Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Executive & Leadership
CIO AI StrategyCTO Platform EngineeringCIO Cost OptimizationCTO Developer VelocityCIO Risk DashboardCTO Multi ProviderCIO Compliance AutomationCTO Chat WorkbenchCIO Shadow AICTO API Economy
Software Developers
Software Engineers
QA Engineers
Financial Engineers & Quants
Chat Workbench
Tutorials
CLI Reference
Policy Reference
FAQ

CTO Guide: AI Platform Engineering with Keeptrusts

Platform engineering is the discipline of building golden paths — paved roads that let product teams move fast while the platform team maintains control over security, cost, and compliance. Keeptrusts is the governance layer of your AI platform.

Use this page when

  • You are designing a platform team topology with gateway operations, policy management, and developer enablement
  • You need to implement self-service gateway key provisioning for product teams
  • You want API-first governance automation (CI/CD provisioning, GitOps deployment, budget alerting)
  • You are building a template library for standardized AI access patterns

This guide covers team topology, self-service patterns, the build-vs-buy decision, and how to standardize AI usage through templates.

Primary audience

  • Primary: Technical Leaders
  • Secondary: Technical Engineers, AI Agents

Platform Team Topology

A well-structured AI platform team has three responsibilities:

  1. Gateway operations — Deploy, scale, and monitor the Keeptrusts gateway fleet
  2. Policy management — Author and maintain policy configurations in version control
  3. Developer enablement — Provide self-service tooling so product teams never need to open a ticket for AI access
┌─────────────────────────────────────────────┐
│              Platform Team                   │
│  ┌──────────┐ ┌───────────┐ ┌────────────┐  │
│  │ Gateway  │ │  Policy   │ │ Developer  │  │
│  │   Ops    │ │ Authoring │ │ Enablement │  │
│  └──────────┘ └───────────┘ └────────────┘  │
└──────────────────┬──────────────────────────┘

    ┌──────────────┼──────────────┐
    ▼              ▼              ▼
┌────────┐  ┌──────────┐  ┌───────────┐
│ Team A │  │  Team B  │  │  Team C   │
│ (GK-A) │  │  (GK-B)  │  │  (GK-C)   │
└────────┘  └──────────┘  └───────────┘

Each product team receives a gateway key (kt_gk_...) scoped to their allowed models, providers, and budget. They never touch provider API keys directly.

Self-Service Developer Portal via Gateway Keys

Gateway keys are the primitive that makes self-service possible. Each key encodes:

  • Provider access — Which providers and models the key can reach
  • Budget scope — Which wallet or cost center charges accrue to
  • Policy binding — Which policy configuration governs traffic
  • Expiry — Automatic rotation without manual intervention
# Platform team provisions a gateway key for the search team
kt tokens create \
  --type gateway \
  --name "search-team-prod" \
  --team-id search \
  --config search-policy.yaml \
  --expires-in 90d

Product teams use the key as a drop-in replacement for any OpenAI-compatible SDK:

import openai

client = openai.OpenAI(
    api_key="kt_gk_...",  # Gateway key, not a provider key
    base_url="https://gateway.internal.company.com/v1"
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this document"}]
)

Console checkpoint: The Settings → Access Keys page shows all active gateway keys with last-used timestamps, associated teams, and remaining budget.

API-First Governance

Every governance action in Keeptrusts is available through the control-plane API. This means your platform team can automate everything:

ActionAPI EndpointAutomation Use Case
Create gateway keyPOST /v1/tokensCI/CD pipeline provisioning
Update policy configPUT /v1/configurations/{id}GitOps policy deployment
Query spendGET /v1/wallets/balanceBudget alerting
Export audit logsPOST /v1/exportsScheduled compliance reports
List escalationsGET /v1/escalationsPagerDuty integration
# GitOps: push policy changes from CI
kt config push --file policy-config.yaml --gateway prod-gw-01
kt policy lint --file policy-config.yaml

Build vs Buy Analysis

CapabilityBuild In-HouseKeeptrusts
Multi-provider routing3–6 months eng timeConfiguration
Policy enforcementOngoing maintenanceDeclarative YAML
Cost tracking per teamCustom billing integrationBuilt-in wallets
Audit trailCustom logging pipelineEvery event, out of the box
Compliance exportsManual quarterly effortAutomated, on-demand
Provider failoverCustom health checksConfiguration + monitoring
Total Year-1 Cost$400K–$800K (2–4 engineers)Subscription + 1 platform engineer

The build option compounds: every new provider, regulation, or team adds incremental maintenance. Keeptrusts amortizes that across the platform.

