<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: claire nguyen</title>
    <description>The latest articles on DEV Community by claire nguyen (@claire_nguyen).</description>
    <link>https://dev.to/claire_nguyen</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3864932%2F406e92e1-2c8d-4d65-a1f4-a8d4e8c2fd1d.jpg</url>
      <title>DEV Community: claire nguyen</title>
      <link>https://dev.to/claire_nguyen</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/claire_nguyen"/>
    <language>en</language>
    <item>
      <title>Best Tools to Block Sensitive Data From Reaching Public LLMs</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Thu, 09 Jul 2026 10:31:24 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/best-tools-to-block-sensitive-data-from-reaching-public-llms-53gk</link>
      <guid>https://dev.to/claire_nguyen/best-tools-to-block-sensitive-data-from-reaching-public-llms-53gk</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8ui71wleqzry3w0n4g7v.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F8ui71wleqzry3w0n4g7v.png" alt="Best Tools to Block Sensitive Data From Reaching Public LLMs" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Organizations deploying large language models (LLMs) in production face significant data privacy challenges. This guide explores the leading solutions for sensitive data protection with LLMs, focusing on how tools like &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provide robust guardrails, data redaction, and endpoint governance for enterprise-grade security.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The proliferation of large language models (LLMs) across enterprises introduces unprecedented opportunities for innovation, but also new vectors for data leakage. Sensitive information, ranging from personally identifiable information (PII) and protected health information (PHI) to confidential business secrets, can inadvertently reach public LLMs through user prompts or agent interactions. Preventing this data exposure is a critical concern for compliance, security, and maintaining trust. This article examines the various tools and strategies available to safeguard sensitive data from reaching public LLMs, highlighting key features and providing an overview of leading solutions.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Challenge of Sensitive Data in AI Applications
&lt;/h2&gt;

&lt;p&gt;As AI applications become integrated into daily workflows, employees often use LLMs for tasks that involve sensitive data, such as summarizing documents, drafting emails, or analyzing customer interactions. Without proper controls, these prompts can expose proprietary information or regulated data to third-party model providers. This unintentional data sharing poses significant risks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Compliance Violations:&lt;/strong&gt; Breaching regulations like GDPR, HIPAA, SOC 2, and CCPA can result in severe penalties and reputational damage.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Security Risks:&lt;/strong&gt; Exposure of intellectual property, trade secrets, or access credentials can lead to competitive disadvantages and system vulnerabilities.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Reputational Harm:&lt;/strong&gt; Data breaches erode customer trust and can have long-lasting negative impacts on a company's public image.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Shadow AI:&lt;/strong&gt; Employees often use public LLM tools directly on their machines, bypassing corporate network controls. This "shadow AI" creates a blind spot where sensitive data can flow unregulated.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Mitigating these risks requires specialized tools that can inspect, filter, and redact data before it leaves the organization's control.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbdan3t8b0qp0rqnc1ea3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fbdan3t8b0qp0rqnc1ea3.png" alt="A chaotic tangle of data streams, some visibly containing sensitive information like redacted text, flowing unchecked in" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Key Features of Sensitive Data Protection Tools for LLMs
&lt;/h2&gt;

&lt;p&gt;Effective tools for blocking sensitive data from public LLMs typically offer a combination of the following features:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data Redaction and Masking:&lt;/strong&gt; Automatically identifies and replaces sensitive information (e.g., credit card numbers, social security numbers, email addresses) with placeholders or obfuscated values.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;PII/PHI Detection:&lt;/strong&gt; Utilizes predefined patterns and machine learning to detect categories of PII and PHI across various data formats.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Customizable Guardrails:&lt;/strong&gt; Allows organizations to define their own rules and policies for what constitutes sensitive data, enabling the blocking or redaction of specific keywords, regex patterns, or proprietary information.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Access Control and Virtual Keys:&lt;/strong&gt; Implements granular access controls to LLM resources, often through virtual keys, to manage who can access which models and under what data governance policies.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Audit Logging:&lt;/strong&gt; Maintains immutable logs of all requests and responses, providing an audit trail for compliance and forensic analysis.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Real-time Enforcement:&lt;/strong&gt; Processes prompts and responses in real-time to prevent sensitive data from ever reaching the external LLM provider.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Endpoint Governance:&lt;/strong&gt; Extends data protection policies to individual employee machines, governing AI usage in desktop applications, browsers, and coding agents, addressing the shadow AI problem.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Integration with Existing Security Infrastructure:&lt;/strong&gt; Compatibility with existing identity providers (SSO/OIDC) and data loss prevention (DLP) systems.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Top Tools for Protecting Sensitive Data with LLMs
&lt;/h2&gt;

&lt;p&gt;Several solutions are available that offer varying degrees of sensitive data protection for LLM workloads.&lt;/p&gt;

&lt;h3&gt;
  
  
  Bifrost
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; stands out as an open-source AI gateway that provides comprehensive security and governance features designed to prevent sensitive data from reaching public LLMs. It is particularly well-suited for enterprises requiring robust compliance and control over their AI infrastructure. Bifrost, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; from Maxim AI, unifies access to over 1000 models via a single API, while integrating advanced data protection mechanisms.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key sensitive data protection features:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Guardrails:&lt;/strong&gt; Bifrost offers extensive &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrail capabilities&lt;/a&gt;, including native &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/secrets-detection" rel="noopener noreferrer"&gt;Secrets Detection&lt;/a&gt; (backed by Gitleaks) to catch API keys and credentials, and highly configurable &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/custom-regex" rel="noopener noreferrer"&gt;Custom Regex&lt;/a&gt; for blocking or redacting organization-specific sensitive patterns (including a built-in PII Detection template). It also integrates with external guardrail providers like AWS Bedrock Guardrails, Azure Content Safety, and Patronus AI.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Virtual Keys and Access Control:&lt;/strong&gt; The platform's &lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;virtual keys&lt;/a&gt; enable fine-grained access control, allowing administrators to enforce policies on what data can be sent, which models can be used, and at what cost.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Audit Logs:&lt;/strong&gt; All prompts and responses are logged in &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;immutable audit trails&lt;/a&gt;, essential for SOC 2, GDPR, and HIPAA compliance.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Bifrost Edge for Endpoint Governance:&lt;/strong&gt; A unique differentiator is &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;, which extends the gateway's governance and security controls directly to employee machines. This endpoint agent ensures that AI traffic from desktop apps, browser AI, and coding agents is routed through Bifrost, effectively preventing "shadow AI" data leakage with &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;endpoint enforcement&lt;/a&gt; on each device. The same guardrails configured in the Bifrost AI gateway are applied automatically to endpoint AI usage.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Deployment Flexibility:&lt;/strong&gt; Bifrost supports &lt;a href="https://docs.getbifrost.ai/enterprise/invpc-deployments" rel="noopener noreferrer"&gt;in-VPC deployments&lt;/a&gt; and air-gapped environments, ensuring sensitive data never leaves the organization's private cloud infrastructure.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Enterprises and regulated industries that require a high-performance, open-source, and fully controllable solution for sensitive data protection, comprehensive governance, and endpoint AI security.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn1eol79s0xfyprtnq20e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fn1eol79s0xfyprtnq20e.png" alt="A sleek, digital shield or guardrail protecting a structured data flow. Green-glowing, clean data packets pass through, " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  Cloudflare AI Gateway
&lt;/h3&gt;

&lt;p&gt;Cloudflare offers an AI Gateway designed to provide caching, rate limiting, and observability for LLM APIs. Its focus is primarily on performance and cost optimization at the network edge. For sensitive data, Cloudflare's platform can be configured with &lt;a href="https://developers.cloudflare.com/workers-ai/data-privacy/" rel="noopener noreferrer"&gt;Workers AI and Data Loss Prevention (DLP)&lt;/a&gt; to identify and redact sensitive information using machine learning models and predefined patterns. Its integration with the broader Cloudflare security ecosystem offers additional layers of protection.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Organizations already leveraging Cloudflare for network security and content delivery, looking to extend those capabilities to their LLM API traffic with integrated data protection at the edge.&lt;/p&gt;

&lt;h3&gt;
  
  
  Kong AI Gateway
&lt;/h3&gt;

&lt;p&gt;Kong is an API gateway that has extended its capabilities to support AI workloads. The &lt;a href="https://konghq.com/products/kong-ai-gateway" rel="noopener noreferrer"&gt;Kong AI Gateway&lt;/a&gt; provides a flexible platform for managing, securing, and extending AI APIs. For data protection, Kong's plugin ecosystem allows for the integration of custom policies and third-party DLP solutions. It can be configured to perform data masking or redaction using specific plugins or custom logic applied to API requests and responses. Kong is particularly strong for organizations that already manage their APIs with Kong.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Enterprises with existing Kong API gateway deployments that need to add sensitive data protection and governance layers to their LLM API calls using a flexible plugin architecture.&lt;/p&gt;

&lt;h3&gt;
  
  
  Google Cloud DLP
&lt;/h3&gt;

&lt;p&gt;While not an AI gateway itself, &lt;a href="https://cloud.google.com/dlp" rel="noopener noreferrer"&gt;Google Cloud Data Loss Prevention (DLP)&lt;/a&gt; is a powerful tool that can be integrated with LLM workflows for sensitive data protection. It excels at discovering, classifying, and redacting sensitive data (including over 150 predefined detectors for PII, PHI, and financial data) across various data sources. Teams can use Cloud DLP in conjunction with an LLM gateway or directly within their application logic to inspect and transform prompts and responses before they interact with LLMs.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Best for:&lt;/strong&gt; Organizations heavily invested in Google Cloud, seeking a robust, scalable, and highly accurate data loss prevention service to integrate into their custom LLM applications and infrastructure.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Choose the Right Solution for Your Organization
&lt;/h2&gt;

&lt;p&gt;Selecting the best tool for blocking sensitive data from public LLMs depends on several factors:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Deployment Environment:&lt;/strong&gt; Consider whether your organization requires on-premises, VPC, or cloud-native deployment options.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Existing Infrastructure:&lt;/strong&gt; Evaluate how well the solution integrates with your current API management, security, and identity systems.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Compliance Requirements:&lt;/strong&gt; Assess the tool's ability to meet specific regulatory standards (e.g., GDPR, HIPAA, SOC 2) through features like audit logging, data redaction, and access control.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Scalability and Performance:&lt;/strong&gt; Ensure the solution can handle your anticipated LLM traffic volume without introducing significant latency.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Endpoint Governance Needs:&lt;/strong&gt; Determine the importance of extending data protection policies to individual user machines to address shadow AI.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Customization and Extensibility:&lt;/strong&gt; Look for platforms that allow custom guardrails, plugin development, or integration with specialized DLP services.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For organizations that prioritize open-source flexibility, high performance, comprehensive governance, and full control over their AI infrastructure, including robust endpoint protection against shadow AI, Bifrost presents a compelling solution. Its combination of advanced guardrails, virtual keys, audit logging, and the unique capabilities of Bifrost Edge provides an end-to-end framework for securing sensitive data in the age of LLMs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  Cloudflare. "Data privacy in Workers AI". Cloudflare Documentation. &lt;a href="https://developers.cloudflare.com/workers-ai/data-privacy/" rel="noopener noreferrer"&gt;https://developers.cloudflare.com/workers-ai/data-privacy/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  Google Cloud. "Data Loss Prevention". Google Cloud. &lt;a href="https://cloud.google.com/dlp" rel="noopener noreferrer"&gt;https://cloud.google.com/dlp&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>privacy</category>
      <category>llm</category>
    </item>
    <item>
      <title>Async LLM inference in CI: stop build workers blocking on slow jobs</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Thu, 25 Jun 2026 13:21:46 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/async-llm-inference-in-ci-stop-build-workers-blocking-on-slow-jobs-26ab</link>
      <guid>https://dev.to/claire_nguyen/async-llm-inference-in-ci-stop-build-workers-blocking-on-slow-jobs-26ab</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; Async inference through an AI gateway lets CI build workers submit a long LLM job, get an id back, and poll later, so a 30-second model call stops holding a worker hostage. Here's how I wired it with Bifrost.&lt;/p&gt;

&lt;p&gt;Our build workers at Buildkite were each blocked for up to 35 seconds waiting on a single LLM call that summarised failed test output. With a few hundred concurrent builds running through our compute cluster, that's a pile of expensive compute sitting idle on one synchronous request to a model provider. We moved those jobs behind &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;the open-source AI gateway&lt;/a&gt; by Maxim AI, and switched them to async submit-and-poll so the worker could get back to running the actual build while the summary cooked in the background.&lt;/p&gt;

&lt;h2&gt;
  
  
  What async inference actually does
&lt;/h2&gt;

&lt;p&gt;Async inference is a request pattern where the client submits a job, gets an identifier back straight away, and polls for the result later instead of holding the connection open. With Bifrost you set &lt;code&gt;x-bf-async: true&lt;/code&gt; on the request and get an &lt;code&gt;x-bf-async-id&lt;/code&gt; in return, then poll that id once the model has finished. The &lt;a href="https://docs.getbifrost.ai/overview" rel="noopener noreferrer"&gt;docs overview&lt;/a&gt; covers the submit and poll lifecycle.&lt;/p&gt;

&lt;p&gt;The win is mechanical, not magic. A worker that no longer blocks on a slow upstream can pick up the next build step. On a fleet where each agent costs real money per minute, freeing 35 seconds per build adds up fast across a few hundred concurrent runs.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why synchronous LLM calls stall a build fleet
&lt;/h2&gt;

&lt;p&gt;A build agent is a finite resource. When it makes a blocking HTTP call to an LLM and the provider takes 30-plus seconds, that agent is doing nothing but waiting on a socket. Multiply that by every failing build wanting a summary, and you've quietly turned your model provider's latency into your queue depth.&lt;/p&gt;

&lt;p&gt;We saw exactly this. P95 latency on the summariser sat around 28 seconds, and during a flaky-test storm the build queue backed up because agents were parked on those calls. The compute was healthy; the scheduling was wrong. The fix is to decouple "ask for a summary" from "wait for a summary."&lt;/p&gt;

&lt;h2&gt;
  
  
  Wiring async submit and poll
&lt;/h2&gt;

&lt;p&gt;The change was small. We added two headers and split one blocking call into a submit step and a later poll step. The Bifrost endpoint stays OpenAI-compatible, so the request body didn't change at all, which is the point of a &lt;a href="https://docs.getbifrost.ai/features/drop-in-replacement" rel="noopener noreferrer"&gt;drop-in replacement&lt;/a&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Submit: fire the job, return immediately with an id&lt;/span&gt;
curl &lt;span class="nt"&gt;-s&lt;/span&gt; &lt;span class="nt"&gt;-X&lt;/span&gt; POST http://bifrost:8080/v1/chat/completions &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"Content-Type: application/json"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"x-bf-async: true"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"x-bf-dim-team: build-platform"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s1"&gt;'{
    "model": "openai/gpt-4o-mini",
    "messages": [{"role": "user", "content": "Summarise this failed test log..."}]
  }'&lt;/span&gt;
&lt;span class="c"&gt;# response carries x-bf-async-id: job-8f21&lt;/span&gt;

&lt;span class="c"&gt;# Poll later, from a separate build step, once the agent has moved on&lt;/span&gt;
curl &lt;span class="nt"&gt;-s&lt;/span&gt; http://bifrost:8080/v1/chat/completions &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;-H&lt;/span&gt; &lt;span class="s2"&gt;"x-bf-async-id: job-8f21"&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We submit at the start of the post-build hook, run the rest of the cleanup, then poll near the end. By the time we poll, the summary is usually ready, so the agent almost never waits. The &lt;code&gt;x-bf-dim-team&lt;/code&gt; header tags the request with our team name, which Bifrost auto-forwards to logs, traces, and Prometheus so we can see which team's jobs are driving spend.&lt;/p&gt;

