Skip to content

RFC-010: Autonomous Intelligence Governance Protocol (AIGP) — 5A. Enforceable Surface Area

AIGP SpecificationRFC-010: Autonomous Intelligence Governance Protocol (AIGP) › 5A. Enforceable Surface Area

← 5. Governance Modes · Section index · 6. Consent Tiers →

5A. Enforceable Surface Area

AIGP ENFORCE mode maps governance policies to cloud provider native controls. The governance authority manages these controls via provider-specific adapters. The protocol itself is cloud-agnostic the enforcement adapter translates AIGP policies into provider API calls.

5A.1 Enforcement Architecture

The AIGP protocol is deployment-agnostic. The governance authority (governance-server) and governed applications can run anywhere on-premise, AWS, Azure, GCP, or hybrid. The protocol messages (REGISTER, REQUEST, RECORD) are identical regardless of where the participants are hosted.

Policies are where provider specificity enters. A policy is either:

  • Generic enforced at the protocol layer by the governance authority (e.g., rate limits, cost ceilings, model allowlists). No provider field.
  • Provider-specific delegated to a cloud enforcement adapter that translates the policy into native API calls (e.g., Bedrock Guardrails, Azure Content Safety). Carries a provider field.
flowchart TB
subgraph Protocol["AIGP Protocol Layer (agnostic — runs anywhere)"]
REG[REGISTER]
REQ[REQUEST]
REC[RECORD]
STAT[STATUS]
GP["Generic policies evaluated here:<br/>MODEL_ALLOWLIST, RATE_LIMIT, COST_CEILING"]
end
Protocol -->|provider-specific policies| Adapters
subgraph Adapters[Enforcement Adapters]
AWS[AWS Adapter]
AZ[Azure Adapter]
GCP[GCP Adapter]
end
AWS --> Bedrock[Bedrock APIs]
AZ --> AzAI[AI Services]
GCP --> Vertex[Vertex AI APIs]

An application running on-premise calling Azure OpenAI can be governed by the same governance-server instance that governs an AWS Bedrock application. The protocol doesn’t change only the enforcement adapter does.

5A.2 Enforcement Categories

Each category maps to one or more provider-native controls. The governance authority configures these through the provider’s APIs when policies are assigned to an application.

Category AIGP Policy Description
Model Access MODEL_ALLOWLIST Which models an application can invoke
Guardrails GUARDRAIL_REQUIRED Content filtering, PII detection, topic blocking
Rate Limits RATE_LIMIT Invocations per hour, tokens per day
Cost Controls COST_CEILING Daily/monthly spend caps
Prompt Governance PROMPT_GOVERNANCE Managed prompts, version pinning
Content Policy CONTENT_POLICY Input/output content restrictions
Data Retention DATA_RETENTION Logging, invocation history retention
Autonomy Limits AUTONOMY_LIMIT Agent action boundaries, human-in-the-loop

5A.3 AWS Bedrock Enforcement Map

AIGP Category Bedrock Service Enforceable Controls
Model Access Model Access Enable/disable model access per account; restrict to specific model IDs
Model Access Inference Profiles Route to specific model versions; cross-region inference control
Guardrails Guardrails Content filters, denied topics, word filters, sensitive info filters, contextual grounding, automated reasoning
Rate Limits Quotas Tokens-per-minute, invocations-per-minute per model
Cost Controls Provisioned Throughput Fixed capacity allocation; no on-demand overspend
Prompt Governance Prompt Management Managed prompt versions, prompt ARN pinning
Content Policy Guardrails Input/output content policies, PII redaction
Content Policy Watermark Detection AI-generated content identification
Data Retention Settings Invocation logging to S3/CloudWatch
Autonomy Limits Agents Action group restrictions, return-of-control configuration
Autonomy Limits AgentCore Runtime lifecycle, environment variable governance
Knowledge Scope Knowledge Bases Data source restrictions, retrieval scope
Evaluation Evaluations Model quality benchmarks, automated evaluation jobs
Orchestration Flows Workflow step restrictions, flow versioning

