Level 2: Basics

Enterprise Features

Scale your AI security infrastructure with SSO/SAML, team management, RBAC, compliance automation, unlimited retention, on-premise deployments, dedicated support, and custom SLAs. Built for organizations that need enterprise-grade control.

40 minutes

7 sections

Intermediate

SSO & SAML Configuration

Centralize authentication with Single Sign-On. Supports any SAML 2.0 provider and simplifies user onboarding/offboarding.

Why SSO Matters

Centralized control: Disable all access instantly when employees leave
MFA enforcement: Inherit your IdP's security policies (2FA, passwordless, etc.)
Audit trail: Tie AAIS activity to corporate directory (no orphaned accounts)
Compliance: Meet SOC 2 / ISO 27001 requirements for identity management
User experience: One login for all tools (no password fatigue)

SSO Provider Support

Works with Okta, Azure AD (Entra), Google Workspace, OneLogin, Auth0, JumpCloud, and any SAML 2.0 compatible IdP. SCIM provisioning available for automated user lifecycle.

Setup Flow: Okta Example

In AAIS dashboard, navigate to Settings → Authentication → SSO
Click Configure SAML and copy the ACS URL and Entity ID
In Okta admin, create new SAML 2.0 app integration
Paste ACS URL: https://agentaishield.com/api/v1/auth/saml/acs
Paste Entity ID: agentaishield:your-org-id
Configure attribute statements (email → email, firstName → firstName, etc.)
Download Okta metadata XML or copy SSO URL + certificate
Upload metadata to AAIS or manually enter SSO URL and certificate
Test with Validate SSO button (opens test login flow)
Enable Enforce SSO to require SAML for all users

[email protected] Jane Doe Engineering Security

Azure AD (Entra) Configuration

In Azure Portal, go to Enterprise Applications → New application
Create custom SAML application named "AgentAIShield"
Set Identifier (Entity ID): agentaishield:your-org-id
Set Reply URL: https://agentaishield.com/api/v1/auth/saml/acs
Configure user claims (email, givenname, surname, groups)
Download Federation Metadata XML
Upload to AAIS SSO settings
Assign users/groups in Azure AD
Test login and enable enforcement

Google Workspace Setup

In Google Admin Console, go to Apps → Web and mobile apps → Add custom SAML app
Name it "AgentAIShield" and download IdP metadata
Enter ACS URL and Entity ID from AAIS
Map attributes: Primary email → email, First name → firstName, Last name → lastName
Turn on for everyone or specific OUs
Upload Google metadata to AAIS
Test and enforce

Pro Tip: Domain Verification

Enable auto-provisioning by verifying your email domain (DNS TXT record). New employees with @yourcompany.com emails automatically get AAIS accounts when they first SSO in.

SCIM Provisioning (Automated User Lifecycle)

Sync users and groups automatically from your IdP:

Auto-create: New employees get AAIS accounts on first SSO
Auto-update: Name/email changes sync instantly
Auto-deactivate: Offboarded employees lose access immediately
Group sync: Map IdP groups to AAIS roles (e.g., "Engineering" → "Developer")

// Enable SCIM in Okta
SCIM Base URL: https://agentaishield.com/api/v1/scim/v2
OAuth Bearer Token: 

Supported operations:
- Create users (POST /Users)
- Update users (PUT /Users/{id})
- Deactivate users (PATCH /Users/{id} with active=false)
- Sync groups (POST /Groups)

Role-Based Access Control (RBAC)

Assign granular permissions to team members based on their role.

Built-In Roles

AgentAIShield includes 5 predefined roles:

Owner: Full control — manage billing, delete organization, invite/remove users
Admin: Configure agents, security policies, webhooks, SSO (cannot manage billing)
Developer: Create/edit agents, view logs, generate API keys (cannot change org settings)
Viewer: Read-only access to dashboards, logs, reports (no configuration changes)
Billing: Manage payment methods, view invoices, export usage reports (no security access)

Permission Inheritance

Roles are hierarchical: Owner > Admin > Developer > Viewer. Higher roles inherit all permissions from lower roles.

