TL;DR: H&M’s Generative AI Gateway centralised LLM traffic to address fragmented security, compliance, cost, and observability risks created by ad hoc AI integrations, according to Kong. The pattern matters because enterprise AI is quickly becoming an identity and governance problem, not just an application architecture choice.
NHIMG editorial — based on content published by Kong: Building the Nervous System for Enterprise AI, about H&M’s generative AI gateway approach
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
Questions worth separating out
Q: How should organisations govern AI applications that connect directly to models?
A: They should place a central control layer between applications and model providers so authentication, routing, logging, and policy are enforced consistently.
Q: Why do direct LLM integrations create governance risk?
A: Direct integrations spread credentials, logging, and policy decisions across many teams, which creates inconsistent access control and weak auditability.
Q: What breaks when AI logging is not centralised?
A: Auditors and security teams lose the ability to reconstruct what data was sent to a model, which application initiated the request, and whether the access was approved under the right policy.
Practitioner guidance
- Standardise AI access through a central control plane: require model access, routing, and policy enforcement to pass through a single gateway layer so teams do not create separate trust paths for each integration.
- Inventory every AI credential and callback path: track API keys, service tokens, and downstream data routes used by LLM-enabled applications so you can see where access is granted and where data can leave.
- Tie AI logging to compliance evidence: make request logs, prompt handling records, and access events available for audit review so governance teams can verify what was sent to which model and when.
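To make the control-plane pattern from the Q&A and the three guidance points concrete, here is an added illustration of a minimal AI gateway in Python. It is not Kong's or H&M's code, and the app identifiers, tokens, model names and provider callables are constructed placeholders. The gateway authenticates the calling application against hashed tokens, enforces a per-app model allow-list and prompt-size limit, routes the request to a provider, and writes an audit record (app, model, provider, policy decision, prompt hash) for every request, including denied ones, so an auditor can later reconstruct who sent what to which model under which policy.

```python
import hashlib
import hmac
import json
import time
import uuid
from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class AppPolicy:
    app_id: str
    token_sha256: str            # gateway stores only a hash of the app's bearer token
    allowed_models: frozenset    # models this application is approved to call
    max_prompt_chars: int        # crude guardrail on how much data can leave per request


@dataclass
class AuditRecord:
    request_id: str
    ts: float
    app_id: Optional[str]        # None when authentication failed
    model: str
    provider: Optional[str]
    decision: str                # "allow" or "deny"
    reason: str
    prompt_sha256: str           # hash, not the prompt, so the log can be shared with auditors


class AIGateway:
    """Single choke point between applications and model providers (assumed design)."""

    def __init__(self, policies: List[AppPolicy], routes: Dict[str, str],
                 providers: Dict[str, Callable[[str, str], str]]):
        self.policies = policies
        self.routes = routes          # model name -> provider name
        self.providers = providers    # provider name -> callable(model, prompt)
        self.audit_log: List[AuditRecord] = []

    def _authenticate(self, token: str) -> Optional[AppPolicy]:
        presented = _sha256(token)
        found = None
        for policy in self.policies:  # compare every entry so timing does not reveal which app matched
            if hmac.compare_digest(policy.token_sha256, presented):
                found = policy
        return found

    def _record(self, request_id, app_id, model, provider, decision, reason, prompt_hash):
        self.audit_log.append(AuditRecord(request_id, time.time(), app_id, model,
                                          provider, decision, reason, prompt_hash))

    def _deny(self, request_id, app_id, model, prompt_hash, reason) -> dict:
        self._record(request_id, app_id, model, None, "deny", reason, prompt_hash)
        return {"status": "denied", "request_id": request_id, "reason": reason}

    def handle(self, token: str, model: str, prompt: str) -> dict:
        request_id = str(uuid.uuid4())
        prompt_hash = _sha256(prompt)
        policy = self._authenticate(token)
        if policy is None:
            return self._deny(request_id, None, model, prompt_hash, "auth_failed")
        if model not in policy.allowed_models:
            return self._deny(request_id, policy.app_id, model, prompt_hash, "model_not_allowed")
        if len(prompt) > policy.max_prompt_chars:
            return self._deny(request_id, policy.app_id, model, prompt_hash, "prompt_too_large")
        provider = self.routes.get(model)
        if provider is None or provider not in self.providers:
            return self._deny(request_id, policy.app_id, model, prompt_hash, "no_route")
        response = self.providers[provider](model, prompt)
        self._record(request_id, policy.app_id, model, provider, "allow", "policy_ok", prompt_hash)
        return {"status": "ok", "request_id": request_id, "provider": provider, "response": response}

    def audit_trail(self, app_id: str) -> List[dict]:
        """What an auditor asks for: every decision made on behalf of one application."""
        return [asdict(r) for r in self.audit_log if r.app_id == app_id]


# Constructed sample data: two apps, one of which may only use the small model.
SAMPLE_POLICIES = [
    AppPolicy("support-chatbot", _sha256("tok-chatbot-CONSTRUCTED"),
              frozenset({"vendor-a/large", "vendor-b/small"}), 4000),
    AppPolicy("internal-search", _sha256("tok-search-CONSTRUCTED"),
              frozenset({"vendor-b/small"}), 2000),
]
SAMPLE_ROUTES = {"vendor-a/large": "vendor-a", "vendor-b/small": "vendor-b"}


def _fake_provider(name: str) -> Callable[[str, str], str]:
    # Stand-in for a real model API; echoes request size instead of calling anything.
    return lambda model, prompt: f"[{name}:{model}] echo {len(prompt)} chars"


SAMPLE_PROVIDERS = {"vendor-a": _fake_provider("vendor-a"), "vendor-b": _fake_provider("vendor-b")}


def build_sample_gateway() -> AIGateway:
    return AIGateway(SAMPLE_POLICIES, SAMPLE_ROUTES, SAMPLE_PROVIDERS)


if __name__ == "__main__":
    gw = build_sample_gateway()
    print(gw.handle("tok-chatbot-CONSTRUCTED", "vendor-a/large", "Summarise this ticket"))
    print(gw.handle("tok-search-CONSTRUCTED", "vendor-a/large", "Find docs"))
    print(json.dumps(gw.audit_trail("internal-search"), indent=2))
```

The point of the design is that every trust decision (who the caller is, which model it may use, how much data may go out) lives in one place and leaves one record, which is exactly what direct per-team integrations lose; a real deployment would back the policy table with the organisation's IAM source of truth and ship `audit_log` to the SIEM rather than keeping it in memory.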
What's in the full article
Kong's full blog covers the operational detail this post intentionally leaves for the source:
- How H&M structured its generative AI gateway as a central control layer for AI traffic
- The specific governance and routing features used to support authentication, rate limiting, and auditability
- The practical time and cost effects the team expected from consolidating AI access
- The architectural rationale behind treating AI infrastructure as a reusable enterprise platform
👉 Read Kong's analysis of H&M's enterprise AI gateway model →
Enterprise AI gateways: what H&M's approach means for IAM teams?