AI Governance · AI + MCP Gateway · 2026
Emil Pastor
Applied AI and Data
Emil Pastor
← Back

Governed Agentic AI · Reference Architecture

Governance was always
an enforcement problem.
AI just removed the friction that hid it.

A multi-agent financial crime investigation system built on Neo4j, Anthropic Claude, and a dual gateway control plane — demonstrating that a gateway control plane is the only way to make AI governance real at execution.

Neo4j AuraDBClaude Haiku + Sonnet MCP GatewayAI Gateway FastMCP · RailwayRole-Based ACL Graph-Native AuditApache 2.0
System at a Glance
15
MCP Tools
3
AI Agents
2
Gateway Layers
4
System Layers
7
Orch. Stages
0
Bypass Paths
Executive Summary

Most AI governance frameworks describe what should happen. This system enforces what can happen. Entity Risk AI is a fully governed multi-agent investigation platform. Every tool call and every LLM invocation routes through a dual gateway control plane before reaching any upstream service. Denied actions are blocked, logged, and traceable. No agent — and no human — bypasses the control plane. The audit trail lives in Neo4j as a queryable subgraph, not a flat log file.

The Problem
Why Governance Fails at Execution

Governance Lives Outside the System

Organisations have policies, roles, and approval workflows. What most don't have is a single point where those policies are enforced at the moment a decision is made. Governance describes intent. Execution determines reality.

AI agents make this gap impossible to ignore. They don't hesitate. They don't ask for exceptions. They execute every permitted path, consistently, at machine speed. What was occasional becomes guaranteed.

The Fix Is Architectural, Not Cultural

The answer is not more policy documentation. It is a control plane — a single enforcement layer that sits between intent and execution for every action, human or agent, before it happens.

That layer must be centralised (no bypass paths), fail-closed (denied actions blocked and logged), fully traceable, and role-consistent — the same gate applies to humans and agents equally.

Architectural Highlights
What Makes This System Different
🔐
Dual Gateway Control Plane
The MCP Gateway enforces tool-level access via key-auth and consumer-group ACL. The AI Gateway routes and rate-limits all LLM traffic. No agent holds upstream credentials.
🤖
Multi-Agent Orchestration
Graph, Risk, and Trace agents orchestrated by Claude Sonnet. Each dispatches only through MCP — never touching the database directly. A 7-stage workflow controls the full lifecycle.
🕸️
Graph-Native Audit Trail
Every action persisted as a TraceEvent in Neo4j, linked to the business nodes it touched. A queryable subgraph — independent, replayable, and deletable without side effects.
🛡️
Fail-Closed by Default
Gateway denials (HTTP 403) propagate as StepStatus.SKIPPED in the trace. Never silent. Permitted and denied outcomes are both recorded.
👤
Same Rules, Every Actor
Junior and Senior analysts have structurally different tool access enforced at the gateway via consumer groups — not in application code. Same gate for humans and agents. Every time.
System Architecture · Four Layers · Two Gateways · One Principle
Layer 01
Application
Streamlit UI · LLM Planner · Specialist Agents · Orchestrator
Layer 02
Gateway
MCP Gateway · AI Gateway · key-auth · ACL · rate-limit
Layer 03
Execution
FastMCP Server · Anthropic Claude API · Railway hosting
Layer 04
Storage
Neo4j AuraDB · Business Graph · Trace Subgraph
Gateway Control Plane
Two Gateways. One Enforcement Principle.
MCP GatewayTool Access Control

Routes all 15 investigation tools through Kong's /mcp route with key-auth validation. Consumer groups enforce per-role restrictions. Denials return HTTP 403 and are traced.

AI GatewayLLM Traffic Control

All Anthropic calls route through Kong's AI Gateway. The planner uses /ai/sonnet; agents use /ai. The app never holds the Anthropic API key.

Why This Matters
Five Reasons This Architecture Is Significant
  • 1Agents don't introduce new risk. They make existing system permissiveness executable at scale. This addresses the root cause — the absence of an enforcement layer.
  • 2The gateway becomes the control plane for agentic AI. The single enforcement point between intent and execution — for both tool calls and model invocations.
  • 3The audit trail is proof, not documentation. Every action captured at execution time in a queryable graph. Retroactively demonstrable and reliable.
  • 4The same rules apply to everyone. Humans and agents governed identically. Same gate. Same policy. Every time. No carve-outs.
  • 5Production-deployable, not a proof of concept. Open-sourced Apache 2.0, hosted on Railway + Neo4j AuraDB, built on public Companies House UBO data.

The Problem · Entity Risk AI

AI agents expose governance gaps.
They don't create them.

Organisations have policies, roles, and approval workflows. What most don't have is a single point where those policies are enforced at the moment a decision is made — before an action reaches any system.

Situation
AI agents make existing permissiveness executable at scale

Enterprises operating in regulated industries — financial services, government, telco — have invested heavily in governance frameworks: role-based access, approval workflows, audit logging. But these controls live in documents, not in systems. When AI agents arrive, they execute every permitted path, consistently, at machine speed. What was occasional human error becomes guaranteed systemic behaviour.

🗃
Governance describes intent
Policies define what should happen. Without an enforcement layer, they have no mechanism to determine what actually does happen — especially at agent speed.
Agents don't hesitate
A human pauses, asks for exceptions, exercises judgement. An agent executes every permitted path, every time, without friction. Permissive systems become guaranteed outcomes.
👁
Audit trails come after the fact
Log files record what happened. They don't prevent it. A governance model built on logs is a post-mortem system — not a control system.
Task
Enforce what AI can actually do — not just what policy says it should

The requirement

Design a multi-agent financial crime investigation system where every tool call and every LLM invocation is evaluated against policy before it reaches any upstream service. Governance must be enforced at execution — not described in a README. Denied actions must be blocked, logged, and traceable. No bypass paths.

The constraint

The same rules must apply to human analysts and AI agents equally. A junior analyst restricted from a sensitive tool must face the same gate whether they click a button or an agent acts on their behalf. Role-based access cannot live in application code — it must be centralised and fail-closed.

Action
A control plane that sits between intent and execution
Four-layer architecture
LAYER 1
Application
Streamlit UI, Investigation Planner, Orchestrator, and three specialist agents — Graph, Risk, Trace
LAYER 2
Control Plane
MCP Gateway enforces tool-level ACL. AI Gateway routes and rate-limits all LLM traffic. Both fail-closed on denial
LAYER 3
Execution
FastMCP server on Railway. Anthropic Claude API. Neither is ever called directly by the application
LAYER 4
Storage
Neo4j AuraDB — business graph and trace subgraph in one instance. Every action persisted as a TraceEvent node
🔒
Dual gateway enforcement
MCP Gateway controls which tools each consumer group can call. AI Gateway controls which models are accessible and at what rate. Two enforcement points, one principle.
🕐
Fail-closed by design
HTTP 403 denials propagate as StepStatus.SKIPPED in the audit trace. Permitted and denied outcomes are both recorded — never silent.
🔍
Graph-native audit trail
Every action persisted as a TraceEvent node in Neo4j, linked to the business nodes it touched. Queryable, replayable, and deletable without side effects.
Result
Governance enforced at execution. Every time. For every actor.

Entity Risk AI demonstrates that a gateway control plane is the only architectural pattern that makes AI governance real. Policies are not described — they are enforced at the moment of execution, for humans and agents equally, with a queryable audit trail that proves enforcement occurred.

  • 1
    Same rules, every actor. Junior and senior analysts have structurally different tool access enforced at the gateway via consumer groups — not in application code. The gate applies to agents acting on their behalf identically.
  • 2
    No upstream credentials in the application. The app holds only a consumer key. The gateway injects the Anthropic API key and the upstream MCP credentials. Compromise of the application does not expose upstream systems.
  • 3
    The audit trail is proof, not documentation. TraceEvent nodes are written at execution time — retroactively demonstrable, not reconstructed from logs.
  • 4
    Production-deployable, not a proof of concept. Open-sourced Apache 2.0, hosted on Railway and Neo4j AuraDB, built on public Companies House UBO data.
Reference Architecture

What Enforcement Actually Requires

A single control plane, enforced across multiple execution points. Every action, human or agent, evaluated before it reaches any system.  ·  Click any component to explore it.

