Security & compliance track
Contain the blast radius when an injection gets through.
Your teams are shipping agents faster than your controls cover them, and the standards bodies have caught up: prompt injection is OWASP LLM01 two editions running, and the OWASP Top 10 for Agentic Applications (2026) names the tool-execution layer explicitly. The uncomfortable part: injection is the one risk you cannot patch out — it's intrinsic to how models read input. So the control objective isn't “block every injection.” It's to contain the blast radius when one gets through. Bridgekeeper is built around that objective.
Read this as agent supply-chain security and tool-call authorization, aligned to OWASP Agentic 2026 — not “AI firewall.” Same architecture, current-year language, so it shows up in the right RFP.
What the security owner is buying
Data sovereignty, enforced architecturally
In-process, air-gap capable, zero cloud egress. The control is the architecture: there's no telemetry path to review because there's no telemetry path. For regulated or air-gapped environments, this is qualifying — without it you're disqualified.
Contain-by-construction, not detect-and-respond
Endpoint-AIDR tools observe, flag, and quarantine after the fact. Bridgekeeper enforces in-line, before execution. The seatbelt, not the crash camera. Both have a place; only one stops the call before it leaves.
Supported and continuously current
Unsupported OSS fails audit and decays. The maintained feed is a published changelog of newly-covered techniques — your evidence that coverage tracks the threat, not a static policy you set once and forget.
No re-platforming risk
It augments LiteLLM, Ollama, and vLLM. You don't make a platform bet, retrain teams, or migrate an API surface to get the control.
Procurement continuity
Most independent guardrail vendors are inside acquirers now, with roadmaps consolidating into someone's suite. Bridgekeeper is the layer that stays in your stack — augmenting what you already run — regardless of who buys whom.
Map to controls
For the security questionnaire — what each primitive answers.
| Risk / standard | Bridgekeeper control |
|---|---|
| OWASP LLM01 — Prompt Injection | Heuristic content layer (sub-millisecond) plus outbound containment. |
| OWASP LLM06 / Agentic 2026 — Excessive Agency, tool abuse | Deny-by-default tool firewall, request binding, anti-replay. |
| Data exfiltration / indirect injection | Provenance labels plus outbound DLP; nothing leaves the box. |
| Supply-chain — poisoned MCP servers, skills, RAG | Request binding and provenance constrain what a compromised component can trigger. |
Compliance posture
Stated plainly, and only what's true today: SOC 2 Type II is in progress; Bridgekeeper is HIPAA-ready with a BAA available. We never say “HIPAA-certified” — HHS doesn't certify, and any vendor claiming it is describing a BAA plus organizational status, not a credential. Security-questionnaire support and a BAA template are available on request.