Building Safe and Compliant Enterprise LLM Deployments

1. Introduction

1.1 The Enterprise AI Deployment Challenge

The rapid adoption of large language models in enterprise settings has exposed a critical gap between model capabilities and deployment readiness. While significant research attention has focused on model alignment and safety benchmarking [1, 2], comparatively little guidance exists for the infrastructure required to deploy LLM-based systems safely in regulated industries.

Enterprise LLM deployments face multifaceted challenges:

Governance: Who controls what the model can do, and how are policies enforced?
Security: How are the system and its data protected from both external threats and adversarial inputs?
Compliance: How does the deployment satisfy regulatory requirements across jurisdictions?
Operations: How is the system monitored, scaled, and maintained in production?

1.2 Scope and Contributions

This whitepaper presents AEGIS v5.2's production infrastructure, providing a reference architecture for enterprise LLM safety deployments. Our contributions include:

A layered governance framework with policy-as-code, comprehensive audit trails, and role-based access control supporting hierarchical role inheritance.
Defense-in-depth security architecture comprising 8 middleware layers, 14 agent security modules, and format-preserving PII pseudonymization.
Regulatory compliance automation with machine-readable mappings to EU AI Act, K-AI Act, and NIST AI RMF.
Verification methodology validated through 1,591+ automated tests, GS quality certification (ISO/IEC 25051), and continuous integration practices.
Production-grade operational infrastructure with Docker/Kubernetes orchestration, Prometheus/Grafana monitoring, and multi-tenant SaaS isolation.

All descriptions in this whitepaper are grounded in implemented, tested code rather than theoretical designs.

1.3 Paper Organization

Section 2 presents the governance framework. Sections 3--6 detail security from authentication through privacy protection. Section 7 addresses regulatory compliance. Section 8 covers verification and quality assurance. Sections 9--11 present operational readiness, multi-tenancy, and deployment infrastructure. Section 12 discusses lessons learned, and Section 13 concludes.

2. Governance Framework

2.1 Policy-as-Code Architecture

AEGIS implements governance through a policy-as-code paradigm where safety rules are expressed as structured, version-controlled configurations rather than ad-hoc code. The TAG (Threat Assessment Gateway) policy engine provides the foundational governance layer.

Table I: TAG Policy Configuration Structure

Component	Description	Implementation
Category Rules	Per-threat-category thresholds and actions	TagConfig with 10+ categories
Severity Tiers	CRITICAL/HIGH/MEDIUM/LOW with graduated responses	Enum-based severity mapping
Action Types	BLOCK, MODIFY, ESCALATE, APPROVE, REASK, THROTTLE	6-action verdict taxonomy
Custom Patterns	Organization-specific detection patterns	Regex + semantic pattern matching
Escalation Paths	Automatic routing for ambiguous cases	Configurable escalation chains

The policy engine supports domain-specific configurations. For example, a healthcare deployment can enforce HIPAA-specific rules:

TagConfig {
    category: ThreatCategory::PrivacyViolation,
    severity: Severity::Critical,
    action: VerdictAction::Block,
    patterns: vec!["patient_data", "medical_record", "diagnosis"],
    escalation: Some(EscalationPath::ComplianceOfficer),
    regulatory_refs: vec!["HIPAA §164.502", "EU_AI_Act_Art52"],
}

2.2 Audit Trail System

Comprehensive audit logging is implemented through 23 distinct event types covering every significant system interaction.

Table II: Audit Event Taxonomy

Category	Event Types	Data Captured
Authentication	UserLogin, UserLogout, TokenRefresh, ApiKeyCreated, ApiKeyRevoked	User ID, IP, timestamp, method
Authorization	PermissionGranted, PermissionDenied, RoleChanged	Resource, action, role, outcome
Safety Operations	ContentBlocked, ContentModified, ThreatDetected, EscalationTriggered	Input hash, verdict, confidence, tier
Configuration	PolicyUpdated, ModelConfigChanged, ThresholdAdjusted	Before/after values, change author
System	ServiceStarted, ServiceStopped, HealthCheckFailed, RateLimitExceeded	Service name, status, metrics
Data	DataExported, DataDeleted, PiiDetected, PiiPseudonymized	Data type, scope, method