Application Layer
Intent + Orchestration
🖥️
UI
🎯
Orchestrator
🧠
Planner
👤
Human Users
Specialist Agents
🔗
Graph Agent
⚠️
Risk Agent
🗂️
Trace Agent
Every action routed through control plane before execution
↓ CONTROL PLANE · WHAT MOST SYSTEMS DON'T HAVE ↓
Control Plane
Single control plane, enforced across multiple execution points
📋
Policy Engine
Policies translated into executable rules. Evaluated at runtime, not design time.
🪪
Identity, Role & Context
Session, request, and environmental context resolved. Same principal model for humans and agents.
🚦
Decision Engine (PDP)
Allow or deny at runtime. All decisions made before execution. Unpermitted actions are blocked and logged.
📊
Trace Capture & Audit
Every action recorded at execution. Permitted and denied. The audit trail is proof enforcement occurred.
↓ Permitted actions only PEP · Policy Enforcement Points at execution boundaries Results + audit data
Execution Layer
Runtime Systems
🔧
MCP Tools
tool invocations
💬
LLM Services
model inference
🌐
Enterprise APIs
SaaS / internal
Event Bus
async processing
Storage Layer
Persistence
🕸️
Graph Database
knowledge graph
🗄️
RDBMS / Operational
relational stores
🔍
Vector Index
retrieval / RAG
🗂️
Audit Storage
trace persistence
Centralised Access
All calls routed through the control layer. No execution path bypasses policy evaluation.
Fail Closed
Unpermitted actions are blocked and logged for audit. No silent pass-through.
Full Traceability
Every action logged at execution time. The audit trail is proof enforcement existed.
Same Rules, Every Actor
Humans and agents governed identically. Same gate. Same policy. Every time.
Applications generate intent. The control plane decides what is allowed. Execution systems only receive permitted actions.
Not the same job. Never the same layer.
Runtime Flow
1
Intent received
Human or agent submits query
2
Plan generated
LLM produces execution steps
3
Control plane evaluates
Every step checked against policy before dispatch
4
Execute
Permitted action reaches execution system
5
Denied → Blocked + Logged
Fail closed. Decision recorded for audit.
6
Trace persisted
All actions traced. Executed and denied.
← Click a component
to explore it
System Design · Entity Risk AI

Solution Architecture

↗ Click any component to explore its role

Application Layer UI + Orchestration + Agents
🖥️
Streamlit UI
app.py · src/app/
UI
🧠
Investigation Planner
Claude Sonnet via /ai/sonnet
LLM
🎯
Orchestrator
src/orchestration/
CORE
Specialist Agents
🔗
Graph Agent
entity_lookup · expand_ownership
AGENT
⚠️
Risk Agent
4 deterministic risk checks
AGENT
🗂️
Trace Agent
retrieve · summarise · replay
AGENT
Tool calls via MCP
LLM calls via AI proxy
Results + trace events
Gateway Layer — Control Plane Enforcement
🛡️
MCP Gateway
/mcp · key-auth · ACL · consumer groups
🚫
FAIL CLOSED
HTTP 403 → SKIPPED · Not logged. Not warned. Blocked.
🤖
AI Gateway
/ai · /ai/sonnet · ai-proxy · rate-limit
Permitted tool calls
Proxied LLM requests
Responses
Execution Layer Runtime
🚀
MCP Server
Railway · FastMCP · streamable-http · 15 tools
MCP
💬
Anthropic Claude
Haiku (agents) · Sonnet (planner)
LLM
Cypher queries
Trace events
Graph data + audit records
Storage Layer Persistence
🕸️
Neo4j Graph Database
AuraDB · Companies House UBO data
GRAPH
📋
Trace Subgraph
Same Neo4j instance · InvestigationTrace → TraceEvent → :ABOUT → business nodes
AUDIT
← Click a component
to explore it
Runtime Flow

