Why Post-Hoc Filtering Is the Wrong Architecture
The dominant pattern in first-generation AI governance tooling is post-hoc filtering: the AI model runs, produces an output, and then a secondary system evaluates whether that output violates policy. If it does, the output is suppressed or modified before it reaches the end user.
Post-hoc filtering has two structural problems that make it inadequate for regulated industries.
First, it introduces a commitment gap. In many AI pipelines — batch scoring, event-driven decisioning, streaming output — the model's output is partially or fully committed to downstream systems before the filter evaluates it. A credit decision written to a loan origination system, a medical recommendation logged to an EHR, a legal document generated and cached: these are real-world effects that post-hoc filtering cannot reverse.
Second, it is architecturally insufficient for regulatory purposes. Regulators do not accept "our guardrail is 99.7% accurate" as a compliance defense. They require that policy be enforced, not just observed. A filter that occasionally fails — and all probabilistic filters occasionally fail — does not satisfy SR 11-7, HIPAA, or the EU AI Act's requirement for technical controls at the point of use.
The governing principle: Enforcement happens before the output is committed. A governance system that evaluates policy after the model decides is a monitoring system with a block button — not an enforcement system. The distinction matters to auditors, examiners, and incident response teams.
The Three Deployment Patterns
Pre-execution AI governance can be deployed in three architectural patterns, each with different latency, operational, and security tradeoffs. Understanding these tradeoffs is essential to selecting the right pattern for a given AI workload.
Pattern 1: Inline SDK (In-Process Enforcement)
The enforcement engine runs as a library within the same process as the application or model serving code. Policy evaluation happens in-memory, with no network hop. This pattern achieves the lowest possible enforcement latency — typically under 100 microseconds for a rule set of moderate complexity.
The inline SDK pattern is appropriate when:
- The AI application is a single-process service with a well-defined decision point
- Latency sensitivity is extreme (e.g., high-frequency trading risk models, real-time payment fraud detection)
- The policy set is small and changes infrequently — policy updates require application redeployment in this pattern
The primary limitation of the inline SDK pattern is that it conflates policy logic with application logic. If the application is compromised or misconfigured, the enforcement can be bypassed without a separate system detecting the bypass. For regulated industries where governance independence is required, this is a meaningful architectural weakness.
Pattern 2: Sidecar Proxy (Process-Level Isolation)
The enforcement engine runs as a sidecar container in the same Kubernetes pod as the AI workload, or as a local Unix domain socket proxy. All AI outputs pass through the sidecar before leaving the pod. Policy evaluation happens in a separate process — isolated from the application — but without a network hop, because the communication occurs over localhost or a Unix socket.
The sidecar pattern achieves latency in the 200–500 microsecond range and provides meaningful process isolation: a compromised application cannot easily bypass the sidecar without creating detectable network anomalies. Kubernetes admission controllers can enforce that the sidecar is always present, creating a structural guarantee that outputs cannot leave the pod without passing through enforcement.
The sidecar pattern is the recommended architecture for most regulated AI workloads: it balances latency, isolation, and operational manageability without requiring a separate service to manage and scale.
Pattern 3: API Gateway (Service-Level Enforcement)
The enforcement engine runs as a separate service and is called over the network — typically within the same datacenter or cloud availability zone. The AI application submits proposed decisions to the enforcement API and waits for a disposition before acting. Network round-trip adds latency (typically 500 microseconds to 2 milliseconds for same-region calls), but the separation of concerns is maximal: enforcement is a completely independent service that can be versioned, scaled, and audited independently of any individual AI workload.
The API gateway pattern is the right choice when multiple AI models or services share the same policy set, when governance independence is a hard audit requirement, or when policy changes need to take effect across all consumers instantly — without redeploying individual applications.
