Runtime Security Controls for Enterprise AI

SAIG by Terraxon applies security controls at runtime — on every AI request, before it reaches an LLM provider. This is not a post-hoc scanner or a monitoring overlay. It is an inline governance layer.

Sensitive-data handling

SAIG detects PII using hybrid NER and regex methods across 6 EU languages (EN, DE, FR, IT, CS, SK). Detected sensitive data is anonymized with reversible placeholders before provider egress. Outbound verification confirms anonymization before the request leaves your infrastructure.

Policy enforcement

A deterministic 6-rule decision matrix evaluates every request. Same input with same policy produces the same decision. Actions: ALLOW, ANONYMIZE, DENY, SYNTHETIC_ONLY. Intent classification covers 24+ business categories.

Provider routing and sovereignty

5 sovereignty modes control where AI requests can go: Standard, EU-Only, Swiss-Only, Air-Gapped, and Custom. Provider residency enforcement blocks non-compliant egress. Circuit breaker handles provider failures.

Tenant isolation and RBAC

Multi-tenant architecture with per-tenant policies, sovereignty modes, rate limits, and audit trails. OIDC/PKCE authentication via Keycloak. Role-based access control across 8 defined roles.

Signed audit evidence

Every governance decision is recorded in a SHA-256 hash chain with Ed25519 cryptographic signatures. Tamper-evident, exportable, structured for regulator reviews and SIEM integration.

Learn more about audit evidence →

Fail-closed posture

Unknown operations, unrecognized providers, and unclassifiable residency are denied by default. An emergency kill switch can instantly block all AI traffic. There is no permissive fallback.

Related resources

• Detailed security documentation
• Data sovereignty and provider routing
• Governance pipeline
• Start a proof of value