Budgets, DLP & audit
Governance is what aigw adds on top of “an endpoint for every model.” Finance signs one contract and gets control and visibility; developers keep every model and full speed.
Budgets
Every virtual key carries a monthly cap in cents, enforced at the gateway before a request reaches a provider. Spend rolls up per key, per team, and across the whole tenant — so the scattered shadow-AI spend on personal cards becomes one audited line.
DLP — redaction that doesn’t break streaming
The DLP engine runs in the gateway, not as a sidecar. A pluggable scanner detects PII (email, credit card with Luhn, AWS/OpenAI/GitHub secrets, plus your own custom dictionary) and applies a per-tenant mode:
- off — no scanning.
- flag — record findings, forward unchanged.
- redact — replace matches before the request leaves your tenant.
- tokenize — reversible redaction: matches become placeholders the provider (and even our own audit log) never see; the original is rehydrated in the response so your user sees real text.
- block — refuse the request if PII is present.
Tokenize is streaming-safe: a cross-chunk rewriter holds back only the smallest tail that could still grow into a placeholder, so tokens stream through with the original text restored mid-stream.
Set the mode and custom terms per tenant under Settings → Data protection (DLP) in the console.
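An added example (not aigw's code) of the tokenize mode and the cross-chunk rewriter described above: emails are swapped for reversible placeholders on the way out, and a streaming rehydrator restores them on the way back while holding back only the shortest tail that could still grow into a placeholder. The `[[PII_<n>]]` placeholder format, the email-only scanner and the in-memory vault are assumptions for illustration.

```python
import re

# Assumed placeholder format; aigw's real format is not given on the page.
PLACEHOLDER = re.compile(r"\[\[PII_\d+\]\]")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def tokenize(text: str, vault: dict) -> str:
    """Request side: replace each email with a placeholder; vault maps placeholder -> original."""
    def swap(m: re.Match) -> str:
        key = f"[[PII_{len(vault) + 1}]]"
        vault[key] = m.group(0)
        return key
    return EMAIL.sub(swap, text)


def _could_grow(tail: str) -> bool:
    """True if `tail` is a proper prefix of some placeholder [[PII_<digits>]]."""
    head = "[[PII_"
    if len(tail) <= len(head):
        return head.startswith(tail)
    return tail.startswith(head) and re.fullmatch(r"\d+\]?", tail[len(head):]) is not None


class StreamRehydrator:
    """Response side: rehydrate placeholders across chunk boundaries without buffering the stream."""

    def __init__(self, vault: dict):
        self.vault = vault
        self.buf = ""  # only the held-back tail lives here between chunks

    def _hold_from(self, text: str) -> int:
        # Index of the longest suffix that is still a valid placeholder prefix;
        # everything before it is safe to emit now.
        for i in range(len(text)):
            if _could_grow(text[i:]):
                return i
        return len(text)

    def feed(self, chunk: str) -> str:
        self.buf += chunk
        # Complete placeholders (possibly just completed by this chunk) are restored;
        # unknown placeholders pass through unchanged rather than being dropped.
        self.buf = PLACEHOLDER.sub(lambda m: self.vault.get(m.group(0), m.group(0)), self.buf)
        cut = self._hold_from(self.buf)
        out, self.buf = self.buf[:cut], self.buf[cut:]
        return out

    def flush(self) -> str:
        """End of stream: a held tail that never became a placeholder is emitted verbatim."""
        out, self.buf = self.buf, ""
        return out
```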
Audit log
With logging enabled, every request writes an append-only record: attribution (tenant, key, subject, user, source IP), the request (model, provider, params, prompt), the response, token counts (incl. cached and reasoning), cost, and latency. Content is sealed at rest with your master key; viewing a record emits its own audit event.
Three logging modes per tenant: off, metadata (no content), and full (sealed content). Findings from DLP attach to each record as compliance evidence — without storing the raw PII.
Sovereignty
Run aigw on EU infrastructure or self-host the stateless gateway in your VPC. The control plane holds the master key and never ships it; provider credentials are re-sealed with a separate edge key for transport, so a compromised gateway can spend an upstream key but decrypt nothing else.
See also: virtual keys & budgets · providers & models.