Gatekeeper

Reference architectures

6 deployment patterns for running Gatekeeper across SaaS, on prem, and hybrid environments. Each architecture shows the dataflow, the components, and the security considerations for a production agent deployment.

SaaS

SaaS gateway for enterprise copilots

Claude, ChatGPT, and internal copilots reach SaaS APIs through a managed gateway. Credentials stay sealed in an attested enclave.

MCPOkta OIDCNitro EnclavesAWS KMS
SaaS

Credential controls for AI coding agents

Coding agents clone, search, and ship. Production writes require approval; AWS signing keys never transmit.

Claude CodeCursorGitHubSigV4
On prem

Self hosted Gatekeeper in your AWS VPC

The entire stack inside your VPC: customer managed keys, private endpoints, nothing crossing your boundary.

TerraformCustomer CMKPrivateLinkMicrosoft Entra / Azure AD
On prem

Enterprise MCP hub with approvals and SIEM

One hub fronts every internal MCP server, with provenance tainting, Slack approvals, and SIEM streaming.

Microsoft Entra / Azure ADMCP serversSlack approvalsSplunk
Hybrid

Hybrid control plane with a VPC data plane

Policy authored in the SaaS console; enforcement, credentials, and decryption stay inside your VPC.

SaaS consolePolicy syncCustomer CMKSIEM export
Hybrid

MPC wallet operations for digital assets

Governed transaction signing for Fireblocks, Fordefi, and Utila with quorum approvals and spend caps.

FireblocksFordefiUtilaQuorum approvals