How it routes

One request,
seven movements.

Follow a single inference request through the gate. Each movement adds microseconds and removes risk. The same seven movements hold whether the request is served on sovereign capacity, routed in-region behind a de-identification gate, or refused outright.

The request lifecycle
Movement 01 · Arrive

The single enforcement point

The application calls heimdall.run() over mTLS with an idempotency key. No path to any model exists except through the gate. A malformed request is rejected before a cent is spent.

AC-GW · idempotent retries · streaming pass-through
Movement 02 · Classify

Verify what the caller declares

The task class is checked against the schema registry; an owned PHI detector confirms the data class. Declared de-identified but detected identifiable? Blocked at the gate, no upstream call, no payload kept.

AC-CL-1 · PHI recall ≥ 0.995 · +≤15 ms p99
Movement 03 · Govern

Policy decides, in under a millisecond

The tenant's signed policy resolves residency, model allowlist, budget and escalation. Identifiable PHI ⇒ sovereign-only. If the engine cannot be evaluated, the request fails closed.

AC-PE-1 · decide ≤ 1 ms p99 · fail-closed
Movement 04 · Route

Cheapest compliant supply wins

A depth ladder, owned distil → owned specialist → frontier via gate → human, resolves to the cheapest rung that satisfies the policy. Compliance outweighs cost; failover stays within tier, never across.

AC-RT-1 · route ≤ 2 ms · no eval pass ⇒ no traffic
Movement 05 · Bound

The cost of the request is capped before it runs

The envelope sets context caps, output schema, retry ceiling, agentic depth and a hard per-request budget. Breach the cap and the request is queued, not silently overspent.

AC-EN-1 · no request exceeds its class budget
Movement 06 · Cross

Sovereign, frontier-via-gate, or human

Owned capacity on Bifrost serves in-tenancy. A non-sovereign route crosses the de-identification trust boundary first. The hard tail escalates to a consultant, by policy, not by failure.

AC-DI · re-ID map never leaves sovereign storage
Movement 07 · Account

Back through the gate, never around it

The result returns through the gateway, re-identified there if it was de-identified, and one immutable, hash-chained record lands in the ledger. The per-study price accrues as a single, known line item.

AC-LG-1 · zero accepted-request loss
The trust boundary

When a request must leave sovereign supply, it is unrecognisable before it does.

Residency answers where. The de-identification gate answers what, stripping identity from any payload bound for a non-sovereign model, and restoring it only inside the border, only at the gateway, only on the way back.

Exhibit 02The de-identification trust boundary
SOVEREIGN ZONE · IN-REGION Identifiable payload data_class: PHI De-identification gate · pseudonymise identifiers · interval-preserving date shift · offshore classes ⇒ anonymisation grade exits as pseudonymous payload → RE-ID MAP · sovereign HSM · never sent TRUST BOUNDARY Egress proxy allowlist · mTLS · DLP tap ZDR · no-train Frontier model in-region · pinned version pseudonymous only return path, re-identified at the gateway, inside the border, before display Gate failure ⇒ request fails closed · no partial payload egress · round-trip integrity property-tested (AC-DI-1/2/3)
The map that could re-identify the data is the one thing that never crosses. No API returns it; data-flow tests verify it.
Three worked paths · one morning
PathRequestDecisionSupplyOutcome
A · Sovereign draft CT chest + 3 priors, identifiable PHI ⇒ sovereign-UK only 3v-rad-32b on Bifrost, LHR Structured draft in 1.74s; radiologist edits and signs.
B · Frontier synthesis 9 studies / 4 yrs, oncology Resident OK after de-ID gate Frontier model, UK region Re-identified at the gateway; flagged pending consultant.
C · Fail-closed Confidence 0.71 < 0.80 threshold Escalate per playbook Human consultant queue Reviewed, amended, signed, joins the eval bank.

The amended case sharpens future routing. The gate does not just enforce policy: it learns the shape of the hard cases, and feeds them back into the evals that gate every model version change.

See the full reference architecture