Frameworks for Enterprise AI

Long-form decision guides for security teams, platform engineers and architects evaluating how to deploy LLMs, MCP servers and AI agents in regulated environments.

Each guide is a decision framework, not a feature pitch.

A flat-lay of the four travel documents an enterprise AI agent carries: a Republic of Ferentin passport, a boarding pass, a Schengen-style visa and a luggage tag.

Agent identity22 min read

Itinerary-Based Access

Why securing agents needs to move beyond the Passport. International travel takes four documents, not one. So does enterprise AI. Inside the passport, the visa, the boarding pass and the luggage tag. And the gates that read them.

Seven control families for agentic AI with authority anchored in customer-held systems

Agentic AI governance25 min read

The CISO Reference for Agentic AI

Seven control families (identity, surface, action, network, execution, observability and containment) expanded into implementation criteria, common traps and the seams where real deployments fail. Authority anchored in customer-held systems.

MCP architectures compared: Direct (agent connecting to many MCP servers, each with its own auth) vs Gateway-Brokered (agent through a single trust layer for identity, audit, policy, elicitation and origin isolation).

MCP architecture18 min read

MCP Server Access: Direct vs Gateway-Brokered

A decision framework for connecting AI agents to MCP servers. Three architectures, three deltas (identity, elicitation, origin isolation) and a flowchart that gets most teams to the right answer.

Two deployment topologies compared: Cloud Gateway (data crosses customer perimeter to operator cloud) vs Customer-Private Edge (data path stays inside the customer VPC; only telemetry leaves to the control plane).

Data sovereignty22 min read

Edge LLM Routing vs Cloud Gateway

Same trust layer, two deployment topologies. Cloud-managed vs customer-private edge: data path, egress shape, failure mode and the regulatory regimes that force the choice.