
Route AI traffic through governed infrastructure.

Keep your existing agent and app shape where supported. Route model traffic through Aera Gateway, attach operating metadata, and enable PriviShield, Vault, Sentinel, telemetry, and evidence controls by route.

Start with the route. Add controls where risk exists.

§ 01 Adoption path

You should not need to rebuild every agent.

Adoption starts by moving model traffic onto a governed Gateway route where supported. Your applications can keep a familiar request shape while Aera adds controls around provider access, credentials, sensitive data, runtime decisions, telemetry, and evidence.

Start

Route the traffic.

Point existing AI calls at Aera Gateway where supported, instead of scattering provider access across every app, agent, or workflow.

Attach

Add operating context.

Attach tenant, workspace, team, app, agent, workflow, environment, provider, and model metadata where supported.

Control

Enable the route controls.

Enable PriviShield, Vault, Sentinel, telemetry, and evidence according to each route’s risk, data, and operating environment.

§ 02 Drop-in developer route

Start with a base URL, then add route intelligence.

Developers can begin with the smallest useful change: route model calls through Aera Gateway where OpenAI-compatible integration is supported. The first step is familiar. The operating path around it becomes governed.

Drop-in route example
illustration only
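import os

from openai import OpenAI

# Gateway-issued key read from the environment rather than hardcoded in source.
client = OpenAI(
    api_key=os.environ["AERA_GATEWAY_KEY"],
    base_url="https://gateway.aera.example/v1",  # illustrative gateway endpoint
)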

response = client.chat.completions.create(
    model="aera/openai/gpt-4o-mini",
    messages=[
        {"role": "user", "content": "Summarise this customer request."}
    ],
    extra_body={
        "metadata": {
            "tenant": "customer.demo",
            "workspace": "ops",
            "team": "support",
            "agent": "support.triage",
            "workflow": "ticket.summary"
        }
    }
)

Illustration only. Endpoint, key, model, and metadata syntax are confirmed during implementation or onboarding.

§ 03 Route configuration

Every call needs an operating identity.

A route is more than a provider and model choice. Metadata gives Aera the operating context needed for cost visibility, behavioural telemetry, policy decisions, replay, customer reporting, and team accountability.

§ 04 Controls by route

Enable protection where the route needs it.

Different AI routes carry different risk. Some routes only need visibility. Some need sensitive-data sanitization. Some need Vault-backed credential release. Some need Sentinel review or block mode before execution continues.

Gateway

Provider access and usage route

Centralise provider access, route metadata, usage records, model selection, and cost visibility.

PriviShield

Sanitize sensitive-data exposure

Detect, redact, mask, strip, block, or route sensitive cases for consent before provider execution where enabled.

Vault

Protect execution rights

Keep credentials and access objects out of model context, then release capabilities through controlled paths where required.

Sentinel

Control continuation

Control continuation using policy, pathway risk, behavioural telemetry, runtime decisions, evidence, trajectory, and replay where integrated.

Route control example
illustration only
{
  "route": "agent.support.triage",
  "provider": "openai",
  "model": "gpt-4o-mini",
  "controls": {
    "privishield": "redact",
    "sentinel": "review",
    "vault": "on_demand",
    "evidence": "metadata_first"
  }
}

Illustration only. Control names and modes are configured during implementation or onboarding.

§ 05 Builder path

Built an agent with AI?
Put a governed route in front of it.

If you have built agents, automations, copilots, or internal tools with AI, the first safety step is not a full rebuild. Put a governed route in front of model calls, protect keys, sanitize sensitive prompts, and make agent behaviour visible.

Fear

“Will this leak my keys?”

Move direct provider calls onto a Gateway route and migrate credentials into Vault when ready.

Privacy

“Will it send private data?”

Enable PriviShield where supported so common PII, secrets, and unsafe disclosure patterns can be sanitized before provider execution.

Control

“Will it do something unsafe?”

Enable Sentinel to observe, review, or block continuation decisions where integrated.

Visibility

“What actually happened?”

Use run telemetry, cost telemetry, control telemetry, behavioural telemetry, and replayable evidence in supported paths to understand route behaviour.

§ 06 Enterprise and MSP paths

One route model.
Different deployment doors.

Developers, internal platform teams, and MSPs need different entry points, but the operating model stays the same: route AI traffic through Gateway, attach metadata, apply controls, and keep telemetry and evidence tied to the customer environment.

Developer / local

Local and development routes

Test route metadata, provider access, and control enablement before wider rollout.

Team / company

Team and company routes

Connect provider accounts, teams, workspaces, policies, and evidence posture into a controlled operating path.

MSP

MSP and managed environments

Support tenant-aware routing, telemetry, cost visibility, policy posture, privacy decisions, evidence, and replay across managed customer environments.

Private / VPC

Private deployment planning

Private, VPC, or customer-managed deployment patterns depend on release capability, security requirements, and the customer environment.

§ 07 Integration checklist

Bring your route map.
Connect the control path.

Aera integration works best when the operating environment is clear: which apps call models, which provider accounts are used, where credentials live, which teams own the routes, and what evidence posture each workflow needs.

Traffic

Identify the model calls.

Map which apps, agents, workflows, tools, or automations currently call provider APIs.

  • AI traffic sources
  • Provider accounts and model routes

Access

Locate keys and credentials.

Identify provider keys, tool credentials, service tokens, and execution rights that should move into controlled handling.

  • Credentials and execution rights
  • Tenant, workspace, team, app, agent, and workflow metadata

Controls

Choose route posture.

Decide which routes need visibility, PriviShield sanitization, Vault release, Sentinel review, or Sentinel block mode.

  • Sensitive-data posture
  • Sentinel policy posture

Evidence

Set the reporting boundary.

Decide how route evidence, telemetry, cost reporting, and retention should work for each team, tenant, or customer environment.

  • Telemetry and cost reporting
  • Evidence and retention preferences
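
An added example, not Aera's own tooling: one way to start the traffic and credential inventory above is to scan Python sources for OpenAI client constructors and record whether each one targets the gateway host and whether its key is a string literal. The host is the illustrative one from the drop-in example; the file names and contents are constructed.

```python
import ast
from urllib.parse import urlparse

GATEWAY_HOST = "gateway.aera.example"  # illustrative host from the page's example

# Constructed sample sources standing in for files found during the inventory.
SAMPLES = {
    "support_triage.py": (
        "import os\n"
        "from openai import OpenAI\n"
        "client = OpenAI(api_key=os.environ['AERA_GATEWAY_KEY'],\n"
        "                base_url='https://gateway.aera.example/v1')\n"
    ),
    "legacy_bot.py": "from openai import OpenAI\nclient = OpenAI(api_key='sk-constructed-placeholder')\n",
    "batch_job.py": "import openai\nc = openai.OpenAI(api_key=KEY, base_url=settings.LLM_URL)\n",
}

def audit_source(name, source):
    """Return one finding per OpenAI(...) constructor call in `source`."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=name)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if callee != "OpenAI":
            continue
        kw = {k.arg: k.value for k in node.keywords if k.arg}
        base = kw.get("base_url")
        if base is None:
            route = "sdk_default"   # no base_url given: not shown to use the gateway
        elif isinstance(base, ast.Constant) and isinstance(base.value, str):
            route = "gateway" if urlparse(base.value).hostname == GATEWAY_HOST else "other"
        else:
            route = "unresolved"    # value set at runtime; needs manual review
        key = kw.get("api_key")
        literal_key = isinstance(key, ast.Constant) and isinstance(key.value, str)
        findings.append({"file": name, "line": node.lineno,
                         "route": route, "hardcoded_key": literal_key})
    return findings

def audit_all(sources):
    """Audit every source, in file-name order, and return a flat list of findings."""
    return [f for name, src in sorted(sources.items()) for f in audit_source(name, src)]

if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print(finding)
```

Findings marked `sdk_default`, `other`, or `unresolved` are the calls to map onto a Gateway route; `hardcoded_key` marks credentials to move into controlled handling.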

Start with the route. Add controls as you grow.

Move from scattered direct model calls to a governed AI route. Gateway centralises provider access, metadata, and usage. PriviShield, Vault, and Sentinel add sanitization, credential control, runtime governance, telemetry, and evidence where each route needs them.