Each audit event is structured with:

pub struct AuditEvent {
    pub id: Uuid,
    pub timestamp: DateTime<Utc>,
    pub event_type: AuditEventType,   // 23 variants
    pub actor: ActorInfo,              // user_id, role, ip_address
    pub resource: ResourceInfo,        // resource_type, resource_id
    pub action: ActionInfo,            // action_type, outcome, details
    pub metadata: serde_json::Value,   // extensible context
    pub tenant_id: Option<TenantId>,   // multi-tenant isolation
}

2.3 Verdict Explanation and Transparency

Every safety judgment produces a structured VerdictExplanation providing full transparency into the decision process:

Table III: VerdictExplanation Schema

Field	Type	Purpose
decision_tier	DecisionTier	Which tier (Rule/ML/Judge) made the decision
layer_explanations		Per-layer analysis results
pattern_matches		Specific patterns that triggered
token_attributions		Per-token risk attribution
confidence	f64	Overall confidence score
regulatory_refs		Applicable regulatory references
recommended_action	VerdictAction	System recommendation

This structured explanation supports both human review and automated compliance reporting, satisfying the EU AI Act's transparency requirements (Article 13).

3. Authentication and Authorization

3.1 Dual Authentication System

AEGIS implements dual authentication supporting both interactive (JWT) and programmatic (API Key) access patterns.

JWT Authentication:

RS256 asymmetric signing for token integrity
Configurable expiration (default: 1 hour access, 7 days refresh)
Embedded claims: user_id, tenant_id, roles, permissions
Token refresh with rotation to prevent replay attacks

API Key Authentication:

SHA-256 hashed storage (plaintext never persisted)
Per-key scope restrictions (read-only, write, admin)
Rate limit binding per API key
Revocation with immediate effect across all nodes

┌─────────────────────────────────────────────────┐
│              Authentication Flow                 │
│                                                  │
│  Request ──► Extract Token/Key                   │
│              ├── JWT ──► Verify Signature         │
│              │          ├── Check Expiry          │
│              │          └── Extract Claims        │
│              └── API Key ──► Hash & Lookup        │
│                             ├── Check Scope       │
│                             └── Check Rate Limit  │
│              ▼                                    │
│         Authenticated Identity                    │
│              ▼                                    │
│         Authorization Check (RBAC + ABAC)         │
│              ▼                                    │
│         Request Processing                        │
└─────────────────────────────────────────────────┘

3.2 RBAC + ABAC Hybrid Authorization

Authorization combines Role-Based Access Control (RBAC) with Attribute-Based Access Control (ABAC) for fine-grained permission management.

Table IV: Role Hierarchy

Role	Inherits From	Key Permissions
SuperAdmin	All roles	System configuration, tenant management
TenantAdmin	Analyst, Operator	Tenant settings, user management, policy config
Operator	Analyst	Run evaluations, modify configurations
Analyst	Viewer	View reports, export data, run queries
Viewer	---	Read-only access to dashboards and results

ABAC Attributes extend RBAC with contextual checks:

Attribute	Type	Example Policy
tenant_id	Identity	Users can only access their own tenant's data
ip_range	Network	Admin access restricted to corporate VPN
time_window	Temporal	Destructive operations only during maintenance windows
resource_sensitivity	Data	PII access requires explicit pii_reader permission
request_rate	Behavioral	Burst requests trigger additional verification

The permission boundary module (permission_boundary.rs, 639 lines) implements this hybrid model:

pub struct PermissionBoundary {
    role_permissions: HashMap<Role, HashSet<Permission>>,
    abac_policies: Vec<AbacPolicy>,
    inheritance_graph: RoleGraph,
}

impl PermissionBoundary {
    pub fn check_access(&self, actor: &Actor, resource: &Resource,
                        action: &Action, context: &Context) -> AccessDecision {
        // 1. RBAC: Check role-based permissions (with inheritance)
        let rbac_result = self.check_rbac(actor, resource, action);
        // 2. ABAC: Apply attribute-based constraints
        let abac_result = self.check_abac(actor, resource, action, context);
        // 3. Combine: Both must permit (conjunction)
        AccessDecision::combine(rbac_result, abac_result)
    }
}

4. Security Hardening

4.1 Middleware Security Stack

AEGIS deploys an 8-layer middleware stack where every request passes through multiple security checks before reaching application logic.

