Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Enterprise AI gateways: what H&M's approach means for IAM teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: H&M’s Generative AI Gateway centralised LLM traffic to address fragmented security, compliance, cost, and observability risks created by ad hoc AI integrations, according to Kong. The pattern matters because enterprise AI is quickly becoming an identity and governance problem, not just an application architecture choice.

NHIMG editorial — based on content published by Kong: Building the Nervous System for Enterprise AI, about H&M’s generative AI gateway approach

By the numbers:

  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.

Questions worth separating out

Q: How should organisations govern AI applications that connect directly to models?

A: They should place a central control layer between applications and model providers so authentication, routing, logging, and policy are enforced consistently.

Q: Why do direct LLM integrations create governance risk?

A: Direct integrations spread credentials, logging, and policy decisions across many teams, which creates inconsistent access control and weak auditability.

Q: What breaks when AI logging is not centralised?

A: Auditors and security teams lose the ability to reconstruct what data was sent to a model, which application initiated the request, and whether the access was approved under the right policy.

Practitioner guidance

  • Standardise AI access through a central control plane Require model access, routing, and policy enforcement to pass through a single gateway layer so teams do not create separate trust paths for each integration.
  • Inventory every AI credential and callback path Track API keys, service tokens, and downstream data routes used by LLM-enabled applications so you can see where access is granted and where data can leave.
  • Tie AI logging to compliance evidence Make request logs, prompt handling records, and access events available for audit review so governance teams can verify what was sent to which model and when.

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • How H&M structured its generative AI gateway as a central control layer for AI traffic
  • The specific governance and routing features used to support authentication, rate limiting, and auditability
  • The practical time and cost effects the team expected from consolidating AI access
  • The architectural rationale behind treating AI infrastructure as a reusable enterprise platform

👉 Read Kong's analysis of H&M's enterprise AI gateway model →

Enterprise AI gateways: what H&M's approach means for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

AI connectivity is becoming an identity governance problem before it becomes an AI architecture problem. The H&M pattern shows that once LLM access is distributed across teams, the organisation inherits the same failure mode seen in unmanaged NHI estates: inconsistent authentication, incomplete logging, and no reliable governance boundary. The practical conclusion is that enterprise AI programmes need a control plane mindset, not a collection of isolated integrations.

A few things that frame the scale:

  • 92% agree governing AI agents is critical to enterprise security, yet only 44% have implemented any policies to do so, according to AI Agents: The New Attack Surface report.
  • Only 52% of companies can track and audit the data their AI agents access, which leaves compliance and investigation teams operating with incomplete evidence.

A question worth separating out:

Q: How do IAM and NHI teams fit into AI gateway governance?

A: They should treat AI connectivity as part of the same control problem as workload identity and secrets management. The gateway becomes the enforcement point for access, audit, and policy, while IAM and NHI teams define the rules for who or what may call the models. Shared governance prevents AI sprawl from creating a second identity estate.

👉 Read our full editorial: H&M's AI gateway shows how enterprise AI governance scales



   
ReplyQuote
Share: