Skip to content

Composable AI architectures: Governing multiple providers and models under one control plane

Updated July 14, 2026

TL;DR: Designing a multi-provider AI architecture offers flexibility, but tying your security controls to specific vendor APIs creates lock-in and compliance gaps that follow you into every audit cycle. A truly composable AI systems architecture decouples policy enforcement from model execution. Routing all model and agent interactions through a unified, self-hosted control plane lets engineering teams swap providers transparently while security teams maintain consistent, standards-aligned enforcement across AIUC-1, OWASP Top 10 for Agentic Applications, and ISO/IEC 42001, with all governance logic and audit evidence generated and retained within your own infrastructure.

Most engineering teams design multi-model AI systems for redundancy or cost optimization but tie governance to a specific provider's API in the process, creating an irreversible architectural problem: when your security controls live inside a vendor's infrastructure, swapping models means rebuilding your entire compliance posture from scratch. That is not a portability trade-off. It is a liability that compounds with every model upgrade and every new regulatory obligation.

The answer is to decouple policy enforcement from model execution entirely. That principle separates a composable AI systems architecture from a distributed patchwork of point solutions, and this guide covers how to design, build, and govern a multi-provider AI architecture without accumulating technical debt that surfaces in your next AIUC-1 assessment or Federal Financial Institutions Examination Council (FFIEC) examination.

Defining the composable AI architecture

A composable AI systems architecture is a design pattern where AI capabilities are built from independent, interchangeable modules rather than hardcoded into a single monolithic system. Your organization can use OpenAI for document summarization, Anthropic for conversational interfaces, a specialized self-hosted model for sensitive data classification, and a fine-tuned domain model for reasoning, all within the same AI workflow, governed by the same policies, and visible in the same audit trail.

The sovereign AI control plane is what makes this architecture work in practice. The control plane acts as air-traffic control for your AI: it does not train models or store customer data, but it decides which model can access which data, under what policy, and keeps structured audit logs inside your own environment rather than in a vendor's infrastructure.

Decoupling policy from model execution

Policy enforcement hardcoded into application logic is a structural mistake that most teams recognize only after their first model migration. When your validation logic calls a provider-specific safety API directly, you cannot swap your model provider without rewriting that logic. Policy and model are fused, and the result is that every governance control becomes a per-provider implementation problem.

A zero-trust control plane architecture solves this by making the control plane the single policy execution environment, keeping raw data and compute local while only holding metadata and policy definitions. Policy becomes external to the model, lives inside your infrastructure, and applies uniformly whether the request routes to a closed API or a self-hosted model running on your own GPU cluster.

Mitigating vendor dependency risks

Hyperscaler-native governance features are insufficient point solutions, not a governance architecture. AWS Bedrock Guardrails and Azure AI Content Safety each address content filtering within their respective ecosystems, but neither delivers portable multi-vendor governance. The deeper problem is fragmentation: governance configuration built against one cloud provider's APIs does not transfer when you add a second provider or self-hosted model. Each team interpreting policy differently means one missed implementation becomes the audit finding. Rolling a custom abstraction to bridge multiple providers is itself a multi-quarter engineering project.

The table below shows how the three main governance approaches differ across the criteria that matter most to regulated enterprises.

Governance approach

Data sovereignty

Multi-vendor portability

Active runtime enforcement

Unified audit logging

Hyperscaler point solutions (AWS Bedrock Guardrails, Azure AI Content Safety)

Logs default to AWS-managed services (CloudWatch); export to customer-controlled storage requires additional configuration

Partial (ApplyGuardrail API supports third-party models but limited to content filtering categories)

Partial (content filtering only)

No (fragmented per service)

External SaaS gateways (WitnessAI)

Limited (single-tenant option available; default routing remains external)

Limited (API normalization only)

Yes (policy enforced at gateway)

Partial (vendor-controlled logs)

Self-hosted sovereign control plane (Prediction Guard)

Yes (all data stays in customer environment)

Yes (model-agnostic routing)

Yes (policy enforced before execution)

Yes (structured logs in customer SIEM)

The comparison above shows how three architectural patterns for governing AI workloads across multiple providers differ across data residency, portability, and audit control.

Architecting for model portability

Model portability requires a model-agnostic control plane that sits between your application and any model provider. Your application issues a single API request to the control plane, which resolves routing based on governance policy, data sensitivity requirements, or cost thresholds, and passes the governed request to the appropriate model. The control plane standardizes input and output formats so your application code never accommodates provider-specific differences. With that abstraction in place, a provider swap becomes a tested configuration change with rollback capability, not a code rewrite.

