Aegis AI: closing the gap between enterprise AI adoption and accountability
How a governance-first platform makes shadow AI a non-option, attributes the cost of every AI call down to the token, and keeps a complete, exportable audit trail — applied to legacy modernization and ITSM.
The problem
Enterprise AI adoption has accelerated dramatically, yet for most organisations the gap between AI hype and measurable ROI keeps widening.
Billions are being spent on model training, prompt engineering, and proof-of-concept demos, while the operational fundamentals — governance, cost attribution, compliance traceability — stay unaddressed. The result:
- Shadow AI proliferates — teams adopt models outside governed channels.
- AI spend is invisible — no one can say which team used which model at what cost.
- Compliance risk accumulates — PII flows through unmonitored AI pipelines.
- Legacy modernization stays manual — too expensive and too slow to scale.
The approach
Aegis AI was designed around a single thesis: AI adoption without embedded governance is technical debt at scale.
Instead of bolting governance on as a separate compliance layer (which teams inevitably work around), Aegis embeds it directly into the two highest-leverage workflows in enterprise IT:
1. Legacy application modernization
AI-powered translation of COBOL, FORTRAN, PL/I, RPG, and Assembly into modern Python — with every transformation logged for audit, cost analysis, and compliance review. Output includes docstrings, type hints, and unit tests.
2. IT Service Management (ITSM) copilot
AI-assisted incident resolution built on ITIL v4 best practice. Every response carries a governance card with token count, estimated cost, ROI time saved, and PII compliance status.
My role
Product architecture, end-to-end implementation, stakeholder alignment, and rollout coordination across teams and business units. I was responsible for defining the governance model, choosing the tech stack, designing the audit schema, and building the complete platform from zero to production — functioning as a fractional AI Product Manager and AI Architect.
Tech stack
Key architecture decisions
- Fire-and-forget logging — Supabase inserts are non-blocking and never delay AI responses to the user.
- Graceful degradation — if Supabase credentials are absent, the platform continues to operate normally with logging disabled.
- Lazy client initialisation — the Supabase client is created on first use, not at import time, which prevents build-time failures.
- Node.js runtime for API routes — full database-client compatibility, predictable cold-start behaviour on Vercel.
- Governance as UX — compliance metrics are rendered inline with AI responses, never hidden in admin panels.
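To show how those decisions fit together in one API route, here is an added illustration (not Aegis's own code): a governance card built per call, and a logger that creates its client lazily, disables itself when credentials are absent, and never awaits the insert. The names (governanceCard, makeAuditLogger, the ai_invocations table), the price list, the PII patterns and the injected createClient are all assumptions for the example.

```javascript
// Added illustration, not Aegis's own code. Names (governanceCard, makeAuditLogger,
// PRICE_PER_1K_TOKENS, the 'ai_invocations' table) and all sample values are assumed.

// Constructed sample price list, USD per 1,000 tokens.
const PRICE_PER_1K_TOKENS = { 'model-a': 0.002 };
// Constructed PII detectors: SSN-like numbers and e-mail addresses.
const PII_PATTERNS = [/\b\d{3}-\d{2}-\d{4}\b/, /[\w.+-]+@[\w-]+\.[\w.]+/];

// The card rendered beside every response: token count, estimated cost, ROI, PII status.
function governanceCard({ model, promptTokens, completionTokens, manualMinutesSaved, text }) {
  const tokens = promptTokens + completionTokens;
  const rate = PRICE_PER_1K_TOKENS[model] ?? 0; // unknown model: cost reported as 0, not hidden
  return {
    model,
    tokens,
    estimatedCostUsd: Number(((tokens / 1000) * rate).toFixed(6)),
    roiMinutesSaved: manualMinutesSaved,
    piiDetected: PII_PATTERNS.some((re) => re.test(text)),
  };
}

// createClient is injected so this runs offline; in production it would be
// @supabase/supabase-js's createClient(url, key). The returned logger creates the
// client on first use (lazy), turns itself off when credentials are missing
// (graceful degradation) and never awaits the insert (fire-and-forget).
function makeAuditLogger(env, createClient) {
  let client = null;
  let disabled = false;
  return function logInvocation(card) {
    if (disabled) return false;
    if (client === null) {
      if (!env.SUPABASE_URL || !env.SUPABASE_KEY) {
        disabled = true; // keep serving requests, just without audit logging
        return false;
      }
      client = createClient(env.SUPABASE_URL, env.SUPABASE_KEY);
    }
    const row = { ...card, loggedAt: new Date().toISOString() };
    // Not awaited: the AI response goes back to the user while the insert is in flight.
    // Supabase resolves with { error } rather than rejecting, so both paths are handled.
    Promise.resolve(client.from('ai_invocations').insert(row))
      .then(({ error }) => { if (error) console.error('audit insert failed', error); })
      .catch((err) => console.error('audit insert threw', err));
    return true; // queued, not confirmed
  };
}
```

The trade-off of fire-and-forget is that a failed insert is only visible in server logs, so the audit trail's completeness depends on monitoring those errors rather than on the request path.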
Outcomes
- Governed: every AI call routed through one audited path
- Zero: ungoverned “shadow AI” paths, by design
- Per-token: cost attribution on every call, every workflow
- Complete: audit trail, with every invocation logged and exportable
Lessons learned
Shadow AI prevention starts with better alternatives
Engineers don’t route around governance because they want to — they do it because governed tools tend to be slow, clunky, or simply missing. Aegis demonstrated that when the governed path is also the fastest path, adoption is immediate and shadow AI quietly disappears.
Governance only works when it doesn’t slow builders down
Every governance card, audit log, and cost-attribution metric in Aegis is computed asynchronously. The user never waits for compliance — it arrives alongside the AI response. Zero-latency governance is the only kind that survives contact with production teams.
Cost visibility changes behaviour before any policy does
Once teams can see their token-level AI spend in real time, prompt optimisation tends to happen on its own — no mandates required. Making spend visible at the point of use changes behaviour faster than any policy memo.
Audit trails must be automatic, not optional
If logging requires developer effort, it won’t happen. Aegis logs every AI invocation automatically via fire-and-forget Supabase inserts, so developers never have to think about compliance. It’s the only model that scales.
Interested in a similar engagement? Reach out via aurimas.io — I take on fractional AI Product Manager and AI Architect engagements.