&lt;h2&gt;
  
  
  Keeping costs and failures visible
&lt;/h2&gt;

&lt;p&gt;Async jobs are easy to lose track of, so observability matters more, not less. With &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; the custom &lt;code&gt;x-bf-dim-*&lt;/code&gt; dimension headers flow straight into the &lt;a href="https://docs.getbifrost.ai/features/observability" rel="noopener noreferrer"&gt;observability&lt;/a&gt; layer, which writes asynchronously and adds under 0.1ms of overhead per the &lt;a href="https://docs.getbifrost.ai/benchmarking/getting-started" rel="noopener noreferrer"&gt;benchmarking docs&lt;/a&gt;. That let us build a Grafana panel keyed on team and job type without instrumenting our own code.&lt;/p&gt;

&lt;p&gt;Failover still applies to async jobs. We kept &lt;a href="https://docs.getbifrost.ai/features/fallbacks" rel="noopener noreferrer"&gt;automatic fallbacks&lt;/a&gt; configured so that if our primary provider returns 502s, the gateway retries against a secondary before the job id ever comes back failed. On the throughput side, a single instance sustains 5,000 RPS at 100% success with roughly 11µs of gateway overhead on a t3.xlarge, per the &lt;a href="https://www.getmaxim.ai/bifrost/resources/benchmarks" rel="noopener noreferrer"&gt;published benchmarks&lt;/a&gt;, so the gateway itself was never the bottleneck in our queue.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and limitations
&lt;/h2&gt;

&lt;p&gt;Async is not free. You now own a polling loop and the job ids it depends on. If a build agent dies between submit and poll, you need those ids in durable storage or the result is orphaned. We push ids into the build's metadata so a retried step can recover them.&lt;/p&gt;

&lt;p&gt;On the Bifrost side, self-hosting carries real operational weight. A production deployment needs Postgres backing it, which is one more stateful service for my team to run and patch. Clustering for high availability is an enterprise feature, not part of the open-source core, so a single-node deploy is a single point of failure you have to plan around. The ecosystem is also younger than LiteLLM, so there's less community Q and A when you hit an edge case. None of that was a dealbreaker for us, but plan the operational side before you commit.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrapping up
&lt;/h2&gt;

&lt;p&gt;Switching CI summarisation to async inference through Bifrost took the blocking time off our build agents and stopped a slow model provider from setting our queue depth. The headers are simple, the endpoint stays OpenAI-compatible, and the spend stays visible per team. If you run LLM calls inside a build fleet and your agents are parked waiting on them, async submit-and-poll is worth a look: &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;https://getmaxim.ai/bifrost/book-a-demo&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Further reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/overview" rel="noopener noreferrer"&gt;Bifrost docs overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.getmaxim.ai/bifrost/resources/benchmarks" rel="noopener noreferrer"&gt;Bifrost benchmarks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html" rel="noopener noreferrer"&gt;AWS Lambda asynchronous invocation&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://sre.google/sre-book/handling-overload/" rel="noopener noreferrer"&gt;Google SRE Book: handling overload&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>devops</category>
      <category>infrastructure</category>
      <category>llm</category>
      <category>sre</category>
    </item>
    <item>
      <title>How to See Every MCP Server Developers Have Configured</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:26:39 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/how-to-see-every-mcp-server-developers-have-configured-1mdk</link>
      <guid>https://dev.to/claire_nguyen/how-to-see-every-mcp-server-developers-have-configured-1mdk</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fdlh3eh4hoeyrhj78u9co.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fdlh3eh4hoeyrhj78u9co.png" alt="How to See Every MCP Server Developers Have Configured" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Developers frequently configure Model Context Protocol (MCP) servers with AI agents, yet many organizations lack visibility into these connections. This article explores the challenges of shadow AI in the context of MCP servers and how &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; and &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; provide a solution for comprehensive visibility and governance.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The rapid adoption of AI agents has introduced new complexities for enterprise security and governance. As developers integrate powerful AI tools into their workflows, they often connect these tools to external services and internal systems through Model Context Protocol (MCP) servers. Without a centralized way to track and control these connections, organizations face a significant "shadow AI" problem, where critical data pathways operate outside of IT and security oversight. Gaining visibility into every MCP server configured across an organization's endpoints is essential for maintaining security and compliance. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt;, with its endpoint component Bifrost Edge, offers a robust framework for addressing this challenge.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Challenge of Ungoverned MCP Servers and Shadow AI
&lt;/h2&gt;

&lt;p&gt;AI agents are no longer passive tools; they actively plan, call external tools, and execute actions, often with delegated authority. The Model Context Protocol (MCP), introduced in November 2024, enables this by providing a standardized way for AI systems to interact with external data sources, applications, and services. It acts like a universal adapter, allowing AI assistants to query databases, read files, call APIs, and even run shell commands. This capability, while powerful for developers, creates a new security risk: shadow MCP.&lt;/p&gt;

&lt;p&gt;Shadow MCP refers to the MCP servers that employees configure for their AI applications without formal security review or central governance. These servers can be wired directly into developer tools like Claude Code, Cursor, or VS Code Copilot Chat, often with little to no visibility for IT or security teams. The risks are substantial:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data exfiltration:&lt;/strong&gt; Ungoverned MCP servers can inadvertently expose sensitive data to unauthorized external systems.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Privilege escalation:&lt;/strong&gt; An agent using an MCP server might inherit the broad access of the developer who installed it, potentially accessing privileged systems without explicit authorization.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Compliance gaps:&lt;/strong&gt; Without an audit trail of MCP server usage and data flows, organizations struggle to meet regulatory requirements like SOC 2, GDPR, HIPAA, and ISO 27001.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Misconfiguration and vulnerabilities:&lt;/strong&gt; Misconfigured MCP servers can create new attack surfaces, acting as backdoors into internal systems.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A 2026 Verizon Data Breach Investigations Report noted a fourfold increase in shadow AI detections, highlighting it as a common insider action in enterprise environments. This growing challenge underscores the need for comprehensive visibility into endpoint AI.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is an MCP Server?
&lt;/h2&gt;

&lt;p&gt;The Model Context Protocol (MCP) is an open standard designed to enable AI applications to connect with external data and services seamlessly. It standardizes how AI agents discover and interact with external "tools" at runtime. These tools can include anything from internal databases and file systems to web search engines and custom APIs.&lt;/p&gt;

&lt;p&gt;An MCP ecosystem involves three primary components:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;MCP Host:&lt;/strong&gt; The AI application or environment (e.g., an AI-powered IDE or conversational AI) that contains the LLM.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;MCP Client:&lt;/strong&gt; A component within the MCP host that facilitates communication between the LLM and the MCP server.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;MCP Server:&lt;/strong&gt; The external service that provides context, data, or capabilities to the LLM. It exposes specific "tools" that the AI agent can invoke to perform actions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;For example, an AI coding assistant might use an MCP server to access a company's codebase, an issue tracker, or internal documentation. This allows the AI to provide real-time, context-aware assistance beyond its initial training data. The protocol leverages JSON-RPC 2.0 messages for communication between client and server.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F03c626dgp3o7stj21x8g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F03c626dgp3o7stj21x8g.png" alt="A visual metaphor for the Model Context Protocol (MCP) as a universal adapter or USB-C port for AI, with various AI agen" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Bifrost Edge: Gaining Visibility into Endpoint MCP Usage
&lt;/h2&gt;

&lt;p&gt;Traditional security tools often fail to close the visibility gap around shadow AI because they focus on network perimeters, which endpoint AI frequently bypasses through direct, encrypted connections. Effectively governing MCP servers requires controls at the point where AI actually runs: the endpoint itself.&lt;/p&gt;

&lt;p&gt;Bifrost addresses this by combining the Bifrost AI gateway, as the control plane and policy engine, with &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;, which extends that same governance to every machine. Bifrost Edge is a lightweight agent that runs natively on macOS, Windows, and Linux devices. Its primary function is to route all AI traffic from the endpoint through the organization's Bifrost gateway automatically. This brings desktop applications, browser AI, coding agents, and, crucially, the MCP servers those tools connect to, under a single, unified governance framework.&lt;/p&gt;

&lt;p&gt;Bifrost Edge tackles shadow MCP by providing essential visibility:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Fleet-wide MCP Server Inventory:&lt;/strong&gt; Bifrost Edge discovers and inventories the MCP servers configured within each AI application across the entire fleet of devices. This creates a live, deduplicated catalog of every MCP server in use, allowing security teams to answer "what MCP servers are running on our fleet?" with real data.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Real-time Discovery:&lt;/strong&gt; New MCP servers are detected as they appear, rather than during periodic audits. This continuous monitoring ensures that administrators have an up-to-date view of their AI ecosystem.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Supported Applications:&lt;/strong&gt; Bifrost Edge supports discovery for a growing list of popular AI applications, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor. This ensures comprehensive coverage for the tools developers commonly use.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This visibility provides the foundation for effective governance, transforming an invisible threat into an observable, manageable aspect of the enterprise AI landscape.&lt;/p&gt;

&lt;h2&gt;
  
  
  From Visibility to Control: Approving and Denying MCP Servers
&lt;/h2&gt;

&lt;p&gt;Once Bifrost Edge provides visibility into configured MCP servers, the Bifrost AI gateway enables administrators to apply granular policy controls. The governance configured at the gateway level automatically applies to endpoint AI traffic routed by Edge.&lt;/p&gt;

&lt;p&gt;Administrators can manage detected MCP servers through a centralized dashboard:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Per-Server Allow/Deny Decisions:&lt;/strong&gt; The system allows admins to make explicit allow or deny decisions for each discovered MCP server. This policy is then enforced directly on the device. A denied server cannot be used, even if an application had it configured before the policy was established.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Approval Workflows:&lt;/strong&gt; When Edge detects a new MCP server, it can automatically request approval in the admin console. Administrators can configure whether pending servers are allowed or blocked while awaiting review, ensuring control from the moment of discovery.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Unified Governance Policies:&lt;/strong&gt; Existing Bifrost features like &lt;a href="https://docs.getbifrost.ai/features/governance/virtual-keys" rel="noopener noreferrer"&gt;virtual keys&lt;/a&gt;, budgets, rate limits, and &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt; extend to MCP server traffic. This means the same content safety and data loss prevention policies that apply to API calls at the gateway also protect prompts and responses from endpoint AI, preventing sensitive content like secrets or PII from leaving the machine.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Audit Logs:&lt;/strong&gt; Every MCP tool call is recorded in immutable audit logs, providing a critical trail for compliance with standards such as SOC 2, GDPR, and HIPAA.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F66hkz10g507tw0p93fs8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F66hkz10g507tw0p93fs8.png" alt="A centralized control panel with a glowing, interactive map showing numerous endpoints (laptops, desktops) and detected " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Deployment and Integration for Comprehensive Governance
&lt;/h2&gt;

&lt;p&gt;Bifrost Edge is designed for fleet-wide deployment, rather than relying on manual per-machine setup. Organizations can push Edge to every device using existing device management (MDM) platforms, delivering a managed configuration that points each machine to the organization's Bifrost gateway. This ensures that governance applies across the entire fleet without requiring individual users to reconfigure their AI tools.&lt;/p&gt;

&lt;p&gt;Supported MDM platforms include Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, covering macOS, Windows, and Linux endpoints. This integration with existing IT infrastructure streamlines the rollout process, making it feasible to achieve comprehensive endpoint AI governance at scale.&lt;/p&gt;

&lt;p&gt;Bifrost Edge is currently in alpha and available to enterprise customers of the Bifrost gateway. Teams interested in gaining this level of visibility and control can &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;request early access&lt;/a&gt; to evaluate its capabilities.&lt;/p&gt;