Foundational layers for multi-model governance

Effective multi-model governance depends on three interconnected layers: codified policy, a unified API abstraction, and active runtime enforcement. Each layer addresses a distinct failure mode that emerges when governance is left to individual developers or vendor-specific tooling.

Codifying policy for model portability

Policies documented in wikis are suggestions that disappear under delivery pressure. Codified, machine-enforceable policies defined centrally and enforced at the API level are a different category entirely. When policies are configured on the Govern page of the Admin Console and enforced at the control plane level, security teams define rules once and those rules apply to every model call, regardless of which SDK, framework, or developer wrote the application.

Unified API abstraction and routing

The control plane abstracts provider-specific API differences so developers never write model-specific handling in application code. Requests arrive at a single endpoint, and the control plane resolves routing based on governance policy, data sensitivity classification, cost thresholds, or availability before passing the governed request to the appropriate model. Developers target one endpoint, security teams manage one policy surface, and compliance teams get one audit log. Every model, tool, and API connection operates under the same governance policy set from the first registered asset onward, which is the only way to prevent the fragmentation that makes an AIUC-1 assessor or FFIEC examiner ask for documentation you cannot produce on short notice.

Enforcing policy at runtime on live AI calls

Runtime AI enforcement means the control plane evaluates every agent call as it happens, checks the call, allows it, blocks it, or rewrites it before the response returns. This is not monitoring and alerting after something goes wrong. It is active enforcement that prevents violations before they land. The distinction matters when regulated data is in scope: a violation you detect in a log five minutes later has already propagated to a downstream system, while a violation intercepted at the API level never completes. The Practical AI episode on agentic AI governance covers the practical architecture decisions that make runtime enforcement viable at enterprise scale across multi-model deployments.

Capturing compliance evidence at runtime

The audit log is evidence that enforcement happened, not the enforcement mechanism itself. The control plane generates structured, SIEM-ready audit log output as a byproduct of active enforcement, consumed by your SIEM (Splunk, Datadog, or any syslog-compatible target), which handles storage and retention entirely within your own environment. Prediction Guard generates the audit log output and formats it for native ingestion. Your SIEM stores and retains it. Prediction Guard does not hold SIEM credentials, API keys, or HEC tokens of any kind.

Standardizing multi-provider AI policy enforcement

A control plane enforces the same governance policy regardless of whether a request routes to an external provider or a self-hosted model running inside your own infrastructure. Standardizing enforcement at the API layer eliminates the per-provider policy drift that creates audit gaps in hybrid deployments.

Governing external APIs and self-hosted models

Whether your application calls an external provider like OpenAI or Anthropic, or routes to a self-hosted Llama or Mistral model running on your own infrastructure, the control plane applies the same governance policy uniformly. For outbound requests to third-party endpoints, the control plane intercepts and evaluates against your governance policy before the request leaves your environment. Sensitive content, proprietary IP, or regulated data that would violate policy is blocked or rewritten before reaching the external API. The same enforcement applies to self-hosted models with no separate policy configuration required.

Deploying across private and public clouds

The control plane is hardware and infrastructure agnostic, running in AWS VPCs, Azure environments, GCP, or fully self-hosted data centers with no changes to governance configuration. When a third-party AI service dependency is disrupted by regulatory action or an outage, organizations that self-host their governance infrastructure are insulated because their policies, routing rules, and audit log generation all remain operational inside their own environment.

API compatibility for multi-provider environments

The control plane exposes OpenAI-compatible and Anthropic-compatible endpoints so existing SDK calls and orchestration frameworks integrate without code rewrites. Governance enforcement is transparent to the developer: only the base_url changes.

Connecting LangChain to the control plane

For teams already building with LangChain, the official langchain-predictionguard Python package connects existing workflows to the governed control plane without rebuilding the toolchain. The package is listed in the official LangChain integration catalogue. Governance enforcement is transparent to the developer: application code does not change, only the base_url is repointed at the control plane endpoint, and every request automatically receives the policy treatment configured in the Admin Console.

from langchain_predictionguard import ChatPredictionGuard  # Only the base_url changes - governance is transparent llm = ChatPredictionGuard(     model="your-registered-model",     base_url="https://your-control-plane.example.com/v1" ) 

Connecting LlamaIndex to control planes

LlamaIndex workflows connect through the same OpenAI-compatible API interface. Pointing the base_url at the control plane endpoint routes all retrieval and query calls through governed enforcement without any framework-level changes. RAG workflows benefit from prompt injection defense and grounding verification automatically, without requiring developers to add validation logic at each retrieval step. This Practical discussion explains why governed retrieval, rather than model retraining, tends to be the pragmatic control for enterprise deployments where source-of-truth documents change frequently.

