Model Provider Routing Gate
Why this page exists. The secure context layer is not complete until it can answer one operational question: which model/provider is allowed to receive this context for this workflow, right now?
The product bet
SecurityRecipes is positioned as the Secure Context Layer for Agentic AI. That means context is not just retrieved, cited, signed, and egress-checked. It also needs a provider route decision before the next model call starts.
The enterprise version of agentic AI will be multi-provider. Teams will want OpenAI, Anthropic, xAI, private-cloud models, local models, and specialized guardrail models in the same estate. The problem is not choosing a favorite model. The problem is proving that the selected model route matches:
- the workflow,
- the data class,
- the autonomy level,
- the provider contract,
- the tenant region,
- the retention/training posture,
- the MCP and tool guardrails,
- the telemetry contract,
- the run receipt,
- and any human approval required for sensitive context.
The Model Provider Routing Gate makes that decision inspectable. It is a provider-neutral policy pack that enterprises can fork into their own model registry while keeping the open evidence shape stable.
What was added
- Source profile:
data/assurance/model-provider-routing-profile.json - Generator:
- Runtime evaluator:
- Evidence pack:
data/evidence/model-provider-routing-pack.json - MCP tools:
recipes_model_provider_routing_packand
Regenerate and validate the pack:
Evaluate a tenant-sensitive route before a model call starts:
Routing contract
The default state is hold_for_model_provider_review. A route is not
trusted just because a model is capable. The decision contract requires:
| Proof | What it prevents |
|---|---|
| Approved provider profile | Shadow AI, personal accounts, unmanaged agents, and revoked contracts. |
| Approved model route | Model misbinding and ad hoc provider/model selection. |
| Data-class allowlist | Customer code, regulated data, secrets, and browser context crossing the wrong boundary. |
| Autonomy ceiling | High-impact autonomy using a route intended only for assisted or bounded work. |
| ZDR / private runtime | Sensitive context being retained, trained on, or reused outside the tenant boundary. |
| DPA and residency evidence | External processor and regional-policy drift. |
| MCP gateway enforcement | Tool-backed context bypassing resource, audience, scope, and session controls. |
| Tool/output guardrails | Model calls starting before tool or output tripwires can block side effects. |
| Redacted telemetry | Prompts, tool arguments, outputs, and retrieved context becoming a new data sink. |
| Run receipt binding | Provider decisions that cannot be reconstructed during review or incident response. |
| Egress decision | Model routing bypassing the context egress boundary. |
Route classes
The generated pack ships with five reference routes:
| Route | Default decision | Intended use |
|---|---|---|
public-context-frontier-route |
allow_approved_route |
Public SecurityRecipes context, generated open evidence, and vulnerability intelligence. |
tenant-remediation-frontier-route |
allow_guarded_route |
Tenant remediation work through an approved frontier provider under enterprise controls. |
private-runtime-restricted-route |
allow_guarded_route |
Private runtime for tenant source, regulated data, and restricted support context. |
browser-and-untrusted-content-guardrail-route |
allow_guarded_route |
Blocking guardrail classification before browser or untrusted-content work proceeds. |
shadow-ai-deny-route |
deny_unapproved_route |
Personal accounts, unmanaged providers, and unsanctioned model hosts. |
Forks should replace abstract model IDs such as
frontier-code-and-security-reasoning with their approved OpenAI,
Anthropic, xAI, private-cloud, or local model SKUs.
Runtime decisions
The evaluator returns:
allow_approved_routewhen a low-risk route has all required evidence.allow_guarded_routewhen a sensitive route is acceptable with guardrails, receipts, telemetry, egress approval, and human approval.hold_for_model_provider_reviewwhen the route is plausible but proof is missing.deny_unapproved_routewhen the provider, route, workflow, data class, or autonomy request is not approved.kill_session_on_provider_signalwhen the request includes secrets, cross-tenant context, non-HTTPS endpoints, denied egress, or another route-level kill signal.
Why this matters
The review-ready story is simple: SecurityRecipes can become the neutral policy layer that makes multi-model agentic AI safe to approve. Open knowledge gets teams started. The hosted-ready surface is the hosted provider-routing PDP, tenant-specific model registry, contract-state checks, route telemetry, procurement exports, and trust-center evidence.
That is valuable to a frontier lab, an AI coding platform, a cloud platform, or a security vendor because it reduces the reviewer friction around letting agents use powerful models on real enterprise context.
MCP examples
Inspect all provider routes:
recipes_model_provider_routing_pack()
Review one workflow’s preferred routes:
recipes_model_provider_routing_pack(
workflow_id="sast-finding-remediation"
)
Evaluate a route:
Industry alignment
This feature follows current guidance:
- MCP Authorization 2025-11-25 for resource indicators, audience-bound tokens, HTTPS, PKCE, scope challenges, and token validation.
- MCP Security Best Practices for confused-deputy prevention, token-passthrough denial, scope minimization, SSRF controls, session safety, and audit trails.
- OWASP Top 10 for Agentic Applications 2026 for agent goal hijacking, tool misuse, privilege abuse, context poisoning, insecure inter-agent communication, cascading failures, and rogue-agent containment.
- OWASP MCP Top 10 for model misbinding, context spoofing, prompt-state manipulation, insecure memory references, and covert-channel concerns in MCP-shaped systems.
- OpenAI prompt-injection guidance for source-sink reasoning, constrained impact, and user confirmation before sensitive transmissions.
- OpenAI Agents SDK Guardrails and Tracing for input, output, and tool guardrails plus trace evidence.
- Anthropic Claude Code Security for read-only defaults, explicit approvals, trusted MCP server configuration, isolated execution, and command review.
- CISA AI Data Security for AI lifecycle data provenance, integrity, access control, monitoring, third-party handling, and incident evidence.
- NIST AI RMF and NIST AI 600-1 for govern/map/measure/manage practices and generative-AI risk management.
See also
- Context Egress Boundary for data-class and destination decisions before context leaves a boundary.
- Agentic Telemetry Contract for model-call and tool-call trace evidence.
- Agentic Run Receipts for proof that a run stayed inside delegated authority.
- MCP Authorization Conformance for OAuth resource, audience, PKCE, session, and scope-drift checks.
- Agentic App Intake Gate for app-level launch review before autonomy expands.