Table V: Middleware Stack (Execution Order)

Layer	Module	Function
1	security_headers	CSP, HSTS, X-Frame-Options, X-Content-Type
2	rate_limit	Redis sliding window, per-tenant quotas
3	auth	JWT/API Key validation, identity extraction
4	rbac_check	Role + attribute authorization
5	input_validation	SQL injection, XSS, path traversal detection
6	request_logging	Structured request/response audit logging
7	sensitive_scrub	Scrub PII/secrets from logs and responses
8	error_handler	Sanitized error responses (no stack traces)
Total		End-to-end middleware overhead

4.2 Input Validation and Injection Prevention

The security middleware implements pattern-based detection for common injection attacks:

SQL Injection Detection:

Pattern matching for UNION SELECT, DROP TABLE, '; --, OR 1=1
Parameterized query enforcement at the ORM layer
Prepared statement validation for dynamic queries

XSS Prevention:

Script tag detection (<script>, javascript:, on*= event handlers)
Content-Security-Policy headers restricting inline scripts
Output encoding for all user-supplied content in responses

Path Traversal Protection:

Rejection of ../, ..\\, encoded variants (%2e%2e)
Canonicalization of all file paths before access
Chroot-style containment for file operations

4.3 Sensitive Data Scrubbing

A dedicated scrubbing layer ensures sensitive information never leaks through logs or error responses:

pub struct SensitiveDataScrubber {
    patterns: Vec<ScrubPattern>,
}

impl SensitiveDataScrubber {
    pub fn scrub(&self, content: &str) -> String {
        // Patterns include:
        // - Credit card numbers (Luhn-validated)
        // - Social security numbers
        // - API keys and tokens (Bearer, sk-*, etc.)
        // - Email addresses in error contexts
        // - IP addresses in non-audit contexts
        self.patterns.iter().fold(
            content.to_string(),
            |acc, pattern| pattern.apply(&acc)
        )
    }
}

4.4 Security Headers

Table VI: Deployed Security Headers

Header	Value	Purpose
Content-Security-Policy		Prevent XSS via inline scripts
Strict-Transport-Security	max-age=31536000; includeSubDomains	Enforce HTTPS
X-Frame-Options	DENY	Prevent clickjacking
X-Content-Type-Options	nosniff	Prevent MIME sniffing
X-XSS-Protection	1; mode=block	Browser XSS filter
Referrer-Policy	strict-origin-when-cross-origin	Control referrer leakage
Permissions-Policy		Restrict browser APIs

4.5 Security Audit Classification

All security fixes follow a priority classification system:

Table VII: Security Fix Priority Classification

Priority	Criteria	SLA	Examples
P0 --- Critical	Exploitable vulnerability, data exposure risk	Immediate	Missing auth on endpoints, SQL injection
P1 --- High	Security weakness, defense gap	24 hours	Missing rate limiting, weak input validation
P2 --- Medium	Hardening opportunity, best practice gap	1 week	Missing security headers, log scrubbing
P3 --- Low	Code quality, defense-in-depth improvement	1 month	Error message verbosity, unused imports

5. Agent Security Architecture

5.1 The Agent Security Challenge

LLM-powered agents that interact with external tools, APIs, and data sources introduce attack surfaces beyond traditional prompt injection. AEGIS addresses this with 14 specialized agent security modules.