OpenAI-compatible API endpoints

The control plane exposes standard OpenAI-compatible /chat/completions and /completions endpoints alongside an Anthropic-compatible /messages endpoint, meaning existing SDK calls work out of the box. Governance is transparent: application code is identical before and after integration.

Policy-driven selection for AI endpoints

Routing decisions in a composable architecture are driven by governance policy, not just cost or model capability. Deterministic rules configured at the control plane level ensure that data sensitivity, compliance boundaries, and latency requirements are resolved before any request reaches a model.

Defining deterministic routing rules

Routing rules direct requests to specific model endpoints based on criteria such as data sensitivity classification, workload type, latency requirements, or compliance boundary. A request flagged as containing regulated financial data routes only to self-hosted endpoints. A high-volume classification task routes to a cost-optimized open-source model. A complex reasoning task routes to a closed-vendor API with the appropriate governance policy applied. These rules are configured once and enforced at every request with no developer involvement after initial setup.

Route requests by workload needs

Matching workloads to endpoints based on governance requirements, not just cost or capability, is where composable architecture delivers its clearest operational benefit:

  • High-volume classification: Self-hosted open-source models are a cost-efficient option where throughput requirements are high and task complexity is lower
  • Complex multi-step reasoning: Closed-vendor APIs are a common option for tasks requiring strong reasoning capability, with appropriate data handling policies applied at the control plane level
  • Sensitive data processing (PII, Controlled Unclassified Information (CUI), regulated financial data): Self-hosted endpoints within your own infrastructure boundary are the recommended option for workloads where data sovereignty and regulatory obligations require that sensitive data does not transit external infrastructure
  • RAG and retrieval workflows: Models with strong grounding capabilities are well-suited to retrieval-intensive workloads, with grounding verification available at the control plane level to validate output consistency against source documents.

Automating compliance across multi-provider AI workflows

Compliance in a multi-provider AI environment requires controls that generate evidence continuously, not documentation assembled retrospectively before an audit. The control plane operationalizes the key requirements of AIUC-1, OWASP Top 10 for Agentic Applications, and ISO/IEC 42001 as a byproduct of normal runtime enforcement.

Operationalizing AIUC-1 controls

AIUC-1 is purpose-built for agentic AI systems, covering 51 requirements and 130 controls across six risk pillars. It operationalizes ISO/IEC 42001, the NIST AI Risk Management Framework, and the EU AI Act within a single, use-case-level standard designed for autonomous and agentic deployments. Prediction Guard's AIUC-1 policy mapping is built into the control plane to address the enterprise vendor due diligence requirement directly: when an AIUC-1 assessor asks for evidence of runtime controls on agentic AI interactions, the structured audit log output generated by the control plane provides the artefacts needed, generated and retained inside your own infrastructure.

For organizations with EU or multinational exposure, ISO/IEC 42001 and the EU AI Act share significant structural overlap, with seven of the EU AI Act's core articles for high-risk AI systems having direct counterparts in ISO 42001's 38 Annex A controls. EU AI Act Article 17 explicitly requires controls across design, development, testing, deployment, and post-market monitoring, and a self-hosted control plane enforcing policy across all of those phases provides the continuous evidence trail a market surveillance authority or notified body requires.

Mapping OWASP risks to control policies

The OWASP Top 10 for Agentic Applications identifies the most critical risks facing autonomous AI systems. Three of those risks map directly to composable architecture decisions:

  • ASI01 Agent Goal Hijack: Attackers redirect agent objectives by manipulating instructions or tool outputs. Runtime enforcement at the control plane intercepts injected instructions before the agent acts on them.
  • ASI02 Tool Misuse and Exploitation: Agents misuse legitimate tools due to prompt injection or unsafe delegation. Runtime prompt injection defense at the control plane intercepts injected instructions before they reach the agent's tool-calling logic.
  • ASI03 Agent Identity & Privilege Abuse: Inherited credentials and agent-to-agent trust relationships create privilege escalation paths. Routing all agent interactions through a single control plane provides a centralized audit point for agent-to-agent calls; dedicated identity governance controls for multi-agent privilege escalation are planned for a future release.