5A.4 Azure AI Enforcement Map

AIGP Category Azure Service Enforceable Controls
Model Access Azure OpenAI Service Model deployment management; restrict deployments per resource group
Model Access Azure AI Foundry Model catalog access; deployment approvals
Guardrails Content Safety Content filtering (severity levels), blocklists, prompt shields, groundedness detection
Rate Limits Azure OpenAI Quotas Tokens-per-minute per deployment; rate limiting per subscription
Cost Controls Azure Cost Management Budget alerts, spending caps per resource group
Prompt Governance Prompt Flow Managed prompt versions, flow-based prompt orchestration
Content Policy Content Safety Custom categories, jailbreak detection, protected material detection
Data Retention Diagnostic Settings Log Analytics, Azure Monitor, storage account logging
Autonomy Limits AI Agents Tool restrictions, function calling policies
Knowledge Scope Azure AI Search Index-level access control, data source restrictions
Evaluation Azure AI Evaluation Built-in metrics, custom evaluators

5A.5 GCP Vertex AI Enforcement Map

AIGP Category GCP Service Enforceable Controls
Model Access Model Garden Model access per project; IAM-based model restrictions
Model Access Endpoints Endpoint deployment control; traffic splitting
Guardrails Responsible AI Safety filters (harm categories), citation verification
Rate Limits Quotas Requests-per-minute per project; tokens-per-minute per model
Cost Controls Budgets & Alerts Project-level budget caps, billing alerts
Prompt Governance Prompt Management Prompt templates, version control
Content Policy Safety Settings Harm category thresholds (BLOCK_NONE to BLOCK_ALL)
Data Retention Cloud Logging Prediction logging, audit logs to BigQuery
Autonomy Limits Extensions / Agents Tool declarations, function calling restrictions
Knowledge Scope Vertex AI Search Data store access control, search scope
Evaluation Model Evaluation AutoML evaluation, custom evaluation pipelines

5A.6 Enforcement Policy Schema

Generic policy (no provider enforced at protocol layer):

{
"policy_id": "pol-rate-limit-001",
"rule_type": "RATE_LIMIT",
"enforcement": {
"layer": "protocol",
"config": {
"max_invocations_per_hour": 100,
"max_tokens_per_day": 500000
}
}
}

Provider-specific policy (has provider delegated to adapter):

{
"policy_id": "pol-bedrock-guardrails-001",
"rule_type": "GUARDRAIL_REQUIRED",
"provider": "aws",
"enforcement": {
"layer": "provider",
"service": "bedrock:guardrails",
"action": "APPLY",
"config": {
"guardrail_id": "gr-abc123",
"guardrail_version": "1",
"use_cases": ["*"],
"content_filters": {
"hate": "HIGH",
"violence": "HIGH",
"sexual": "HIGH",
"misconduct": "HIGH"
},
"sensitive_info_filters": ["SSN", "CREDIT_CARD", "EMAIL"],
"denied_topics": ["competitor_products", "legal_advice"]
}
}
}

The layer field determines where enforcement happens:

Layer Meaning Example
protocol Evaluated by governance-server at REQUEST time Rate limits, cost ceilings, model allowlists
provider Delegated to cloud adapter via native APIs Bedrock Guardrails, Azure Content Safety, Vertex Safety Settings

5A.7 Multi-Cloud Enforcement Example

A single AIGP policy can target multiple providers:

{
"policy_id": "pol-model-access-001",
"rule_type": "MODEL_ALLOWLIST",
"enforcement_targets": [
{
"provider": "aws",
"service": "bedrock:model-access",
"config": {
"allowed_models": ["us.anthropic.claude-opus-4-7"]
}
},
{
"provider": "azure",
"service": "openai:deployments",
"config": {
"allowed_deployments": ["gpt-4o-prod"]
}
},
{
"provider": "gcp",
"service": "vertex:endpoints",
"config": {
"allowed_models": ["gemini-2.5-pro"]
}
}
]
}

5A.8 Provider Adapter Interface

class EnforcementAdapter(ABC):
"""Cloud-agnostic enforcement adapter interface."""
@abstractmethod
async def apply_policy(self, policy: dict, app_registration: dict) -> dict:
"""Apply an AIGP policy to the provider's native controls."""
...
@abstractmethod
async def verify_policy(self, policy: dict, app_registration: dict) -> dict:
"""Verify that a policy is currently enforced at the provider level."""
...
@abstractmethod
async def revoke_policy(self, policy: dict, app_registration: dict) -> dict:
"""Remove a policy from the provider's native controls."""
...
@abstractmethod
async def list_enforceable_controls(self) -> list[dict]:
"""List all controls this adapter can enforce."""
...

← 5. Governance Modes · Section index · 6. Consent Tiers →