Nine deterministic stages. Each backend's own IAM as the sole authorisation arbiter (ADR 0002). No LLMs in the decision path (ADR 0001). Same architecture for SAP, Snowflake, Databricks, BigQuery, Salesforce, Workday, MongoDB — one pipeline, 31 backends.
Same identity, same intent, same context, same data — same response every time. Each stage is independently observable and bounded.
Per-user / per-tenant Redis fixed-window
Body / URL / wall-time caps at ASGI
JWT HS/RS/ES/PS + JWKS rotation
Trusted RFC · SAML Bearer · OBO · WIF
Frequency · scope expansion · coordination
Deterministic deny-by-default AST
SafeQuery with :named placeholders
Under propagated identity
Schema firewall · HMAC chain append
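The "HMAC chain append" in the last stage, shown as an added example that is not AegisAI's own code: each audit record's MAC covers the previous record's MAC, so editing or removing an earlier record breaks verification from that point on. The record layout, field names, genesis value and key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the first record's "prev"

def _mac(key: bytes, prev: str, event: dict) -> str:
    # Canonical JSON so the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"|" + body, hashlib.sha256).hexdigest()

def append(chain: list, key: bytes, event: dict) -> dict:
    """Append an event, binding it to the MAC of the previous record."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"prev": prev, "event": event, "mac": _mac(key, prev, event)}
    chain.append(record)
    return record

def verify(chain: list, key: bytes) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _mac(key, prev, rec["event"])
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
            return i
        prev = rec["mac"]
    return -1

def demo() -> dict:
    key = b"constructed-demo-key"  # placeholder; a real key comes from a secret store
    chain = []
    for n, verdict in enumerate(["allow", "deny", "allow", "deny"]):  # constructed events
        append(chain, key, {"seq": n, "sub": f"user{n}", "verdict": verdict})
    intact = verify(chain, key)
    edited = json.loads(json.dumps(chain))   # deep copy of the chain
    edited[1]["event"]["verdict"] = "allow"  # flip a deny after the fact
    deleted = chain[:2] + chain[3:]          # drop record 2 from the middle
    truncated = chain[:-1]                   # drop the newest record
    return {"intact": intact, "edited": verify(edited, key),
            "deleted": verify(deleted, key), "truncated": verify(truncated, key)}

if __name__ == "__main__":
    print(demo())
```

The truncated case verifies cleanly: a chain on its own cannot show that the newest records were dropped, so the latest MAC or record count has to be checked against a copy held outside the store.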
These are not aspirations. They are written down, ADR-tracked, and enforced by tests.
No LLMs in gateway/, policy_engine/, query_planner/, response_firewall/, or the audit chain. Every deny decision is reproducible from inputs. ADR 0001.
AegisAI propagates identity and relays the verdict. SAP AUTHORITY-CHECK, Snowflake Unity Catalog, Salesforce sharing rules, Databricks notebook ACLs — each backend decides for itself. AegisAI never substitutes. ADR 0002.
Redis down → trust system denies. Postgres (audit) down → 503. JWKS down → 401. Default secrets in PRODUCTION → refuse to start.
SAP documented BAPIs. Snowflake / Databricks REST. Salesforce / Workday OAuth. MongoDB Atlas. No reserved-namespace endpoints, no scraping, no undocumented surfaces. SAP 4.2026a §2.2.2 compliance is structural — same posture applies to every backend.
AegisAI sees every query and response so it can mask. That access pattern is unacceptable as SaaS, so we don't offer it.
Vendor-hosted sandbox with fixture data. For 2-4 week proofs of concept and architecture demos. Sandbox data only.
Customer runs AegisAI in their own k8s. Non-root, read-only-rootfs container. Audit CronJob bundled. No outbound dependency on AegisAI infrastructure.
AegisAI deployed and operated in the customer's cloud account. They own the data plane, we operate the control plane. Premium tier.
The end-user's token at the gateway becomes the right principal at every backend — without service-account substitution.
The user's JWT subject becomes an SNC-protected RFC connection authenticated as the end user. SAP's AUTHORITY-CHECK evaluates against that user's profile at execute time. No SAP_ALL service account.
STS AssumeRoleWithSAML or AssumeRoleWithWebIdentity establishes an assumed role bearing the end user's federated identity. RDS Data API sees the right principal ARN for row-level security.
AAD OBO produces a delegated token whose oid claim is the end user. Synapse RBAC sees the user, not the service principal.
WIF produces a short-lived token bound to the user's external identity. BigQuery dataset ACL and project IAM evaluate against that principal.
30-minute architecture call. We walk through your data sources, your auth model, and what a 4.2026a-compatible AI integration looks like for your stack.