Problem
AI Gateway already has strong routing, translation, rate limiting, and upstream auth, plus general Envoy security integrations (JWT, ext_authz) on the data plane. The MCP side goes further with scoped authorization, CEL expressions, and tool selectors.
What's missing is a first-class, body-aware governance hook in the LLM ExtProc pipeline where translated requests and responses can be evaluated by an external policy engine before dispatch and after completion.
A few existing issues point to this recurring need:
These aren't identical problems, but they all need a governance extension point that doesn't exist in the LLM path today.
Proposal
Add an optional, phased governance hook to the LLM ExtProc pipeline. Starting narrow:
Phase 1: Pre-request governance + decision metadata
A route-level config field pointing to an external governance service (gRPC). The hook runs in upstreamProcessor.ProcessRequestHeaders() (in internal/extproc/processor_impl.go) after translation and header/body mutation are finalized, before upstream auth and dispatch.
The governance service receives:
- Translated request headers and body (or a configurable subset/redaction)
- Backend and route name
- Caller identity from already-authenticated upstream filters, validated JWT claims, or trusted forwarded headers
It returns allow/deny with a reason and optional metadata (matched policy rule, trust level, request classification).
On deny, the ExtProc returns an ImmediateResponse with the policy engine's reason. On allow, governance decision metadata is written to Envoy dynamic metadata so it flows into access logs, OTel traces, and rate limit descriptors.
Phase 2: Async response audit
After the response completes, send response metadata to the governance service asynchronously for audit logging and compliance tracking. Non-blocking; the response is not held.
Phase 3: Buffered response enforcement (later)
For non-streaming responses only, optionally gate the response through the governance service before returning to the client. Streaming responses stay audit-only since tokens already left the proxy.
What this enables
- Model access control: "team-X can only use gpt-4o-mini" enforced at the gateway, not in application code
- Content governance: request scanning delegated to an external engine (prompt injection detection, PII checks)
- Audit trail: every LLM call gets a structured governance decision alongside existing token/latency metrics
- Compliance: operators in regulated industries can prove every AI call went through policy evaluation
Implementation
We maintain Agent Governance Toolkit, an open-source governance framework with a policy engine, agent identity, trust scoring, and compliance auditing. We'd be willing to contribute a reference governance processor and documentation if there's interest.
The integration pattern is an open question. Options:
- ExtProc-native hook in the existing processor pipeline (full body access, most capable)
- ext_authz filter (simpler, headers-only, well-understood pattern)
- Combination: ext_authz for fast allow/deny, ExtProc hook for body-level inspection
I'd lean toward option 1 since body access matters for content governance, but happy to hear what maintainers think fits best with the architecture direction, especially given the dynamic modules work tracked in #90.
Problem
AI Gateway already has strong routing, translation, rate limiting, and upstream auth, plus general Envoy security integrations (JWT, ext_authz) on the data plane. The MCP side goes further with scoped authorization, CEL expressions, and tool selectors.
What's missing is a first-class, body-aware governance hook in the LLM ExtProc pipeline where translated requests and responses can be evaluated by an external policy engine before dispatch and after completion.
A few existing issues point to this recurring need:
These aren't identical problems, but they all need a governance extension point that doesn't exist in the LLM path today.
Proposal
Add an optional, phased governance hook to the LLM ExtProc pipeline. Starting narrow:
Phase 1: Pre-request governance + decision metadata
A route-level config field pointing to an external governance service (gRPC). The hook runs in
upstreamProcessor.ProcessRequestHeaders()(ininternal/extproc/processor_impl.go) after translation and header/body mutation are finalized, before upstream auth and dispatch.The governance service receives:
It returns allow/deny with a reason and optional metadata (matched policy rule, trust level, request classification).
On deny, the ExtProc returns an
ImmediateResponsewith the policy engine's reason. On allow, governance decision metadata is written to Envoy dynamic metadata so it flows into access logs, OTel traces, and rate limit descriptors.Phase 2: Async response audit
After the response completes, send response metadata to the governance service asynchronously for audit logging and compliance tracking. Non-blocking; the response is not held.
Phase 3: Buffered response enforcement (later)
For non-streaming responses only, optionally gate the response through the governance service before returning to the client. Streaming responses stay audit-only since tokens already left the proxy.
What this enables
Implementation
We maintain Agent Governance Toolkit, an open-source governance framework with a policy engine, agent identity, trust scoring, and compliance auditing. We'd be willing to contribute a reference governance processor and documentation if there's interest.
The integration pattern is an open question. Options:
I'd lean toward option 1 since body access matters for content governance, but happy to hear what maintainers think fits best with the architecture direction, especially given the dynamic modules work tracked in #90.