5.2 Agent Security Module Inventory

Table VIII: 14 Agent Security Modules

#	Module	Threat Addressed	Detection Method
1	direct_prompt_injection (DPI)	Direct adversarial prompts	Pattern + ML classifier
2	indirect_prompt_injection (IPI)	Hidden instructions in retrieved data	Context boundary analysis
3	stochastic_attack (STAC)	Probabilistic jailbreak attempts	Statistical distribution analysis
4	memory_poisoning	Corrupted conversation memory	Memory integrity verification
5	reasoning_manipulation	Chain-of-thought exploitation	Reasoning consistency checks
6	tool_disguise	Malicious tools masquerading as benign	Tool signature verification
7	supply_chain	Compromised model weights or data	Provenance chain validation
8	credential_guard	Credential leakage through prompts	Secret pattern detection
9	autonomy_control	Unauthorized autonomous actions	Action boundary enforcement
10	token_monitor	Token budget exhaustion attacks	Usage tracking and limits
11	tool_chain_anomaly	Unusual tool invocation sequences	Sequence anomaly detection
12	permission_boundary	Privilege escalation attempts	RBAC+ABAC enforcement
13	mcp_trust	Untrusted MCP server connections	Trust score evaluation
14	credential_guard (enhanced)	Runtime credential exposure	Real-time scanning

5.3 Tool Chain Anomaly Detection

The tool chain anomaly detector monitors sequences of tool invocations for suspicious patterns:

Normal:  search → read → summarize → respond
Anomaly: search → execute_code → read_credentials → send_email
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
         Unusual tool sequence: execution + credential access + exfiltration

Detection uses a Markov chain model of expected tool transition probabilities, flagging sequences with cumulative surprise exceeding a configurable threshold.

5.4 MCP Trust Evaluation

The Model Context Protocol (MCP) trust module evaluates external server connections:

Trust Factor	Weight	Assessment
Server identity verification	0.30	TLS certificate, domain reputation
Historical behavior	0.25	Past interaction success rate
Capability declarations	0.20	Scope of requested permissions
Data handling policy	0.15	Privacy policy compliance
Community reputation	0.10	Registry ratings, audit history

Connections below the trust threshold (default: 0.7) are blocked with detailed explanations logged for audit.

6. Privacy and Data Protection

6.1 PII Proxy Engine

The PII Proxy Engine provides format-preserving pseudonymization for 7 personally identifiable information types.

Table IX: PII Types and Pseudonymization Strategies

PII Type	Detection Pattern	Pseudonymization Method
Credit Card	Luhn-valid 16-digit	Random Luhn-valid number
Phone Number	International formats	Prefix-preserving random
Email	RFC 5322 pattern	Domain-preserving hash
SSN/ID	Country-specific formats	Format-preserving encryption
Name	NER + pattern matching	Consistent pseudonym mapping
Address	Structured address parsing	Locality-preserving transform
Date of Birth	Date format detection	Age-bracket preserving shift

Key properties of the pseudonymization engine:

Session isolation: Each session maintains independent pseudonym mappings
Consistency: The same real value always maps to the same pseudonym within a session
Reversibility: Authorized users can restore original values via restore() API
Auto/Confirm modes: Automatic pseudonymization or user-confirmed replacement
DOM integration: MutationObserver + TreeWalker for real-time response pseudonymization

6.2 Federated Learning Infrastructure

For organizations requiring model improvement without data centralization, AEGIS provides three federated learning strategies:

Table X: Federated Learning Strategies

Strategy	Module	Privacy Guarantee
FedAvg	fed_avg.rs	Data locality (no raw data shared)
Secure Aggregation	secure_aggregation.rs	Cryptographic (no individual updates visible)
Differential Privacy	differential_privacy.rs

The DP-SGD implementation clips per-sample gradients and adds calibrated Gaussian noise:

θ_{t+1} = θ_t - η · (1/B) · Σ_i [clip(∇L_i, C) + N(0, σ²C²I)]

where C is the clipping bound and σ is calibrated to achieve the target (ε, δ) privacy budget per the moments accountant.

6.3 Embedding Scanner

The embedding scanner detects PII leakage in vector representations using:

Cosine similarity search: Identifying embeddings suspiciously close to known PII representations
LSH-based approximate nearest neighbor: Scalable detection across large embedding stores
Canary token injection: Planted synthetic PII to verify pipeline integrity

7. Regulatory Compliance

7.1 Multi-Framework Compliance Engine

The regulatory reporting module (regulatory_report.rs, 620 lines) generates compliance assessments against four regulatory frameworks simultaneously.