System Control Flow

↗ Click any participant or message row to see what happens at that step

🖥️
Application
UI · Orchestrator · Agents
🛡️
MCP Gateway
/mcp · key-auth · ACL
🤖
AI Gateway
/ai · /ai/sonnet · ai-proxy
☁️
Upstream Services
MCP Server · Anthropic API
APP — Planning Phase
Planner → generate plan
POST /v1/messages · Sonnet · auth injected by ai-proxy
JSON plan returned
GATEWAY — Tool Enforcement Phase
resolve_entity · X-API-Key
ACL check: consumer group → tool allowlist
MCP tools/call → upstream · Railway
Canonical name returned
Tool call Agent.run() · PERMITTED ✓
Forward to MCP Server upstream
Tool call · DENIED 🚫
Gateway returns HTTP 403 · ACL denial → StepStatus.SKIPPED
TRACE — Persistence Phase
Persist TraceEvent · TraceService → Neo4j (both permitted + denied)
OrchestratorResult → Streamlit UI {steps, trace_id, final_answer}
Legend MCP / tool call AI / LLM call Permitted / traced Denied / blocked Response
← Click a participant
or message row
to explore it
Neo4j AuraDB · Property Graph · Two Subgraphs

Graph Data Model

↗ Click any node or relationship to explore its full schema  ·  Business graph (left) and Trace subgraph (right) shown together

BUSINESS GRAPH TRACE SUBGRAPH OWNS OWNS REGISTERED_AT HAS_SIC OFFICER_OF HAS_EVENT NEXT_EVENT ABOUT RETRIEVED Company focal entity Company parent / owner Person UBO / officer Address registered office SIC industry code Investigation Trace one per investigation Investigation Trace retrieved TraceEvent one per step
Nodes
Company
Person
Address
SIC
InvestigationTrace
TraceEvent
Relationships
OWNS
REGISTERED_AT
HAS_SIC
OFFICER_OF
HAS_EVENT
ABOUT
NEXT_EVENT
RETRIEVED
Click any node
or relationship
to explore its schema
entity-risk-ai · Live Configuration

Control Plane Configuration

Click any route or tool to inspect its full configuration

AI Gateway · ai-proxy-advanced
AI Gateway
AI Gateway Service · Routes LLM calls to Anthropic
Service
name ai-gateway-service
upstream Anthropic API via ai-proxy-advanced plugin
consumer entity-risk-ai-app (X-API-Key auth)
Routes — click to inspect
POST /ai
claude-haiku-4-5 50,000 tok/min
key-auth ai-proxy-advanced ai-rate-limiting-advanced ai-prompt-guard
POST /ai/sonnet
claude-sonnet-4-6 20,000 tok/min
key-auth ai-proxy-advanced ai-rate-limiting-advanced ai-prompt-guard
MCP Gateway · ai-mcp-proxy
MCP Gateway
mcp-upstream-service · Routes tool calls to Railway MCP server
Service
name mcp-upstream-service
host entity-risk-ai-production.up.railway.app
protocol / port https / 443
Route — click to inspect
GET/POST /mcp
Railway upstream
key-auth ai-mcp-proxy
Consumers & Groups
entity-risk-ai-app ungrouped orchestrator key
jr-analyst-app jr-analyst restricted access
sr-analyst-app sr-analyst full access
MCP Tools — 15 tools, click to inspect
All roles jr-analyst denied
resolve_entity all
validate_plan all
evaluate_stop_conditions all
entity_lookup all
company_profile all
expand_ownership all
shared_address_check all
sic_context all
ownership_complexity_check all
control_signal_check all
retrieve_trace all
find_traces_by_entity all
list_recent_traces all
address_risk_check deny: jr
industry_context_check deny: jr
Click any route or tool above to inspect its configuration

Read the Full Series

Medium

AI Agents Don't Break Governance. They Prove It Was Never There.

Why we must move from "Policy in a PDF" to real-time enforcement on the wire.