Enterprise-grade security at every layer of the stack.
RBAC, SSO/SCIM, PII firewall, immutable audit logs, and air-gapped deployment — all built into the same binary as the gateway. No additional security services to deploy or maintain.
RBAC & SSO/SCIM
Role-based access control with admin, team lead, and user tiers. SAML 2.0 and OIDC SSO for centralised identity. SCIM provisioning automates user onboarding and deprovisioning from your identity provider.
- Fine-grained permissions: manage providers, view audit, set budgets
- SAML 2.0 and OIDC — compatible with Okta, Azure AD, Google Workspace
- SCIM provisioning for automated lifecycle management
RBAC & SSO/SCIM — capability summary
PII Firewall & Guardrails
Every request passes through a PII detection layer before reaching any provider. Names, email addresses, phone numbers, SSNs, and credit card numbers are redacted automatically. Guardrail rules can block, warn, or silently audit based on content category.
- PII detection runs locally — sensitive fields never leave your network unredacted
- Configurable redaction per team: some teams may require full block, others audit-only
- Guardrail rule library includes off-the-shelf and custom classifier support
PII Firewall & Guardrails — capability summary
Audit Log
Every request and response is recorded with provider, model, latency, token counts, cost, applied policy decisions, and team identity. Audit records are append-only and cannot be modified after write. Export to Postgres, S3, or stdout in structured JSON.
- Immutable append-only records — no post-write modification possible
- Structured JSON export compatible with SIEM tools and compliance dashboards
- Configurable retention period from 30 days to indefinite
Audit Log — capability summary
Air-Gap & Data Residency
ManyLayers supports fully air-gapped deployments where no outbound connections leave your network perimeter after initial installation. License file activation works offline. For regulated industries, all compute, storage, and logging stays within your designated region or data centre.
- No telemetry, no usage reporting, no callbacks to external services
- License activation via offline file — no internet required after install
- Data residency configurable per deployment region or data centre
Air-Gap & Data Residency — capability summary
Security controls across all deployment modes.
| Security Control | SaaS Cloud | Self-Hosted | Air-Gapped | Notes |
|---|---|---|---|---|
| RBAC | ✓ | ✓ | ✓ | Admin/lead/user tiers |
| SSO (SAML/OIDC) | ✓ | ✓ | ✓ | Okta, Azure AD, Google WS |
| SCIM provisioning | ✓ | ✓ | ✓ | Automated lifecycle |
| PII firewall | ✓ | ✓ | ✓ | Local detection, no egress |
| Guardrails | ✓ | ✓ | ✓ | Block / warn / audit |
| Audit log | ✓ | ✓ | ✓ | Immutable, exportable |
| Air-gap mode | — | ✓ | ✓ | Offline license activation |
| Data residency | Region-locked | Your DC | Your DC | No external egress |