
Extend ISO 27001 to every model call.
Your app already meets ISO 27001. Your AI calls to outside models usually do not. AegisPlane extends access control, logging, and evidence retention to every model request, so the AI layer meets the same bar.
No code changes. Live on your traffic in a day.
One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.
What is ISO 27001?
Your ISMS was built before your app called an LLM. ISO/IEC 27001 is the international standard for information security management. It requires you to manage security risk systematically, with a catalogue of controls (Annex A) for access, logging, and cryptography. Certification is table stakes in enterprise procurement.
- Defines an information security management system (ISMS).
- Annex A controls cover access control, logging, and monitoring.
- Requires evidence retention and continual risk treatment.
- Certification is widely expected by enterprise buyers.
What ISO 27001 requires
Annex A controls have to reach your AI traffic too. AegisPlane extends the ones enforceable at runtime.
Risk treatment
Identify and treat information-security risk. AI calls to outside models are treated as an access surface, not an exception.
Access control
Least-privilege access to models and providers, enforced by RBAC and SPIFFE mTLS between services.
Logging and monitoring
Every event is captured via OpenTelemetry, with alerting on anomalies.
Evidence retention
Decision logs are retained and exportable, so control evidence outlives the interaction.
One request, checked in real time
Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.
Business value
- Reinforces AI information-security posture.
- Reduces operational gaps in sensitive processes.
- Aligns the AI layer with corporate security standards.
How AegisPlane applies ISO 27001 controls to AI
AegisPlane brings Annex A control discipline to the AI Control Plane (AICP), treating every model call and provider connection as an access event to be controlled and logged.
Access control as config
RBAC, identity, and provider access rules are expressed as versioned config and compiled into signed bundles, the documented control state auditors look for.
Enforced at the gateway
The OPA policy engine enforces least-privilege access to models and providers on every request, backed by SPIFFE mTLS between services.
Logging and monitoring
Every event is captured via OpenTelemetry for the logging and monitoring controls of Annex A, with alerting on anomalies.
Evidence retention
Decision logs can be retained and offloaded to object storage so control evidence is available for audit long after the interaction.
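As an added illustration, not AegisPlane's own code, the gateway decision described above can be sketched as a default-deny check of one model call against a role allowlist, with the verdict written out as a JSON evidence record. The SPIFFE IDs, provider and model names, and bundle version below are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed stand-in for the versioned RBAC config the page describes.
# Identities are SPIFFE IDs presented over mTLS; resources are provider/model.
POLICY = {
    "version": "bundle-v1",  # placeholder; a real bundle would carry a signature
    "identities": {          # SPIFFE ID -> role (constructed mapping)
        "spiffe://example.org/ns/prod/sa/support-bot": "support",
        "spiffe://example.org/ns/prod/sa/research-api": "research",
    },
    "roles": {               # role -> allowed provider/model pairs (least privilege)
        "support": {"provider-a/model-small"},
        "research": {"provider-a/model-small", "provider-b/model-large"},
    },
}

def decide(policy, spiffe_id, provider, model):
    """Treat one model call as an access event and return an allow/deny record."""
    resource = f"{provider}/{model}"
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": spiffe_id,
        "resource": resource,
        "policy_version": policy["version"],
    }
    # Default deny: anything not explicitly granted is refused.
    if not spiffe_id.startswith("spiffe://"):
        record.update(decision="deny", reason="invalid-identity")
        return record
    role = policy["identities"].get(spiffe_id)
    if role is None:
        record.update(decision="deny", reason="unknown-identity")
        return record
    record["role"] = role
    if resource not in policy["roles"].get(role, set()):
        record.update(decision="deny", reason="resource-not-granted")
        return record
    record.update(decision="allow", reason="role-grant")
    return record

def log_decision(record, sink):
    """Append the decision as one JSON line; `sink` stands in for the retained log."""
    sink.append(json.dumps(record, sort_keys=True))
    return record["decision"]

if __name__ == "__main__":
    evidence = []
    print(log_decision(decide(POLICY, "spiffe://example.org/ns/prod/sa/support-bot", "provider-b", "model-large"), evidence), evidence[0])
```

Each JSON line carries the subject, resource, role, verdict, reason and policy version, which is the shape of evidence an auditor can tie back to a specific control state.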
Frequently asked questions
No. It extends your existing ISMS to cover AI traffic, supplying the access control, logging, and evidence that Annex A expects for this new surface.
Primarily the access control, logging and monitoring, and information-handling controls, the ones observable and enforceable at runtime on AI traffic.
Service-to-service traffic uses SPIFFE-based mTLS, and access to models and providers is governed by RBAC enforced at the gateway.
Yes. Enforcement and access logs are queryable and exportable, and can be retained in object storage for long-term evidence.
Yes. The two standards are complementary; AegisPlane can enforce both packs on the same traffic.
Why now
Continuous checks and evidence, not a stale annual assessment
Security reviews now cover your AI traffic, not just your app. Every selected framework is checked on live AI traffic and the decision is logged as evidence, so audit prep stops being a fire drill. No code changes.
