
Runtime AI Gateway

A proxy that sits between the application and the LLM provider, applying DLP, tool allowlisting, rate limiting, and signed policy rules in real time.


A runtime AI gateway is a proxy that sits on the wire between the customer application and the upstream LLM provider. It enforces controls on every request and response: DLP redaction of sensitive identifiers, tool allowlisting for agent-driven MCP calls, per-domain rate limits, budget caps, and prompt-injection signature matching.

The deployment model matters for regulated buyers. A self-hosted runtime gateway runs inside the customer network so prompt content never leaves the customer boundary; only allow or block decisions and redacted finding metadata flow to the control plane. The policy bundle the gateway loads is typically signed (Ed25519) so a compromised host cannot apply unauthorised rules.
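As an added illustration (not code from the platform this page describes), the Go sketch below shows a gateway verifying an Ed25519-signed policy bundle against a pinned public key before using it, then applying the bundle's tool allowlist. The bundle layout, the names `Policy`, `LoadPolicy`, `ToolAllowed` and `demoBundle`, and the tool names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Policy is a hypothetical bundle layout; the JSON field names are assumptions.
type Policy struct {
	Version      int      `json:"version"`
	AllowedTools []string `json:"allowed_tools"`
}

// LoadPolicy verifies the detached Ed25519 signature over the raw bundle with a
// pinned key before parsing. The length check avoids Verify's bad-key panic.
func LoadPolicy(pinned ed25519.PublicKey, raw, sig []byte) (*Policy, error) {
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, raw, sig) {
		return nil, fmt.Errorf("policy bundle signature invalid")
	}
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("policy bundle malformed: %w", err)
	}
	return &p, nil
}

// ToolAllowed reports whether a tool call is allowlisted; a nil policy denies all.
func (p *Policy) ToolAllowed(name string) bool {
	for i := 0; p != nil && i < len(p.AllowedTools); i++ {
		if p.AllowedTools[i] == name {
			return true
		}
	}
	return false
}

// demoBundle builds a constructed key, bundle and signature for the demo.
func demoBundle() (ed25519.PublicKey, []byte, []byte) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	raw := []byte(`{"version":1,"allowed_tools":["search_docs"]}`)
	return pub, raw, ed25519.Sign(priv, raw)
}

func main() {
	pub, raw, sig := demoBundle()
	p, err := LoadPolicy(pub, raw, sig)
	fmt.Println(p.ToolAllowed("search_docs"), p.ToolAllowed("delete_repo"), err)
}
```

When `LoadPolicy` returns an error, the caller keeps enforcing its current policy instead of the rejected bundle; the signing key is assumed to live outside the gateway host.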

Runtime AI gateways complement rather than replace adversarial scanning. The gateway catches a class of attacks in production; scheduled scans catch regressions and feed control-mapped audit evidence.

The Penaxtra platform implements the controls and assessments described above as part of its AI-SPM programme.