365 Architect

Aegis 365 -- API Design & External Interfaces

Primary API -- OpenAI-Compatible Gateway

Aegis 365 exposes an endpoint fully compatible with OpenAI's Chat Completion API. Enterprises change BASE_URL to point at the Aegis 365 gateway and their entire AI stack is instantly protected, with zero code modification.

POST /v1/chat/completions

Request (OpenAI-compatible):

{
  "model": "gpt-4",
  "messages": [
    { "role": "system", "content": "You are a financial analyst." },
    { "role": "user", "content": "Analyze account 4111-1111-1111-1111 for John Smith." }
  ],
  "temperature": 0.2,
  "max_tokens": 1024
}

Internal processing pipeline:

  1. L0 intercepts; classifies action into taxonomy (A--H); routes to HITL if high-risk.
  2. L1 runs SLM semantic analysis; detects jailbreaks; applies confidence scoring.
  3. L2 detects PII/PHI; applies Private Semantic Map; outputs sensitivity tile.
  4. L3 tokenizes sensitive data; writes to Secure State Map; outputs anonymized prompt.
  5. L7 checks semantic cache; if hit, skip LLM.
  6. L5 routes to compliant LLM endpoint (OpenAI, Anthropic, Bedrock, Gemini).
  7. LLM response returned to L4.
  8. L4 re-hydrates tokens to real values (subject to user clearance).
  9. L6 generates ZKP audit evidence (async).
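
A minimal sketch of steps 4 and 8 (L3 tokenization, then L4 re-hydration gated on clearance), added here as an illustration and not Aegis 365's own code. Assumptions: the `<CARD_…>` token format, a plain dict standing in for the Secure State Map, detection limited to Luhn-valid card numbers, and a boolean `cleared` flag in place of the real clearance check.

```python
import re
import secrets

# Assumption: only payment card numbers are detected (13-19 digits, optional
# space or hyphen separators). Names and other PII/PHI are out of scope here.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(number: str) -> bool:
    """Luhn checksum; filters out digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tokenize(prompt: str, state_map: dict) -> str:
    """L3-style step: swap each card number for an opaque token and record
    token -> real value in state_map (hypothetical Secure State Map stand-in)."""
    seen = {value: token for token, value in state_map.items()}

    def repl(match):
        value = match.group(0)
        if not luhn_ok(value):
            return value  # not a card number, leave untouched
        if value not in seen:  # same value always maps to the same token
            seen[value] = f"<CARD_{secrets.token_hex(4)}>"
            state_map[seen[value]] = value
        return seen[value]

    return CARD_RE.sub(repl, prompt)

def rehydrate(text: str, state_map: dict, cleared: bool) -> str:
    """L4-style step: restore real values only for a cleared user.
    Assumption: an uncleared user receives the text with tokens left in place."""
    if not cleared:
        return text
    for token, value in state_map.items():
        text = text.replace(token, value)
    return text

if __name__ == "__main__":
    state = {}
    # The user message from the sample request above.
    anon = tokenize("Analyze account 4111-1111-1111-1111 for John Smith.", state)
    print(anon)                                   # what the LLM would see
    print(rehydrate(anon, state, cleared=True))   # cleared user
    print(rehydrate(anon, state, cleared=False))  # uncleared user
```

The name in the sample prompt passes through unchanged because this sketch detects card numbers only.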

Response (OpenAI-compatible + Aegis metadata):

{
  "id": "chatcmpl-aegis-7f3a",
  "object": "chat.completion",
  "choices": [
    { "message": { "role": "assistant", "content": "..." }, "finish_reason": "stop" }
  ],
  "usage": { "prompt_tokens": 84, "completion_tokens": 210, "total_tokens": 294 },
  "aegis_metadata": {
    "session_id": 100237,
    "layers_executed": ["L0","L1","L2","L3","L5","L4","L6"],
    "policy_violations": [],
    "approval_required": false,
    "cache_hit": false
  }
}

Authentication:

  • Bearer Token: OAuth2/OIDC token from enterprise IdP (Azure AD, Okta).
  • Extract user context from JWT claims (sub, preferred_username, groups).
  • L0 validates that the user is active in Users and has L0 action permissions.

Admin API (Internal, Role-Gated)

Endpoint                          | Purpose                       | Required Role
----------------------------------|-------------------------------|--------------------------------------
GET /admin/audit-log              | Retrieve audit trail          | SOC Analyst, CISO, Auditor
POST /admin/break-glass           | Initiate dual-key Break Glass | Legal Counsel + CISO
GET /admin/policies               | List policies                 | AIGO, CISO
POST /admin/policies              | Create/update policy          | AIGO (non-immutable), CISO (immutable)
GET /admin/private-semantic-map   | View codename registry        | AIGO, Dept Admin
POST /admin/private-semantic-map  | Upload codename terms         | AIGO only
GET /admin/sessions/{id}          | View session state            | CISO, AIGO (scoped)
POST /admin/sessions/{id}/freeze  | Emergency session freeze      | CISO, SOC Analyst
GET /admin/siem-events            | Export to SIEM                | SOC Analyst

Third-Party Integration Endpoints

SIEM Push (L0--L6 Real-Time Events)

Syslog CEF format to Splunk, Azure Sentinel, Palo Alto XSOAR. Critical events sent immediately; low-priority batched every 5 min.

SOAR Bidirectional

  • Inbound: POST /soar/command. When Sentinel detects a compromised user, Aegis 365 freezes all sessions within 500ms.
  • Outbound: Anomaly flags (Mosaic patterns, high re-ID risk) sent to SOAR for enrichment.

IdP Sync

Continuous pull via Microsoft Graph / Okta API; runs every 5 min. Hard revocation: when a user is deleted, all active sessions are frozen within 500ms.

LLM Provider Connectors

OpenAI, Anthropic Claude, AWS Bedrock, Google Gemini, Azure OpenAI (BYOK), private LLMs (Ollama, vLLM).
