
AI Digital Trust & Runtime Governance

The NST Assure Architecture

Most teams treat AI safety as a guardrail bolted onto a chatbot. NST Assure treats it as a five-plane runtime fabric in which telemetry flows up and enforcement flows down, continuously.

In this short blog, Pradeep Kumar, Head of Engineering at NST Cyber, explains why enterprise AI trust can no longer rely on static controls or isolated guardrails and how NST Assure treats AI trust as a continuously enforced runtime architecture spanning identity, observability, governance, policy enforcement, and execution control.

NST Assure is designed to ensure that every AI interaction, agent action, and runtime decision is identity-attested, policy-governed, observable, traceable, and enforceable in real time across the enterprise AI stack.

Runtime Plane
LLM gateway, agent orchestrator, MCP tool layer, RAG, memory, model serving
Observability Plane
OTel GenAI semconv + OpenInference; every span signed, traceable, replayable
Trust Processing Plane
OPA/Cedar policy, guardrails, semantic evaluation, threat detection, trust scoring with conformal uncertainty
Enforcement Plane
API gateway, service mesh, sandboxing (Firecracker/gVisor), DLP, HITL, fail-mode controller (open/closed/static)
Governance Plane
WORM audit ledger (Merkle-chained), SIEM, regulator-ready reporting, trust-SLO budgets
Wrapped by:
Identity & Security
SPIFFE/SPIRE workload identity, delegation tokens (Macaroons/Biscuit), Sigstore supply chain, SBOM attestations
Build-Time Governance
Evaluation harness (Promptfoo/Inspect), red team (PyRIT/Garak), judge calibration, shadow → canary → production promotion

For engineers

NST Assure runs the same trust engine in CI and production. Red-team findings feed runtime threat detection. Every span becomes a node in a signed W3C PROV-O DAG where replay is a first-class operation, not a forensic exercise. Multi-tenancy is isolated at every layer including Kafka partitions, Kubernetes namespaces, OPA bundles, and SPIFFE trust domains.

For leaders

EU AI Act Articles 9-15, NIST AI RMF + 600-1 (GenAI Profile), ISO/IEC 42001, and SOC 2 become emergent properties of the architecture instead of controls added later during audits. Board-level trust KPIs originate from the same pipeline as the developer PR comment bot.

Reference Architecture
AI Digital Trust & Runtime Governance Platform
Enterprise Reference Architecture v2.0 — Runtime Governance & Trust Fabric
Legend: Telemetry flows · Enforcement flows · Lateral / control
Governance Plane
Audit · Compliance · Reporting · Risk Analytics · Board-level visibility
Audit Ledger
WORM / immutable · Merkle-chained · Signed events
Compliance
EU AI Act Art. 9–15 · NIST AI RMF · ISO 42001, SOC 2
SIEM
Splunk / Sentinel · Chronicle · Sigma rule mgmt
Risk Analytics
Trust score trends · Incident KPIs · Hallucination rate
Reporting
Regulator exports · Model cards · DPIA artefacts
SLA / SLO
Trust-SLO budgets · Error budget burn · Per-tenant SLOs
Executive UI
Grafana / Superset · Custom React · Per-tenant tiles
Policy Registry
Versioned bundles (OPA) · Promotion workflow · Shadow + canary modes
Enforcement Plane
Block · Quarantine · HITL escalation · Throttle · Sandbox isolation · Fail-mode policy
API Gateway
Kong / APISIX · Rate limits, quotas · JWT validation
Service Mesh
Istio AuthZ · Per-call policy · Mesh-wide mTLS
WAF / Edge
Cloudflare / AWS WAF · DDoS, bot mgmt · L7 inspection
Tool Sandbox
Firecracker / gVisor · WASM isolation · Egress allowlist
Runtime Sec
Falco (syscall) · Tetragon (eBPF) · Container escape det.
DLP / PII
MS Purview · Presidio (in-proc) · Egress scanning
HITL Approval
Temporal workflow · Slack / Teams bots · Reviewer routing
Fail-Mode Controller
Open / closed / static · Circuit breakers · Cached last-known-good
Trust Processing Plane
Policy · Semantic eval · Threat detection · Risk scoring · Correlation · Calibration
Policy Engine
OPA (Rego bundles) · Cedar (ABAC) · Promote / shadow
Guardrails
NeMo / Llama Guard · Granite Guardian · Custom classifiers
Semantic Eval
Ragas, DeepEval · NLI (DeBERTa) · LLM-as-judge (cal.)
Stream Compute
Apache Flink · Kafka Streams · Windowed correlation
ML Monitoring
Arize Phoenix · Drift, embeddings · Cohort analysis
Feature Store
Feast · Online + offline · Trust-score inputs
Threat Detect
Sigma rules + ML · PII / jailbreak class. · ATLAS TTP mapping
Trust Scoring Engine
DAG propagation, floor sem. · Uncertainty (conformal) · Calibration vs golden sets
Observability Plane
OTel GenAI semconv · OpenInference · Traces · Metrics · Logs · Feedback · Event mesh
OTel Collector
GenAI semconv · OpenInference span · Tail sampling
Event Streaming
Apache Kafka · Schema Registry · Tenant partitioning
Traces
Tempo / Jaeger · ClickHouse backend · Long-trace stitching
Metrics
Prometheus / Mimir · Per-call cost & tokens · SLO recording rules
Logs
Loki / OpenSearch · Structured JSON · PII-scrubbed
Feedback Bus
👍/👎, edits, abandon · Implicit signals · Linked to trace
Embeddings Store
Drift detection · Cohort comparison · Compressed (PQ)
Conversation Graph
Turn ↔ session ↔ user · Multi-agent DAG joins · Replay-ready
Runtime Plane
Where AI actually executes — instrumented for observability, gated by enforcement, identity-attested
User Edge
Web / Mobile / API · OAuth, session · Conversation ID · Feedback capture
LLM Gateway
LiteLLM / Portkey · Routing, fallback · Cost attribution · Per-tenant budgets
Agent Orchestr.
LangGraph · Semantic Kernel · CrewAI / AutoGen · Plan-tree spans
Workflow Engine
Temporal · Durable, replayable · TTL, budgets · HITL signals
Tool Layer (MCP)
MCP servers · OpenAPI adapters · Sandboxed exec · Scoped tokens
RAG / Retrieval
LlamaIndex / Haystack · Qdrant / Weaviate · pgvector / Milvus · Hybrid + reranker
Memory
Redis (short-term) · PostgreSQL (long) · Trust-weighted · Per-user partitions
Model Serving
vLLM / TGI / Ollama Ent. · SageMaker / Vertex / Bedrock · Self-host + frontier APIs · Quantized fallbacks
Identity & Security
Workload & Agent Identity
SPIFFE / SPIRE (SVID) · Workload attestation
Human Identity
OIDC / SAML / SCIM · MFA, step-up auth
Delegation Tokens
Macaroons / Biscuit · Attenuated capability
Secrets & PKI
HashiCorp Vault · cert-manager, KMS
Transport Security
mTLS (Istio / Linkerd) · SPIFFE trust domains
Supply Chain
Sigstore / cosign · SLSA, in-toto attest.
SBOM & Vuln-Mgmt
Syft / Trivy / Grype · Model card attestations
Threat Intel
MISP / OpenCTI · MITRE ATLAS feed
Provenance Ledger
W3C PROV-O DAG · Merkle-chained, WORM
Standards Alignment
OWASP LLM Top 10 · MITRE ATLAS, NIST 600-1
Infrastructure
Kubernetes
EKS / AKS / GKE / OpenShift · Karpenter, Cluster Autoscaler
Service Mesh
Istio + Envoy · Ambient mode (sidecarless)
GitOps / Delivery
ArgoCD / Flux · Helm, Kustomize
Hot Storage
ClickHouse (traces, metrics) · Redis (online features)
Warm Storage
OpenSearch / Elastic · PostgreSQL (metadata)
Cold / Lake
Iceberg + S3 (Parquet) · Glacier (archival, WORM)
GPU Compute
NVIDIA H100 / H200, B200 · vLLM / TGI pools, MIG
Sandboxing
Firecracker / gVisor · WASM (Wasmtime) for tools
Edge / On-Prem
K3s, MicroK8s · Air-gapped registries
Networking
Cilium (eBPF) · PrivateLink / VPC peering
Build-Time Governance — Catch issues before they reach prod. Promotion gates feed the same trust engine used in runtime.
CI/CD Pipelines
GitHub Actions · GitLab CI / Jenkins · Trust-gate jobs · Required for merge · Signed artefacts · cosign attestations
Eval Datasets
Golden sets (per task) · Adversarial set · PII / regulated set · Versioned (DVC / LakeFS) · Domain-labelled · Human-curated
Eval Harness
Promptfoo · Inspect (UK AISI) · LM Eval Harness · DeepEval / Ragas · Regression tracking · PR comment bot
Red Team Suite
PyRIT (Microsoft) · Garak · Continuous attack runs · ATLAS TTP coverage · OWASP LLM Top 10 · Feeds threat detect
Model Registry
MLflow / Vertex Reg. · Signed model cards · Eval results attached · SBOM per model · Stage gates · Rollback metadata
Prompt Registry
Git-backed · Semantic diffs · A/B harness · Rollout flags · Per-tenant variants · Linked to eval runs
Policy Tests
OPA conf test · Cedar test harness · Synthetic violations · Bundle integrity · Coverage reports · Mandatory in CI
Judge Calibration
Human-labelled set · Cohen's κ, IRR · Bias probes · Position swap test · Verbosity check · Per-domain models
Promotion Pipeline (Shadow → Canary → Prod)
  1. Eval gates pass on golden + adversarial sets
  2. Red team baseline maintained
  3. Policy tests green; bundles signed
  4. Deploy shadow (logs only, no enforce)
  5. Canary % w/ trust-SLO budget burn check
  6. Auto-rollback on SLO breach
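The canary step of this pipeline, written out as an added example rather than NST Assure's own code: a per-tenant trust-SLO burn-rate check that decides whether the canary holds, rolls back, or advances to the next traffic share. The SLO objective, the canary step sizes, the burn-rate threshold and the sample counts are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TrustSLO:
    objective: float   # e.g. 0.99: at most 1% of calls may fail a trust check

@dataclass
class CanaryStats:
    calls: int
    violations: int    # calls blocked or scored below the trust floor

def burn_rate(slo, stats):
    """Observed violation rate divided by the allowed rate; >1 exhausts the budget early."""
    allowed = 1.0 - slo.objective
    observed = stats.violations / stats.calls if stats.calls else 0.0
    return observed / allowed if allowed > 0 else float("inf")

def canary_step(slo, per_tenant, pct, max_burn_rate=2.0, min_calls=200, steps=(1, 5, 25, 100)):
    """Next action for a canary serving `pct` percent of traffic:
    'hold' (not enough data), 'rollback:<tenants>' or 'promote:<next pct | prod>'.
    SLOs are per tenant: one tenant burning faster than max_burn_rate rolls everyone back."""
    if sum(s.calls for s in per_tenant.values()) < min_calls:
        return "hold"
    breached = sorted(t for t, s in per_tenant.items() if burn_rate(slo, s) > max_burn_rate)
    if breached:
        return "rollback:" + ",".join(breached)
    nxt = [s for s in steps if s > pct]
    return f"promote:{nxt[0]}" if nxt else "promote:prod"

if __name__ == "__main__":
    # Constructed canary counts: tenant-b is violating three times faster than the SLO allows.
    slo = TrustSLO(objective=0.99)
    stats = {"tenant-a": CanaryStats(500, 3), "tenant-b": CanaryStats(300, 9)}
    print(canary_step(slo, stats, pct=5))   # rollback:tenant-b
```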
Cross-cutting flows: ↑ Telemetry flows up from Runtime through Observability into Trust; ↓ Enforcement decisions flow down from Trust through Enforcement into Runtime.
Fail-mode policy: Each enforcement decision declares fail-open / fail-closed / fail-static. A Trust Engine outage triggers the fail-mode controller's cached last-known-good policy.
Provenance: Every span is a node in a signed DAG (W3C PROV-O). Spans reference inputs by content hash; the chain is reconstructable end-to-end for audit and replay.
Multi-tenancy: Kafka partition per tenant · K8s namespace per tenant · OPA policy bundle per tenant · S3 prefix per tenant · SPIFFE trust domain per tenant.
Standards anchors: OWASP LLM Top 10 (2025) · MITRE ATLAS · NIST AI RMF + AI 600-1 (GenAI Profile) · EU AI Act Art. 9–15 · ISO/IEC 42001 + 23894 · SOC 2 · GDPR · UAE PDPL.
Build ↔ Runtime loop: Red-team findings, judge calibration, and adversarial set updates flow back into runtime threat detection — closing the offensive/defensive loop.
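The fail-mode policy described above, as an added example that is not NST Assure's code: a controller that declares fail-open, fail-closed or fail-static per decision, trips a circuit breaker after repeated Trust Engine failures, and in static mode answers from the cached last-known-good decision. The `evaluate` callable, the failure threshold and the cooldown are constructed assumptions.

```python
import time
from enum import Enum

class FailMode(Enum):
    OPEN = "open"      # engine outage: allow (and log)
    CLOSED = "closed"  # engine outage: block
    STATIC = "static"  # engine outage: reuse the cached last-known-good decision

class TrustEngineUnavailable(Exception):
    """Raised by the evaluate callable when the Trust Processing Plane cannot answer."""

class FailModeController:
    def __init__(self, evaluate, failure_threshold=3, cooldown_s=30.0, clock=time.monotonic):
        self._evaluate = evaluate        # callable(decision_key, ctx) -> "allow" | "block"
        self._last_known_good = {}       # decision_key -> last decision from a healthy engine
        self._failures = 0
        self._open_until = 0.0           # circuit breaker: skip the engine until this time
        self._threshold = failure_threshold
        self._cooldown = cooldown_s
        self._clock = clock

    def decide(self, key, ctx, fail_mode):
        """Return (decision, source); source is 'engine' or the fail mode that answered."""
        if self._clock() < self._open_until:
            return self._degraded(key, fail_mode)
        try:
            decision = self._evaluate(key, ctx)
        except TrustEngineUnavailable:
            self._failures += 1
            if self._failures >= self._threshold:
                self._open_until = self._clock() + self._cooldown
            return self._degraded(key, fail_mode)
        self._failures = 0
        self._last_known_good[key] = decision
        return decision, "engine"

    def _degraded(self, key, fail_mode):
        if fail_mode is FailMode.OPEN:
            return "allow", "fail-open"
        if fail_mode is FailMode.CLOSED:
            return "block", "fail-closed"
        cached = self._last_known_good.get(key)   # STATIC: last-known-good, else block
        return (cached, "fail-static") if cached else ("block", "fail-static-uncached")
```

A decision key such as `tenant:tool` is the unit that gets cached; a never-seen key in static mode has no last-known-good value and is blocked.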
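The provenance chain described above (spans as signed nodes that reference inputs by content hash, Merkle-chained for audit and replay), as an added example that is not NST Assure's code. HMAC-SHA256 with a constructed key stands in for the per-workload signer, the span fields are a constructed PROV-O-style subset, and the two-span trace is constructed.

```python
import hashlib, hmac, json

SIGNING_KEY = b"demo-ledger-key"  # constructed; stands in for a per-workload signing identity
GENESIS = "0" * 64

def content_hash(obj) -> str:
    """Canonical JSON -> SHA-256 hex. Spans reference inputs and outputs by this value."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_span(ledger, span_id, activity, used, generated, tenant):
    """Append a PROV-O-style node (activity used inputs, generated outputs), chained and signed."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    body = {
        "id": span_id, "tenant": tenant, "prov:activity": activity,
        "prov:used": [content_hash(u) for u in used],
        "prov:generated": [content_hash(g) for g in generated],
        "prev": prev,
    }
    entry_hash = content_hash(body)
    sig = hmac.new(SIGNING_KEY, entry_hash.encode(), "sha256").hexdigest()
    ledger.append({**body, "entry_hash": entry_hash, "sig": sig})

def verify_chain(ledger):
    """Recompute every hash and signature; return (ok, index of first bad entry or -1)."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k not in ("entry_hash", "sig")}
        if entry["prev"] != prev or content_hash(body) != entry["entry_hash"]:
            return False, i
        expected = hmac.new(SIGNING_KEY, entry["entry_hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, entry["sig"]):
            return False, i
        prev = entry["entry_hash"]
    return True, -1

def lineage(ledger, span_id):
    """Replay support: ids of earlier spans whose generated outputs this span consumed."""
    by_id = {e["id"]: e for e in ledger}
    used = set(by_id[span_id]["prov:used"])
    return [e["id"] for e in ledger if e["id"] != span_id and used & set(e["prov:generated"])]

def build_demo_ledger():
    ledger = []  # constructed two-span trace: retrieval feeds an LLM completion
    prompt = {"role": "user", "text": "Summarise the Q3 invoices"}
    docs = [{"doc": "inv-0093", "text": "Invoice 0093, total 4,200"}]
    answer = {"role": "assistant", "text": "Q3 total so far: 4,200"}
    append_span(ledger, "s1", "rag.retrieval", [prompt], docs, "tenant-a")
    append_span(ledger, "s2", "llm.completion", [prompt] + docs, [answer], "tenant-a")
    return ledger
```

Because each entry's hash covers its predecessor's hash, editing any earlier span or its signature breaks verification at that index, which is what makes the ledger WORM-auditable rather than merely logged.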

The shift NST Assure delivers is from asking "Did the LLM say something bad?" to asking "Is every agent action identity-attested, policy-gated, observable, and reversible?"

That's the bar.

Anything less is a demo running in production.

#AI #AIGovernance #LLM #AgenticAI #AIEngineering #EnterpriseAI #AISecurity #ResponsibleAI #MLOps #AIArchitecture #NSTAssure
About Author
Pradeep Kumar
Senior Vice President and Chief Product Architect at NST Cyber

Pradeep Kumar is the Senior Vice President and Chief Product Architect at NST Cyber. With over 25 years of experience in AI, cybersecurity, threat management, and large-scale enterprise systems, he leads innovation across NST Cyber's flagship platform, NST Assure.

Prior to joining NST Cyber, Pradeep served as Chief Architect at IBM, specializing in large-scale multi-tenant SaaS platforms. He has also held key engineering and architecture roles at Micro Focus, where he contributed to scalable SIEM platforms for real-time threat detection, and at Mindtree, where he was involved in architecting large-scale biometric and digital identity technology solutions.

Based in Bengaluru, India, Pradeep is recognized for leading globally distributed engineering teams and delivering enterprise-grade solutions across the finance, government, digital identity, and cybersecurity sectors.