Latency Requirements: What Sub-Millisecond Actually Means
Sub-millisecond enforcement overhead is achievable for all three patterns under typical conditions. The key insight is that enforcement latency is dominated by I/O — not computation. A policy rule set of 50 rules, evaluated deterministically, takes under 50 microseconds of CPU time on modern hardware. The overhead you measure in production is the overhead of the transport layer and, critically, the overhead of signing the audit certificate.
| Pattern | Transport | p50 Latency | p99 Latency | Independence Level |
|---|---|---|---|---|
| Inline SDK | In-process | < 80 µs | < 200 µs | Low (same process) |
| Sidecar (Unix socket) | Unix domain socket | 150–300 µs | 500 µs | Medium (same pod) |
| API Gateway (same AZ) | HTTP/2 + TLS | 600 µs–1.2 ms | 2–4 ms | High (separate service) |
HMAC-SHA256 certificate signing adds roughly 15–30 microseconds on a modern x86-64 CPU. This is negligible relative to transport overhead but is worth accounting for in latency budgets. Asymmetric signing (RSA or ECDSA) adds significantly more overhead — 200–800 microseconds depending on key size — and is not recommended for inline enforcement paths. HMAC-SHA256 with a rotating key meets regulatory requirements for tamper-evident certificates at a fraction of the signing cost.
Policy Evaluation Engine Design
The performance of the enforcement layer is determined primarily by the design of the policy evaluation engine — not by the transport. An enforcement engine that does a linear scan of 200 rules in a Python interpreter will be measurably slower than a compiled rule engine evaluating the same rules. For sub-millisecond targets, the following design principles apply.
Compile Policies to Bytecode at Load Time
Policy rules expressed in a high-level DSL should be compiled to a bytecode representation when the policy set is loaded, not interpreted at evaluation time. A rule like action.amount > context.approved_limit AND NOT context.human_reviewed should compile to a sequence of typed comparisons, not a recursive descent parse at each evaluation. CoreGuard's policy engine compiles to a register-based bytecode with a fixed evaluation loop — policy evaluation is a series of typed comparisons with short-circuit evaluation, not general-purpose interpretation.
Rule Indexing and Early Exit
Policy sets for regulated industries typically have a small number of rules that fire frequently and many that fire rarely. An evaluation engine that indexes rules by the primary field they test — and evaluates only the rules whose primary condition could match — is significantly faster than evaluating all rules unconditionally. For a 100-rule policy set, rule indexing typically reduces the number of rules evaluated per request from 100 to 5–15.
Avoid Heap Allocation in the Hot Path
Every heap allocation in the policy evaluation hot path is a potential garbage collection pause. Enforcement engines implemented in garbage-collected languages must pre-allocate evaluation structures and reuse them across requests. A per-request allocation pattern in a high-throughput pipeline will produce latency spikes that violate sub-millisecond SLAs even if the average latency is acceptable. Structure pooling at a fixed pool size, initialized at startup, eliminates this source of tail latency.
See CoreGuard enforce your policies in real time
Sub-millisecond AI governance with signed audit certificates. Deploy as sidecar, SDK, or API in under an hour.
Explore CoreGuardSigned Certificate Generation at Inference Time
A governance enforcement system that does not produce a signed, verifiable record of each enforcement decision is not production-ready for regulated industries. The audit certificate is the evidence that enforcement ran — and that it ran correctly — for a specific AI decision at a specific time. The certificate must be generated synchronously with the enforcement decision, not asynchronously.
An asynchronous certificate written to a log after the fact can be lost, truncated, or replayed. A synchronous certificate returned to the caller in the enforcement response is the only design that guarantees certificate-to-decision integrity. For regulated industries, this is a non-negotiable architectural requirement.
What a Compliant Audit Certificate Contains
A minimal compliant audit certificate for regulated AI enforcement contains the decision identifier linking the certificate to the specific AI output, the policy set version evaluated, the complete list of rules with their disposition, the final enforcement disposition, a UTC timestamp generated by the enforcement engine (not the caller), and an HMAC-SHA256 signature over the canonicalized payload.