Table XI: Regulatory Framework Coverage

Framework	Articles/Functions Mapped	Key Requirements	AEGIS Coverage
EU AI Act	Articles 6, 9, 13, 14, 52, 71	Risk classification, transparency, human oversight	Full
K-AI Act	Articles 4, 7, 10, 15	Safety standards, impact assessment, accountability	Full
NIST AI RMF	Govern, Map, Measure, Manage	Risk identification, assessment, mitigation, monitoring	Full
ISO/IEC 25051	Sections 5--9	Software quality, documentation, testing	GS Certified

7.2 EU AI Act Compliance Mapping

Table XII: EU AI Act Article Mapping

Article	Requirement	AEGIS Implementation
Art. 6	Risk-based classification	Threat taxonomy with CVSS-like AI severity scoring
Art. 9	Risk management system	SABER statistical risk framework, continuous monitoring
Art. 13	Transparency	VerdictExplanation schema, per-layer audit trails
Art. 14	Human oversight	ESCALATE verdict, manual review queues, override capability
Art. 52	Transparency obligations	AI-generated content marking, interaction disclosure
Art. 71	Penalties framework	Severity-based response (BLOCK/MODIFY/THROTTLE)

7.3 K-AI Act Compliance

Article	Requirement	AEGIS Implementation
Art. 4	Safety and reliability standards	3-Tier defense pipeline, 1,591+ tests, GS certification
Art. 7	Impact assessment
Art. 10	Accountability and transparency	23-type audit logging, verdict explanations
Art. 15	User protection	PII pseudonymization, rate limiting, content filtering

7.4 NIST AI RMF Mapping

Function	Sub-function	AEGIS Implementation
Govern	Policies, roles, accountability	TAG policy engine, RBAC+ABAC, audit trails
Map	Context, risk identification	Threat taxonomy (OWASP Top 10), attack vector catalog
Measure	Assessment, metrics
Manage	Mitigation, monitoring, response	3-Tier defense, Prometheus metrics, auto-escalation

7.5 Automated Compliance Reporting

The system generates structured compliance reports:

pub struct RegulatoryReport {
    pub framework: RegulatoryFramework,
    pub assessment_date: DateTime<Utc>,
    pub overall_compliance: ComplianceLevel,  // Full, Partial, NonCompliant
    pub article_assessments: Vec<ArticleAssessment>,
    pub gaps: Vec<ComplianceGap>,
    pub recommendations: Vec<Recommendation>,
    pub evidence_refs: Vec<EvidenceReference>,  // Links to audit logs, test results
}

8. Verification and Quality Assurance

8.1 Test Coverage

AEGIS maintains comprehensive automated testing across all components:

Table XIII: Test Suite Summary

Component	Test Count	Coverage Focus
aegis-defense	944 unit + 43 integration	All defense algorithms, Korean/multilingual modules
aegis-core	28	Core data structures, verdict logic
aegis-ml	83	ML inference, embedding scanner, federated learning
aegis-redteam	146	All 8 attack algorithms, meta-attack generator
Chrome Extension	28 (Vitest)	PII proxy engine, detection layers
API Integration	150+	Endpoint validation, auth flows, error handling
Total	1,591+	Full-stack coverage

8.2 GS Quality Certification

AEGIS has achieved GS (Good Software) certification under ISO/IEC 25051, validated through 9 certification documents:

Table XIV: GS Certification Document Suite

Document	Standard Reference	Content
Product Description		Product scope, target users, operating environment
Functional Specification		All functional requirements with traceability
Test Documentation		Test plans, cases, results, coverage analysis
User Documentation		Installation, configuration, operation guides
Quality Requirements	ISO/IEC 25010	Functionality, reliability, usability, efficiency, maintainability, portability
Installation Guide		Step-by-step deployment procedures
API Reference	OpenAPI 3.0	Complete REST API documentation
Security Assessment	Internal	Penetration test results, vulnerability remediation
Performance Report	Internal	Load testing, latency benchmarks, scalability analysis