Architecting secure data egress paths

The control plane scans and filters model outputs before they leave your trust boundary. Sensitive content, proprietary IP, or regulated data that violates policy is blocked or rewritten before it reaches the downstream system or end user. Raw data never transits Prediction Guard's infrastructure: the correct architecture keeps the control plane responsible for metadata and policy, and keeps heavy data and compute within your own environment.

Capturing runtime data for AI audits

The control plane generates the primary evidence artefact for an AIUC-1 assessor, an ISO/IEC 42001 certification body, or an FFIEC examiner reviewing a financial services AI governance program. The log records which policy was applied, whether the call was allowed, blocked, or rewritten, and what the model and agent returned, all structured for native ingestion into your SIEM. On the Monitor page of the Admin Console, you select your SIEM integration and confirm it is live, and the control plane begins formatting audit log output to match your SIEM's native field structure. Your existing ingestion pipeline handles delivery under your own controls.

Operationalizing multi-provider AI governance

Here is how to implement this architecture from registration to runtime evidence.

  1. Catalog managed AI endpoints: Register every model, external API, and Model Context Protocol (MCP) server into the control plane as an AI System (the control plane's inventory unit). This closes the gap where teams deploy agents faster than governance processes can capture them and produces a centralized inventory. The exportable AIBOM in CycloneDX format is the audit-ready byproduct of that registration.
  2. Configure governance policies centrally: On the Govern page of the Admin Console, security and GRC teams configure policies: prompt injection defense, toxicity filtering, and grounding verification. These policies apply to all registered models and agents automatically, with no custom validation logic required from developers. Separation of duties is built into this design: developers ship features, security teams own policy.
  3. Set dynamic model routing rules: Define routing policies based on data sensitivity classification, latency requirements, and cost thresholds. Sensitive data routes only to self-hosted endpoints. High-volume classification tasks route to cost-optimized models. Rules are deterministic and centrally managed, with no per-application configuration required.
  4. Embed governance into developer workflows: Developers repoint their existing OpenAI-compatible or Anthropic-compatible SDK calls to the control plane endpoint by changing the base_url. The langchain-predictionguard package handles LangChain workflows. No other application code changes are required, and governance enforcement is transparent from the developer's perspective.
  5. Configure SIEM output formatting: On the Monitor page of the Admin Console, select your Security Information and Event Management (SIEM) integration and confirm it is live. The control plane begins formatting structured audit log output to match your SIEM's native field structure. Your existing ingestion pipeline handles delivery. Prediction Guard formats the output only. It does not store logs or hold SIEM credentials.

Mitigating risks in multi-provider deployments

Multi-provider deployments introduce risks that single-vendor architectures do not surface: model version drift, model execution latency trade-offs from self-hosted infrastructure, and governance fragmentation across heterogeneous model families. The control plane architecture addresses each of these as a structural property rather than a per-incident remediation.

Mitigating version-specific policy gaps

Model providers update their models frequently, and a minor version change can alter output formatting, reasoning behavior, or content handling in ways that create compliance exposure without triggering an obvious error. Because policy enforcement lives in the control plane rather than in the model, upgrading from one model version to the next does not affect your policy configuration. The same rules apply, and the same audit log is generated, regardless of which model version processes the request. Treat portability as an architecture requirement from the start: define a stable agent blueprint with prompts, tool schemas, and retrieval configuration, and put model choice behind the control plane abstraction so provider swaps become tested configuration changes, not rewrites.

Minimizing model execution latency for local models

Self-hosting a control plane requires upfront infrastructure investment: provisioning the control plane host, registering AI assets, and integrating with your SIEM. That trade-off is worth examining honestly. The control plane itself is CPU-only and adds minimal overhead to round-trip latency, with the primary latency cost concentrated in the model execution phase. For air-gapped or self-hosted model deployments, eliminating the round-trip to an external provider API typically offsets the control plane overhead entirely. Prediction Guard states a 4X total cost of ownership (TCO) reduction compared to managing AI governance separately, though this is a company-stated figure that has not been independently verified.