&lt;p&gt;By pairing the powerful Bifrost AI gateway as a policy engine with Bifrost Edge for endpoint enforcement, organizations can transform their approach to AI agent governance. This combined strategy ensures that every MCP server, whether sanctioned or not, becomes visible and governable, helping to secure sensitive data and maintain compliance in an evolving AI landscape.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEbzW1A4aUr9Tcxgt8HriaJJ4cSfHPc_8AplI3xHuFxX3xJTLTUXujQR0sdxkNfosEbQtp1hQQ5DXf6snQ0MgjabrlcZZNrZxZ4hqAfM1iKAOCzgRjOGLKsFJ1S0iSLJVObgeU7bPzXbhvrZOydGbT3qFjJT6X-1zjxOWI=" rel="noopener noreferrer"&gt;What is Model Context Protocol (MCP)? A guide&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG6Gd342E6g6Yx2KQU5OVA2DcngKkud9si2itjfFDDpY1rsZQznrlp38qGQjPenAInedsGuPivRiIaZlZrEt-8dCOrD6_HtEAyamXzQGWqN_ok8J9vRxTCqO93-Y6LL8f956755Vh_mNQwSvr2EVpVdx_-9R4oxBJ15" rel="noopener noreferrer"&gt;What is the Model Context Protocol (MCP)? - Databricks&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGXpNPwjCnz092rShPD6YK3DovJZHnOemVQdgVi3Nbwx7Dq_m9cQhW7_RDd-KbxysVd2vviHMZuc7uPg_tGlbaFNk3lcczDs0pXio2Xltdgctp5T_wn74c3D1luU1MHrxa79EGra9ajB55mqJigN5jBUDD4b1Y=" rel="noopener noreferrer"&gt;Model Context Protocol&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGXpNPwjCnz092rShPD6YK3DovJZHnOemVQdgVi3Nbwx7Dq_m9cQhW7_RDd-KbxysVd2vviHMZuc7uPg_tGlbaFNk3lcczDs0pXio2Xltdgctp5T_wn74c3D1luU1MHrxa79EGra9ajB55mqJigN5jBUDD4b1Y=" rel="noopener noreferrer"&gt;Model Context Protocol - Wikipedia&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG0vWGkE562KdKfwYhfy65loMK2Owyg7d1BY61Lr-FhHEus8QItq9UaOFpF4qLX81X68yO-gjWrBU2ik-zW5ItrELXeGleXHRz7PIq1l3BKDBBdHTadISeMZT0U9CvAOjkePeCPZ7TRrzQmKq1oyz1oqWF32IwbrBw==" rel="noopener noreferrer"&gt;Model Context Protocol (MCP): A comprehensive introduction for developers - Stytch&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE2kQCNCEaVvDo7FFYGPPl4MhzywcwmtDJK3JqOggfF86sw3FCgC6vlUTfpsaUiAoWwy01YRi_HV0QTKk5ukeOWr3hgYUCbaAaJiBFNR0tl8cqm-nec81cFxmp3auI7hsAadYe2-PL4H0Wyf9i2xcoR1GSTH6uNWt8CJy-Xz7tmwIP0Ji5gipQDxTalPC-sSvHK" rel="noopener noreferrer"&gt;Shadow MCP: The Ungoverned AI Tools Risking Your Data - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHYwVC0istJyKSmaYz_JvElOv2QDMRnF2CGiiuNHbZJAoUxMxvP86nmMlphyWCFwwSGCry3-2KqYf_8MrGUVVfBNx7EAo4IcGu3CPCGEc5kGJr0WcF101nByIC067hA4kBitw369vy8_Jfrqs89C2btxFpXygdratMj2SJq0VOQktbCn5NtV6ERyHxSwZCFKQ==" rel="noopener noreferrer"&gt;Roll Out AI Governance With MDM: Jamf, Intune, Kandji - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEz5daVCp6DY4nRMEnTP5ycexK-qkj0ynzsmirGyikbjcYjVA28OL-kSIfdRaGU_F4nsPZu0Df5PTMVh2jM2n_rW5rtHBUxQoX3ffR0Qt_VIHboM6aJR3ALfO91QydDkDdb74PZf3DXggMctFfy" rel="noopener noreferrer"&gt;AI Agent Governance: Best Practices for Enterprise - MindStudio&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQElqDNU-tcKq4pAw0F1qVkw36keF1wzsFbZGdGvHt_CABXIyNYGj1DAXXcH3WcNy1D5L5RB3sNgUhaJBz6mr2fp8OMXrNAUGQVmA_DANX14SU4Xf3oYl-ulbSrRCdcigAx73TPD4yP-RuuU47WZhPO2hlqik9Ddq1t1doMkwLCR1gupSPXWw_TSyGyiFw==" rel="noopener noreferrer"&gt;Understanding shadow AI in your endpoint environment - Tanium&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGZGhLe24pHmIuB17AB-lun94tky56CZ7mCnbdKw1frEdST0uCh8-lGIVYfjaTOqlAb_-pADmxP-5Sqf-tH4_AZ7DQDlMflbh4K3AxIXBsJPFPQK8Gz6CMcwPDnpsUmzpDI864yf_KFDGeg1yyIGaavi8U_sb689yA6usD-6A39kIOBe9bSkhkxzibtP2A==" rel="noopener noreferrer"&gt;Shadow MCP: The Hidden AI Risk in Your Codebase - Mend.io&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFS2Z5USbFBql_rsk12iMt-PAHuAV0QoanFLiXc75_YYxpgHI1vK2UTqQeq8AHJd8FYNogvkJanRkKktxkrQCbY4iKDauLpUNDgehZKuvsVziFBnSQ82j4RMBZzES5E_PhBAnqbjzsnY6D8xz31oAExrBDgPxzl12TQFmYzKMKdqrnACeHITjJHQWkas9IXeoMsZe_wvtwrs95ajVvBrkyUsqTcyn0XOg46DR5pw2_7_Z4tSAdnMqNwIPCiW3cqDUE-CcyAe9pHq_UNjzWGgwgE3aw==" rel="noopener noreferrer"&gt;Shadow AI and the evolution of Shadow IT Security - Blog Detectify&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHDwUvYTCUg_cHOeH87Hafj2Bvd6LGGjcRAlKt5ee_EcBbgVW8FZbv9voHW8ojxUzIsetSlPUZzfVUCO7-lomHC_OktBArOMxJc2eA29qR-0stj_XXMnhUnzZDuftD5PvVYzM_QRIkycqYsofDKv1Q==" rel="noopener noreferrer"&gt;AI Agent Governance Checklist for Enterprise CISOs - Zenity&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFXeZ1eU1F6BVdfNzcURBkaupV6MmxgSWNlFfHr_Qn-kxf0GyeaKbDXe7tYddDt7TwBczn6vZGC4kmBuE0HlXfHN0ejHdO3Q3RbcjOKOlwQaWPK1SSnig1BMx1Kgw3AnFpoKfzKk1GV0zdM91WIjZqN7UWEM_hereTwlJ2Vq9SFEFLqlN1ELOt20sANDyNc9RCKZ_ONNpWtzmyFslowYkP29IzSnU6RWFBORku1fmMZ35FbUHv4xhMgDiMcNaerOlvF_ljl0aoWXiWLWhNuqorfNbMEH2Ka09K0NEd" rel="noopener noreferrer"&gt;The AI Governance blind spot: why your Corporate accounts are not enough (and how Bifrost Edge closes the loop) - Medium&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQGcMmcVYwBbu62mWCQkZS1ia_MSi7L_Ajfb4EKktYFDVwMs4kuQawAN2vPng5Pw2L3EZpB8ev54MNQL3oSHmfDPnwi2VG-f_2fqKSvIa1Vq3CE8ROHyb4-FSNN_FOTnqElYgGQc4_TCqSFEeq-yVZoRsGPmMI1GqJw==" rel="noopener noreferrer"&gt;Governing AI usage across your engineering team: the problem and our approach - Aptible&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQFubIJSX-Z0Uum_HHB-tZResZp2FrchhMmsMa8ccc8VjlG3kQ4EG-KUE7YAOIDztaRRsOgWW7D9wqw417qLQarIUQQdBABJeeHsToYZtT0yOZvrJzD6B_WrDAsj6q0_G1iJKvOO-CZJk2wSI9264hvZN5myGqvRxb7BIqirpZUr9cURh2l2hV-DXAyxutVOuJ4V3MF05C5ib0J8A-m0t88YRETOK1h_C5ZFrgM=" rel="noopener noreferrer"&gt;AI agent governance across SaaS, endpoint, and cloud: what changes?&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHQMm4t2Tk19F1PzqT1aEUzPHKfBgdhWQtLmnU3U7o1dbTAQFTkGchjVi4F-tFQ4KCpJaR6nHVGoi_HIVpLC0_tBkViCV6C16c4evh6pMO-uk5VArmXHD8-A_nRYjSaqEdmVtdaY2K0EKm_mjer04ju6AYj8HMr2B6oYmPoZOdUKVbFx8-ymofmffOtACC2f6-3OeCI4xBQV4IWUT_VvTQZw8VkDaLUCQA1NZM=" rel="noopener noreferrer"&gt;CIS MCP Security Guide: How to Govern AI Agent Access in Enterprise Environments&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQF8hJuy0VJCAMEYByeTmYA2mlNw2ugWmjOtwJE2r4AuRISJOpMZuEKruztJhAA2DRwUwb3jfN737BVD1VWeAOZ1TjClawkbFMjdDaISSPAzUxIPcar6VDQ8iSAE3o6Apeqd5oj2knlplvDDtR32VYs6hkQ_laRuNt4cutFA3ah-JaDfbifozJO0faM7osnXneDEr68NCMCv4Q==" rel="noopener noreferrer"&gt;AI Governance for Regulated Industries: The Endpoint Problem - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE49-oyUzKTFYCD6GwgIo5PS7duGoFUyAV67Y1O0aiYDukKtHF66N7TedeOyDqMq7T5ojZ770uNaqp6-pX2zUg4FpV_C2A5ifdqvVwwinqYvTH_tK6T_uSVd0VE_cL6H7FRQ0hQOZiFCq5UgTdRvkIUwV__OtVrYbm7Hbgvppbl9GXo9aIT4nEl2-7GUAxOEjTd7A==" rel="noopener noreferrer"&gt;Best Endpoint AI Governance Tools: A 2026 Buyer's Guide - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG_sKR8cxAXiI1L1JTCDA2CE3z06_JvRDa-Iy7zP3Rks8VBzheFcaiJ7Qix-_f96QffyRiOAfRuA2au_olFhEqnk58o7_Q3ludrFbqyEvxBcfgRi3uyYHhCCtVqhCzQiV9mwJBK0i-p8TXvs9Ap0WNBg6BHkymwUkHcLY02ftlT" rel="noopener noreferrer"&gt;Tyk.io - MCP Server Governance: Best Practices for AI Security&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQHGtEIBVsYxwcKTAM0qkHTsZc1Rf5Qp5X0kR4fVaSs70Z5-5tnQscDADzoXXXPaDjplZA0Omtf9XqqxcmoBvP-rPrU_RiVTmQlcHLY-SbU_N1MoLbp5rxFA1tajPo8dH8wsXFsghnjrl3txRb7j229rg903tborOsKs9gcK4j-N" rel="noopener noreferrer"&gt;You Can't Govern the AI You Can't See - DEV Community&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge + Gateway | Route, Govern, and Secure AI Traffic - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQEQRfsDO4rhdHHYSwYNz0WT9IE5xESd6-cWj44-8QRARX507gnyPR5NOUv5PVZhZ2x0JinXuWE2fCDGcIC6OGv3Cds5b6g27ztmOyu-vm3v6GZPcbaOJFlpe0GzcsLxOnhBUDTCWvC9QNgGmiFV_SVQs4KvqeKWRzXagTROzFhCnu0NdgPXpKuyTARoncsqC367_golneLf71JGD4XAjhgarg==" rel="noopener noreferrer"&gt;new) Bifrost Edge: MCP Visibility and Control for Enterprise Teams and Beyond&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;GitHub - maximhq/bifrost: Fastest enterprise AI gateway&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/enterprise/invpc-deployments" rel="noopener noreferrer"&gt;In-VPC Deployments - Bifrost AI Gateway&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/enterprise/user-provisioning" rel="noopener noreferrer"&gt;User Provisioning - Bifrost AI Gateway&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>aiapps</category>
      <category>governance</category>
      <category>security</category>
    </item>
    <item>
      <title>Governing MCP Servers on Employee Devices: A Critical Step for Enterprise AI</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:26:36 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/governing-mcp-servers-on-employee-devices-a-critical-step-for-enterprise-ai-3p1m</link>
      <guid>https://dev.to/claire_nguyen/governing-mcp-servers-on-employee-devices-a-critical-step-for-enterprise-ai-3p1m</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvdb7ma200fvtu3mnzwp3.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvdb7ma200fvtu3mnzwp3.png" alt="Governing MCP Servers on Employee Devices: A Critical Step for Enterprise AI" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As AI agents become integral to enterprise operations, their ability to interact with external tools and data sources via Model Context Protocol (MCP) servers introduces powerful new capabilities. However, this extensibility also creates a significant security and governance challenge: managing which MCP servers employees connect to from their company machines. Without proper controls, this can lead to "shadow AI" — ungoverned AI usage that bypasses security policies and exposes sensitive data.&lt;/p&gt;

&lt;p&gt;This article examines why governing MCP server usage on endpoint devices is crucial and how a comprehensive AI gateway, paired with endpoint AI governance, provides the necessary controls. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; from Maxim AI, offers a solution that extends centralized policy enforcement directly to employee machines, ensuring that all AI interactions align with enterprise security and compliance standards.&lt;/p&gt;

&lt;h2&gt;
  
  
  What are MCP Servers and Why Do They Matter?
&lt;/h2&gt;

&lt;p&gt;Model Context Protocol (MCP) is an open standard designed to enable AI models, particularly large language models (LLMs), to interact with external tools and data sources in a consistent and secure manner. Think of MCP as a standardized communication layer allowing AI clients (like Claude, ChatGPT, or coding agents) to discover and invoke tools without requiring custom, one-off integrations for every service. An MCP server is the implementation of this protocol, acting as a bridge between an AI agent and external systems like APIs, databases, file systems, or SaaS applications.&lt;/p&gt;

&lt;p&gt;These servers allow AI agents to move beyond mere reasoning to taking actions—reading files, calling APIs, querying databases, and sending messages. This capability is what makes AI agents so powerful in a business context, enabling automation and complex workflows.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Rise of Ungoverned AI Tool Usage (Shadow AI)
&lt;/h2&gt;

&lt;p&gt;While MCP servers offer immense utility, their ease of creation and deployment has inadvertently led to a proliferation of unmanaged tools within organizations. Developers can spin up an MCP server in minutes, making it simple to expose functionality and experiment. However, this agility often means that IT and security teams lose visibility into what tools are running, what data they access, and what actions they can perform. This phenomenon, often termed "shadow AI," presents several critical risks:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data Exfiltration:&lt;/strong&gt; MCP servers, when connected to filesystems or APIs, can be manipulated by malicious prompts to extract sensitive company data without detection.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Unauthorized Command Execution:&lt;/strong&gt; A compromised or malicious MCP server could execute arbitrary commands or access systems with elevated privileges, bypassing intended access controls.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Absence of Audit and Policy:&lt;/strong&gt; Without centralized governance, there is no unified audit trail, budget control, or guardrails applied to these interactions, making compliance (e.g., SOC 2, GDPR, HIPAA) extremely difficult.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Supply Chain Risks:&lt;/strong&gt; MCP servers often rely on various software components, making them vulnerable to supply chain attacks, where malicious code could be introduced.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Tool Poisoning and Tool Shadowing:&lt;/strong&gt; Attackers can craft malicious tools with names similar to legitimate ones, or embed hidden directives in tool metadata, leading AI agents to invoke unintended or harmful actions.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The problem is that traditional network controls and endpoint detection tools were not designed to manage this new class of AI-driven, tool-calling traffic. A gateway can only govern traffic configured to flow through it. When employees install desktop apps, browse AI in the browser, or paste MCP server configurations directly into their coding agents, that traffic often bypasses central controls entirely. This creates a significant governance gap where critical enterprise data and systems are exposed.&lt;/p&gt;

&lt;h2&gt;
  
  
  How Bifrost Edge Addresses MCP Server Governance
&lt;/h2&gt;

&lt;p&gt;Bifrost, the AI gateway, functions as the central policy engine for AI traffic. To address the challenge of ungoverned MCP server usage, &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; extends this same governance directly to the endpoint. Bifrost Edge runs on every machine in an organization, ensuring that all AI traffic, including connections to MCP servers, is routed through the central Bifrost AI gateway where policies are enforced. This approach provides critical visibility and control over what has historically been a significant blind spot.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ff5xg8b2305ne7irmva72.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ff5xg8b2305ne7irmva72.png" alt="A visual metaphor of discovery and inventory: a magnifying glass hovering over a network of interconnected nodes (repres" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Bifrost Edge brings several core capabilities to bear on MCP server governance:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Fleet-Wide Inventory and Discovery:&lt;/strong&gt; Edge actively inventories the MCP servers configured within AI applications across the entire device fleet. Administrators gain a live, deduplicated catalog of every discovered MCP server, along with details on where it's configured and across how many devices. This provides the much-needed visibility to answer questions like "what MCP servers are running on our fleet?".&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Granular Allow/Deny Decisions:&lt;/strong&gt; With a clear inventory, administrators can make explicit allow or deny decisions for each discovered MCP server. A denied server is blocked at the device level, preventing any data from leaving the machine for that server, even if a user had it previously configured. This shifts from reactive responses to proactive policy enforcement.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Approval Workflows:&lt;/strong&gt; When Edge detects a new MCP server, it can automatically request approval in the Bifrost admin console. Administrators configure whether pending servers are allowed or blocked while awaiting review, providing a controlled path for new tools [cite: Edge admin approvals docs].&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Existing Governance Applies:&lt;/strong&gt; The same virtual keys, budgets, rate limits, and guardrails configured in the Bifrost AI gateway automatically apply to endpoint AI traffic, including MCP server interactions [cite: Edge security docs]. This ensures consistency of policy across all AI workloads. For instance, &lt;a href="https://docs.getbifrost.ai/features/governance/mcp-tools" rel="noopener noreferrer"&gt;MCP tool filtering&lt;/a&gt; controls which specific tools an approved MCP server can call based on the virtual key in use.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Granular Control with Centralized Policy
&lt;/h2&gt;

&lt;p&gt;Administrators manage MCP server approvals and denials through the Bifrost admin console. This provides a centralized dashboard to review discovered AI apps and MCP servers, making allow/deny decisions that are then enforced on devices across the fleet [cite: Edge admin approvals docs]. This centralized approach streamlines management, ensuring that policy changes take effect rapidly across all connected machines without requiring manual intervention on individual devices.&lt;/p&gt;

&lt;p&gt;The underlying policy mechanisms, such as &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrails&lt;/a&gt; and &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;audit logs&lt;/a&gt;, protect the entire AI data flow. Guardrails, including native &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/secrets-detection" rel="noopener noreferrer"&gt;Secrets Detection&lt;/a&gt; and &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails/custom-regex" rel="noopener noreferrer"&gt;Custom Regex&lt;/a&gt; (e.g., for PII), inspect prompts and responses, catching sensitive content before it leaves the company boundary. Audit logs maintain an immutable record of every AI request, providing the necessary evidence for compliance reporting (SOC 2, GDPR, HIPAA, ISO 27001).&lt;/p&gt;