# CoreGuard audit certificate — JWT payload structure
{
"iss": "coreguard.eveaicore.com",
"iat": 1746489600,
"jti": "cert-20260505-0000042917",
"sub": "decision-APP-20260505-0042",
"policy_set": "lending_v1",
"policy_version": "1.4.2",
"disposition": "ALLOWED",
"risk_level": "LOW",
"rules_evaluated": [
{"rule_id": "ecoa.adverse_action.reason_codes", "result": "PASS"},
{"rule_id": "ecoa.adverse_action.confidence", "result": "PASS"},
{"rule_id": "sr117.human_review_gate", "result": "PASS"},
{"rule_id": "fair_lending.disparity_gate", "result": "PASS"},
{"rule_id": "sr117.model_boundary_check", "result": "PASS"}
],
"violations": [],
"enforcement_latency_us": 312,
"sig": "sha256=a4c8f2e1b9d7..."
}
# Verify a certificate offline (no CoreGuard dependency):
import hmac, hashlib, json, base64
def verify_certificate(cert_payload: dict, signing_key: bytes) -> bool:
sig_received = cert_payload.pop("sig")
canonical = json.dumps(cert_payload, sort_keys=True, separators=(',', ':'))
expected = "sha256=" + hmac.new(
signing_key,
canonical.encode(),
hashlib.sha256
).hexdigest()
return hmac.compare_digest(sig_received, expected)The certificate payload is canonicalized using RFC 8785 JSON Canonicalization Scheme (JCS) before signing. JCS eliminates ambiguity from key ordering and whitespace normalization, ensuring that the same certificate always produces the same signature regardless of serialization implementation. Without JCS canonicalization, certificates from different enforcement engine versions may produce different signatures for semantically identical payloads — making offline verification unreliable.
Measuring Enforcement Overhead Correctly
Enforcement latency is commonly measured incorrectly in two ways: measuring average latency instead of tail latency, and measuring enforcement in isolation rather than in the context of the full AI pipeline. Neither approach gives you the number you need for SLA compliance planning.
Measure p99, Not Average
Average enforcement latency in a well-designed system is not the problem. GC pauses, network jitter, and cold policy cache misses produce occasional outliers that violate sub-millisecond SLAs even when the average is 200 microseconds. Instrument enforcement latency as a histogram and track p95, p99, and p99.9 separately. A p99 violation that occurs 1% of the time means 10,000 violations per million decisions — unacceptable for regulated workloads where every decision must meet the SLA.
Measure End-to-End Delta, Not Isolation
Enforcement latency measured in a load test without the AI model running will understate real-world latency because CPU cache contention with the model inference code is not present. Measure enforcement overhead as the latency delta between your pipeline with enforcement enabled and disabled, under production-representative load. This is the number that matters for capacity planning and SLA commitment.
import time
import statistics
def benchmark_enforcement_overhead(
decision_payloads: list,
n_warmup: int = 100,
n_measure: int = 1000
) -> dict:
"""
Measure enforcement overhead as the p50/p95/p99 latency delta
between enforcement-enabled and enforcement-disabled pipelines.
Uses monotonic clock. Discards warmup runs to eliminate JIT effects.
"""
latencies_enforced = []
latencies_baseline = []
# Warmup pass — discard results, warm JIT and caches
for payload in decision_payloads[:n_warmup]:
_ = run_pipeline_with_enforcement(payload)
_ = run_pipeline_baseline(payload)
# Measurement pass
for payload in decision_payloads[:n_measure]:
t0 = time.monotonic_ns()
run_pipeline_with_enforcement(payload)
latencies_enforced.append(time.monotonic_ns() - t0)
t0 = time.monotonic_ns()
run_pipeline_baseline(payload)
latencies_baseline.append(time.monotonic_ns() - t0)
def pct(data, p):
return sorted(data)[int(len(data) * p / 100)]
overhead_ns = [e - b for e, b
in zip(latencies_enforced, latencies_baseline)]
return {
"overhead_p50_us": pct(overhead_ns, 50) / 1000,
"overhead_p95_us": pct(overhead_ns, 95) / 1000,
"overhead_p99_us": pct(overhead_ns, 99) / 1000,
"pipeline_p99_enforced_us": pct(latencies_enforced, 99) / 1000,
"pipeline_p99_baseline_us": pct(latencies_baseline, 99) / 1000,
}Policy Hot Reload Without Downtime
In regulated environments, policies change. Regulators issue updated guidance, audit findings require rule adjustments, and new products require new policy coverage. A governance enforcement layer that requires application redeployment to update policies creates operational risk: there is always a window between when a policy change is needed and when it takes effect.
