AegisPlane

Extend ISO 27001 to every model call.

Your application is already in scope of your ISO 27001 ISMS. Its calls to external model providers usually are not. AegisPlane extends access control, logging, and evidence retention to every model request, so the AI layer meets the same bar.

No code changes. Live on your traffic in a day.

  • ISMS: security management
  • Annex A: controls aligned
  • 0 code changes
  • 12 frameworks and standards checked
  • 11 LLM providers, one gateway
  • Control-level policy engine (OPA)
  • Every request logged as evidence

One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.

The framework

What is ISO 27001?

Your ISMS was built before your app called an LLM. ISO/IEC 27001 is the international standard for information security management. It requires you to manage security risk systematically, with a catalogue of controls (Annex A) for access, logging, and cryptography. Certification is table stakes in enterprise procurement.

  • Defines an information security management system (ISMS).
  • Annex A controls cover access control, logging, and monitoring.
  • Requires evidence retention and continual risk treatment.
  • Certification is widely expected by enterprise buyers.
What it requires

What ISO 27001 requires

Annex A controls have to reach your AI traffic too. AegisPlane extends the ones enforceable at runtime.

1. Risk treatment

Identify and treat information-security risk. AI calls to outside models are treated as an access surface, not an exception.

2. Access control

Least-privilege access to models and providers, enforced by RBAC and SPIFFE mTLS between services.

3. Logging and monitoring

Every event is captured via OpenTelemetry, with alerting on anomalies.

4. Evidence retention

Decision logs are retained and exportable, so control evidence outlives the interaction.

See it work

One request, checked in real time

Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.

Business value

  • Reinforces AI information-security posture.
  • Reduces operational gaps in sensitive processes.
  • Aligns the AI layer with corporate security standards.
In the AI Control Plane

How AegisPlane applies ISO 27001 controls to AI

AegisPlane brings Annex A control discipline to the AI Control Plane (AICP), treating every model call and provider connection as an access event to be controlled and logged.

01. Access control as config

RBAC, identity, and provider access rules are expressed as versioned config and compiled into signed bundles, the documented control state auditors look for.

02. Enforced at the gateway

The OPA policy engine enforces least-privilege access to models and providers on every request, backed by SPIFFE mTLS between services.

03. Logging and monitoring

Every event is captured via OpenTelemetry for the logging and monitoring controls of Annex A, with alerting on anomalies.

04. Evidence retention

Decision logs can be retained and offloaded to object storage so control evidence is available for audit long after the interaction.
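As an added illustration of the four components above (and of the matching items under "What ISO 27001 requires"), here is a constructed gateway-side check. It is example code written for this page, not AegisPlane's implementation: it binds the caller's SPIFFE ID to roles from a versioned config, applies a default-deny least-privilege check on provider, model and token budget, and writes every decision as an evidence record that carries the config version and digest. The hash-chaining of records is an addition here to make edits or deletions in retained evidence detectable; the page does not describe how AegisPlane protects its logs. The config shape, role names, SPIFFE IDs and model names are all assumptions. In an OPA deployment the logic in decide() would be a Rego policy evaluated by OPA, which is not shown.

```python
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed, versioned access-control config. The shape is an assumption for
# this example; the page does not describe AegisPlane's bundle format.
ACCESS_CONFIG = {
    "version": "2024-06-01.3",
    "roles": {
        "support-assistant": {
            "providers": ["openai"], "models": ["gpt-4o-mini"], "max_tokens": 2048},
        "analytics-batch": {
            "providers": ["anthropic", "openai"],
            "models": ["claude-3-5-sonnet", "gpt-4o"], "max_tokens": 8192},
    },
    # SPIFFE IDs (taken from the peer's mTLS SVID) bound to roles. An identity
    # with no binding gets no access: default deny.
    "bindings": {
        "spiffe://corp.example/ns/prod/sa/support-bot": ["support-assistant"],
        "spiffe://corp.example/ns/prod/sa/reporting": ["analytics-batch"],
    },
}


def canonical_sha256(obj: dict) -> str:
    """SHA-256 over a canonical (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class ModelRequest:
    spiffe_id: str   # asserted by SPIFFE mTLS at the gateway, never by a header
    provider: str
    model: str
    max_tokens: int


def decide(req: ModelRequest, cfg: dict = ACCESS_CONFIG) -> dict:
    """Least-privilege check: allow only if some bound role permits this
    provider, this model and this token budget. Anything else is denied."""
    roles = cfg["bindings"].get(req.spiffe_id, [])
    if not roles:
        return {"decision": "deny", "reason": "identity has no role binding", "role": None}
    for role in roles:
        rule = cfg["roles"][role]
        if (req.provider in rule["providers"] and req.model in rule["models"]
                and req.max_tokens <= rule["max_tokens"]):
            return {"decision": "allow", "reason": "permitted by role", "role": role}
    return {"decision": "deny", "reason": "no bound role permits provider/model/budget", "role": None}


class EvidenceLog:
    """Append-only, hash-chained decision log. Each record commits to the
    previous record's hash and to the digest of the config that produced it,
    so retained evidence can be tied to a control state and checked for
    tampering when it is re-verified later (e.g. after offload to object storage)."""

    def __init__(self, cfg: dict = ACCESS_CONFIG):
        self.cfg = cfg
        self.records: list[dict] = []

    def record(self, req: ModelRequest, outcome: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {
            "ts": datetime.now(timezone.utc).isoformat(),
            **asdict(req), **outcome,
            "config_version": self.cfg["version"],
            "config_digest": canonical_sha256(self.cfg),
            "prev_hash": prev,
        }
        body["hash"] = canonical_sha256(body)
        self.records.append(body)
        return body

    def verify(self) -> bool:
        """Re-walk the chain; any edited, removed or reordered record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or canonical_sha256(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def handle(req: ModelRequest, log: EvidenceLog) -> dict:
    """Gateway path: decide, then log the decision as evidence whatever the outcome."""
    outcome = decide(req, log.cfg)
    log.record(req, outcome)
    return outcome


if __name__ == "__main__":
    log = EvidenceLog()
    sa = "spiffe://corp.example/ns/prod/sa/support-bot"
    print(handle(ModelRequest(sa, "openai", "gpt-4o-mini", 512), log))          # allow
    print(handle(ModelRequest(sa, "anthropic", "claude-3-5-sonnet", 512), log)) # deny: wrong provider
    print(handle(ModelRequest("spiffe://corp.example/ns/dev/sa/scratch", "openai", "gpt-4o-mini", 16), log))  # deny: unbound
    print("evidence chain intact:", log.verify())
```

Denials are logged with the same fields as allows, so the evidence shows not only what was permitted but what was attempted; the config digest on each record lets an auditor match a decision to the exact signed bundle in force at the time.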

FAQ

Frequently asked questions

No. It extends your existing ISMS to cover AI traffic, supplying the access control, logging, and evidence that Annex A expects for this new surface.

Primarily the access control, logging and monitoring, and information-handling controls, the ones observable and enforceable at runtime on AI traffic.

Service-to-service traffic uses SPIFFE-based mTLS, and access to models and providers is governed by RBAC enforced at the gateway.

Yes. Enforcement and access logs are queryable and exportable, and can be retained in object storage for long-term evidence.

Yes. The two standards are complementary; AegisPlane can enforce both packs on the same traffic.

Why now

Continuous checks and evidence, not a stale annual assessment

Security reviews now cover your AI traffic, not just your app. Every selected framework is checked on live AI traffic and the decision is logged as evidence, so audit prep stops being a fire drill. No code changes.