&lt;h2&gt;
  
  
  Streamlined Deployment for Endpoint AI Governance
&lt;/h2&gt;

&lt;p&gt;Deploying endpoint AI governance across an entire organization requires seamless rollout. Bifrost Edge is built for fleet-wide deployment using existing device management (MDM) platforms [cite: Edge deployment MDM docs]. Organizations can push the Edge agent to every machine via tools like Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud [cite: Edge deployment MDM docs].&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnpgk5w1tvgv9nl3lsjcf.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fnpgk5w1tvgv9nl3lsjcf.png" alt="A unified deployment illustration: a central server or cloud icon distributing uniform security policies and a software " width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This managed deployment means that machines arrive pre-configured to point at the organization's Bifrost. After a single sign-in via the organization's SSO, the Edge agent seamlessly applies governance to all supported AI traffic [cite: Edge how it works docs]. This approach eliminates the burden of per-app setup for users and ensures that comprehensive governance is in place from the moment a device is provisioned.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Broader Context: Comprehensive AI Governance
&lt;/h2&gt;

&lt;p&gt;Governing MCP servers on employee devices is a critical component of a larger strategy for enterprise AI governance. By combining the powerful policy engine of the Bifrost AI gateway with the endpoint reach of Bifrost Edge, organizations gain full visibility and control over their AI footprint. This &lt;strong&gt;AI Gateway + Bifrost Edge&lt;/strong&gt; narrative ensures that all AI interactions—whether directly integrated via the gateway or used on employee laptops—adhere to the same security, compliance, and cost management policies.&lt;/p&gt;

&lt;p&gt;Bifrost Edge is currently in alpha, with teams registering for onboarding to implement this critical layer of enterprise AI security. The ability to automatically discover, approve, and deny specific MCP servers across a fleet of devices completes the governance story, transforming shadow AI into governed AI.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;a href="https://socprime.com/blog/model-context-protocol-security-risks-mitigations/" rel="noopener noreferrer"&gt;Model Context Protocol: Security Risks &amp;amp; Mitigations - SOC Prime&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.darkreading.com/cyberattacks-vulnerabilities/plug-play-and-prey-security-risks-model-context-protocol" rel="noopener noreferrer"&gt;Plug, Play, and Prey: The security risks of the Model Context Protocol&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.truefoundry.com/blog/what-is-an-mcp-server" rel="noopener noreferrer"&gt;What Is An MCP Server? Key Features &amp;amp; Benefits - Truefoundry&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.cycognito.com/blog/mcp-security-risks/" rel="noopener noreferrer"&gt;Top MCP Security Risks &amp;amp; 10 Critical Best Practices - CyCognito&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://mindstudio.ai/blog/what-is-an-mcp-server/" rel="noopener noreferrer"&gt;MCP Servers Explained: What They Are and Why Every AI Agent Needs Them | MindStudio&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://k2view.com/blog/what-is-an-mcp-server/" rel="noopener noreferrer"&gt;What is an MCP server? - K2view&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.databricks.com/glossary/model-context-protocol" rel="noopener noreferrer"&gt;What is the Model Context Protocol (MCP)? - Databricks&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.redhat.com/en/blog/model-context-protocol-mcp-understanding-security-risks-and-controls" rel="noopener noreferrer"&gt;Model Context Protocol (MCP): Understanding security risks and controls - Red Hat&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://checkmarx.com/blog/11-emerging-ai-security-risks-with-mcp-model-context-protocol/" rel="noopener noreferrer"&gt;11 Emerging AI Security Risks with MCP (Model Context Protocol) - Checkmarx&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://mcp.dev/docs/understanding-mcp-servers" rel="noopener noreferrer"&gt;Understanding MCP servers - Model Context Protocol&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.atol.io/blog/enterprise-mcp-limitations-security-risks-and-scale-considerations" rel="noopener noreferrer"&gt;Enterprise MCP: Limitations, Security Risks, and Scale Considerations - Atolio&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.zwillgen.com/law-firm-news/mcp-servers-raise-the-stakes-for-ai-governance/" rel="noopener noreferrer"&gt;MCP Servers Raise the Stakes for AI Governance - ZwillGen&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://medium.com/@davepatten/who-authorized-that-agent-mcp-ema-id-jag-and-governing-ai-agents-at-scale-c46b5a34e00b" rel="noopener noreferrer"&gt;Who Authorized That Agent? MCP, EMA, ID-JAG, and Governing AI Agents at Scale | by Dave Patten | Jun, 2026 | Medium&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.giskard.ai/resources/mcp-governance-gap" rel="noopener noreferrer"&gt;The MCP Governance Gap: How to Secure AI Data Flows at Scale&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.getmaxim.ai/bifrost/blog/shadow-mcp-ungoverned-ai-tools-risking-your-data" rel="noopener noreferrer"&gt;Shadow MCP: The Ungoverned AI Tools Risking Your Data - Maxim AI&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://portkey.ai/blog/mcp-adoption-challenge" rel="noopener noreferrer"&gt;The hidden challenge of MCP adoption in enterprises in 2025 - Portkey&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.defense.gov/Portals/1/Documents/ai/AI-Driven-Automation-MCP-Security-Design-Considerations.pdf" rel="noopener noreferrer"&gt;Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation - Department of War&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://medium.com/@toni_ramchandani/why-the-mcp-protocol-needs-a-security-wake-up-call-51a84f509e1e" rel="noopener noreferrer"&gt;Why the MCP Protocol Needs a Security Wake-Up Call | by TONI RAMCHANDANI - Medium&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://www.trendmicro.com/en_us/research/25/f/anthropic-sqlite-mcp-server-vulnerability.html" rel="noopener noreferrer"&gt;Why a Classic MCP Server Vulnerability Can Undermine Your Entire AI Agent - Trend Micro&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/edge/admin-approvals" rel="noopener noreferrer"&gt;Bifrost Edge Admin: Approvals&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/edge/how-it-works" rel="noopener noreferrer"&gt;Bifrost Edge How It Works&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;Bifrost Edge Security &amp;amp; Guardrails&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;  &lt;a href="https://docs.getbifrost.ai/edge/deployment-mdm" rel="noopener noreferrer"&gt;Bifrost Edge Deployment: MDM&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>enterpriseai</category>
      <category>security</category>
      <category>governance</category>
    </item>
    <item>
      <title>Securing MCP Servers Across a Company: A Practical Guide</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:25:46 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/securing-mcp-servers-across-a-company-a-practical-guide-2apj</link>
      <guid>https://dev.to/claire_nguyen/securing-mcp-servers-across-a-company-a-practical-guide-2apj</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9py0339vgr63zpy48yva.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F9py0339vgr63zpy48yva.png" alt="Securing MCP Servers Across a Company: A Practical Guide" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Securing Model Context Protocol (MCP) servers is crucial for enterprise AI governance. This guide explores the risks of ungoverned MCP server use and how &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; with Bifrost Edge provides a comprehensive solution for visibility and control.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;AI agents and advanced LLMs increasingly rely on Model Context Protocol (MCP) servers to extend their capabilities, enabling them to read files, call APIs, and interact with external tools. While this tool-use functionality enhances AI utility, it also introduces significant security and compliance risks if not properly governed. For many organizations, the proliferation of MCP servers across employee machines, often outside IT visibility, constitutes a critical security blind spot.&lt;/p&gt;

&lt;h2&gt;
  
  
  Understanding the MCP Server Security Challenge
&lt;/h2&gt;

&lt;p&gt;The Model Context Protocol allows AI agents to discover and execute external tools, fundamentally changing how AI applications interact with company data and systems. This capability is powerful, but it bypasses traditional security perimeters.&lt;/p&gt;

&lt;p&gt;A primary challenge is the "shadow AI" problem. Employees may configure MCP servers within their coding agents (e.g., Claude Code, Cursor) or desktop AI applications without centralized oversight. This leads to:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;  &lt;strong&gt;Data Leakage Risks:&lt;/strong&gt; Ungoverned MCP servers can facilitate the exfiltration of sensitive company data to unauthorized external services or models.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Compliance Violations:&lt;/strong&gt; Without an audit trail or control over tool execution, organizations face difficulty adhering to regulatory requirements like GDPR, HIPAA, or SOC 2.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Malicious Tool Execution:&lt;/strong&gt; An agent might be instructed to use a compromised or unapproved MCP server, potentially leading to unauthorized access or system manipulation.&lt;/li&gt;
&lt;li&gt;  &lt;strong&gt;Lack of Visibility:&lt;/strong&gt; Security teams often have no clear inventory of which MCP servers are being used, by whom, or for what purpose, making risk assessment impossible.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This lack of visibility and control at the endpoint creates a significant gap in an organization's AI security posture, making it imperative to implement robust governance strategies.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F3xnchcs380ia2ra0fw77.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F3xnchcs380ia2ra0fw77.png" alt="Silhouettes of workers at computers, with lines of data flowing from their screens into a hidden, uncontrolled cloud, de" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How Bifrost Addresses MCP Server Security
&lt;/h2&gt;

&lt;p&gt;Securing MCP servers requires a comprehensive approach that combines centralized policy enforcement with endpoint governance. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; from Maxim AI, provides this unified solution, ensuring that AI traffic—including MCP server interactions—is visible, controlled, and compliant.&lt;/p&gt;

&lt;p&gt;Bifrost functions as an MCP gateway, centralizing AI model and tool access. It can expose a curated set of tools and also manage connections to external MCP servers. The same virtual keys, budgets, rate limits, and guardrails configured in Bifrost apply to MCP interactions, providing a foundational layer of security.&lt;/p&gt;

&lt;p&gt;The crucial component for extending this governance to every machine is &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;. Bifrost Edge is an endpoint agent that runs on macOS, Windows, and Linux devices, routing all AI traffic—including requests to MCP servers—through the organization's Bifrost gateway. This ensures that every AI interaction, regardless of the application or its location, is subjected to the same security policies.&lt;/p&gt;

&lt;h3&gt;
  
  
  Comprehensive MCP Server Governance with Bifrost Edge
&lt;/h3&gt;

&lt;p&gt;Bifrost Edge extends the governance capabilities of the Bifrost AI gateway directly to the endpoint, offering unparalleled control over MCP server usage. This includes:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Automated Discovery and Inventory:&lt;/strong&gt; Bifrost Edge automatically inventories MCP servers configured within AI applications on employee machines. This capability builds a live, fleet-wide catalog of all discovered MCP servers, finally giving administrators visibility into what tools agents are using in production. This eliminates the blind spot of "shadow AI" where MCP servers operate unnoticed.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Centralized Approval Workflow:&lt;/strong&gt; Once MCP servers are discovered, administrators can review them within the Bifrost console. They can then make explicit per-server allow or deny decisions. This means a denied server cannot be used by any AI application on any governed device, even if a user previously configured it.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Enforced Security and Guardrails:&lt;/strong&gt; Because all MCP server traffic routes through Bifrost, every guardrail already configured at the gateway applies automatically. This includes native secrets detection, custom regex patterns (for PII, compliance, or internal data), and integrations with third-party content safety solutions like AWS Bedrock Guardrails, Azure Content Safety, and Patronus AI. These guardrails protect sensitive information from leaving the organization via agent tool calls.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Audit Logs for Compliance:&lt;/strong&gt; Every interaction involving an MCP server, whether approved or blocked, is recorded in immutable audit logs. This provides a comprehensive trail for compliance, forensic analysis, and ensuring adherence to internal security policies and external regulations (SOC 2, GDPR, HIPAA, ISO 27001).&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Per-Virtual Key MCP Tool Filtering:&lt;/strong&gt; Bifrost's virtual keys provide granular control over which MCP tools (and by extension, which MCP servers) are accessible to specific users, teams, or projects. This allows organizations to segment access based on roles and requirements, ensuring that only authorized agents can interact with approved tools.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzgjc05rdtekt0wnsbiz9.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzgjc05rdtekt0wnsbiz9.png" alt="A unified network of endpoints (laptops, desktops) glowing with green light, all connected to a central, secure gateway," width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Deploying Bifrost Edge for Fleet-Wide Governance
&lt;/h2&gt;

&lt;p&gt;For organizations with large fleets of employee machines, manual deployment and configuration of endpoint agents are impractical. Bifrost Edge is designed for mass deployment through existing Mobile Device Management (MDM) platforms.&lt;/p&gt;

&lt;p&gt;Supported MDM solutions include Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud. This enables silent, fleet-wide rollout of the Edge agent, pre-configured with the necessary connection settings to point devices to the organization's Bifrost gateway.&lt;/p&gt;

&lt;p&gt;The typical first-launch flow for an end-user involves:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; Bifrost Edge installs silently via MDM.&lt;/li&gt;
&lt;li&gt; A one-time setup approval on first run.&lt;/li&gt;
&lt;li&gt; The user signs in through their browser using existing single sign-on (SSO), linking the device to their identity and syncing policies.&lt;/li&gt;
&lt;li&gt; Governance automatically applies to all supported AI traffic, including MCP server interactions.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This streamlined deployment and user-onboarding process ensures that organizations can quickly bring all endpoint AI traffic under governance, closing shadow AI gaps without disrupting user workflows or requiring extensive manual configuration.&lt;/p&gt;

&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;The rise of AI agents and MCP servers introduces new vectors for data exfiltration and compliance risks. Securing these interactions is not merely a technical challenge; it is a critical requirement for maintaining enterprise security and regulatory adherence. By combining the powerful policy engine of the Bifrost AI gateway with the endpoint enforcement capabilities of &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt;, organizations gain comprehensive visibility and control over all AI traffic, including the often-overlooked realm of MCP server usage. This integrated approach ensures that AI innovations can be adopted safely and compliantly across the entire company.&lt;/p&gt;

&lt;p&gt;Teams evaluating AI gateway and endpoint governance solutions can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a Bifrost demo&lt;/a&gt; to see how it can secure their MCP server landscape or review the &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source repository&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt; "The Model Context Protocol: Bridging the Gap Between LLMs and Tools." &lt;em&gt;Maxim AI Blog&lt;/em&gt;. &lt;a href="https://www.getmaxim.ai/blog/mcp-protocol/" rel="noopener noreferrer"&gt;https://www.getmaxim.ai/blog/mcp-protocol/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "What is MCP and how does it secure code models?" &lt;em&gt;Hugging Face Blog&lt;/em&gt;. &lt;a href="https://huggingface.co/blog/what-is-mcp-and-how-does-it-secure-code-models" rel="noopener noreferrer"&gt;https://huggingface.co/blog/what-is-mcp-and-how-does-it-secure-code-models&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "MCP Overview." &lt;em&gt;Bifrost Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/mcp/overview" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/mcp/overview&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "Govern MCP servers." &lt;em&gt;Bifrost Edge Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/edge/mcp-governance" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/edge/mcp-governance&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "Admin: Approvals." &lt;em&gt;Bifrost Edge Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/edge/admin-approvals" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/edge/admin-approvals&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "Security &amp;amp; guardrails." &lt;em&gt;Bifrost Edge Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/edge/security&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "Audit logs." &lt;em&gt;Bifrost Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/enterprise/audit-logs" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/enterprise/audit-logs&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "MCP tool filtering (per virtual key)." &lt;em&gt;Bifrost Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/features/governance/mcp-tools" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/features/governance/mcp-tools&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt; "Deploy with MDM." &lt;em&gt;Bifrost Edge Documentation&lt;/em&gt;. &lt;a href="https://docs.getbifrost.ai/edge/deployment-mdm" rel="noopener noreferrer"&gt;https://docs.getbifrost.ai/edge/deployment-mdm&lt;/a&gt;
&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>enterpriseai</category>
      <category>aibox</category>
    </item>
    <item>
      <title>What Shadow MCP Is and How to Detect It</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 18:24:19 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/what-shadow-mcp-is-and-how-to-detect-it-2p3k</link>
      <guid>https://dev.to/claire_nguyen/what-shadow-mcp-is-and-how-to-detect-it-2p3k</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvi417vs6ddnmueafbfu2.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fvi417vs6ddnmueafbfu2.png" alt="What Shadow MCP Is and How to Detect It" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Shadow MCP refers to the unauthorized use of Model Context Protocol servers on organization devices. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; provides the visibility and governance tools needed to identify and secure these connections.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The &lt;a href="https://modelcontextprotocol.io/introduction" rel="noopener noreferrer"&gt;Model Context Protocol (MCP)&lt;/a&gt; is an open standard that allows large language models (LLMs) to access local data, execute code, and query external databases. While this protocol enables highly capable AI agents, it also introduces a new category of security risk known as Shadow MCP. &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, an &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; developed by Maxim AI, provides the infrastructure to bridge this visibility gap by centralizing how AI tools interact with local and remote resources.&lt;/p&gt;

