Per-user identity propagation to 31 backends. Tamper-evident HMAC audit chain. Fail-closed by default. Each backend's own IAM as the sole arbiter. SOX, GDPR, EU AI Act, and SAP API Policy 4.2026a §2.2.2 alignment provided by one architecture — certification stays the customer's program.
Architecture-leg compatible. Documented BAPIs only. Per-user identity propagation.
Per-end-user audit attribution. Tamper-evident chain. Re-walkable from any machine with the HMAC key. (Customer's SOX program; AegisAI provides the audit substrate.)
Per-field PII classification. Mask strategies driven by user clearance. Self-hosted by default; data plane stays with customer. (Customer's DPA + data residency posture; AegisAI provides the controls.)
Deterministic policy decisions. No LLM in the decision path. Reproducible from logged inputs. ADR 0001. (Article 14 alignment is the customer's system classification; AegisAI provides the deterministic substrate.)
Every decision is a Postgres row in an HMAC hash chain. SHA-256 row hash + HMAC signature. SELECT FOR UPDATE row lock prevents race conditions. Independently re-walkable: python -m audit_service.verify_chain.
The end-user's JWT subject becomes the principal at every backend: Trusted RFC at SAP, STS at AWS, OBO at Azure, WIF at GCP, External SSO at Snowflake, Unity Catalog at Databricks, OAuth at Salesforce. ADR 0002.
Redis down → trust denies. Postgres down → 503. JWKS unreachable → 401. PRODUCTION mode refuses to start with default secrets. Verified by automated tests.
No LLMs in the policy path. Safe AST whitelist. Deny-by-default, deny-wins-on-tie. Same inputs → same verdict, every time, every replay. ADR 0001.
SafeQuery uses :named placeholders only. User input never enters the SQL string. SQL injection is a category error, not a defended threat.
Every field carries a classification, PII kind, and mask strategy. Salary aggregates. Email partial-masks. Tenant ID drops. Schema-driven, deterministic.
The full threat model with mitigation per row lives in the whitepaper. Headline categories below.
Short TTL JWTs (5min–24h). Issuer + audience binding. Optional JTI denylist. Rotate JWT_SECRET to invalidate every token in flight.
Adaptive trust signals catch the "asking for things you've never asked for before" pattern. Rate limit bands tighten. Policy engine denies novel scope under block_scope_expansion restriction.
Cross-user coordination signals catch swarm patterns — many agents each asking for small slices to assemble a full extract. Trust score collapses across the coordinated set.
HMAC-SHA256 over canonical JSON; rows are immutable from the DB role's perspective. SELECT FOR UPDATE row lock prevents concurrent appends from skipping links. Chain break triggers the kill switch automatically.
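A minimal sketch of the audit chain described above (SHA-256 row hash, HMAC-SHA256 signature, canonical JSON, re-walkable with the key), added here as an illustration and not AegisAI's code. The row fields (seq, prev_hash, decision), the all-zero genesis value and signing the row hash rather than the body are assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row

def canonical(obj):
    # Canonical JSON: sorted keys, no insignificant whitespace
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def seal(body, key):
    # Row hash = SHA-256 of the canonical body; signature = HMAC-SHA256 of that hash
    row_hash = hashlib.sha256(canonical(body)).hexdigest()
    sig = hmac.new(key, row_hash.encode(), hashlib.sha256).hexdigest()
    return row_hash, sig

def append_row(chain, key, decision):
    # In Postgres, reading the chain head would happen under SELECT ... FOR UPDATE
    prev_hash = chain[-1]["row_hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev_hash": prev_hash, "decision": decision}
    row_hash, sig = seal(body, key)
    chain.append({**body, "row_hash": row_hash, "sig": sig})

def verify_chain(chain, key):
    """Re-walk the chain; return the index of the first bad row, or None if intact."""
    prev_hash = GENESIS
    for i, row in enumerate(chain):
        body = {k: row[k] for k in ("seq", "prev_hash", "decision")}
        row_hash, sig = seal(body, key)
        ok = (row["seq"] == i
              and row["prev_hash"] == prev_hash
              and hmac.compare_digest(row["row_hash"], row_hash)
              and hmac.compare_digest(row["sig"], sig))
        if not ok:
            return i  # fail closed: the caller treats this as a chain break
        prev_hash = row["row_hash"]
    return None

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample key, not a real secret
    chain = []
    for d in ({"sub": "alice", "verdict": "allow"},   # constructed sample decisions
              {"sub": "bob", "verdict": "deny"},
              {"sub": "carol", "verdict": "allow"}):
        append_row(chain, key, d)
    print("intact:", verify_chain(chain, key))
    chain[1]["decision"]["verdict"] = "allow"  # simulate an edit made directly in the table
    print("first bad row after tamper:", verify_chain(chain, key))
```

Walking the chain detects edits, reordering and mid-chain deletion, but not removal of rows from the tail. Catching that requires the verifier to hold an expected length or head hash from outside the table.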
Email hello@aegisai.digital with subject AegisAI security disclosure, a description of the issue, reproduction steps, and your timeline expectations. We aim to publish a fix within 30 days for high-severity issues.
30-minute architecture call. We walk through your data sources, your auth model, and what a 4.2026a-compatible AI integration looks like for your stack.