Where the AI risk shows up
Teams ship AI faster than they can secure it.
By the time someone asks what your agent sent to a model, or which tools an agent called last week, the answer (if it exists at all) has to be reconstructed from logs scattered across several places. Here are the governance gaps we see most often.
Getting BAAs with AI providers is slow, fragile, and doesn't scale
Teams end up locked to one model because it's the only BAA they could get. At some companies, every new AI vendor requires annual approval from health insurance and pharma partners. Teams work around it by avoiding models they need or staying in a compliance gray area.
AI is in production but the audit trail is DIY or missing
Engineers integrate models through provider APIs with whatever logging they had time to build. Customer security questionnaires now include AI sections, and answering them means reconstructing logs from multiple places (if they exist at all).
Every Claude Desktop user has a different MCP configuration
Developers add servers on their own, manage their own credentials, and run local processes nobody else can see. Designers could have the same access to Snowflake as engineers, with no way to differentiate.
Agents are using their creator's credentials
Agents, service accounts, and workload identities already outnumber human users by roughly 45-to-1. Most have no security controls of their own. An agent running on a human's identity is invisible in the audit log: its calls look like the engineer's calls, and there's no way to trace what it did or what arguments it passed.
Tool access is all-or-nothing, and uncontrolled MCP is a supply chain risk
Claude Desktop and Claude Code give a user either everything a server exposes or nothing; there is no tool-level scoping. Any MCP server with shell or credential access is tier-0 supply chain: a changed tool definition affects everyone connecting through it, with no visibility.
Role access overview (product UI):

Role                  Servers                           Allowed tools
CRM Team              notion, sentry, + 3 more          23/47
Robots (No PHI)       github, notion                    12/20
Robots (PHI Access)   github, pylon, sentry, + 2 more   18/31
Account Owners        github, pylon, sentry, + 5 more   55/58

Access grant details for role CRM Team, tools available (20):
github    0/24
notion    8/17 (grant: All tools (wildcard *)): notion_notion-create-comment, notion_notion-create-database, notion_notion-create-pages, notion_notion-create-view, notion_notion-duplicate-page, notion_notion-fetch, notion_notion-get-comments, notion_notion-get-teams, notion_notion-get-users, notion_notion-move-pages, notion_notion-query-database-view, notion_notion-query-meeting-notes, notion_notion-search, notion_notion-update-data-source, notion_notion-update-page, notion_notion-update-view
sentry    12/12
shortcut  0/20
Ship AI features that touch sensitive data without building the security layer from scratch
Route LLM traffic through AI Gateway and get audit logging, de-identification, and BAA coverage enforced automatically.
Expand LLM usage beyond one provider without new BAAs
Teams locked to Bedrock or another single provider, because that is the only BAA they hold, can reach every supported model through AI Gateway's single BAA. Switching models or testing a new provider stays a product decision, not a compliance event.
Answer customer security questionnaires with actual evidence
Customer security reviews now include AI sections. Pull audit records for LLM usage and agent tool calls directly from the platform, without a reconstruction effort.
Secure developer tooling, not just production features
Engineers using Claude Code with internal tools connected through MCP are part of the same risk surface as production features. MCP Gateway applies the same access controls and audit logging to developer workflows automatically.
Separate PHI and non-PHI contexts as your team and agent count grow
As teams scale, the same agent or engineer may need different tool access depending on the task. Assign distinct permission profiles for workflows that touch regulated data vs. those that don't, enforced at the gateway rather than relying on the agent to self-limit.