AI Governance · AI + MCP Gateway · 2026
Emil Pastor
Applied AI and Data
EP

Governed Agentic AI · Reference Architecture

Governance was always
an enforcement problem.
AI just removed the friction that hid it.

A multi-agent financial crime investigation system built on Neo4j, Anthropic Claude, and Kong — demonstrating that a gateway control plane is the only way to make AI governance real at execution.

Neo4j AuraDBClaude Haiku + Sonnet Kong MCP GatewayKong AI Gateway FastMCP · RailwayRole-Based ACL Graph-Native AuditApache 2.0
System at a Glance
15
MCP Tools
3
AI Agents
2
Kong Gates
4
System Layers
7
Orch. Stages
0
Bypass Paths
Executive Summary

Most AI governance frameworks describe what should happen. This system enforces what can happen. Entity Risk AI is a fully governed multi-agent investigation platform. Every tool call and every LLM invocation routes through Kong's dual gateway layer before reaching any upstream service. Denied actions are blocked, logged, and traceable. No agent — and no human — bypasses the control plane. The audit trail lives in Neo4j as a queryable subgraph, not a flat log file.

The Problem
Why Governance Fails at Execution

Governance Lives Outside the System

Organisations have policies, roles, and approval workflows. What most don't have is a single point where those policies are enforced at the moment a decision is made. Governance describes intent. Execution determines reality.

AI agents make this gap impossible to ignore. They don't hesitate. They don't ask for exceptions. They execute every permitted path, consistently, at machine speed. What was occasional becomes guaranteed.

The Fix Is Architectural, Not Cultural

The answer is not more policy documentation. It is a control plane — a single enforcement layer that sits between intent and execution for every action, human or agent, before it happens.

That layer must be centralised (no bypass paths), fail-closed (denied actions blocked and logged), fully traceable, and role-consistent — the same gate applies to humans and agents equally.

Architectural Highlights
What Makes This System Different
🔐
Dual Kong Gateway
Kong MCP Gateway enforces tool-level access via key-auth and consumer-group ACL. Kong AI Gateway routes and rate-limits all LLM traffic. No agent holds upstream credentials.
🤖
Multi-Agent Orchestration
Graph, Risk, and Trace agents orchestrated by Claude Sonnet. Each dispatches only through MCP — never touching the database directly. A 7-stage workflow controls the full lifecycle.
🕸️
Graph-Native Audit Trail
Every action persisted as a TraceEvent in Neo4j, linked to the business nodes it touched. A queryable subgraph — independent, replayable, and deletable without side effects.
🛡️
Fail-Closed by Default
Kong denials (HTTP 403) propagate as StepStatus.SKIPPED in the trace. Never silent. Permitted and denied outcomes are both recorded.
👤
Same Rules, Every Actor
Junior and Senior analysts have structurally different tool access enforced at the Kong gateway via consumer groups — not in application code. Same gate for humans and agents. Every time.
System Architecture · Four Layers · Two Gateways · One Principle
Layer 01
Application
Streamlit UI · LLM Planner · Specialist Agents · Orchestrator
Layer 02
Gateway
Kong MCP Gate · Kong AI Gate · key-auth · ACL · rate-limit
Layer 03
Execution
FastMCP Server · Anthropic Claude API · Railway hosting
Layer 04
Storage
Neo4j AuraDB · Business Graph · Trace Subgraph
Kong's Role
Two Gateways. One Enforcement Principle.
MCP GatewayTool Access Control

Routes all 15 investigation tools through Kong's /mcp route with key-auth validation. Consumer groups enforce per-role restrictions. Denials return HTTP 403 and are traced.

AI GatewayLLM Traffic Control

All Anthropic calls route through Kong's AI Gateway. The planner uses /ai/sonnet; agents use /ai. The app never holds the Anthropic API key in Kong mode.