A production-grade enforcement system must support hot policy reload — updating the active policy set without dropping active connections or creating enforcement gaps. The correct implementation uses a reader-writer lock pattern: the current policy set is held in an immutable, reference-counted structure. When a new policy version is loaded, it compiles to bytecode in a staging area, validates against the policy schema, and then atomically replaces the current active set. In-flight requests complete against the old set; new requests use the new set. There is no window where enforcement is suspended.
Policy versioning must be strict: each policy set has an immutable version identifier, and the active version is recorded in every audit certificate. When a policy change is deployed, there is a clean break in the certificate stream — every certificate before version N was evaluated against one policy set, every certificate after version N against the updated set. This property is essential for post-incident forensic analysis and regulatory examination.
Fail-Closed vs. Fail-Open: The Only Acceptable Default
When the enforcement layer is unavailable — network partition, process crash, overload — the AI pipeline must make a choice: allow outputs to pass without enforcement (fail-open) or block all outputs until enforcement is restored (fail-closed). For regulated industries, there is only one acceptable answer: fail-closed.
Fail-open posture means that every enforcement outage, however brief, is a compliance gap. An enforcement system that was unavailable for 30 seconds during which 500 credit decisions were made cannot certify that those 500 decisions were policy-compliant. That gap will appear in an examination and will require explanation.
Fail-closed posture means that enforcement outages surface as application errors, which operations teams notice and escalate. The compliance posture is clean: every committed decision has a certificate. High availability design — multiple enforcement instances, health checks, automatic failover — is the operational solution to the availability concern that fail-open is meant to address. The right answer is to make the enforcement layer highly available, not to accept policy gaps during outages.
Design principle: Configure your enforcement layer with a circuit breaker that fails closed. Set the enforcement API timeout at 5x your p99 latency to allow for transient overload, but when the enforcement service is unreachable after retry, the correct behavior is to return an error to the caller — not to allow the output through unsupervised.
Integration Patterns: Choosing the Right Deployment
Selecting the correct deployment pattern requires considering three factors: the latency budget of your AI pipeline, the operational independence requirement for governance, and the scope of AI workloads that need to be governed.
For a single AI service with tight latency requirements and policy that changes infrequently, the inline SDK pattern minimizes operational complexity. Deploy the CoreGuard SDK, load the policy set at startup, and call evaluate() at the decision point. Latency overhead is under 100 microseconds and the operational footprint is zero additional infrastructure.
For a Kubernetes-deployed AI service in a regulated environment where governance independence is auditable, the sidecar proxy pattern is the right choice. The sidecar intercepts all AI outputs at the network layer, enforces policy, and returns signed certificates. The application cannot bypass enforcement without disabling the sidecar, and disabling the sidecar is detectable by the Kubernetes admission controller.
For an organization with multiple AI products that share a governance policy, the API gateway pattern provides the simplest path to consistent governance across a diverse AI portfolio. A single CoreGuard instance, governed by a single policy set, enforces compliance for every AI workload with a unified certificate stream that auditors can query without touching individual application logs.
Operationalizing Enforcement: Monitoring and Alerting
A production enforcement deployment should expose the following observability signals as first-class metrics: enforcement decision rate broken down by disposition and policy set, enforcement latency histogram at p50/p95/p99/p99.9, policy rule fire rate to detect policy drift and misconfigured rules, certificate generation failure rate as a system integrity signal, and the active policy version across all enforcement instances.
The alert that matters most is not the BLOCKED rate — that is expected to be low — but the certificate generation failure rate. Any failure to produce a signed certificate for a disposed decision is a system integrity event. It means you have a decision with no verifiable governance record. That alert should page immediately, not go to a dashboard that someone checks weekly.