Bifrost is the open-source AI gateway for building a complete AI audit trail and governing every AI interaction, from the data center to every laptop.
Ask most enterprises how many AI requests their employees fire off in a given day, and they can only vouch for a slice of them. The reason is simple: a request shows up in the logs only when something was deliberately wired to send it through a gateway. A trustworthy AI audit trail flips that default by recording each AI interaction in full (the prompt, the response, the model and provider involved, what it cost, and the policy verdict that shaped it), then preserving that record so it stays tamper-evident and easy to export. That is the job Bifrost was built for. The open-source AI gateway that Maxim AI wrote in Go gives enterprises a single control plane from which to route, govern, and audit the whole of their AI traffic. What follows is a walkthrough of two things: standing up an AI audit trail at the gateway, and pushing it out to every endpoint so that governance reaches every AI interaction and not merely the handful that were configured.
What an Enterprise AI Audit Trail Needs to Capture
Think of an AI audit trail as a single queryable ledger covering every AI interaction in the business. It tracks who or what issued each request, the content sent and received, the model and provider that handled it, the cost incurred, and each administrative tweak to the policies in force. For an enterprise, that ledger has to be tamper-evident, kept for a stated window of time, and exportable into the review tooling already in use.
Two layers, each filling a gap the other leaves, make such a trail genuinely useful:
- Administrative audit logs: every change to policy or configuration, captured with the actor behind it, the timestamp, the result, and which resource was touched.
- Request-level interaction logs: a structured entry for each AI request and its response, carrying the inputs, outputs, token counts, cost, latency, and the provider that fielded the call.
One layer settles the question "what did our organization's AI actually do?" The other settles "who altered the rules, and at what point?" Both are expected by compliance regimes including SOC 2, ISO 27001, GDPR, and HIPAA. In the same spirit, the NIST AI Risk Management Framework places documented accountability and traceability at the heart of its "Govern" and "Map" functions.
The Reason Few Enterprises Can Govern Every AI Interaction
Whatever traffic is configured to pass through a gateway is the only traffic that gateway can govern. Hold onto that fact, because it explains nearly every hole in an AI governance program. The usual pattern looks healthy on the surface: a team deploys a gateway, aims its production services at it, and watches those requests get logged cleanly. Beyond that boundary, though, everything goes dark.
And the dark portion keeps expanding. Staff download desktop chat apps, lean on AI inside the browser, fire up coding agents in the terminal and the IDE, and connect Model Context Protocol (MCP) servers to all of it, with not one of those paths ever pointed at a gateway. That ungoverned activity is shadow AI: sensitive information flowing out of the company through tools the security team never sees, unaccompanied by any audit trail, spend limit, or guardrail. Precisely this kind of unsupervised prompt traffic is why the OWASP Top 10 for LLM Applications ranks sensitive information disclosure among its top hazards.
So governing every AI interaction comes down to two pieces that have to operate in tandem. One is a control plane that sets and enforces policy over the traffic it can observe. The other is a way to pull the traffic it cannot observe under that very same control plane. Bifrost delivers the first as an AI gateway, and the second arrives through Bifrost Edge.
How Bifrost Assembles the Audit Trail at the Gateway
Bifrost serves as both control plane and policy engine for AI traffic. Anything routed through it is authenticated, governed, logged, and made observable, and that combination is exactly why the gateway is where the audit trail belongs.
Capture every interaction through built-in observability
Built-in observability ships inside Bifrost and, with no setup, records rich detail on each AI request and response moving through the gateway. A single entry holds the input messages, the model parameters, the provider and model that answered, the output, the token usage, the cost, the latency, and whether the call succeeded or failed. Because the logging happens asynchronously, building out the interaction trail costs the request no extra latency. This is the audit trail's request-level layer, and it fills in for every call without anyone editing application code.
Tie every request to a virtual key
The primary governance object in Bifrost is the virtual key. Each one comes with its own permissions, budgets, and rate limits, and you can scope it to a team or to a single customer. Since authentication for every request runs through a virtual key, the audit trail can pin each interaction to a particular consumer, project, or user instead of lumping it under one shared provider key. That precise attribution is the step that converts plain logs into a record you can hold someone accountable to. Teams running this at scale can study the patterns laid out on the Bifrost governance resource page.
Log every policy change with signed audit logs
Administrative activity is captured by Bifrost Enterprise audit logs, giving operators a way to see who changed what, the moment it happened, and the resource it affected. You can sign each audit entry with an HMAC key so it is independently verifiable, keep it for a number of days you choose, and filter the set by action, outcome, initiator, target, IP, and date range. Every entry holds the time, the action it represents (create, update, delete, authenticate, authorize, export, or import among them), the outcome, the initiator, and the target resource.
Apply content controls via guardrails and access control
There is more to governing an interaction than writing it down. Guardrails in Bifrost fire before a prompt ever reaches a model and again before a response goes back, intercepting secrets, PII, and content that is not allowed. As for the control plane itself, role-based access control limits who can administer it, so policy is only ever changed by authorized operators, and each such change drops into the signed audit log.
Carrying the Audit Trail Out to Every Endpoint with Bifrost Edge
For the traffic that actually reaches the gateway, the gateway audit trail is complete. What about the rest? Bifrost Edge shuts that remaining gap by stretching the same governance the whole way to the endpoint. If Bifrost is the policy engine, Bifrost Edge is the layer that ferries those policies out to every machine, so that the AI people genuinely reach for is governed and logged as well. Note that Bifrost Edge sits in alpha for now.
Running unobtrusively on each computer, Edge sends all AI traffic through the organization's Bifrost, covering desktop chat apps, AI in the browser, coding agents in the terminal and the IDE, and the MCP servers those tools hook into. Whatever virtual keys, budgets, audit logs, and guardrails were already set at the gateway now extend to endpoint AI on their own, without a single base URL to rewrite or SDK to swap out. Each endpoint interaction settles into the very same request-level log as gateway traffic, and that is what makes "every AI interaction" a scope you can actually reach rather than a slogan.
Take inventory of and govern MCP servers across the fleet
Edge tackles a blind spot most organizations simply cannot peer into: the MCP servers users have plugged into their AI tools. MCP governance catalogs the MCP servers configured within each AI app and assembles a live, fleet-wide picture of which servers are set up, in which places, and on how many devices. Per server, administrators issue an allow or deny decision, and Edge applies each one on the device itself, which means a denied server stays unusable even within an app that had it configured before any policy existed. Today, MCP discovery reaches the major AI apps that support it, among them Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.
Decide which AI apps get the green light
With app governance, administrators choose the AI applications permitted on company machines. The ones that are allowed run as usual and stay fully governed; the ones that are not get blocked before any data slips off the machine. Should Edge spot a fresh app or MCP server, it raises an approval request in the admin console, and administrators can decide in advance whether pending items default to allowed or blocked. Since policy lives in one central place, allowing or blocking an app propagates across the fleet without anyone touching individual devices, and each approval counts as an administrative action that the audit trail records.
Run the same guardrails on the laptop
Routing endpoint AI traffic through Bifrost means endpoint security and guardrails enforce the identical rules that already shield gateway traffic. A guardrail executes before the prompt arrives at a model and before the response heads back, so sensitive material such as secrets or PII is intercepted before it can leave the machine. The device needs no additional configuration; policy continues to live in exactly one place, the gateway.
Building an Audit Trail That Holds Up to Compliance
Logs alone do not satisfy compliance frameworks. What they actually demand is logs that carry attribution, resist tampering, persist on a schedule, and can be reviewed inside the tools auditors already work with. The Bifrost audit trail was shaped around that exact workflow.
- Attribution: each interaction is tied to a consumer through virtual keys, and each change is tied to an operator through role-based access control.
- Defined retention: you set retention in days, so records stick around for whatever period a given control demands.
- Tamper-evident records: an HMAC key can sign each audit log entry, making every event verifiable.
- Export into existing review systems: audit logs come out as JSON, JSON Lines, or Syslog (RFC 5424), feeding straight into SIEM and log-forwarding pipelines. Request-level interaction logs can travel onward via log exports into object storage and data lakes.
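The signed audit logs described under "Log every policy change with signed audit logs" and the tamper-evident bullet above can be checked on the receiving side of a JSON Lines export. The following is an added example, not Bifrost's own code. The page does not document the signing format, so the envelope field names `entry` and `sig`, the choice of HMAC-SHA256, and the hex encoding are all assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed envelope (not Bifrost's documented schema): "sig" is the hex
// HMAC-SHA256 over the exact bytes of "entry" as they appear in the export.
type signedLine struct {
	Entry json.RawMessage `json:"entry"`
	Sig   string          `json:"sig"`
}

func mac(key, raw []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(raw)
	return m.Sum(nil)
}

// VerifyJSONL returns the 1-based line numbers that fail to parse or verify.
func VerifyJSONL(key []byte, jsonl string) []int {
	var bad []int
	for i, line := range strings.Split(strings.TrimSpace(jsonl), "\n") {
		var l signedLine
		err := json.Unmarshal([]byte(line), &l)
		got, hexErr := hex.DecodeString(l.Sig)
		// RawMessage keeps entry's bytes exactly as signed; hmac.Equal is constant-time.
		if err != nil || hexErr != nil || !hmac.Equal(got, mac(key, l.Entry)) {
			bad = append(bad, i+1)
		}
	}
	return bad
}

// SampleLog returns three constructed lines; line 2 is edited after signing.
func SampleLog(key []byte) string {
	e := `{"time":"2025-01-01T10:00:00Z","action":"update","outcome":"success","initiator":"alice","target":"virtual-key/team-a"}`
	ok := fmt.Sprintf(`{"entry":%s,"sig":"%x"}`, e, mac(key, []byte(e)))
	return strings.Join([]string{ok, strings.Replace(ok, "alice", "mallory", 1), ok}, "\n")
}

func main() {
	fmt.Println(VerifyJSONL([]byte("demo-key"), SampleLog([]byte("demo-key"))))
}
```

In the constructed sample, line 3 is a byte-for-byte copy of line 1 and still verifies: a per-entry MAC shows that an entry was altered, but on its own it does not reveal duplicated, removed or reordered entries.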
Regulated industries can keep this audit trail entirely within their own perimeter. Through in-VPC and on-prem deployment paired with data access control, Bifrost ensures the record of every AI interaction need never leave infrastructure the team owns. Put the two halves together, gateway and endpoints, and a SOC 2, ISO 27001, GDPR, or HIPAA program can finally claim coverage of AI usage as a whole rather than a fraction of it.
What sets an AI audit trail apart from ordinary application logging?
Ordinary application logs document how a service behaves. An AI audit trail documents the AI-specific story instead: the prompt, the response, the model and provider, the cost, the guardrail decision, and the policy that applied at that moment, all attributed to a particular user or service.
Can an AI audit trail reach tools that employees install on their own?
It can, provided endpoint governance is running. By itself a gateway only sees configured traffic. Send endpoint AI through the gateway using Bifrost Edge, however, and desktop apps, browser AI, coding agents, and MCP servers all join the same logged, governed path.
Where do MDM and Bifrost Edge meet?
Fleet-wide rollout through the device management platforms organizations already run is exactly what Bifrost Edge is designed for. You can push it to every machine using Jamf, Intune, Kandji, Workspace ONE, or JumpCloud, shipping a managed configuration that aims each device at the organization's Bifrost, so governance switches on with no per-user setup at all.
Getting Started with Bifrost
A complete AI audit trail begins with one control plane that logs, attributes, and governs every AI interaction, and it grows from there to the endpoints where most ungoverned AI usage really takes place. Bifrost supplies the gateway, while Bifrost Edge carries that governance to every machine, so the audit trail mirrors all AI usage instead of only the configured slice. Want to see how the Bifrost AI gateway and its governance capabilities can hand your organization an auditable, governed record of every AI interaction? Book a demo with the Bifrost team.