Permission Matrix

| Action                        | Owner | Admin | Developer | Viewer | Billing |
|-------------------------------|-------|-------|-----------|--------|---------|
| View dashboards               |   ✓   |   ✓   |     ✓     |   ✓    |    ✗    |
| View logs & request history   |   ✓   |   ✓   |     ✓     |   ✓    |    ✗    |
| Create/edit agents            |   ✓   |   ✓   |     ✓     |   ✗    |    ✗    |
| Generate API keys             |   ✓   |   ✓   |     ✓     |   ✗    |    ✗    |
| Configure security policies   |   ✓   |   ✓   |     ✗     |   ✗    |    ✗    |
| Manage webhooks               |   ✓   |   ✓   |     ✗     |   ✗    |    ✗    |
| Configure SSO/SAML            |   ✓   |   ✓   |     ✗     |   ✗    |    ✗    |
| Invite/remove users           |   ✓   |   ✓   |     ✗     |   ✗    |    ✗    |
| Assign roles                  |   ✓   |   ✗   |     ✗     |   ✗    |    ✗    |
| View/export billing data      |   ✓   |   ✗   |     ✗     |   ✗    |    ✓    |
| Manage payment methods        |   ✓   |   ✗   |     ✗     |   ✗    |    ✓    |
| Delete organization           |   ✓   |   ✗   |     ✗     |   ✗    |    ✗    |

Team Management Workflow

Onboarding a new team member:

Navigate to Settings → Team
Click Invite Member
Enter email address and select role
They receive email invitation with signup link
If SSO enabled, they automatically sign in via IdP
Their permissions are active immediately

Offboarding:

Go to Settings → Team
Find user in member list
Click Remove or Deactivate
All active sessions are immediately revoked
API keys created by that user are optionally rotated

Audit Trail Requirement

All role changes, invitations, and removals are logged with timestamp and actor. Immutable audit logs retained according to your plan's retention policy.

Custom Roles (Enterprise+)

For complex organizations, create custom roles with granular permissions:

Compliance Auditor (read logs + export reports, cannot modify agents)
Security Analyst (run red team campaigns, cannot deploy agents)
Integration Engineer (manage API keys, cannot view sensitive logs)

// Custom role API (example)
curl -X POST https://agentaishield.com/api/v1/roles \
  -H "Authorization: Bearer sk_live_..." \
  -d '{
    "name": "Compliance Auditor",
    "permissions": [
      "logs:read",
      "reports:export",
      "audit_trail:read"
    ],
    "deny": [
      "agents:write",
      "api_keys:create",
      "settings:write"
    ]
  }'

Compliance Reports & Automation

Generate audit-ready reports for GDPR, SOC 2, HIPAA, and custom frameworks.

GDPR Compliance

AgentAIShield includes built-in tools for GDPR compliance:

Data Processing Agreement (DPA): Auto-generated, legally reviewed template
Right to Access: Export all data for a specific user (API endpoint)
Right to Deletion: Purge user data across all systems (irreversible)
Consent Management: Track opt-in/opt-out per data category
PII Inventory: Automated report of all PII fields detected
Data Retention Policies: Auto-delete data after configured period

// GDPR data export (user request) curl -X POST https://agentaishield.com/api/v1/gdpr/export \ -H "Authorization: Bearer sk_live_..." \ -d '{ "user_email": "[email protected]", "include_logs": true, "include_pii_detections": true, "format": "json" }' // Response includes download link to encrypted archive

SOC 2 Readiness

Pre-built control mappings for SOC 2 Type II audits:

CC6.1 (Logical Access): SSO, MFA, RBAC audit logs
CC6.2 (Authentication): Password policies, session management
CC6.6 (Encryption): TLS 1.3, data-at-rest encryption evidence
CC6.7 (Transmission Integrity): API request signing, HMAC validation
CC7.2 (System Monitoring): Anomaly detection logs, uptime reports

Generate SOC 2 evidence package:

Go to Compliance → SOC 2
Select audit period (e.g., last 12 months)
Click Generate Evidence Package
Download ZIP with control screenshots, config exports, logs
Share with auditor via secure link (expires in 7 days)

HIPAA Compliance

For healthcare AI applications:

Business Associate Agreement (BAA): Signed by AAIS legal team
PHI Handling: Automatic detection + redaction of medical data
Encryption: AES-256 at rest, TLS 1.3 in transit
Access Logs: Immutable audit trail of all PHI access
Breach Notification: Automated alerts for unauthorized access

BAA Requirement

HIPAA compliance requires a signed Business Associate Agreement. Enterprise customers automatically receive BAA upon plan activation. Contact support to initiate signing process.

