Many organizations attempt to govern AI usage with network-level filtering, but modern encryption and AI-specific protocols render this approach ineffective. A dedicated AI gateway like Bifrost combined with endpoint visibility provides the deep control required for genuine security and governance.
As organizations grapple with the rapid adoption of AI tools, a common first instinct is to control their use at the network perimeter. The thinking is straightforward: if all traffic passes through a central firewall or proxy, it should be possible to inspect that traffic, identify requests to AI services, and block them. However, this approach, which relies on traditional network-level filtering, consistently falls short of providing meaningful AI control. Modern application protocols and the specific nature of AI traffic make it nearly impossible for network devices to see, understand, or act on AI requests with any reliability.
This analysis examines the technical limitations of network-level AI filtering and contrasts it with a purpose-built approach. Solutions like Bifrost, an open-source AI gateway, combined with endpoint agents, offer a more robust method for governing AI by operating at the correct layer of the technology stack.
The Limits of Network-Level Inspection
Network security appliances like firewalls and secure web gateways have historically relied on techniques such as deep packet inspection (DPI) to analyze and filter traffic. These tools inspect the content of network packets to identify signatures, keywords, or destinations associated with prohibited applications. While effective for simpler protocols of the past, this method is fundamentally breaking down against modern, encrypted web traffic.
Challenge 1: Pervasive Encryption (TLS 1.3)
The vast majority of web traffic, including virtually all API calls to AI providers like OpenAI and Anthropic, is encrypted with Transport Layer Security (TLS). The current standard, TLS 1.3, significantly enhances privacy and security by encrypting more of the handshake process than its predecessors.
A key change in TLS 1.3 is the encryption of the server certificate, which means that even the Server Name Indication (SNI) extension, previously a reliable indicator of the destination hostname, can be hidden through Encrypted Client Hello (ECH). As ECH adoption grows, network devices lose the ability to reliably determine which service a user is connecting to without decrypting the traffic.
Decrypting TLS traffic, often called "TLS inspection" or "man-in-the-middle" interception, is a resource-intensive process with significant drawbacks:
- Performance Degradation: Decrypting and re-encrypting every connection adds substantial latency and requires powerful, expensive hardware.
- Security Risks: It weakens end-to-end security by creating a central point of failure and can break applications that use certificate pinning for security.
- Maintenance Overhead: Managing the trusted certificates required for interception across an entire organization is a complex operational burden.
Without full TLS decryption, a network filter is mostly blind. It can see an encrypted connection to an IP address owned by a major cloud provider like AWS or Google Cloud, but it cannot know if that connection is for an AI service or any of the thousands of other services hosted on that same infrastructure.
Challenge 2: The Rise of HTTP/3 and QUIC
The web is also shifting from TCP to the QUIC protocol, which underpins HTTP/3. Unlike TCP, which can be inspected at the transport layer, QUIC is encrypted by default. Its headers, which contain critical session information, are part of the encrypted payload. This design choice was made explicitly to prevent network middleboxes from interfering with the protocol's evolution and to enhance user privacy.
As a result, network appliances that rely on analyzing TCP headers are completely unable to interpret QUIC traffic. They cannot distinguish between different streams within a connection or identify the application-layer protocol being used. For a network filter, a QUIC connection is an opaque, encrypted UDP stream. According to Google, over 60% of their client traffic is already over QUIC, and its adoption is accelerating across the web. This shift renders signature-based network filtering increasingly obsolete.
Challenge 3: Lack of AI-Specific Context
Even if a network device could decrypt and inspect the traffic, it lacks the context to make intelligent governance decisions. An AI gateway operates at the application layer and understands the structure of an AI request. A network firewall does not.
Consider these critical governance questions that are impossible to answer at the network level:
- Model Usage: Is this request for
gpt-4oor a much cheaper, less capable model? - Prompt Content: Does the prompt contain personally identifiable information (PII), credentials, or intellectual property?
- Budget Control: Has this specific user or project team exceeded its allocated budget for the month?
- Tool Usage: Is the AI agent attempting to use a high-risk external tool via Model Context Protocol (MCP)?
- Failover Logic: If a request to Anthropic's Claude 3.5 Sonnet fails, should it be retried on Google's Gemini 1.5 Pro?
A network filter sees a stream of text going to an endpoint. It cannot parse the JSON payload to identify the model, analyze the prompt for sensitive data with guardrails, or associate the request with a specific virtual key to enforce a budget. This lack of context makes granular control impossible.
A Better Approach: AI-Native Governance
Effective AI governance requires moving control from the network perimeter to a dedicated layer that understands AI traffic. This is the role of an AI gateway like Bifrost, which acts as a central control plane for all AI requests.
An AI gateway is a specialized service that sits between applications and AI providers. Because it operates at the application layer, it can terminate the TLS connection cleanly and analyze the full request payload. This enables a level of control that network filtering cannot achieve.
Key Capabilities of an AI Gateway
- Granular Routing: Direct requests to specific models or providers based on payload content, user identity, or other metadata using advanced routing rules.
- Budget and Rate Limit Enforcement: Apply fine-grained budgets and rate limits to users, teams, or projects.
- Content Guardrails: Inspect prompts and responses for sensitive data, secrets, or policy violations before they reach the model or the user.
- Automatic Failover: Ensure application reliability by automatically rerouting requests when a primary provider experiences an outage or performance degradation.
- Unified Observability: Maintain detailed audit logs of every request, including prompt content, model used, cost, and latency, for compliance and analysis.
- Semantic Caching: Reduce costs and improve latency by caching responses to semantically similar queries, a concept completely foreign to network-level tools.
Closing the Loop with Endpoint Control
An AI gateway governs traffic that is configured to pass through it. However, a significant amount of AI usage happens directly on employee machines through desktop apps like Claude Desktop, browser-based tools like ChatGPT, and coding agents in the terminal. This "shadow AI" bypasses any central gateway.
This is where an endpoint agent like Bifrost Edge becomes essential. Edge is a lightweight agent deployed on employee machines that automatically routes all AI traffic through the organization's central Bifrost AI gateway. This combined approach ensures that the same governance, security, and observability policies apply everywhere, whether the AI request originates from a production server or a developer's laptop.
With Bifrost Edge, organizations can discover which AI apps and MCP servers are in use across the fleet, and enforce centralized allow/deny policies on the device itself. This extends the gateway's control to the last mile, providing comprehensive visibility and enforcement that network-level filtering cannot match.
Conclusion: Use the Right Tool for the Job
Attempting to control modern AI applications with traditional network filters is an exercise in futility. The convergence of strong encryption, modern protocols like QUIC, and the need for application-specific context renders network-level inspection ineffective. It provides a false sense of security while failing to address the real risks of ungoverned AI usage.
A purpose-built AI gateway offers a superior solution by operating at the correct layer of abstraction. It understands the nuances of AI requests and provides the granular control over routing, security, and costs that organizations require. When combined with an endpoint agent to govern shadow AI, this approach delivers a complete, reliable, and future-proof platform for AI governance. Teams evaluating AI control solutions can request a Bifrost demo or explore the open-source repository to learn more.
Sources
- How Encrypted Client Hello (ECH) Works - Cloudflare
- QUIC Protocol Specification (RFC 9000) - Internet Engineering Task Force (IETF)
- Google's Adoption of QUIC - The Chromium Projects
- An Overview of TLS 1.3 and its Advantages - SSL.com



Top comments (0)