8.3 Continuous Integration Pipeline

┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐
│  Commit  │───►│  Lint +  │───►│  Build   │───►│  Test    │───►│  Deploy  │
│  Push    │    │  Format  │    │  (Cargo) │    │  1,591+  │    │  Staging │
└──────────┘    └──────────┘    └──────────┘    └──────────┘    └──────────┘
                 rustfmt          cargo build     cargo test      docker-
                 clippy           --release       --all           compose up

8.4 Security Testing

Static Analysis: Clippy lints with #![deny(clippy::all)], custom security lint rules
Dependency Audit: cargo audit integrated into CI pipeline
Input Fuzzing: Property-based testing with proptest for parser modules
Penetration Testing: Manual and automated security assessment per GS certification

9. Operational Readiness

9.1 Health Check System

AEGIS implements three-tier health checking for Kubernetes-compatible orchestration:

Table XV: Health Check Endpoints

Endpoint	Purpose	Checks Performed	Use Case
/health	General health	Service version, uptime	Human monitoring
/health/live	Liveness probe	Process alive, memory OK	K8s liveness probe
/health/ready	Readiness probe	DB connected, Redis connected, models loaded	K8s readiness probe

9.2 Prometheus Metrics

12 metric types are exported for comprehensive observability:

Table XVI: Prometheus Metric Types

Metric	Type	Description
aegis_requests_total	Counter	Total requests by endpoint, method, status
aegis_request_duration_seconds	Histogram	Request latency distribution (P50, P95, P99)
aegis_active_connections	Gauge	Current active connections
aegis_verdict_total	Counter	Verdicts by type (APPROVE/BLOCK/MODIFY/...)
aegis_tier_latency_seconds	Histogram	Per-tier processing latency
aegis_threat_detected_total	Counter	Threats by category and severity
aegis_model_inference_seconds	Histogram	ML model inference time
aegis_cache_hits_total	Counter	Redis cache hit/miss ratio
aegis_rate_limit_exceeded_total	Counter	Rate limit violations by tenant
aegis_pii_detected_total	Counter	PII detections by type
aegis_audit_events_total	Counter	Audit events by type
aegis_system_memory_bytes	Gauge	Process memory usage

9.3 Alerting Configuration

Alert	Severity	Response
High Error Rate	Critical	Page on-call
Latency Spike	Warning	Investigate
Memory Pressure	Warning	Scale up
Threat Surge	Critical	Security review
Auth Failures	Critical	Potential brute force

9.4 Fail-Safe Policies

When components fail, AEGIS defaults to safe behavior:

Component Failure	Default Behavior	Rationale
ML Classifier unavailable	Escalate to LLM Judge	Maintain safety with higher-tier review
LLM Judge unavailable	Apply conservative rule-based blocking	Prefer false positives over false negatives
Redis unavailable	In-memory rate limiting with conservative limits	Maintain protection with degraded capacity
Database unavailable	Read-only mode from cache	Preserve existing configurations
All tiers unavailable	Block all non-whitelisted requests	Fail-closed for safety

10. Multi-Tenant SaaS Architecture

10.1 Tenant Isolation Model

AEGIS supports multi-tenant deployment with strict data isolation:

┌────────────────────────────────────────────────┐
│                  API Gateway                    │
│          (Tenant ID extraction + routing)       │
├────────────────────────────────────────────────┤
│  Tenant A    │  Tenant B    │  Tenant C        │
│  ┌────────┐  │  ┌────────┐  │  ┌────────┐     │
│  │ Config │  │  │ Config │  │  │ Config │     │
│  │ Policies│  │  │ Policies│  │  │ Policies│   │
│  │ Quotas │  │  │ Quotas │  │  │ Quotas │     │
│  └────────┘  │  └────────┘  │  └────────┘     │
├────────────────────────────────────────────────┤
│           Shared Infrastructure                 │
│  (PostgreSQL with row-level security,           │
│   Redis with key prefixing)                     │
└────────────────────────────────────────────────┘