Audit Trail Management

Every action is logged with immutable timestamps:

User authentication (SSO logins, API key usage)
Configuration changes (agent edits, policy updates)
Data access (log views, report exports)
Security events (injection attempts, anomalies)
Administrative actions (user invites, role changes)

// Example audit log entry { "timestamp": "2026-02-25T14:32:18.442Z", "event_type": "config.agent.update", "actor": { "user_id": "usr_abc123", "email": "[email protected]", "role": "admin", "ip_address": "203.0.113.42", "user_agent": "Mozilla/5.0..." }, "resource": { "type": "agent", "id": "agt_xyz789", "name": "customer-support-bot" }, "changes": { "injection_blocking": {"old": false, "new": true}, "pii_redaction": {"old": "partial", "new": "full"} }, "metadata": { "request_id": "req_def456", "session_id": "ses_ghi789" } }

Data Residency Controls

Choose where your data is stored and processed:

US (us-east-1): Default region, lowest latency for North America
EU (eu-west-1): GDPR-compliant, data never leaves EU
UK (eu-west-2): Post-Brexit data sovereignty
APAC (ap-southeast-1): Singapore region for Asian customers
On-premise: Full data residency control (requires VPC deployment)

Cross-Border Data Flow

Once a region is selected, data is never transferred out without explicit consent. For multi-region organizations, use separate AAIS workspaces per region.

Building Custom Reports

Create compliance reports for internal audits:

Navigate to Compliance → Custom Reports
Select report type (security events, PII access, user activity)
Define date range and filters
Choose format (PDF for auditors, CSV for analysis)
Schedule recurring delivery (weekly, monthly) or one-time export

// Schedule automated SOC 2 report { "report_name": "Monthly SOC 2 Evidence", "schedule": "0 0 1 * *", // First day of month, midnight UTC "format": "pdf", "sections": [ "access_logs", "config_changes", "security_events", "uptime_metrics" ], "recipients": [ "[email protected]", "[email protected]" ], "retention_days": 365 }

Unlimited Data Retention

Enterprise tier removes all retention limits — keep data as long as regulations require.

What's Retained

Request/response logs (full payloads or metadata-only)
Trust Score history (per-request scores over time)
Security events (PII detections, injections, anomalies)
Audit trails (all administrative actions)
Red team campaign results

Configuration Options

Set retention policies per data type:

Logs with PII: 90 days (auto-redact after 30)
Security events: 7 years (SOC 2 requirement)
Audit trails: Indefinite (immutable)
Performance metrics: 1 year (aggregated after 90 days)

// Configure retention policies
curl -X PATCH https://agentaishield.com/api/v1/organization/retention \
  -H "Authorization: Bearer sk_live_..." \
  -d '{
    "logs": {
      "full_payload_days": 90,
      "metadata_only_days": 365,
      "pii_redaction_after_days": 30
    },
    "security_events": {
      "retention_days": 2555  // 7 years
    },
    "audit_trail": "indefinite"
  }'

Archival & Cold Storage

Older data moves to cheaper storage tiers automatically:

Hot (0-30 days): Instant access, full-text search
Warm (31-180 days): 2-5 second latency, compressed
Cold (180+ days): 30-60 second restore, heavily compressed
Glacier (2+ years): 12-hour restore, archival pricing

Cost Optimization

Cold storage costs 90% less than hot storage. A customer with 500M requests/year saves $18K/year by auto-archiving data >6 months old.