&lt;h2&gt;
  
  
  What is Shadow MCP
&lt;/h2&gt;

&lt;p&gt;Shadow MCP is the usage of MCP servers and tool configurations by employees without the knowledge or authorization of the organization's security and IT teams. It is a subset of "Shadow AI" where users connect their AI chat applications, such as Claude Desktop or ChatGPT, to local tool servers that can read files, access internal APIs, or interact with system processes.&lt;/p&gt;

&lt;p&gt;Because &lt;a href="https://docs.getbifrost.ai/mcp/overview" rel="noopener noreferrer"&gt;MCP servers&lt;/a&gt; are often lightweight and easy to run locally, users frequently install them to automate repetitive tasks. However, these servers operate outside the typical enterprise security perimeter. Without a centralized &lt;a href="https://www.getmaxim.ai/bifrost/resources/governance" rel="noopener noreferrer"&gt;governance&lt;/a&gt; layer, security teams cannot see which tools the AI is using, what data is being accessed, or whether those tools are being used to exfiltrate sensitive information.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fds76i9oyqp29hjjudcwp.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fds76i9oyqp29hjjudcwp.png" alt="A translucent digital shield appearing over a complex circuit board, with faint red sparks representing unauthorized con" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The Security Risks of Ungoverned MCP Servers
&lt;/h2&gt;

&lt;p&gt;When an employee runs an ungoverned MCP server, they create a direct conduit between a third-party LLM and their company machine. Several technical risks emerge from this architecture:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt; &lt;strong&gt;Data Exfiltration:&lt;/strong&gt; An MCP server designed to read files could be used by an AI model to summarize and then upload sensitive company documents to an external provider.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Unvetted Tool Execution:&lt;/strong&gt; Many open-source MCP servers found in public repositories lack rigorous security audits. These servers might contain vulnerabilities or malicious code that can execute commands on the host machine.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Lack of Audit Trails:&lt;/strong&gt; Most AI desktop applications do not provide detailed logs of which tools were called, what arguments were passed, or what data was returned. This makes incident response nearly impossible.&lt;/li&gt;
&lt;li&gt; &lt;strong&gt;Credential Exposure:&lt;/strong&gt; MCP servers often require API keys or environment variables to connect to other services. In a shadow environment, these credentials are stored locally and are often unencrypted.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;To mitigate these risks, organizations must move from individual, localized tool configurations to a centralized &lt;a href="https://www.getmaxim.ai/bifrost/resources/mcp-gateway" rel="noopener noreferrer"&gt;MCP gateway&lt;/a&gt; that provides a single point of enforcement for all AI tool traffic.&lt;/p&gt;

&lt;h2&gt;
  
  
  How to Detect Shadow MCP on the Endpoint
&lt;/h2&gt;

&lt;p&gt;Detecting Shadow MCP requires visibility into the AI applications running on employee machines. Most organizations have no visibility into the internal configuration files where MCP servers are defined. Detection typically involves three primary methods:&lt;/p&gt;

&lt;h3&gt;
  
  
  Scanning Local Configuration Files
&lt;/h3&gt;

&lt;p&gt;Many AI applications store their MCP configurations in standard locations. For example, Claude Desktop stores its configuration in a &lt;code&gt;claude_desktop_config.json&lt;/code&gt; file. Security teams can use scripts to scan for these files, but this method is often reactive and can be bypassed by users moving files or using different applications.&lt;/p&gt;

&lt;h3&gt;
  
  
  Network Traffic Analysis
&lt;/h3&gt;

&lt;p&gt;Organizations can monitor for traffic patterns associated with known MCP providers or unexpected outbound API calls. However, because MCP traffic is often encrypted and looks like standard HTTPS traffic to an LLM provider, this method frequently results in false negatives.&lt;/p&gt;

&lt;h3&gt;
  
  
  Endpoint AI Governance
&lt;/h3&gt;

&lt;p&gt;The most effective way to detect Shadow MCP is through dedicated endpoint agents. &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; runs as an &lt;a href="https://docs.getbifrost.ai/edge/how-it-works" rel="noopener noreferrer"&gt;always-on agent&lt;/a&gt; on macOS, Windows, and Linux devices. It automatically inventories the MCP servers configured inside applications like Claude Desktop, Cursor, and Gemini CLI. This provides a live, fleet-wide inventory of every MCP server running on every machine in the organization.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Frn2zbvl57na1fjn14os7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Frn2zbvl57na1fjn14os7.png" alt="A magnifying glass hovering over a dense field of glowing blue data cubes, highlighting a single cube that is pulsing wi" width="800" height="457"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Governing the Last Mile with Bifrost Edge
&lt;/h2&gt;

&lt;p&gt;Bifrost applies &lt;a href="https://www.getmaxim.ai/bifrost/resources/governance" rel="noopener noreferrer"&gt;governance&lt;/a&gt; and security controls such as virtual keys, budgets, and guardrails centrally, and &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; extends that same governance and security to AI traffic on employee machines with &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;endpoint enforcement&lt;/a&gt; on each device.&lt;/p&gt;

&lt;p&gt;By using the combination of the AI gateway as a control plane and &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; as the endpoint layer, administrators can transition from detection to active prevention. The &lt;a href="https://docs.getbifrost.ai/edge/admin-approvals" rel="noopener noreferrer"&gt;approvals dashboard&lt;/a&gt; in Bifrost allows teams to review discovered MCP servers and mark them as approved or denied. Once a server is denied, &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; blocks its execution on the device, ensuring that only &lt;a href="https://docs.getbifrost.ai/edge/app-governance" rel="noopener noreferrer"&gt;vetted applications&lt;/a&gt; can interact with company data.&lt;/p&gt;

&lt;h2&gt;
  
  
  Implementation: Fleet-Wide MCP Visibility
&lt;/h2&gt;

&lt;p&gt;For enterprise teams, manual detection is not scalable. Organizations can deploy &lt;a href="https://www.getmaxim.ai/bifrost/edge" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; using Mobile Device Management (MDM) platforms such as Jamf, Microsoft Intune, or Kandji. A &lt;a href="https://docs.getbifrost.ai/edge/deployment-mdm" rel="noopener noreferrer"&gt;managed MDM deployment&lt;/a&gt; ensures that every computer in the organization is automatically brought under the centralized governance policy.&lt;/p&gt;

&lt;p&gt;Once deployed, &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; populates the &lt;a href="https://docs.getbifrost.ai/edge/admin-devices" rel="noopener noreferrer"&gt;devices dashboard&lt;/a&gt;, which lists every host, its owner, and the specific AI applications and MCP servers detected on the machine. This allows security teams to answer critical questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which employees are using experimental MCP servers?&lt;/li&gt;
&lt;li&gt;Are there unauthorized coding agents accessing internal source code?&lt;/li&gt;
&lt;li&gt;Is there a specific version of a server running that contains a known vulnerability?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Beyond simple blocking, the gateway allows for &lt;a href="https://docs.getbifrost.ai/mcp/filtering" rel="noopener noreferrer"&gt;tool filtering&lt;/a&gt;. This means an organization can allow an MCP server but restrict it to specific tools or functions, providing a more granular level of &lt;a href="https://docs.getbifrost.ai/enterprise/data-access-control" rel="noopener noreferrer"&gt;access control&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Building a Secure AI Workflow
&lt;/h2&gt;

&lt;p&gt;Securing the Model Context Protocol requires a shift in how infrastructure is managed. Relying on users to self-report their tool usage is insufficient for modern security standards. By implementing a centralized &lt;a href="https://www.getmaxim.ai/bifrost/resources" rel="noopener noreferrer"&gt;governance hub&lt;/a&gt; and extending it to the endpoint, organizations can enable their teams to use AI tools productively without compromising the security of the corporate environment.&lt;/p&gt;

&lt;p&gt;Teams evaluating their AI security posture can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;request a Bifrost demo&lt;/a&gt; to see these governance tools in action or explore the &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source repository&lt;/a&gt; to understand the underlying architecture.&lt;/p&gt;

&lt;h2&gt;
  
  
  Sources
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://modelcontextprotocol.io/introduction" rel="noopener noreferrer"&gt;Model Context Protocol Introduction&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/mcp/overview" rel="noopener noreferrer"&gt;Bifrost MCP Overview&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/edge/overview" rel="noopener noreferrer"&gt;Bifrost Edge Governance&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.anthropic.com/en/docs/agents-and-tools/mcp#mcp-server-configuration" rel="noopener noreferrer"&gt;Anthropic: Claude Desktop Configuration&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final" rel="noopener noreferrer"&gt;NIST: Managing Shadow IT and Shadow AI Risks&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>mcp</category>
      <category>devops</category>
    </item>
    <item>
      <title>Zero-downtime deploys for our self-hosted LLM gateway</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 13:22:33 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/zero-downtime-deploys-for-our-self-hosted-llm-gateway-4g2e</link>
      <guid>https://dev.to/claire_nguyen/zero-downtime-deploys-for-our-self-hosted-llm-gateway-4g2e</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; Getting zero-downtime deploys on a self-hosted LLM gateway comes down to readiness probes that gate traffic, connection draining on shutdown, and running more than one instance behind a load balancer. We did it with Bifrost on EKS.&lt;/p&gt;

&lt;p&gt;A rolling upgrade of our self-hosted LLM gateway dropped roughly 0.4% of in-flight requests one afternoon because old pods stopped accepting connections before the replacements passed their readiness checks. We run &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt;, &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;the open-source AI gateway&lt;/a&gt; from Maxim AI, in front of every internal service at Buildkite that calls an LLM, so a botched upgrade hits more than one team at once. This post covers how we got to actual zero-downtime deploys on a self-hosted LLM gateway, the health-check wiring that made it work, and what still bites us.&lt;/p&gt;

&lt;h2&gt;
  
  
  What zero-downtime means for a self-hosted LLM gateway
&lt;/h2&gt;

&lt;p&gt;Zero-downtime deploys for a self-hosted LLM gateway mean no in-flight request fails while you swap versions. You need readiness probes that gate traffic before a pod joins the pool, connection draining so terminating pods finish their work, and at least two instances behind a load balancer so the pool keeps serving while one node restarts. Miss any of those and you drop requests.&lt;/p&gt;

&lt;p&gt;We had the load balancer part sorted from day one. The draining and probe wiring is where we got it wrong, and the failure mode was quiet: a handful of 502s during each deploy that nobody noticed until a downstream team's retry budget started complaining.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why our first rolling upgrade dropped requests
&lt;/h2&gt;

&lt;p&gt;The bug was the classic Kubernetes shutdown race. When a pod is deleted, kubelet sends SIGTERM and removes the pod from Service endpoints at the same time, but those two events are not ordered against in-flight load balancer routing. The &lt;a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination" rel="noopener noreferrer"&gt;Kubernetes pod termination docs&lt;/a&gt; spell out that endpoint removal and SIGTERM happen concurrently, so a request already in flight can still land on a pod that has begun shutting down.&lt;/p&gt;

&lt;p&gt;Because &lt;a href="https://www.getmaxim.ai/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; is a Go binary, it exits fast on SIGTERM, which made the race worse. The process was gone before the load balancer stopped sending it traffic. The fix was a &lt;code&gt;preStop&lt;/code&gt; hook to hold the pod open long enough for endpoint propagation, plus a readiness probe so new pods only take traffic once they can actually serve. Running it as a &lt;a href="https://docs.getbifrost.ai/features/drop-in-replacement" rel="noopener noreferrer"&gt;drop-in replacement&lt;/a&gt; for the OpenAI base URL meant none of our services needed code changes while we sorted the deploy mechanics.&lt;/p&gt;

&lt;h2&gt;
  
  
  Rolling upgrades with clustering and load balancing
&lt;/h2&gt;

&lt;p&gt;Here is the deployment shape that stopped the drops. The &lt;code&gt;preStop&lt;/code&gt; sleep covers endpoint propagation, and &lt;code&gt;terminationGracePeriodSeconds&lt;/code&gt; gives in-flight LLM calls time to finish, since a streaming completion can run for tens of seconds.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;3&lt;/span&gt;
  &lt;span class="na"&gt;strategy&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;rollingUpdate&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;maxUnavailable&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;
      &lt;span class="na"&gt;maxSurge&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;terminationGracePeriodSeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;60&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bifrost&lt;/span&gt;
          &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;maximhq/bifrost:latest&lt;/span&gt;
          &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
          &lt;span class="na"&gt;readinessProbe&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;httpGet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/&lt;/span&gt;
              &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
            &lt;span class="na"&gt;periodSeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;5&lt;/span&gt;
          &lt;span class="na"&gt;lifecycle&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;preStop&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;exec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
                &lt;span class="na"&gt;command&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;sleep"&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;15"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;With &lt;code&gt;maxUnavailable: 0&lt;/code&gt; and &lt;code&gt;maxSurge: 1&lt;/code&gt;, the new pod has to pass its readiness probe before an old one leaves. Across three replicas, the request pool never drops below full capacity. Bifrost's &lt;a href="https://docs.getbifrost.ai/features/fallbacks" rel="noopener noreferrer"&gt;automatic fallbacks and load balancing&lt;/a&gt; handle provider-side weighting, but the deploy-side availability is plain Kubernetes mechanics that you have to get right yourself.&lt;/p&gt;

&lt;p&gt;For multi-node coordination we use Bifrost &lt;a href="https://docs.getbifrost.ai/enterprise/clustering" rel="noopener noreferrer"&gt;clustering&lt;/a&gt; so config and rate-limit state stay consistent across instances during a rolling swap. On the throughput side, a single instance sustains 5,000 RPS with about 11µs of added latency per request per the &lt;a href="https://www.getmaxim.ai/bifrost/resources/benchmarks" rel="noopener noreferrer"&gt;published benchmarks&lt;/a&gt;, so three replicas gave us plenty of headroom to lose one mid-deploy without backing up the queue.&lt;/p&gt;

&lt;h2&gt;
  
  
  Observability so we trust the deploy
&lt;/h2&gt;

&lt;p&gt;A deploy you cannot watch is a deploy you cannot trust. We wired Bifrost &lt;a href="https://docs.getbifrost.ai/features/observability" rel="noopener noreferrer"&gt;observability&lt;/a&gt; into our existing Prometheus stack and tag every request with a deploy-version label using the &lt;code&gt;x-bf-lh-*&lt;/code&gt; metadata headers. The metrics path uses async writes with under 0.1ms overhead, so the logging itself does not skew the latency we are trying to protect during a rollout.&lt;/p&gt;

