RFC-010: Autonomous Intelligence Governance Protocol (AIGP) — 5A. Enforceable Surface Area
AIGP Specification › RFC-010: Autonomous Intelligence Governance Protocol (AIGP) › 5A. Enforceable Surface Area
← 5. Governance Modes · Section index · 6. Consent Tiers →
5A. Enforceable Surface Area
AIGP ENFORCE mode maps governance policies to cloud provider native controls. The governance authority manages these controls via provider-specific adapters. The protocol itself is cloud-agnostic the enforcement adapter translates AIGP policies into provider API calls.
5A.1 Enforcement Architecture
The AIGP protocol is deployment-agnostic. The governance authority (governance-server) and governed applications can run anywhere on-premise, AWS, Azure, GCP, or hybrid. The protocol messages (REGISTER, REQUEST, RECORD) are identical regardless of where the participants are hosted.
Policies are where provider specificity enters. A policy is either:
- Generic enforced at the protocol layer by the governance authority
(e.g., rate limits, cost ceilings, model allowlists). No
providerfield. - Provider-specific delegated to a cloud enforcement adapter that
translates the policy into native API calls (e.g., Bedrock Guardrails,
Azure Content Safety). Carries a
providerfield.
flowchart TB subgraph Protocol["AIGP Protocol Layer (agnostic — runs anywhere)"] REG[REGISTER] REQ[REQUEST] REC[RECORD] STAT[STATUS] GP["Generic policies evaluated here:<br/>MODEL_ALLOWLIST, RATE_LIMIT, COST_CEILING"] end
Protocol -->|provider-specific policies| Adapters
subgraph Adapters[Enforcement Adapters] AWS[AWS Adapter] AZ[Azure Adapter] GCP[GCP Adapter] end
AWS --> Bedrock[Bedrock APIs] AZ --> AzAI[AI Services] GCP --> Vertex[Vertex AI APIs]An application running on-premise calling Azure OpenAI can be governed by the same governance-server instance that governs an AWS Bedrock application. The protocol doesn’t change only the enforcement adapter does.
5A.2 Enforcement Categories
Each category maps to one or more provider-native controls. The governance authority configures these through the provider’s APIs when policies are assigned to an application.
| Category | AIGP Policy | Description |
|---|---|---|
| Model Access | MODEL_ALLOWLIST |
Which models an application can invoke |
| Guardrails | GUARDRAIL_REQUIRED |
Content filtering, PII detection, topic blocking |
| Rate Limits | RATE_LIMIT |
Invocations per hour, tokens per day |
| Cost Controls | COST_CEILING |
Daily/monthly spend caps |
| Prompt Governance | PROMPT_GOVERNANCE |
Managed prompts, version pinning |
| Content Policy | CONTENT_POLICY |
Input/output content restrictions |
| Data Retention | DATA_RETENTION |
Logging, invocation history retention |
| Autonomy Limits | AUTONOMY_LIMIT |
Agent action boundaries, human-in-the-loop |
5A.3 AWS Bedrock Enforcement Map
| AIGP Category | Bedrock Service | Enforceable Controls |
|---|---|---|
| Model Access | Model Access | Enable/disable model access per account; restrict to specific model IDs |
| Model Access | Inference Profiles | Route to specific model versions; cross-region inference control |
| Guardrails | Guardrails | Content filters, denied topics, word filters, sensitive info filters, contextual grounding, automated reasoning |
| Rate Limits | Quotas | Tokens-per-minute, invocations-per-minute per model |
| Cost Controls | Provisioned Throughput | Fixed capacity allocation; no on-demand overspend |
| Prompt Governance | Prompt Management | Managed prompt versions, prompt ARN pinning |
| Content Policy | Guardrails | Input/output content policies, PII redaction |
| Content Policy | Watermark Detection | AI-generated content identification |
| Data Retention | Settings | Invocation logging to S3/CloudWatch |
| Autonomy Limits | Agents | Action group restrictions, return-of-control configuration |
| Autonomy Limits | AgentCore | Runtime lifecycle, environment variable governance |
| Knowledge Scope | Knowledge Bases | Data source restrictions, retrieval scope |
| Evaluation | Evaluations | Model quality benchmarks, automated evaluation jobs |
| Orchestration | Flows | Workflow step restrictions, flow versioning |
5A.4 Azure AI Enforcement Map
| AIGP Category | Azure Service | Enforceable Controls |
|---|---|---|
| Model Access | Azure OpenAI Service | Model deployment management; restrict deployments per resource group |
