Skip to content

Security

Enterprise-grade security with SPIFFE identity, streaming guardrails, and semantic tool firewall.

# Security

BrainstormRouter implements six security layers designed for production AI workloads. Several of these are unique to BrainstormRouter and address gaps in other AI gateways.

SPIFFE Identity

Every service in the BrainstormRouter infrastructure has a cryptographic identity issued by a SPIFFE-compatible identity provider. Certificates rotate every 5 minutes, eliminating long-lived credentials. Mutual TLS (mTLS) authenticates all service-to-service communication.

This means:

  • No static API keys between internal services
  • Compromised credentials expire within minutes
  • Full audit trail of which service made which call

Streaming Token Guardrails

Most AI gateways can only inspect complete responses. BrainstormRouter inspects tokens as they stream, detecting and blocking harmful content in real-time before it reaches the client.

The guardrail system operates on a sliding window of tokens and can:

  • Halt generation mid-stream if a policy violation is detected
  • Redact sensitive information from the stream
  • Alert on suspicious patterns without blocking

This is particularly important for agent use cases where a compromised model response could trigger dangerous tool calls before the full response is available.

Semantic Tool Firewall

When BrainstormRouter proxies requests that include tool definitions, the semantic tool firewall analyzes both the tool call and its arguments against a policy engine:

  • Tool allowlists: Only permitted tools can be called
  • Argument validation: Tool arguments are checked against semantic rules (e.g., file paths must be within allowed directories)
  • Escalation patterns: Sequences of tool calls that match known attack patterns are flagged
  • Rate limiting: Per-tool rate limits prevent abuse

``json

{

"tool_policy": {

"allow": ["file_read", "web_search"],

"deny": ["shell"],

"rules": [

{"tool": "file_read", "args.path": {"not_match": "/etc/*"}}

]

}

}

``

PII Detection

Automatic detection and handling of personally identifiable information in both requests and responses:

  • Email addresses, phone numbers, SSNs, credit card numbers
  • API keys and secrets (high-entropy string detection)
  • Configurable handling: redact, warn, or block
  • PII events are logged to the audit trail

Prompt Injection Defense

Multi-layer defense against prompt injection attacks:

1. Input scanning: Detects known injection patterns and obfuscation techniques

2. System prompt isolation: System prompts are cryptographically separated from user input

3. Output validation: Checks if the model response indicates a successful injection

4. Behavioral analysis: Detects when model behavior deviates from expected patterns

Graduated Trust Degradation

Instead of binary allow/deny, BrainstormRouter implements graduated trust levels that degrade smoothly when anomalies are detected:

| Trust Level | Behavior |

|-------------|----------|

| Full | All tools and models available |

| Elevated | Sensitive tools require confirmation |

| Restricted | Read-only tools only, model limited to safe options |

| Quarantine | Request logged and blocked, admin notified |

Trust degradation is temporary and recovers automatically after the anomaly period passes. The degradation speed and recovery rate are configurable per organization.

Audit Trail

Every security event is recorded in an immutable audit log with:

  • Timestamp, request ID, and user identity
  • Security layer that triggered
  • Action taken (allow, redact, block, escalate)
  • Full request/response context for forensic analysis

Export audit logs via the API in CEF or ECS JSON format for integration with your SIEM.