&lt;p&gt;Now each rolling upgrade shows up as a clean version cutover on the dashboard, with the 5xx rate flat through the transition. When something does regress, the per-version labels tell us within one scrape interval whether the new image is the cause. The &lt;a href="https://www.getmaxim.ai/bifrost/resources/governance" rel="noopener noreferrer"&gt;governance and metrics resources&lt;/a&gt; cover the label model in more detail than I will here.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and limitations
&lt;/h2&gt;

&lt;p&gt;Clustering is an enterprise feature, not part of the open-source core, so a single-instance hobby setup will not give you the cross-node state coordination described above. Be honest about that before you plan a multi-node topology.&lt;/p&gt;

&lt;p&gt;Self-hosting also means you own the deploy. Bifrost gives you the gateway, but the readiness probes, &lt;code&gt;preStop&lt;/code&gt; timing, and grace periods are yours to tune, and the right &lt;code&gt;terminationGracePeriodSeconds&lt;/code&gt; depends on your longest streaming completion. The ecosystem is younger than LiteLLM, so you will find fewer random blog posts when you hit an edge case, though the docs covered what we needed. If you want a fully managed control plane instead of running pods, this self-hosted path is more work than it is worth.&lt;/p&gt;

&lt;h2&gt;
  
  
  Wrapping up
&lt;/h2&gt;

&lt;p&gt;Zero-downtime deploys for a self-hosted LLM gateway are mostly about ordering: readiness before traffic, drain before exit, surplus capacity before you remove a node. Bifrost made the gateway layer fast and boring enough that the only thing left to get right was our Kubernetes wiring. If you want to see the clustering and governance pieces in action, you can &lt;a href="https://getmaxim.ai/bifrost/book-a-demo" rel="noopener noreferrer"&gt;book a demo&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  Further reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/enterprise/clustering" rel="noopener noreferrer"&gt;Bifrost clustering docs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/observability" rel="noopener noreferrer"&gt;Bifrost observability docs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination" rel="noopener noreferrer"&gt;Kubernetes pod lifecycle and termination&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.getmaxim.ai/bifrost/resources/benchmarks" rel="noopener noreferrer"&gt;Bifrost benchmarks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/" rel="noopener noreferrer"&gt;Configuring readiness and liveness probes&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>infrastructure</category>
      <category>llm</category>
      <category>devops</category>
      <category>sre</category>
    </item>
    <item>
      <title>Why graceful pod shutdown on EKS kept throwing 502s on deploy</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Wed, 24 Jun 2026 04:21:15 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/why-graceful-pod-shutdown-on-eks-kept-throwing-502s-on-deploy-2f1h</link>
      <guid>https://dev.to/claire_nguyen/why-graceful-pod-shutdown-on-eks-kept-throwing-502s-on-deploy-2f1h</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR:&lt;/strong&gt; Graceful pod shutdown on EKS needs a preStop delay plus tuned ALB deregistration, otherwise the load balancer keeps routing to terminating pods and returns 502s mid-rollout. Here's the fix we shipped and how we tested it.&lt;/p&gt;

&lt;p&gt;During a routine deploy of our build orchestration API on EKS last month, the ALB logged roughly 1,400 HTTP 502s across the 90 seconds it took to roll three replicas. Nobody got paged, but our availability SLO dashboard showed a clear dip on every deploy, and we deploy a fair few times a day. We run EKS 1.29 with the AWS Load Balancer Controller in IP target mode, and the root cause was a race in graceful pod shutdown that nobody had tuned for. No worries if you've hit this; it's common and the fix is small once you see it.&lt;/p&gt;

&lt;h2&gt;
  
  
  What graceful pod shutdown actually means on EKS
&lt;/h2&gt;

&lt;p&gt;Graceful pod shutdown is the sequence Kubernetes runs when terminating a pod: it removes the pod from Service endpoints, executes any preStop hook, sends SIGTERM to the container, then SIGKILL once the grace period expires. The &lt;a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination" rel="noopener noreferrer"&gt;pod termination lifecycle&lt;/a&gt; is well documented, but the catch on EKS is that endpoint removal inside the cluster and target deregistration at the ALB happen on different clocks.&lt;/p&gt;

&lt;p&gt;When the controller runs in IP mode, the ALB sends traffic straight to pod IPs, not through kube-proxy. So the in-cluster endpoint can vanish while the ALB still has that pod IP registered as a healthy target. For a few seconds, the load balancer routes requests at a pod that's already mid-shutdown, and you get 502s.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the load balancer keeps sending traffic to terminating pods
&lt;/h2&gt;

&lt;p&gt;The timing gap is the whole problem. The moment a pod enters Terminating, kubelet starts the shutdown clock and the container can begin refusing connections. Meanwhile the ALB only stops sending new requests after it processes the deregistration, and connection draining respects the &lt;a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#deregistration-delay" rel="noopener noreferrer"&gt;deregistration delay&lt;/a&gt;, which defaults to 300 seconds.&lt;/p&gt;

&lt;p&gt;So you have two failure shapes. Either the app stops accepting connections before the ALB has stopped sending them, which is the 502 we saw, or you set the grace period too short and SIGKILL lands while requests are still in flight. The trick is keeping the pod alive and serving until the ALB has actually deregistered it. That's what the preStop hook buys you.&lt;/p&gt;

&lt;h2&gt;
  
  
  The preStop hook and deregistration delay fix
&lt;/h2&gt;

&lt;p&gt;We added a preStop sleep so the container stays up and keeps serving in-flight requests while deregistration propagates, and we set a grace period longer than that sleep. The values came from watching how long deregistration took during a rollout, which for us was about 10 to 12 seconds.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;terminationGracePeriodSeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;40&lt;/span&gt;
  &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;orchestrator&lt;/span&gt;
      &lt;span class="na"&gt;lifecycle&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;preStop&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;exec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;command&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;/bin/sh"&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;-c"&lt;/span&gt;&lt;span class="pi"&gt;,&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;sleep&lt;/span&gt;&lt;span class="nv"&gt; &lt;/span&gt;&lt;span class="s"&gt;20"&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The sleep does nothing clever. It just delays SIGTERM so the pod keeps answering during the window where the ALB might still route to it. We also enabled pod readiness gates via the AWS Load Balancer Controller, so a new pod isn't marked Ready until the ALB reports its target as healthy. That closes the matching race on the scale-up side, where a fresh pod takes traffic before it's actually registered.&lt;/p&gt;

&lt;p&gt;A cleaner long-term option is handling SIGTERM in the application itself: stop accepting new connections, finish in-flight ones, then exit. We're moving that way, but the preStop sleep got the 502s to zero on the same afternoon, so it shipped first.&lt;/p&gt;

&lt;h2&gt;
  
  
  Testing it with a game day
&lt;/h2&gt;

&lt;p&gt;I don't trust a fix I haven't watched fail under load, so we ran a small game day. We pointed a constant load generator at the service and triggered a rolling deploy while watching the status codes. A simple loop with &lt;code&gt;hey&lt;/code&gt; does the job:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;hey &lt;span class="nt"&gt;-z&lt;/span&gt; 120s &lt;span class="nt"&gt;-c&lt;/span&gt; 50 https://orchestrator.internal/healthz
kubectl rollout restart deployment/orchestrator
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Before the change, every rollout produced a burst of 502s in the &lt;code&gt;hey&lt;/code&gt; summary that lined up exactly with the Terminating events in &lt;code&gt;kubectl get pods -w&lt;/code&gt;. After adding the preStop hook and readiness gates, three consecutive rollouts under the same 50-concurrent load showed zero 502s. That's the only evidence I'll accept that graceful pod shutdown is genuinely working, because "never had a bad deploy" usually just means nobody measured one.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and limitations
&lt;/h2&gt;

&lt;p&gt;A preStop sleep is a blunt instrument. It adds fixed latency to every pod termination, so a 20 second sleep across a large deployment slows your rollouts and your scale-down. If you're cost-sensitive on spot capacity, that delay is real money.&lt;/p&gt;

&lt;p&gt;It also masks the better fix. Sleeping the container is a workaround for an app that doesn't drain connections on SIGTERM, and if your app holds long-lived connections, a flat sleep won't cover them. Readiness gates help, but they add a dependency on the AWS Load Balancer Controller being healthy, and they make pod startup slower because Ready now waits on ALB registration. Pick the grace period from observed deregistration time, not a number you reckon looks safe.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where to go next
&lt;/h2&gt;

&lt;p&gt;If your EKS deploys throw 502s, instrument the rollout first: run constant load, watch status codes against pod Terminating events, and measure your actual deregistration time before picking a preStop value. Then decide whether a sleep is enough or whether you want proper SIGTERM draining in the app. The next thing I'd try is replacing the static sleep with application-level connection draining, so the pod exits as soon as in-flight requests finish instead of always waiting the full window.&lt;/p&gt;

&lt;h2&gt;
  
  
  Further reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination" rel="noopener noreferrer"&gt;Kubernetes pod termination lifecycle&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.aws.amazon.com/elasticloadbalancing/latest/application/edit-target-group-attributes.html#deregistration-delay" rel="noopener noreferrer"&gt;AWS target group deregistration delay&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/deploy/pod_readiness_gate/" rel="noopener noreferrer"&gt;AWS Load Balancer Controller pod readiness gates&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/" rel="noopener noreferrer"&gt;Kubernetes container lifecycle hooks&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>sre</category>
      <category>infrastructure</category>
      <category>llm</category>
      <category>kubernetes</category>
    </item>
    <item>
      <title>We made our LLM gateway a single point of failure. Then we tested it.</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Tue, 23 Jun 2026 13:21:51 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/we-made-our-llm-gateway-a-single-point-of-failure-then-we-tested-it-25ca</link>
      <guid>https://dev.to/claire_nguyen/we-made-our-llm-gateway-a-single-point-of-failure-then-we-tested-it-25ca</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR: We put an LLM gateway in front of about 40 internal services to get failover and one billing view. Then a game day showed the gateway itself was now the thing that took everything down. Here's how we ran two Bifrost replicas, what broke, and where LiteLLM and Portkey were honestly better for us.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Right, so the irony. We added a gateway to stop one flaky provider from taking down our internal tooling at Buildkite. Anthropic 529s, OpenAI timeouts, the usual. The gateway gave us automatic fallbacks and a single place to see spend. Lovely.&lt;/p&gt;

&lt;p&gt;What it also gave us was a brand new single point of failure that nothing on our side had been tested against.&lt;/p&gt;

&lt;h2&gt;
  
  
  How we got here
&lt;/h2&gt;

&lt;p&gt;We run a fair bit of LLM-backed tooling internally. PR summarisers, a flaky-test classifier, log triage. Around 40 services, all of them eventually calling OpenAI or Bedrock.&lt;/p&gt;

&lt;p&gt;Every team had its own keys, its own retry logic, its own idea of a timeout. No worries when one service breaks. Real problem when a provider has a bad hour and 40 services all melt down differently.&lt;/p&gt;

&lt;p&gt;So we put &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; in the middle. One OpenAI-compatible endpoint, &lt;a href="https://docs.getbifrost.ai/features/retries-and-fallbacks" rel="noopener noreferrer"&gt;automatic fallbacks&lt;/a&gt; between providers, and &lt;a href="https://docs.getbifrost.ai/features/observability/default" rel="noopener noreferrer"&gt;Prometheus metrics&lt;/a&gt; we didn't have to build. Spend went to one dashboard. Good outcome.&lt;/p&gt;

&lt;p&gt;The catch is obvious in hindsight. Forty services now had a hard dependency on one box.&lt;/p&gt;

&lt;h2&gt;
  
  
  The game day
&lt;/h2&gt;

&lt;p&gt;We do game days. "Never had an outage" usually means you never tested your failure handling, and I'd rather find the gap on a Tuesday than at 3am.&lt;/p&gt;

&lt;p&gt;First run, single replica. We killed the gateway pod. 38 of 40 services started failing within 4 seconds. The two that survived had their own local fallback to a cached response. Everyone else just ate connection-refused.&lt;/p&gt;

&lt;p&gt;Lesson one: a gateway you run as one replica is worse than no gateway. You've concentrated the blast radius and added a hop.&lt;/p&gt;

&lt;p&gt;So we moved to two replicas behind a Kubernetes Service, with proper probes. Bifrost is stateless for routing, which makes horizontal scaling boring in the good way. Config lives in &lt;code&gt;config.json&lt;/code&gt; and env-referenced secrets, so both pods read the same provider setup.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="c1"&gt;# bifrost-deployment.yaml (trimmed)&lt;/span&gt;
&lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;replicas&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
  &lt;span class="na"&gt;template&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;spec&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;containers&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;bifrost&lt;/span&gt;
          &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;maximhq/bifrost:latest&lt;/span&gt;
          &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;containerPort&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
          &lt;span class="na"&gt;readinessProbe&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;httpGet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/metrics&lt;/span&gt;
              &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
            &lt;span class="na"&gt;periodSeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;5&lt;/span&gt;
            &lt;span class="na"&gt;failureThreshold&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;2&lt;/span&gt;
          &lt;span class="na"&gt;livenessProbe&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;httpGet&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;path&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/metrics&lt;/span&gt;
              &lt;span class="na"&gt;port&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;8080&lt;/span&gt;
            &lt;span class="na"&gt;periodSeconds&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;10&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Second run, killed one of two pods. Readiness flipped that pod out in about 8 seconds. p99 on the surviving pod jumped from 180ms to roughly 340ms while it carried full load, then settled once Kubernetes scheduled a replacement. No service-level errors. That's the result we wanted.&lt;/p&gt;

&lt;h2&gt;
  
  
  What still bit us
&lt;/h2&gt;

&lt;p&gt;Killing a pod is the easy test. The nasty one is a slow gateway, not a dead one.&lt;/p&gt;

&lt;p&gt;We injected 700ms of latency on one replica using a sidecar. Bifrost stayed "ready" because &lt;code&gt;/metrics&lt;/code&gt; answered fine, but real requests crawled. Health checks that only prove the process is alive don't prove it's useful. We ended up adding our own synthetic probe that does a tiny &lt;code&gt;/v1/chat/completions&lt;/code&gt; call against a cheap model every 15 seconds and alerts on latency, not just liveness.&lt;/p&gt;

&lt;p&gt;The other gotcha was client timeouts. Several services had no timeout at all, so a degraded gateway meant threads piling up. We standardised on a 30s client timeout and let Bifrost's &lt;a href="https://docs.getbifrost.ai/features/retries-and-fallbacks" rel="noopener noreferrer"&gt;retries and fallbacks&lt;/a&gt; handle the provider-side mess.&lt;/p&gt;

&lt;h2&gt;
  
  
  How it compares
&lt;/h2&gt;

&lt;p&gt;We tested three before committing. All three do the core job. They differ on what happens when you push them.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Concern&lt;/th&gt;
&lt;th&gt;Bifrost&lt;/th&gt;
&lt;th&gt;LiteLLM&lt;/th&gt;
&lt;th&gt;Portkey&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Self-hosted HA&lt;/td&gt;
&lt;td&gt;Stateless, easy 2+ replicas&lt;/td&gt;
&lt;td&gt;Stateless, works fine&lt;/td&gt;
&lt;td&gt;Self-host is heavier, more moving parts&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Failover config&lt;/td&gt;
&lt;td&gt;Per-request fallbacks, native&lt;/td&gt;
&lt;td&gt;Solid router fallbacks&lt;/td&gt;
&lt;td&gt;Strong, config-driven&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Native Prometheus&lt;/td&gt;
&lt;td&gt;Yes, built in&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;td&gt;Via their stack&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Latency overhead&lt;/td&gt;
&lt;td&gt;Low, Go-based&lt;/td&gt;
&lt;td&gt;Higher under load in our test&lt;/td&gt;
&lt;td&gt;Low, but managed-first&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Managed dashboard&lt;/td&gt;
&lt;td&gt;Behind enterprise&lt;/td&gt;
&lt;td&gt;Lighter&lt;/td&gt;
&lt;td&gt;This is their strength&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Honest read: if you want a polished managed dashboard with the least ops work, Portkey is genuinely ahead. If you're already deep in Python and want the widest community model coverage, LiteLLM's router is hard to beat and it's been battle-tested by a lot of people. We picked Bifrost because the Go binary held p99 better under our load test and the self-hosted clustering story was the least fiddly for our EKS setup.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and limitations
&lt;/h2&gt;