Why This Matters
Five Reasons This Architecture Is Significant
  • 1Agents don't introduce new risk. They make existing system permissiveness executable at scale. This addresses the root cause — the absence of an enforcement layer.
  • 2Kong becomes the control plane for agentic AI. The single enforcement point between intent and execution — for both tool calls and model invocations.
  • 3The audit trail is proof, not documentation. Every action captured at execution time in a queryable graph. Retroactively demonstrable and reliable.
  • 4The same rules apply to everyone. Humans and agents governed identically. Same gate. Same policy. Every time. No carve-outs.
  • 5Production-deployable, not a proof of concept. Open-sourced Apache 2.0, hosted on Railway + Neo4j AuraDB, built on public Companies House UBO data.
Reference Architecture

What Enforcement Actually Requires

A single control plane, enforced across multiple execution points. Every action, human or agent, evaluated before it reaches any system.  ·  Click any component to explore it.

Application Layer
Intent + Orchestration
🖥️
UI
🎯
Orchestrator
🧠
Planner
👤
Human Users
Specialist Agents
🔗
Graph Agent
⚠️
Risk Agent
🗂️
Trace Agent
Every action routed through control plane before execution
↓ CONTROL PLANE · WHAT MOST SYSTEMS DON'T HAVE ↓
Control Plane
Single control plane, enforced across multiple execution points
📋
Policy Engine
Policies translated into executable rules. Evaluated at runtime, not design time.
🪪
Identity, Role & Context
Session, request, and environmental context resolved. Same principal model for humans and agents.
🚦
Decision Engine (PDP)
Allow or deny at runtime. All decisions made before execution. Unpermitted actions are blocked and logged.
📊
Trace Capture & Audit
Every action recorded at execution. Permitted and denied. The audit trail is proof enforcement occurred.
↓ Permitted actions only PEP · Policy Enforcement Points at execution boundaries Results + audit data
Execution / Resource Layer
Runtime Systems
🔧
MCP Tools
tool invocations
💬
LLM Services
model inference
🕸️
Graph Database
knowledge graph
🗄️
RDBMS / Operational
relational stores
🔍
Vector Index
retrieval / RAG
🌐
Enterprise APIs
SaaS / internal
Event Bus
async processing
🗂️
Audit Storage
trace persistence
Centralised Access
All calls routed through the control layer. No execution path bypasses policy evaluation.
Fail Closed
Unpermitted actions are blocked and logged for audit. No silent pass-through.
Full Traceability
Every action logged at execution time. The audit trail is proof enforcement existed.
Same Rules, Every Actor
Humans and agents governed identically. Same gate. Same policy. Every time.
Applications generate intent. The control plane decides what is allowed. Execution systems only receive permitted actions.
Not the same job. Never the same layer.
Runtime Flow
1
Intent received
Human or agent submits query
2
Plan generated
LLM produces execution steps
3
Control plane evaluates
Every step checked against policy before dispatch
4
Execute
Permitted action reaches execution system
5
Denied → Blocked + Logged
Fail closed. Decision recorded for audit.
6
Trace persisted
All actions traced. Executed and denied.
← Click a component
to explore it
System Design · Entity Risk AI

Solution Architecture

↗ Click any component to explore its role

Application Layer UI + Orchestration + Agents
🖥️
Streamlit UI
app.py · src/app/
UI
🧠
Investigation Planner
Claude Sonnet via /ai/sonnet
LLM
🎯
Orchestrator
src/orchestration/
CORE
Specialist Agents
🔗
Graph Agent
entity_lookup · expand_ownership
AGENT
⚠️
Risk Agent
4 deterministic risk checks
AGENT
🗂️
Trace Agent
retrieve · summarise · replay
AGENT
Tool calls via MCP
LLM calls via AI proxy
Results + trace events
Gateway Layer — Control Plane Enforcement
🛡️
Kong MCP Gateway
/mcp · key-auth · ACL · consumer groups
🚫
FAIL CLOSED
HTTP 403 → SKIPPED · Not logged. Not warned. Blocked.
🤖
Kong AI Gateway
/ai · /ai/sonnet · ai-proxy · rate-limit
Permitted tool calls
Proxied LLM requests
Responses
Execution Layer Runtime
🚀
MCP Server
Railway · FastMCP · streamable-http · 15 tools
MCP
💬
Anthropic Claude
Haiku (agents) · Sonnet (planner)
LLM
Cypher queries
Trace events
Graph data + audit records
Storage Layer Persistence
🕸️
Neo4j Graph Database
AuraDB · Companies House UBO data
GRAPH
📋
Trace Subgraph
Same Neo4j instance · InvestigationTrace → TraceEvent → :ABOUT → business nodes
AUDIT
← Click a component
to explore it
Runtime Flow