| Model Access | Azure AI Foundry | Model catalog access; deployment approvals |
| Guardrails | Content Safety | Content filtering (severity levels), blocklists, prompt shields, groundedness detection |
| Rate Limits | Azure OpenAI Quotas | Tokens-per-minute per deployment; rate limiting per subscription |
| Cost Controls | Azure Cost Management | Budget alerts, spending caps per resource group |
| Prompt Governance | Prompt Flow | Managed prompt versions, flow-based prompt orchestration |
| Content Policy | Content Safety | Custom categories, jailbreak detection, protected material detection |
| Data Retention | Diagnostic Settings | Log Analytics, Azure Monitor, storage account logging |
| Autonomy Limits | AI Agents | Tool restrictions, function calling policies |
| Knowledge Scope | Azure AI Search | Index-level access control, data source restrictions |
| Evaluation | Azure AI Evaluation | Built-in metrics, custom evaluators |
5A.5 GCP Vertex AI Enforcement Map
| AIGP Category | GCP Service | Enforceable Controls |
|---|---|---|
| Model Access | Model Garden | Model access per project; IAM-based model restrictions |
| Model Access | Endpoints | Endpoint deployment control; traffic splitting |
| Guardrails | Responsible AI | Safety filters (harm categories), citation verification |
| Rate Limits | Quotas | Requests-per-minute per project; tokens-per-minute per model |
| Cost Controls | Budgets & Alerts | Project-level budget caps, billing alerts |
| Prompt Governance | Prompt Management | Prompt templates, version control |
| Content Policy | Safety Settings | Harm category thresholds (BLOCK_NONE to BLOCK_ALL) |
| Data Retention | Cloud Logging | Prediction logging, audit logs to BigQuery |
| Autonomy Limits | Extensions / Agents | Tool declarations, function calling restrictions |
| Knowledge Scope | Vertex AI Search | Data store access control, search scope |
| Evaluation | Model Evaluation | AutoML evaluation, custom evaluation pipelines |
5A.6 Enforcement Policy Schema
Generic policy (no provider enforced at protocol layer):
{ "policy_id": "pol-rate-limit-001", "rule_type": "RATE_LIMIT", "enforcement": { "layer": "protocol", "config": { "max_invocations_per_hour": 100, "max_tokens_per_day": 500000 } }}Provider-specific policy (has provider delegated to adapter):
{ "policy_id": "pol-bedrock-guardrails-001", "rule_type": "GUARDRAIL_REQUIRED", "provider": "aws", "enforcement": { "layer": "provider", "service": "bedrock:guardrails", "action": "APPLY", "config": { "guardrail_id": "gr-abc123", "guardrail_version": "1", "use_cases": ["*"], "content_filters": { "hate": "HIGH", "violence": "HIGH", "sexual": "HIGH", "misconduct": "HIGH" }, "sensitive_info_filters": ["SSN", "CREDIT_CARD", "EMAIL"], "denied_topics": ["competitor_products", "legal_advice"] } }}The layer field determines where enforcement happens:
| Layer | Meaning | Example |
|---|---|---|
protocol |
Evaluated by governance-server at REQUEST time | Rate limits, cost ceilings, model allowlists |
provider |
Delegated to cloud adapter via native APIs | Bedrock Guardrails, Azure Content Safety, Vertex Safety Settings |
5A.7 Multi-Cloud Enforcement Example
A single AIGP policy can target multiple providers:
{ "policy_id": "pol-model-access-001", "rule_type": "MODEL_ALLOWLIST", "enforcement_targets": [ { "provider": "aws", "service": "bedrock:model-access", "config": { "allowed_models": ["us.anthropic.claude-opus-4-7"] } }, { "provider": "azure", "service": "openai:deployments", "config": { "allowed_deployments": ["gpt-4o-prod"] } }, { "provider": "gcp", "service": "vertex:endpoints", "config": { "allowed_models": ["gemini-2.5-pro"] } } ]}5A.8 Provider Adapter Interface
class EnforcementAdapter(ABC): """Cloud-agnostic enforcement adapter interface."""
@abstractmethod async def apply_policy(self, policy: dict, app_registration: dict) -> dict: """Apply an AIGP policy to the provider's native controls.""" ...
@abstractmethod async def verify_policy(self, policy: dict, app_registration: dict) -> dict: """Verify that a policy is currently enforced at the provider level.""" ...
@abstractmethod async def revoke_policy(self, policy: dict, app_registration: dict) -> dict: """Remove a policy from the provider's native controls.""" ...
@abstractmethod async def list_enforceable_controls(self) -> list[dict]: """List all controls this adapter can enforce.""" ...