&lt;p&gt;The gateway is still a dependency. Two replicas reduce risk, they don't delete it. If your config is wrong, both pods are wrong together.&lt;/p&gt;

&lt;p&gt;Semantic caching saved us real money on repeated PR-summary calls, but it can serve a stale answer when prompts are near-identical but context differs. Worth tuning the similarity threshold rather than trusting defaults.&lt;/p&gt;

&lt;p&gt;Adding the hop costs you something. Our measured median overhead was single-digit milliseconds, which is nothing next to provider latency, but it's not zero and you should measure it on your own traffic, not trust mine.&lt;/p&gt;

&lt;p&gt;And clustering with adaptive load balancing sits in &lt;a href="https://www.getmaxim.ai/bifrost/enterprise" rel="noopener noreferrer"&gt;enterprise&lt;/a&gt;. The open-source path scales horizontally fine for our size, but know where the line is before you plan.&lt;/p&gt;

&lt;h2&gt;
  
  
  Further Reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/retries-and-fallbacks" rel="noopener noreferrer"&gt;Bifrost retries and fallbacks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/observability/default" rel="noopener noreferrer"&gt;Bifrost observability and Prometheus metrics&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/semantic-caching" rel="noopener noreferrer"&gt;Semantic caching docs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;Bifrost GitHub repo&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/" rel="noopener noreferrer"&gt;Kubernetes probe configuration&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>sre</category>
      <category>infrastructure</category>
      <category>llm</category>
      <category>devops</category>
    </item>
    <item>
      <title>EBS gp2 burst credits ran dry and our builds slowed to a crawl</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Tue, 23 Jun 2026 04:21:28 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/ebs-gp2-burst-credits-ran-dry-and-our-builds-slowed-to-a-crawl-5402</link>
      <guid>https://dev.to/claire_nguyen/ebs-gp2-burst-credits-ran-dry-and-our-builds-slowed-to-a-crawl-5402</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR: A chunk of our EC2 build agents got slow at the same time every afternoon. No CPU pressure, no memory pressure, no network weirdness. It was EBS gp2 burst credits draining to zero, and the fix was a one-line volume type change to gp3 plus a CloudWatch alarm we should've had years ago.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Right, so this one annoyed me for about a week before the penny dropped.&lt;/p&gt;

&lt;p&gt;I work on the core compute platform at Buildkite. We run a fleet of EC2 build agents that pick up jobs off a queue and run them. Sydney afternoon, roughly 2pm local, a handful of agents would start dragging. Builds that normally finished in 4 minutes were taking 11. Not all agents. Maybe 15% of the fleet at any given time.&lt;/p&gt;

&lt;h2&gt;
  
  
  The symptom that lied to us
&lt;/h2&gt;

&lt;p&gt;First instinct was the obvious stuff. CPU? Flat at 30%. Memory? Plenty free. The agent process itself looked bored.&lt;/p&gt;

&lt;p&gt;One of our test suites shells out to an LLM step for flaky-test classification, routed through a gateway, so my first paranoid thought was an upstream provider slowdown. We run that traffic through Bifrost so failover and latency are visible per-provider, and the dashboards there were clean. Not the model. Not the gateway. The slow part was local.&lt;/p&gt;

&lt;p&gt;So I SSH'd onto a sick agent mid-build and ran &lt;code&gt;iostat -x 1&lt;/code&gt;. There it was. &lt;code&gt;%util&lt;/code&gt; pinned at 100, &lt;code&gt;await&lt;/code&gt; sitting around 80ms, and the volume was doing maybe 100 IOPS when the workload clearly wanted more.&lt;/p&gt;

&lt;p&gt;A gp2 volume. 100GB. Baseline 300 IOPS.&lt;/p&gt;

&lt;h2&gt;
  
  
  Burst credits, the thing nobody remembers
&lt;/h2&gt;

&lt;p&gt;Here's the bit that bites people. A gp2 EBS volume gives you 3 IOPS per GB as a baseline. Our 100GB volumes get 300 baseline IOPS. Below 1TB, volumes earn burst credits and can spike to 3000 IOPS, but only while they've got credits in the bucket.&lt;/p&gt;

&lt;p&gt;Those credits refill at the baseline rate. Burn faster than you refill and the bucket empties. When it hits zero you're hard-capped at 300 IOPS until it recovers.&lt;/p&gt;

&lt;p&gt;Our build agents do a lot of small random writes. Cloning repos, unpacking caches, npm doing what npm does with its 40,000 tiny files. Early in an agent's life it's got a full credit bucket and flies. After a few hours of back-to-back builds, the bucket's empty. The 2pm pattern wasn't a time-of-day thing at all. It was just agents that had been alive long enough to drain their credits.&lt;/p&gt;

&lt;p&gt;You can watch it happen. The metric is &lt;code&gt;BurstBalance&lt;/code&gt;, a percentage, and we had zero alarms on it.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aws cloudwatch get-metric-statistics &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--namespace&lt;/span&gt; AWS/EBS &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--metric-name&lt;/span&gt; BurstBalance &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--dimensions&lt;/span&gt; &lt;span class="nv"&gt;Name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;VolumeId,Value&lt;span class="o"&gt;=&lt;/span&gt;vol-0abc123def456 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--start-time&lt;/span&gt; 2026-06-20T00:00:00Z &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--end-time&lt;/span&gt; 2026-06-20T06:00:00Z &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--period&lt;/span&gt; 300 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--statistics&lt;/span&gt; Minimum
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Run that against a sick volume and you'll see &lt;code&gt;Minimum&lt;/code&gt; walking down toward 0 over the build session. Clean as.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why gp3 fixes it
&lt;/h2&gt;

&lt;p&gt;gp3 doesn't do the burst-credit dance. You get a flat 3000 IOPS baseline regardless of size, and you can provision up to 16,000 if you pay for it. No bucket, no draining, no surprise cliff at hour three.&lt;/p&gt;

&lt;p&gt;It's also cheaper for our shape of workload. gp3 storage is about 20% less per GB than gp2, and the first 3000 IOPS are included.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Volume type&lt;/th&gt;
&lt;th&gt;Baseline IOPS (100GB)&lt;/th&gt;
&lt;th&gt;Burst behaviour&lt;/th&gt;
&lt;th&gt;Predictable under sustained load&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;gp2&lt;/td&gt;
&lt;td&gt;300&lt;/td&gt;
&lt;td&gt;Credits to 3000, then cliff&lt;/td&gt;
&lt;td&gt;No&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;gp3&lt;/td&gt;
&lt;td&gt;3000 (flat)&lt;/td&gt;
&lt;td&gt;None, provision up to 16k&lt;/td&gt;
&lt;td&gt;Yes&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;io2&lt;/td&gt;
&lt;td&gt;Provisioned, up to 64k&lt;/td&gt;
&lt;td&gt;None&lt;/td&gt;
&lt;td&gt;Yes, but pricey&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For a build fleet, gp3 is the boring correct answer. io2 is overkill unless you genuinely need tens of thousands of sustained IOPS, and we don't.&lt;/p&gt;

&lt;p&gt;The migration is a volume modification, no snapshot dance, no detach:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;aws ec2 modify-volume &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--volume-id&lt;/span&gt; vol-0abc123def456 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--volume-type&lt;/span&gt; gp3 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--iops&lt;/span&gt; 3000 &lt;span class="se"&gt;\&lt;/span&gt;
  &lt;span class="nt"&gt;--throughput&lt;/span&gt; 125
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We baked it into the launch template so every new agent comes up gp3. Existing volumes got modified in a rolling batch over a maintenance window. p95 build duration on the affected cohort dropped from 9.2 minutes back to 4.1.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and limitations
&lt;/h2&gt;

&lt;p&gt;gp3 isn't free of footguns. The default throughput is 125 MB/s, and if your workload is throughput-heavy rather than IOPS-heavy you'll need to bump that separately, because gp3 decouples the two. We left ours at 125 and it's fine, but I've seen teams forget and wonder why their big sequential reads didn't speed up.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;modify-volume&lt;/code&gt; also has a cooldown. You can't modify the same volume again for 6 hours, so if you fat-finger the IOPS number you're waiting it out. Plan the values before you run it.&lt;/p&gt;

&lt;p&gt;And this didn't make our agents infinitely fast. It removed an artificial cliff. If a build is genuinely I/O bound at 3000 IOPS, gp3 buys you headroom, not magic. The real long-term fix for us is shrinking what we write to disk per build, which is a slower piece of work.&lt;/p&gt;

&lt;p&gt;Last thing. Burst credits exist on other AWS resources too, with different names and different cliffs. T-series instance CPU credits. NAT gateway. If you've got one burst-credit surprise in your stack, you've probably got more hiding.&lt;/p&gt;

&lt;h2&gt;
  
  
  Further Reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://docs.aws.amazon.com/ebs/latest/userguide/ebs-volume-types.html" rel="noopener noreferrer"&gt;Amazon EBS volume types&lt;/a&gt; — the gp2 vs gp3 IOPS model in AWS's own words&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://docs.aws.amazon.com/ebs/latest/userguide/using_cloudwatch_ebs.html" rel="noopener noreferrer"&gt;Monitoring EBS BurstBalance with CloudWatch&lt;/a&gt; — the metric we should've alarmed on&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://aws.amazon.com/blogs/storage/migrate-your-amazon-ebs-volumes-from-gp2-to-gp3-and-save-up-to-20-on-costs/" rel="noopener noreferrer"&gt;Migrating gp2 to gp3&lt;/a&gt; — the modify-volume path, no downtime&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;Bifrost&lt;/a&gt; — the gateway we route LLM build steps through, handy for ruling provider latency in or out fast&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://man7.org/linux/man-pages/man1/iostat.1.html" rel="noopener noreferrer"&gt;iostat man page&lt;/a&gt; — &lt;code&gt;%util&lt;/code&gt; and &lt;code&gt;await&lt;/code&gt; are your friends when a disk is lying to you&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;She'll be right once you alarm on the bucket. Don't wait a week like I did.&lt;/p&gt;

</description>
      <category>infrastructure</category>
      <category>devops</category>
      <category>sre</category>
      <category>aws</category>
    </item>
    <item>
      <title>Semantic caching our flaky-test summariser: 58% fewer LLM calls</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Mon, 22 Jun 2026 13:22:33 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/semantic-caching-our-flaky-test-summariser-58-fewer-llm-calls-3c53</link>
      <guid>https://dev.to/claire_nguyen/semantic-caching-our-flaky-test-summariser-58-fewer-llm-calls-3c53</guid>
      <description>&lt;p&gt;&lt;strong&gt;TL;DR: Our internal flaky-test summariser at Buildkite was firing ~40k LLM calls a day, and most were near-duplicates of failures we'd already explained. Switching on semantic caching in Bifrost cut live provider calls by 58% and dropped p50 latency on cache hits from ~900ms to about 40ms. It also kept the feature alive when our primary provider browned out for 11 minutes.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  The feature that wouldn't shut up
&lt;/h2&gt;

&lt;p&gt;On our platform team (eight of us) we shipped a small thing last quarter: when a test goes flaky in a Buildkite pipeline, we pass the failure output to an LLM and stick a plain-English summary on the build page. Devs liked it. The provider bill less so.&lt;/p&gt;

&lt;p&gt;By March it was making roughly 40,000 calls a day against &lt;code&gt;anthropic/claude-haiku&lt;/code&gt;, with &lt;code&gt;openai/gpt-4o-mini&lt;/code&gt; as the fallback. p50 latency sat around 900ms. The monthly bill crept past $310. Not catastrophic. But the calls were doing the same work over and over.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the calls were so repetitive
&lt;/h2&gt;

&lt;p&gt;Here's the bit that bugged me. Flaky tests are flaky for the same reasons across builds. A timeout in &lt;code&gt;payments_spec.rb&lt;/code&gt; looks almost identical on Tuesday as it did on Monday, minus a timestamp and a container ID.&lt;/p&gt;

&lt;p&gt;So we were paying full freight to summarise text we'd already summarised. Different bytes, same meaning. A normal key-based cache misses all of these because the strings never match exactly. That's the whole problem semantic caching solves: it matches on meaning, not on an md5 of the prompt.&lt;/p&gt;

&lt;p&gt;We already ran everything through Bifrost as our gateway, mostly for the automatic failover. Turns out the &lt;a href="https://docs.getbifrost.ai/features/semantic-caching" rel="noopener noreferrer"&gt;semantic caching&lt;/a&gt; was sitting right there.&lt;/p&gt;

&lt;h2&gt;
  
  
  Turning it on
&lt;/h2&gt;

&lt;p&gt;Bifrost runs as a single Go binary in front of our summariser. We added the cache plugin to the gateway config and pointed it at a small embedding model so we weren't paying much per lookup.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"plugins"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;[&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"semantic_cache"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"config"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"embedding_model"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"openai/text-embedding-3-small"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"threshold"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;0.92&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
        &lt;/span&gt;&lt;span class="nl"&gt;"ttl_seconds"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;86400&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;]&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The &lt;code&gt;threshold&lt;/code&gt; is the knob that matters. At 0.92 cosine similarity two failures have to be genuinely close before we serve a cached summary. We started at 0.97, which was too strict (hit rate sat around 20%), and walked it down while spot-checking summaries against the real failures.&lt;/p&gt;

&lt;p&gt;Settled on 0.92. Cache hit rate landed at 58% over the first three weeks. On a hit, the summariser returns in ~40ms instead of waiting on a provider round trip. No code change in our app, since Bifrost speaks the &lt;a href="https://docs.getbifrost.ai/features/drop-in-replacement" rel="noopener noreferrer"&gt;same OpenAI-compatible API&lt;/a&gt; we already called.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the brownout taught us
&lt;/h2&gt;

&lt;p&gt;Two weeks in, our primary provider had a rough afternoon. Elevated errors and timeouts for 11 minutes. Normally Bifrost's &lt;a href="https://docs.getbifrost.ai/features/retries-and-fallbacks" rel="noopener noreferrer"&gt;fallback&lt;/a&gt; kicks the traffic to the secondary, which it did.&lt;/p&gt;

&lt;p&gt;But the cache did something I hadn't planned for. More than half the requests during that window never reached either provider, because they matched recent failures already in the cache. The blast radius shrank on its own. The fallback handled the genuinely new failures, the cache absorbed the repeats, and nobody filed a ticket. She'll be right, basically.&lt;/p&gt;

&lt;p&gt;That's the reliability angle people miss with caching. It's not only a cost lever. It's load shedding you get for free when an upstream goes wobbly.&lt;/p&gt;

&lt;h2&gt;
  
  
  Bifrost vs LiteLLM vs Portkey
&lt;/h2&gt;