10.2 Subscription Tiers

Table XVII: SaaS Subscription Tiers

Tier	Rate Limit	Features	Target
Free	100 req/hr	Basic safety check (Tier 1 only)	Evaluation
Starter	1,000 req/hr	Tier 1 + 2, basic audit logs	Small teams
Professional	10,000 req/hr	All 3 tiers, full audit, compliance reports	Enterprise
Enterprise	Custom	Custom policies, dedicated resources, SLA	Large org

Feature gating is implemented at the middleware level:

pub fn check_feature_access(tenant: &Tenant, feature: Feature) -> bool {
    match (tenant.plan, feature) {
        (Plan::Free, Feature::LlmJudge) => false,
        (Plan::Free, Feature::ComplianceReport) => false,
        (Plan::Starter, Feature::ComplianceReport) => false,
        (Plan::Enterprise, _) => true,
        _ => tenant.plan.includes(feature),
    }
}

10.3 Rate Limiting

Redis-backed sliding window rate limiting with per-tenant quotas:

Algorithm: Sliding window log (precise, no boundary issues)
Granularity: Per-tenant, per-API-key, per-endpoint
Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset
Burst allowance: 2x sustained rate for 10-second windows
Graceful degradation: Falls back to in-memory counting if Redis is unavailable

11. Deployment Infrastructure

11.1 Docker Composition

Table XVIII: Service Architecture

Service	Image	Port	Role
aegis-api	Custom (Rust)	8000	API Gateway + middleware
aegis-ml	Custom (Rust + ONNX)	8081	ML inference service
aegis-redteam	Custom (Rust)	8082	Red team evaluation service
aegis-vla	Custom (Rust)	8083	VLA (Vision-Language-Action) service
postgres	PostgreSQL 16	5432	Primary database
redis	Redis 7	6379	Cache, rate limiting, sessions
prometheus	Prometheus	9090	Metrics collection
grafana	Grafana	3000	Visualization dashboards
alertmanager	Alertmanager	9093	Alert routing

11.2 Database Schema

32 SQL migration files manage the database schema evolution:

Schema Area	Tables	Purpose
Core	tenants, users, api_keys	Identity management
Safety	verdicts, threat_events, escalations	Safety operation records
Config	policies, thresholds, model_configs	System configuration
Audit	audit_events, access_logs	Compliance audit trail
Billing	subscriptions, usage_records, invoices	SaaS billing
RedTeam	evaluations, attack_results, saber_reports	Red team assessment data

11.3 Kubernetes Deployment Considerations

Horizontal Pod Autoscaling: Based on CPU utilization and request queue depth
Pod Disruption Budgets: Minimum 2 replicas for API and ML services
Network Policies: Strict inter-service communication rules
Secret Management: Kubernetes secrets with optional HashiCorp Vault integration
Rolling Updates: Zero-downtime deployments with readiness probe gating

12. Discussion and Lessons Learned

12.1 Defense-in-Depth is Non-Negotiable

Our experience deploying AEGIS across multiple environments confirms that no single security measure is sufficient. The combination of network-level controls (security headers, rate limiting), application-level checks (auth, input validation), and AI-specific safeguards (agent security modules, SABER risk analysis) creates overlapping protection zones where a failure in one layer is caught by another.

12.2 Compliance as Code

Treating regulatory requirements as machine-readable artifacts rather than static documents enables continuous compliance monitoring. Our automated compliance reporting has reduced audit preparation time by an estimated 70% compared to manual documentation approaches.

12.3 The Multi-Tenant Challenge

Achieving true tenant isolation while maintaining resource efficiency requires careful architectural decisions:

Row-level security in PostgreSQL provides strong data isolation without per-tenant database overhead
Redis key prefixing enables shared infrastructure with logical separation
Feature gating at middleware prevents unauthorized access to tier-restricted features

12.4 Operational Observability

The 12 Prometheus metric types and 23 audit event types provide comprehensive visibility, but volume management is critical. Key practices:

Structured logging (JSON format) enables efficient log analysis
Metric cardinality control prevents Prometheus storage explosion
Audit log retention policies balance compliance requirements with storage costs

12.5 Security Hardening Prioritization

The P0/P1/P2/P3 priority classification (Table VII) proved essential for systematic security improvement. In our most recent security audit:

P0 fixes: Authentication enforcement on previously unprotected endpoints
P1 fixes: Rate limiting, input validation strengthening
P2 fixes: Security header deployment, sensitive data scrubbing

12.6 Agent Security is an Emerging Frontier

The 14 agent security modules represent one of the most novel aspects of AEGIS. As LLM agents gain autonomy --- executing tools, managing memory, making decisions --- the attack surface expands dramatically. Our modular approach allows new threat detectors to be added without architectural changes.