Technology Radar for AI Providers

Use the gateway's multi-provider routing to run controlled experiments with new providers without changing application code.

# A/B test: route 10% of traffic to a new provider
model_groups:
  - name: summarization
    models:
      - provider: openai
        model: gpt-4o
        weight: 90
      - provider: anthropic
        model: claude-sonnet-4-20250514
        weight: 10

Monitor results in the console Events page, filtering by provider. Compare latency, cost per token, and policy hit rates to make data-driven provider decisions.

Console checkpoint: The Overview dashboard's provider distribution panel shows traffic split and cost comparison across providers in real time.

Console Template Library for Standardization

Templates are pre-configured policy bundles that the platform team publishes for product teams to adopt. They encode organizational standards into reusable packages.

TemplatePolicies IncludedTarget Teams
standard-saasPII filter, cost cap, loggingAll product teams
healthcare-compliantHIPAA PII, audit trail, data residencyHealth vertical
internal-toolsRelaxed filters, cost cap, loggingPlatform/DevOps
customer-facingStrict content filter, disclaimer, escalationCustomer support
# Apply a template to a new team's gateway
kt config apply --template standard-saas --gateway team-alpha-gw

Console checkpoint: The Templates page in the console lets platform admins create, version, and assign templates. Product teams see their assigned template and can request changes through the escalation workflow.

Measuring Platform Success

Track these metrics monthly to demonstrate platform value to the executive team:

MetricSourceTarget
Time to AI access for new teamToken creation → first request< 1 hour
% of AI traffic through gatewayGateway events / total provider spend> 95%
Policy violations caughtEscalation + block eventsTrending down
Provider cost per 1M tokensWallet analyticsTrending down
Developer satisfaction (survey)Quarterly NPS> 40

ROI Summary

InvestmentReturnTimeline
Platform team (1 engineer)Self-service for 10+ product teamsMonth 1
Template library80% reduction in onboarding timeMonth 2
API-first automationZero-touch provisioning in CI/CDMonth 3
Multi-provider routing15–30% cost reduction through competitionOngoing

Next steps

  1. Designate a platform team owner for AI governance
  2. Deploy a single gateway with the standard-saas template
  3. Provision gateway keys for your two highest-volume teams
  4. Set up GitOps policy deployment from your CI/CD pipeline
  5. Review the console Overview dashboard after 14 days

See also: CTO Guide: Accelerating Developer Velocity · CTO Guide: Multi-Provider AI Strategy

For AI systems

  • Canonical terms: platform team topology, gateway operations, policy authoring, developer enablement, gateway keys (kt_gk_...), kt tokens create, POST /v1/tokens, PUT /v1/configurations/{id}, GET /v1/wallets/balance, POST /v1/exports, GET /v1/escalations, template library, self-service portal
  • Key API endpoints: POST /v1/tokens (CI provisioning), PUT /v1/configurations/{id} (GitOps deploy), GET /v1/wallets/balance (budget alerting)
  • Best next pages: CTO: Developer Velocity, CTO: Multi-Provider Strategy, CTO: API Economy

For engineers

  • Provision gateway keys: kt tokens create --type gateway --name "search-team-prod" --team-id search --config search-policy.yaml --expires-in 90d
  • API-first automation: every governance action is available via REST API — integrate key provisioning, policy deployment, and budget alerting into CI/CD
  • Template library: define policy templates (e.g., standard-saas, hipaa-compliant, dev-sandbox) that teams self-select during key provisioning
  • GitOps deployment: PUT /v1/configurations/{id} pushes policy updates from merged PRs to running gateways
  • Console checkpoint: Settings → Access Keys shows all active keys with last-used, team, and remaining budget

For leaders

  • Platform engineering model: 1 engineer operating the gateway + templates can serve 10+ product teams — linear team growth, sub-linear platform team growth
  • Template library reduces AI onboarding time by 80% — teams pick a template, get a key, start building in minutes
  • API-first governance means everything is automatable — no manual intervention for standard operations
  • Build-vs-buy: Keeptrusts provides the governance layer; the platform team provides the organizational context (templates, budgets, policies)