System Control Flow

↗ Click any participant or message row to see what happens at that step

🖥️
Application
UI · Orchestrator · Agents
🛡️
Kong MCP Gateway
/mcp · key-auth · ACL
🤖
Kong AI Gateway
/ai · /ai/sonnet · ai-proxy
☁️
Upstream Services
MCP Server · Anthropic API
APP — Planning Phase
Planner → generate plan
POST /v1/messages · Sonnet · auth injected by ai-proxy
JSON plan returned
GATEWAY — Tool Enforcement Phase
resolve_entity · X-Kong-API-Key
ACL check: consumer group → tool allowlist
MCP tools/call → upstream · Railway
Canonical name returned
Tool call Agent.run() · PERMITTED ✓
Forward to MCP Server upstream
Tool call · DENIED 🚫
Kong returns HTTP 403 · ACL denial → StepStatus.SKIPPED
TRACE — Persistence Phase
Persist TraceEvent · TraceService → Neo4j (both permitted + denied)
OrchestratorResult → Streamlit UI {steps, trace_id, final_answer}
Legend MCP / tool call AI / LLM call Permitted / traced Denied / blocked Response
← Click a participant
or message row
to explore it
Neo4j AuraDB · Property Graph · Two Subgraphs

Graph Data Model

↗ Click any node or relationship to explore its full schema  ·  Business graph (left) and Trace subgraph (right) shown together

BUSINESS GRAPH TRACE SUBGRAPH OWNS OWNS REGISTERED_AT HAS_SIC OFFICER_OF HAS_EVENT NEXT_EVENT ABOUT RETRIEVED Company focal entity Company parent / owner Person UBO / officer Address registered office SIC industry code Investigation Trace one per investigation Investigation Trace retrieved TraceEvent one per step
Nodes
Company
Person
Address
SIC
InvestigationTrace
TraceEvent
Relationships
OWNS
REGISTERED_AT
HAS_SIC
OFFICER_OF
HAS_EVENT
ABOUT
NEXT_EVENT
RETRIEVED
Click any node
or relationship
to explore its schema
Kong Konnect · entity-risk-ai · Live Configuration

Control Plane Configuration using Kong

Click any route or tool to inspect its full configuration  ·  /kongai routes excluded

AI Gateway · ai-proxy-advanced
AI Gateway
entity-risk-ai-kong-ai-gateway · Routes LLM calls to Anthropic
Service
name entity-risk-ai-kong-ai-gateway
upstream Anthropic API via ai-proxy-advanced plugin
consumer entity-risk-ai-app (X-Kong-API-Key auth)
Routes — click to inspect
POST /ai
claude-haiku-4-5 20 req/min
key-auth ai-proxy-advanced rate-limiting
POST /ai/sonnet
claude-sonnet-4-6 10 req/min
key-auth ai-proxy-advanced rate-limiting
MCP Gateway · ai-mcp-proxy
MCP Gateway
mcp-upstream-service · Routes tool calls to Railway MCP server
Service
name mcp-upstream-service
host entity-risk-ai-production.up.railway.app
protocol / port https / 443
Route — click to inspect
GET/POST /mcp
Railway upstream
key-auth ai-mcp-proxy
Consumers & Groups
entity-risk-ai-app ungrouped orchestrator key
jr-analyst-app jr-analyst restricted access
sr-analyst-app sr-analyst full access
MCP Tools — 15 tools, click to inspect
All roles jr-analyst denied
resolve_entity all
validate_plan all
evaluate_stop_conditions all
entity_lookup all
company_profile all
expand_ownership all
shared_address_check all
sic_context all
ownership_complexity_check all
control_signal_check all
retrieve_trace all
find_traces_by_entity all
list_recent_traces all
address_risk_check deny: jr
industry_context_check deny: jr
Click any route or tool above to inspect its configuration