Export & Backup

Download your entire dataset for external backup:

Go to Settings → Data Management → Export
Select data types and date range
Choose format (JSONL, Parquet, CSV)
Export job runs async (large datasets take hours)
Download from secure S3 presigned URL (expires in 7 days)

VPC & On-Premise Deployments

Run AgentAIShield in your own infrastructure for maximum control.

Deployment Options

Managed VPC: AAIS deploys to your AWS/GCP/Azure account
Self-Hosted Docker: Run on your own servers (single-node)
Kubernetes: Production-grade k8s deployment (multi-node, HA)
Air-Gapped: Fully offline environments (compliance/security requirement)

Docker Deployment

# Pull AAIS container (requires license key)
docker pull agentaishield/enterprise:latest

# Run with PostgreSQL backend
docker run -d \
  --name aais-enterprise \
  -p 8443:8443 \
  -e LICENSE_KEY=your-enterprise-license \
  -e DATABASE_URL=postgresql://user:pass@db:5432/aais \
  -e REDIS_URL=redis://cache:6379 \
  -v /data/aais:/var/lib/aais \
  agentaishield/enterprise:latest

# Access dashboard at https://localhost:8443

Kubernetes Deployment

Helm chart available for production k8s:

# Add AAIS Helm repo
helm repo add aais https://charts.agentaishield.com
helm repo update

# Install with custom values
helm install aais-prod aais/agentaishield \
  --namespace aais-system \
  --create-namespace \
  --set license.key=your-license-key \
  --set postgres.enabled=true \
  --set redis.enabled=true \
  --set replicas=3 \
  --set ingress.enabled=true \
  --set ingress.hostname=aais.company.com

Network Architecture

Recommended production architecture:

Load Balancer: NGINX/HAProxy → multiple AAIS instances
Application Tier: 3+ AAIS nodes (stateless, horizontally scalable)
Database: PostgreSQL with read replicas (or managed RDS/Cloud SQL)
Cache Layer: Redis cluster (6+ nodes for HA)
Object Storage: S3/GCS/Azure Blob for log archival
Monitoring: Prometheus + Grafana for metrics, ELK for logs

On-Prem Success Story

A Fortune 500 financial services company deployed AAIS on air-gapped Kubernetes in their datacenter. Handles 12M requests/day with 99.97% uptime, zero data ever leaves their network.

Dedicated Customer Success Manager

Every Enterprise customer gets a dedicated CSM for strategic support.

What to Expect

Onboarding (Week 1): Architecture review, integration planning, SSO setup assistance
Monthly check-ins: Review Trust Score trends, security posture, cost optimization
Quarterly business reviews: ROI analysis, roadmap alignment, feature requests
24/7 escalation path: Direct Slack/email to CSM for critical issues
Training sessions: Live workshops for your team (red teaming, compliance, API)

CSM vs Support

Support handles technical troubleshooting. CSM focuses on strategic success: helping you get more value, optimize workflows, and plan for scale. Both are included in Enterprise.

SLA Guarantees

Enterprise tier includes legally-backed SLAs:

Uptime: 99.95% availability (4.38 hours downtime/year max)
Support response: Critical issues < 1 hour, high priority < 4 hours
API latency: P95 < 150ms for security checks
Data durability: 99.999999999% (11 nines) — no data loss

// SLA violation credits (example)
Uptime < 99.95%: 10% monthly credit
Uptime < 99.50%: 25% monthly credit
Uptime < 99.00%: 50% monthly credit
Uptime < 95.00%: 100% monthly credit (1 month free)

Strategic Planning & Roadmap Input

Your CSM ensures AAIS evolves with your needs:

Quarterly feature requests reviewed with product team
Beta access to new capabilities (red team modules, compliance frameworks)
Custom integrations (SIEM, ticketing, LLM providers)
Architecture consulting for scale (10M+ requests/day)

Enterprise Unlocked!

You now understand all enterprise capabilities — SSO, RBAC, compliance automation, on-prem deployments, and dedicated support. Ready to dive deeper? Explore Compliance Deep Dive or Architecture & Scale modules.

Previous: Security Deep Dive Next: Compliance & Enterprise