Unified governance for diverse AI models

A sovereign AI control plane consolidates what would otherwise be a patchwork of point solutions: a prompt filter here, a content safety API there, a compliance tool for regulated workloads, each with its own vendor relationship and potential data access. As Noblis CEO Mile Corrigan stated in connection with the company's strategic collaboration with Prediction Guard: "This alignment offers significant opportunities for strategic collaboration on secure deployment of AI systems, including through Noblis' Artificial Intelligence Assurance Implementation (AI2) solution for AI safety, and further strengthens our ability to help customers navigate AI adoption while safeguarding sensitive data."

Book a deployment scoping call to assess whether a sovereign AI control plane fits your infrastructure and risk and compliance requirements.

FAQs

How does a control plane ensure security policies remain identical when swapping from a closed API to a self-hosted model?

The control plane abstracts policy enforcement from model execution entirely, so policies configured on the Govern page of the Admin Console apply at the API level regardless of which underlying model processes the request. Swapping the model is a routing change, not a governance change.

Can I govern hyperscaler models alongside self-hosted ones?

Yes, a composable control plane unifies both external third-party APIs and self-hosted models under one governance policy set, allowing consistent governance across hybrid environments without rebuilding your security stack when you add or replace a provider. This also means governance configuration is portable and does not depend on a single cloud provider's infrastructure.

What happens to active security policies when I migrate workloads from one cloud provider to another?

Because the control plane is self-hosted and infrastructure agnostic, your governance configuration is fully portable across AWS, Azure, GCP, or self-hosted infrastructure with no policy rebuilding required. You can migrate without losing policy continuity or rewriting code.

How do I generate a unified audit log when developers are using different SDKs and model providers?

The control plane intercepts all model interactions at the API level regardless of the SDK or provider the developer used, standardizes them into a single structured audit log, and formats that output for native ingestion by your SIEM. Prediction Guard generates the log and your SIEM handles storage and retention.

What is the latency overhead of routing model calls through a self-hosted control plane?

The control plane is CPU-only and adds minimal overhead to round-trip latency, with the primary latency cost concentrated in the model execution phase. For air-gapped or self-hosted model deployments, eliminating the round-trip to an external provider API typically offsets the control plane overhead entirely.

Does implementing this architecture require developers to rewrite existing code?

No. Developers repoint their existing OpenAI-compatible or Anthropic-compatible SDK calls to the control plane endpoint by changing the base_url, and the langchain-predictionguard package handles LangChain workflows without code changes.

Key terms glossary

Composable AI systems architecture: A design pattern where AI applications are built from modular, interchangeable components (models, tools, databases) decoupled from any single vendor's ecosystem, allowing independent updates or replacements without rebuilding the overall system.

Sovereign AI control plane: A self-hosted system that runs inside an organization's trust boundary to unify, secure, and govern all AI model and agent interactions, with governance logic, policy enforcement, and audit log generation all occurring within the customer's own infrastructure.

Active runtime enforcement: The real-time evaluation and modification (allowing, blocking, or rewriting) of AI inputs and outputs at the API level before model execution completes, rather than after the response has propagated downstream.

AI System registration: The process of cataloging all models, datasets, MCP servers, and tools within the control plane to establish a centralized inventory, with an exportable AIBOM in CycloneDX format generated as the audit-ready byproduct.

AIUC-1: An independent certification standard purpose-built for agentic AI systems, covering 51 requirements and 130 controls across six risk pillars, with a published crosswalk to ISO/IEC 42001, NIST AI RMF, and the EU AI Act.

Grounding verification: A probabilistic validation module within the control plane that verifies whether a model's output is factually consistent with and supported by the provided reference documents, applied at runtime before the response is returned.

PII (Personally Identifiable Information): Data that can identify an individual, such as names, addresses, social security numbers, and biometric records. In AI governance contexts, PII masking refers to runtime redaction or anonymization of such data before it is processed by a model or stored in logs.

MCP (Model Context Protocol): A protocol that enables AI models to interact with external data sources and tools in a standardized way. MCP servers expose these capabilities to models and agents through a common interface, allowing composable AI architectures to integrate multiple data sources without custom integrations.

SIEM (Security Information and Event Management): A category of security software that aggregates, correlates, and analyzes log data and security events from across an organization's infrastructure. In AI governance, SIEM integration enables audit logs generated by the control plane to be consumed, stored, and analyzed within the organization's existing security operations workflows.

AIBOM (AI Bill of Materials): An exportable inventory of all registered AI assets in CycloneDX format, generated as a byproduct of AI System registration. Used to provide structured artefacts for AI supply chain transparency and enterprise procurement due diligence.