13. Conclusion

This whitepaper has presented AEGIS's comprehensive approach to enterprise LLM deployment safety, covering governance, security, compliance, and operational readiness. Key takeaways:

Governance requires structure: Policy-as-code, structured audit trails, and transparent verdict explanations are foundational for responsible AI deployment.
Security must be layered: The 8-layer middleware stack, 14 agent security modules, and PII pseudonymization engine provide defense-in-depth against both traditional and AI-specific threats.
Compliance can be automated: Machine-readable regulatory mappings across EU AI Act, K-AI Act, and NIST AI RMF enable continuous compliance monitoring rather than periodic manual audits.
Verification must be comprehensive: 1,591+ automated tests, GS quality certification, and structured CI/CD pipelines ensure that safety properties are maintained through development and deployment.
Operations need observability: 12 Prometheus metric types, 3-tier health checks, and fail-safe policies enable reliable production operation with rapid incident response.

The AEGIS platform demonstrates that safe enterprise LLM deployment is achievable with deliberate architectural choices, rigorous testing, and continuous monitoring. As the regulatory landscape for AI continues to evolve, platforms that embed compliance into their architecture --- rather than treating it as an afterthought --- will be best positioned to meet emerging requirements.

References

[1] J. Wei et al., "Jailbroken: How does LLM safety training fail?" NeurIPS, 2023.

[2] A. Zou et al., "Universal and transferable adversarial attacks on aligned language models," arXiv:2307.15043, 2023.

[3] European Parliament, "Regulation (EU) 2024/1689 --- Artificial Intelligence Act," Official Journal of the European Union, 2024.

[4] National Institute of Standards and Technology, "AI Risk Management Framework (AI RMF 1.0)," NIST AI 100-1, 2023.

[5] 과학기술정보통신부, "인공지능 산업 육성 및 신뢰 기반 조성 등에 관한 법률 (K-AI Act)," 2025.

[6] OWASP Foundation, "OWASP Top 10 for LLM Applications," v1.1, 2023.

[7] ISO/IEC, "ISO/IEC 25051:2014 --- Software engineering --- Systems and software Quality Requirements and Evaluation (SQuaRE)," 2014.

[8] M. Abadi et al., "Deep learning with differential privacy," ACM CCS, 2016.

[9] B. McMahan et al., "Communication-efficient learning of deep networks from decentralized data," AISTATS, 2017.

[10] K. Bonawitz et al., "Practical secure aggregation for privacy-preserving machine learning," ACM CCS, 2017.

[11] A. Narayanan and V. Shmatikov, "Robust de-anonymization of large sparse datasets," IEEE S&P, 2008.

[12] NIST, "NIST Special Publication 800-53: Security and Privacy Controls," Rev. 5, 2020.

[13] S. Yao et al., "Tree of attacks: Jailbreaking black-box LLMs with auto-generated subtrees," arXiv:2312.02119, 2023.

[14] C. Dwork and A. Roth, "The algorithmic foundations of differential privacy," Foundations and Trends in Theoretical Computer Science, 2014.

[15] R. Shokri et al., "Membership inference attacks against machine learning models," IEEE S&P, 2017.

[16] F. Tramer et al., "Stealing machine learning models via prediction APIs," USENIX Security, 2016.

[17] P. Kairouz et al., "Advances and open problems in federated learning," Foundations and Trends in ML, 2021.

[18] N. Carlini et al., "Extracting training data from large language models," USENIX Security, 2021.

[19] M. Fredrikson et al., "Model inversion attacks that exploit confidence information," ACM CCS, 2015.

[20] TI-DSA, "GS인증 품질기준 --- 소프트웨어 품질인증 기준," 한국정보통신기술협회, 2023.