2026a all require per-end-user attribution. A service account gives the regulator nothing.
Kong, Apigee, MuleSoft rate-limit and authenticate — that's all. They cannot evaluate SAP AUTHORITY-CHECK, Snowflake row-level security, Salesforce field permissions, or any backend's native IAM.
LLM-judged policy decisions are unrepeatable. The same input gives a different verdict tomorrow. Regulators reject it. AegisAI's policy path is 100% deterministic AST evaluation — no model in the decision.
Same identity, same intent, same context, same data — same response every time. Bounded per-stage latency.
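To make the "no model in the decision" claim concrete, here is an added illustration of a deterministic, deny-by-default policy evaluator over a small rule AST. It is example code written for this page, not AegisAI's policy engine; the tuple-based rule language, the rule contents, and the request attributes are all assumptions. The points it demonstrates are the ones the text makes: ordered rules with first match winning, no match meaning deny, a malformed rule failing closed rather than open, and a fingerprint of the policy so an audit row can pin which policy version produced a verdict.

```python
import hashlib
import json
from typing import Any, Dict, List, Tuple

# Constructed policy language for illustration (not AegisAI's): a policy is an ordered
# list of (rule_id, effect, condition); the first rule whose condition matches decides;
# if nothing matches the verdict is "deny". Conditions are nested tuples:
#   ("eq", attr, value)  ("in", attr, [values])  ("and", c1, c2, ...)  ("or", ...)  ("not", c)
Condition = Tuple[Any, ...]
Rule = Tuple[str, str, Condition]

POLICY: List[Rule] = [
    # writes never pass this path, whatever the user's role
    ("R1", "deny", ("eq", "intent_kind", "write")),
    # analysts and finance may read Snowflake
    ("R2", "allow", ("and",
                     ("eq", "backend", "snowflake"),
                     ("in", "role", ["analyst", "finance"]),
                     ("eq", "intent_kind", "read"))),
    # only SAP auditors may run governance queries against SAP authorization data
    ("R3", "allow", ("and",
                     ("eq", "backend", "sap"),
                     ("eq", "role", "sap_auditor"),
                     ("in", "object", ["user_authorizations", "role_assignments"]))),
]


def eval_condition(cond: Condition, ctx: Dict[str, Any]) -> bool:
    """Pure evaluation over the request context: no I/O, no clock, no model call."""
    op = cond[0]
    if op == "eq":
        return ctx.get(cond[1]) == cond[2]
    if op == "in":
        return ctx.get(cond[1]) in cond[2]
    if op == "and":
        return all(eval_condition(c, ctx) for c in cond[1:])
    if op == "or":
        return any(eval_condition(c, ctx) for c in cond[1:])
    if op == "not":
        return not eval_condition(cond[1], ctx)
    raise ValueError(f"unknown operator {op!r}")


def decide(policy: List[Rule], ctx: Dict[str, Any]) -> Tuple[str, str]:
    """Return (effect, rule_id). A malformed rule fails closed; no match is a deny."""
    for rule_id, effect, cond in policy:
        try:
            matched = eval_condition(cond, ctx)
        except ValueError:
            return "deny", f"{rule_id}:malformed"
        if matched:
            return effect, rule_id
    return "deny", "default"


def policy_fingerprint(policy: List[Rule]) -> str:
    """SHA-256 over the canonical policy. Stored beside each verdict, it lets an auditor
    re-run decide() later against exactly the policy version that produced the row."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()


def demo() -> Dict[str, Any]:
    # Constructed request contexts
    analyst_read = {"user": "alice", "role": "analyst", "backend": "snowflake",
                    "intent_kind": "read", "object": "revenue"}
    analyst_write = dict(analyst_read, intent_kind="write")
    auditor_sap = {"user": "bob", "role": "sap_auditor", "backend": "sap",
                   "intent_kind": "read", "object": "role_assignments"}
    analyst_sap = dict(auditor_sap, role="analyst")
    # a rule using an operator the evaluator does not know must not turn into an allow
    broken_policy = POLICY + [("R9", "allow", ("regex", "object", ".*"))]
    return {
        "analyst_read": decide(POLICY, analyst_read),
        "analyst_write": decide(POLICY, analyst_write),
        "auditor_sap": decide(POLICY, auditor_sap),
        "analyst_sap": decide(POLICY, analyst_sap),
        "repeatable": decide(POLICY, analyst_read) == decide(POLICY, analyst_read),
        "malformed_rule": decide(broken_policy, analyst_sap),
        "fingerprint": policy_fingerprint(POLICY),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The evaluator has no source of nondeterminism: no randomness, no wall clock, no network, so the verdict is a pure function of (policy, context), which is the property a regulator can re-check. Two things worth carrying over into any real implementation: the unknown-operator case must deny rather than skip the rule, and the policy fingerprint belongs in the audit row, because "same verdict every time" is only checkable if you know which policy was loaded.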
The nine stages:
1. Rate limit: per-user / per-tenant Redis fixed-window
2. Request caps: body / URL / wall-time caps at ASGI
3. Authentication: JWT HS/RS/ES/PS + JWKS rotation
4. Identity exchange: Trusted RFC · STS · OBO · WIF · SCRAM
5. Behavioral analysis: frequency · scope expansion · coordination
6. Policy: deterministic deny-by-default AST
7. Query building: SafeQuery with :named placeholders
8. Connectors: SAP / Snowflake / BigQuery / Salesforce · per-user
9. Response and audit: schema firewall · HMAC chain
One JWT becomes a Trusted RFC ticket at SAP, an STS-assumed role at AWS, an OBO token at Azure, a WIF principal at GCP, an external-SSO session at Snowflake. One identity, every backend.
Every decision is a Postgres row in an HMAC hash chain. SELECT FOR UPDATE row lock. Independently re-walkable from any machine with the key.
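The following is an added example of how such a chain is built and re-walked. It is illustration code written for this page, not AegisAI's implementation: the row layout, the canonicalization, and the use of an in-memory list in place of Postgres rows are assumptions. It shows the property that matters (edit, reorder, or verify with the wrong key and the walk fails at the first bad row) and one limitation a practitioner should know about (a chain that is simply cut short still verifies clean).

```python
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_mac of the first row


def canonical(record: Dict[str, Any]) -> bytes:
    """Stable byte form of a decision. The MAC covers this, so key order must not matter."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_decision(chain: List[Dict[str, Any]], key: bytes, record: Dict[str, Any]) -> Dict[str, Any]:
    """Append one decision row. The MAC binds the row to its predecessor's MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, prev_mac.encode() + b"\n" + canonical(record), hashlib.sha256).hexdigest()
    row = {"seq": len(chain), "prev_mac": prev_mac, "record": record, "mac": mac}
    chain.append(row)
    return row


def verify_chain(chain: List[Dict[str, Any]], key: bytes) -> Tuple[bool, Optional[int]]:
    """Re-walk from genesis. Returns (ok, seq of the first row that fails)."""
    expected_prev = GENESIS
    for i, row in enumerate(chain):
        if row["seq"] != i or row["prev_mac"] != expected_prev:
            return False, i
        mac = hmac.new(key, row["prev_mac"].encode() + b"\n" + canonical(row["record"]),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, row["mac"]):
            return False, i
        expected_prev = row["mac"]
    return True, None


def build_sample_chain(key: bytes) -> List[Dict[str, Any]]:
    """Constructed sample: three policy decisions appended in order."""
    chain: List[Dict[str, Any]] = []
    for rec in [
        {"user": "alice@example.com", "backend": "snowflake", "intent": "read revenue", "verdict": "allow"},
        {"user": "bob@example.com", "backend": "sap", "intent": "RFC BAPI_USER_GET_DETAIL", "verdict": "deny"},
        {"user": "alice@example.com", "backend": "salesforce", "intent": "SOQL Account", "verdict": "allow"},
    ]:
        append_decision(chain, key, rec)
    return chain


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    key = b"audit-hmac-key-for-demo-only"  # assumption: a real deployment pulls this from a KMS/HSM
    chain = build_sample_chain(key)
    results = {"intact": verify_chain(chain, key)}

    tampered = copy.deepcopy(chain)          # flip a deny to an allow after the fact
    tampered[1]["record"]["verdict"] = "allow"
    results["tampered"] = verify_chain(tampered, key)

    reordered = [chain[0], chain[2], chain[1]]  # swap two rows
    results["reordered"] = verify_chain(reordered, key)

    results["wrong_key"] = verify_chain(chain, b"some-other-key")

    # Caveat: dropping rows from the tail leaves a chain that still verifies.
    results["truncated"] = verify_chain(chain[:-1], key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

Two consequences for the Postgres version the text describes. The SELECT FOR UPDATE lock on the head row is what keeps two concurrent writers from both claiming the same prev_mac and forking the chain; without it, seq and prev_mac would collide under load. And because truncation verifies clean, the current head (seq, mac) should be pinned somewhere outside the table, for example exported with the OTLP telemetry or countersigned on a schedule, so an independent re-walk can tell that rows at the end are missing.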
One query across multiple backends in parallel. "Customers in production SAP + Snowflake DWH + Salesforce" executes under the user's identity in each. Partial-failure resilient.
Frequency, scope expansion, coverage growth, cross-user coordination. Patterns that look like exfiltration trigger per-user rate limits before the backend sees the request.
Every schema field carries a classification, a PII kind, and a mask strategy: salaries are returned only as aggregates, emails are partially masked, tenant IDs are dropped. The firewall applies to any backend's schema.
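An added worked example of the three strategies the text names, applied to constructed result rows. This is illustration code written for this page, not AegisAI's schema firewall; the schema vocabulary, the field names, the sample rows, and the minimum group size for aggregates are all assumptions. It also shows two checks a practitioner would want that the paragraph does not spell out: columns the schema does not know are withheld rather than passed through, and an aggregate over too few rows is suppressed, since the mean of one salary is that salary.

```python
import statistics
from typing import Any, Dict, List, Tuple

# Constructed schema fragment; the strategy vocabulary ("pass", "partial", "aggregate",
# "drop") and the field names are assumptions for this example.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "employee_id": {"classification": "internal",     "pii": None,           "mask": "pass"},
    "email":       {"classification": "confidential", "pii": "email",        "mask": "partial"},
    "salary":      {"classification": "restricted",   "pii": "compensation", "mask": "aggregate"},
    "tenant_id":   {"classification": "internal",     "pii": None,           "mask": "drop"},
}
MIN_GROUP = 5  # assumption: aggregates over fewer rows are suppressed


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the full domain."""
    local, _, domain = value.partition("@")
    if not domain:
        return "***"
    return local[:1] + "***@" + domain


def firewall(rows: List[Dict[str, Any]],
             schema: Dict[str, Dict[str, Any]] = SCHEMA) -> Tuple[List[Dict[str, Any]], Dict[str, Any]]:
    """Apply per-field strategies to backend rows before they reach the agent.
    Returns (masked rows, aggregates). Columns absent from the schema are dropped:
    unknown means deny."""
    agg_cols = [c for c, s in schema.items() if s["mask"] == "aggregate"]
    masked: List[Dict[str, Any]] = []
    for row in rows:
        out: Dict[str, Any] = {}
        for col, val in row.items():
            spec = schema.get(col)
            if spec is None or spec["mask"] in ("drop", "aggregate"):
                continue
            if spec["mask"] == "pass":
                out[col] = val
            elif spec["mask"] == "partial" and spec["pii"] == "email":
                out[col] = mask_email(str(val))
            # any other strategy / PII combination is unhandled and therefore withheld
        masked.append(out)

    aggregates: Dict[str, Any] = {}
    for col in agg_cols:
        vals = [r[col] for r in rows if col in r]
        if len(vals) >= MIN_GROUP:
            aggregates[col] = {"count": len(vals), "mean": statistics.fmean(vals), "max": max(vals)}
        else:
            aggregates[col] = {"count": len(vals), "suppressed": True}
    return masked, aggregates


# Constructed sample rows as a backend might return them. "home_address" is deliberately
# missing from SCHEMA to show the deny-by-default handling of unknown columns.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"employee_id": 1, "email": "alice@example.com", "salary": 100000, "tenant_id": "t-42", "home_address": "1 Main St"},
    {"employee_id": 2, "email": "bob@example.com",   "salary": 120000, "tenant_id": "t-42", "home_address": "2 Main St"},
    {"employee_id": 3, "email": "carol@example.com", "salary": 130000, "tenant_id": "t-42", "home_address": "3 Main St"},
    {"employee_id": 4, "email": "dave@example.com",  "salary": 140000, "tenant_id": "t-42", "home_address": "4 Main St"},
    {"employee_id": 5, "email": "erin@example.com",  "salary": 160000, "tenant_id": "t-42", "home_address": "5 Main St"},
]


if __name__ == "__main__":
    rows, aggs = firewall(SAMPLE_ROWS)
    for r in rows:
        print(r)
    print(aggs)
    print(firewall(SAMPLE_ROWS[:2])[1])  # too few rows: salary aggregate suppressed
```

The group-size floor is the piece most often forgotten: an "aggregate only" field is still exfiltrable one row at a time if the agent can narrow the query until the group has a single member, so the floor has to be enforced on the result, not assumed from the query.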
OTLP HTTP exporter ships in the box. MCP server endpoint for Claude Desktop, ChatGPT, LangChain. Drop in any observability or any AI client.
Architecture-leg compatible · sanctioned
Per-end-user audit attribution
Helm chart · BYOC managed
No LLMs in policy path · ADR 0001
30-minute architecture call. We open the operator console and run real queries through your stack — SAP, Snowflake, BigQuery, Salesforce, whatever you have. You see the audit chain tick up in real time.