&lt;p&gt;We looked at the obvious alternatives before committing. All three can do semantic caching. They're not the same.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Capability&lt;/th&gt;
&lt;th&gt;Bifrost&lt;/th&gt;
&lt;th&gt;LiteLLM&lt;/th&gt;
&lt;th&gt;Portkey&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Semantic cache&lt;/td&gt;
&lt;td&gt;Built in, config-driven&lt;/td&gt;
&lt;td&gt;Yes, via Redis + embeddings&lt;/td&gt;
&lt;td&gt;Yes, mature&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Failover + cache together&lt;/td&gt;
&lt;td&gt;Single binary&lt;/td&gt;
&lt;td&gt;Proxy + Redis to wire up&lt;/td&gt;
&lt;td&gt;SaaS, polished&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Self-host&lt;/td&gt;
&lt;td&gt;Go binary, Docker&lt;/td&gt;
&lt;td&gt;Python proxy&lt;/td&gt;
&lt;td&gt;Self-host or cloud&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Dashboard&lt;/td&gt;
&lt;td&gt;Built-in web UI&lt;/td&gt;
&lt;td&gt;Community UI&lt;/td&gt;
&lt;td&gt;Strongest of the three&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Provider breadth&lt;/td&gt;
&lt;td&gt;23+&lt;/td&gt;
&lt;td&gt;Very broad&lt;/td&gt;
&lt;td&gt;Broad&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;Honest read: LiteLLM has the bigger community and the widest provider list, and if you already run Redis their cache is well-trodden. Portkey's dashboard and analytics are the slickest of the lot, and for a team that wants a managed SaaS it's hard to argue against.&lt;/p&gt;

&lt;p&gt;We picked Bifrost because we self-host on ECS and wanted the failover and the cache in one Go process, not a Python proxy plus a Redis we'd have to babysit. Fewer moving parts to break on a game day.&lt;/p&gt;

&lt;h2&gt;
  
  
  Trade-offs and Limitations
&lt;/h2&gt;

&lt;p&gt;Semantic caching isn't free of sharp edges, and pretending otherwise would be daft.&lt;/p&gt;

&lt;p&gt;The threshold is a real risk. Set it too loose and you'll serve a summary from a &lt;em&gt;different&lt;/em&gt; failure that happens to read similarly. We caught two of these at 0.88 during tuning. A bad summary on a build page erodes trust fast, so we erred conservative at 0.92 and accept a lower hit rate for it.&lt;/p&gt;

&lt;p&gt;Embeddings add a little latency and cost on every lookup, including misses. With &lt;code&gt;text-embedding-3-small&lt;/code&gt; it's small, but it's not zero. For workloads where every input is genuinely unique, you'll pay the embedding tax and get almost nothing back.&lt;/p&gt;

&lt;p&gt;Cache invalidation is on you. When we changed the summariser's prompt, every cached entry was suddenly stale against the new format. We dropped the TTL to 24 hours so the cache rolls over daily rather than holding stale shapes for a week.&lt;/p&gt;

&lt;p&gt;And it doesn't replace failover. The cache helped during the brownout, but only because we had recent traffic. Cold cache plus dead provider equals a bad time. Keep your fallback chain regardless.&lt;/p&gt;

&lt;h2&gt;
  
  
  Further Reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/semantic-caching" rel="noopener noreferrer"&gt;Bifrost semantic caching docs&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/retries-and-fallbacks" rel="noopener noreferrer"&gt;Retries and fallbacks&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/features/drop-in-replacement" rel="noopener noreferrer"&gt;Drop-in replacement guide&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;Bifrost on GitHub&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://docs.getbifrost.ai/quickstart/gateway/setting-up" rel="noopener noreferrer"&gt;Gateway setup&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>sre</category>
      <category>devops</category>
      <category>llm</category>
      <category>mlops</category>
    </item>
    <item>
      <title>What is shadow AI and how to govern it</title>
      <dc:creator>claire nguyen</dc:creator>
      <pubDate>Mon, 22 Jun 2026 06:14:58 +0000</pubDate>
      <link>https://dev.to/claire_nguyen/what-is-shadow-ai-and-how-to-govern-it-1k4f</link>
      <guid>https://dev.to/claire_nguyen/what-is-shadow-ai-and-how-to-govern-it-1k4f</guid>
      <description>&lt;p&gt;&lt;em&gt;Shadow AI is the use of AI tools inside an organization without IT's knowledge or approval. This guide explains what it is, why it creates real security and compliance risk, and how the Bifrost AI gateway together with Bifrost Edge brings that usage under governance on every machine.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Most of the AI tools employees rely on at work run on their own machines and reach a model provider directly, without passing through any corporate network checkpoint. A developer can install a desktop assistant, paste in proprietary source code, and send it to a third-party model before anyone in security knows the tool exists. Industry analysts call this pattern shadow AI: the use of AI tools or applications by employees without the approval or oversight of the IT department. The scale is no longer marginal, as a 2026 Gartner survey of cybersecurity leaders found that 69 percent have evidence or suspect that employees are using public generative AI at work.&lt;/p&gt;

&lt;h2&gt;
  
  
  What shadow AI is
&lt;/h2&gt;

&lt;p&gt;Shadow AI is the use of AI tools, models, and services by employees without the knowledge, approval, or governance of an organization's IT or security teams. It is a subset of shadow IT, the broader category of hardware and software that IT has not approved, but it carries risks that older shadow IT controls were never designed to handle. The distinction matters for how an organization should respond.&lt;/p&gt;

&lt;p&gt;Where shadow IT generally involves an unapproved application or storage service, shadow AI centers on systems that process, generate, and retain data in ways that are difficult to reverse. Common forms include:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Public chatbots and assistants used on work data, such as the ChatGPT app or Claude Desktop signed in with a personal account.&lt;/li&gt;
&lt;li&gt;AI features inside browser tabs and SaaS products that an employee turns on without review.&lt;/li&gt;
&lt;li&gt;Coding agents in the terminal and IDE, including Claude Code, Codex, and Cursor, that read source code and call external services.&lt;/li&gt;
&lt;li&gt;MCP servers wired into those tools, which can read files, call APIs, and act on a user's behalf.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Salesforce's 2026 Workforce AI Survey found that 67 percent of employees use AI at work, while only 18 percent of organizations have a formal AI security policy. Adoption at that pace, with no governing layer underneath it, is what turns ordinary productivity into a security exposure.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why shadow AI is a security risk, not just a policy gap
&lt;/h2&gt;

&lt;p&gt;Shadow AI raises measurable security and compliance risk because sensitive data reaches systems that the organization cannot see, control, or audit. Gartner predicts that by 2030, more than 40 percent of organizations will experience &lt;a href="https://www.infosecurity-magazine.com/news/gartner-40-firms-hit-shadow-ai/" rel="noopener noreferrer"&gt;security or compliance incidents tied to the use of unauthorized AI&lt;/a&gt;, and the reasons follow directly from how these tools are used.&lt;/p&gt;

&lt;p&gt;The exposure goes well beyond a single pasted prompt. Several distinct failure modes make shadow AI harder to contain than earlier forms of unapproved software:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Data leaves the organization in a form that cannot be recalled. Once proprietary text enters a third-party model, it may be retained or used in ways the organization has no ability to reverse, unlike a file that can be deleted from a server.&lt;/li&gt;
&lt;li&gt;Compliance and audit trails break down. Legal and security teams cannot demonstrate where regulated data went, whether retention rules were followed, or whether residency obligations were met when the traffic never passed through a governed path.&lt;/li&gt;
&lt;li&gt;AI agents inherit standing access. An assistant connected through an MCP server can read email, repositories, and internal systems on a continuing basis, so the question shifts from what a user pasted once to what a connected tool can reach at any time.&lt;/li&gt;
&lt;li&gt;Governance trails adoption. Most organizations still have no reliable way to see which AI tools and connections are in use, which leaves the bulk of this activity outside any policy or review.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These concerns are not hypothetical; they describe what happens when fast, employee-driven adoption runs ahead of any mechanism for seeing or controlling it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why existing controls miss shadow AI
&lt;/h2&gt;

&lt;p&gt;Traditional network controls miss most shadow AI because the activity does not behave like the traffic those controls were built to inspect. Network proxies and data loss prevention systems observe what crosses the corporate network, yet a large share of AI usage runs on the endpoint and connects straight to a provider over an encrypted channel that resembles ordinary web traffic.&lt;/p&gt;

&lt;p&gt;Three gaps recur across the older approaches:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Network filtering and data loss prevention operate at the perimeter, so AI requests that originate and resolve on the device fall outside their view.&lt;/li&gt;
&lt;li&gt;Blocklists depend on a known list of destinations, and new AI tools, browser features, and MCP servers appear faster than any list can track.&lt;/li&gt;
&lt;li&gt;Written policies state what employees should do, but a document does not enforce anything at the moment a prompt is sent.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The common thread points toward the fix: the AI runs on the endpoint, where the person and the tool actually meet, so the endpoint is the one place where every request can be seen and governed before data leaves the machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  How the Bifrost AI gateway with Bifrost Edge govern shadow AI
&lt;/h2&gt;

&lt;p&gt;Governing shadow AI well takes two things that fit together: one place to define policy, and a way to apply that policy to the AI running on every machine. Bifrost, the &lt;a href="https://github.com/maximhq/bifrost" rel="noopener noreferrer"&gt;open-source AI gateway&lt;/a&gt; built by Maxim AI, is that one place. The gateway already holds the &lt;a href="https://docs.getbifrost.ai/deployment-guides/config-json/governance" rel="noopener noreferrer"&gt;virtual keys, budgets, and rate limits&lt;/a&gt; that tie AI usage to a person or project, the &lt;a href="https://docs.getbifrost.ai/enterprise/guardrails" rel="noopener noreferrer"&gt;guardrail profiles&lt;/a&gt; that inspect prompts and responses, and the audit logs that record every exchange. The limitation, until now, has been reach: those controls governed only the traffic that someone had configured to point at the gateway.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://docs.getbifrost.ai/edge/overview" rel="noopener noreferrer"&gt;Bifrost Edge&lt;/a&gt; closes that gap by running on each machine and routing all supported AI traffic through Bifrost, so the same virtual keys, budgets, guardrails, and audit logs that already protect gateway traffic now apply to the desktop apps, browser AI, and coding agents people use day to day. The gateway stays the single control plane, and Edge becomes its reach to the endpoint, so there is no second policy model to build or maintain.&lt;/p&gt;

&lt;p&gt;A request from any &lt;a href="https://docs.getbifrost.ai/edge/supported-applications" rel="noopener noreferrer"&gt;supported AI tool&lt;/a&gt; follows the same governed path on every machine:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;A user works in a desktop app, a browser AI surface, or a coding agent exactly as before, with &lt;a href="https://docs.getbifrost.ai/edge/how-it-works" rel="noopener noreferrer"&gt;no base URL change and no SDK swap&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Bifrost Edge routes that request through the organization's Bifrost rather than letting it go straight to the provider.&lt;/li&gt;
&lt;li&gt;Bifrost ties the request to the user's virtual key and its budget, runs the configured guardrails, and writes the exchange to the audit log.&lt;/li&gt;
&lt;li&gt;The governed response returns to the original app, with sensitive content already caught or redacted.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;
  
  
  Guardrails apply before data leaves the machine
&lt;/h3&gt;

&lt;p&gt;The &lt;a href="https://docs.getbifrost.ai/edge/security" rel="noopener noreferrer"&gt;guardrail profiles configured in Bifrost&lt;/a&gt; apply to endpoint traffic with no extra setup on the device. A guardrail runs before a prompt reaches a model and again before a response returns, so secrets and personal data are caught or redacted before they leave the machine. Built-in coverage includes Gitleaks-backed secrets detection for leaked API keys, tokens, and credentials, a PII detection template built on custom regex, and content safety, alongside integrations with AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI.&lt;/p&gt;

&lt;h3&gt;
  
  
  Visibility into MCP servers across the fleet
&lt;/h3&gt;

&lt;p&gt;Most organizations cannot say which MCP servers their employees have connected to AI tools. &lt;a href="https://docs.getbifrost.ai/edge/mcp-governance" rel="noopener noreferrer"&gt;Bifrost Edge inventories the MCP servers&lt;/a&gt; configured inside each supported app and builds a live picture across the fleet of which servers are in use, on which apps, and on how many devices. Administrators then allow or deny each server individually, and Edge enforces that decision on the device, even for an app that had the server configured before the policy existed. MCP discovery covers the major AI apps that support it, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.&lt;/p&gt;

&lt;h3&gt;
  
  
  App policy enforced on every device
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://docs.getbifrost.ai/edge/app-governance" rel="noopener noreferrer"&gt;App governance&lt;/a&gt; lets administrators decide which AI applications are permitted across the organization. Approved apps run normally, with their traffic governed through Bifrost, while disallowed apps are blocked before any data leaves the machine. When Edge encounters an app or MCP server it has not seen, it requests approval from the admin console, and administrators choose whether pending items are allowed or blocked while a decision is pending. Policy changes reach the whole organization at once, without anyone revisiting individual machines.&lt;/p&gt;

&lt;h3&gt;
  
  
  Rollout through your existing device management
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://docs.getbifrost.ai/edge/deployment-mdm" rel="noopener noreferrer"&gt;Bifrost Edge deploys through the device management platforms&lt;/a&gt; an organization already runs, including Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, across macOS, Windows, and Linux. The managed configuration carries only the connection settings that point each machine at the organization's Bifrost, and identity and keys come from the user's single sign-on, so no secrets sit on the device. After the first sign-in, governance stays in sync with the gateway, and central changes to app policy, MCP allow and deny lists, and routing reach the fleet on their own.&lt;/p&gt;

&lt;h2&gt;
  
  
  Common questions about shadow AI
&lt;/h2&gt;

&lt;h3&gt;
  
  
  Is shadow AI the same as shadow IT?
&lt;/h3&gt;

&lt;p&gt;Shadow AI is a subset of shadow IT, but the risk profile differs. Shadow IT covers any hardware or software that IT has not approved, whereas shadow AI specifically involves tools that process and retain data in a model, which makes the exposure harder to reverse and more likely to spread across teams.&lt;/p&gt;

&lt;h3&gt;
  
  
  Can shadow AI be detected?
&lt;/h3&gt;

&lt;p&gt;Shadow AI can be detected when AI requests are observed at the point where they originate. Because much of the usage runs on the endpoint, a layer that operates on the device, such as Bifrost Edge, can inventory the apps and MCP servers in use and route their traffic through a gateway where it becomes visible and auditable.&lt;/p&gt;

&lt;h3&gt;
  
  
  How do you govern AI coding agents?
&lt;/h3&gt;

&lt;p&gt;Coding agents such as Claude Code, Codex, and Cursor run locally and often connect directly to model providers and MCP servers. Routing their traffic through Bifrost applies the same guardrails, budgets, and audit logging used for the rest of an organization's AI, while app and MCP policies determine which agents and tools are allowed on each machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where this leaves enterprise teams
&lt;/h2&gt;

&lt;p&gt;Shadow AI persists because the activity happens on the endpoint and moves faster than perimeter controls can follow, so better intentions and longer policy documents do not resolve it on their own. The organizations that handle it well treat it first as a visibility problem and then as an enforcement problem, governing AI where people actually use it rather than where the network happens to see it.&lt;/p&gt;

&lt;p&gt;Pairing the Bifrost AI gateway with Bifrost Edge gives security and platform teams one control plane for that work, with the gateway defining the virtual keys, budgets, guardrails, and audit logs, and Edge, currently in alpha, extending them to every machine in the organization. Teams sizing up shadow AI can review how the combined approach works on the &lt;a href="https://docs.getbifrost.ai/edge/overview" rel="noopener noreferrer"&gt;Bifrost Edge overview&lt;/a&gt; and register there for alpha access.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>management</category>
      <category>security</category>
    </item>
  </channel>
</rss>
