Claude Code Governance: Securing Agent Access with an AI Gateway
Claude Code runs in the terminal with full user-level privileges: it reads source files, executes shell commands, connects to MCP servers, and sends code context to a model provider on every request. When developers point it directly at a provider API, platform teams lose visibility into who is using it, which models they reach, how much they spend, and what data leaves the building. Bifrost, the open-source AI gateway built in Go by Maxim AI, is the control plane that solves this: it sits in the request path between Claude Code and every provider, enforcing identity, access control, cost limits, and audit logging before a single token reaches the model. This post explains what Claude Code governance requires and how to implement it with an AI gateway.
What Is Claude Code Governance
Claude Code governance is the practice of routing every Claude Code request through a centralized control plane that enforces authentication, access control, spend limits, and audit logging at the infrastructure layer, rather than trusting each developer to configure those controls locally. It treats an autonomous coding agent as managed infrastructure instead of a standalone desktop tool.
The need is driven by scale. A 2026 Cyberhaven Labs report found that nearly 40% of all AI interactions involve sensitive corporate data, and that adoption of coding assistants reaches as high as 90% inside frontier organizations. At the same time, an IBM study cited in 2025 found that only 37% of organizations have AI governance policies in place. The gap between adoption and control is where ungoverned agent access becomes a security and compliance liability.
Why Ungoverned Claude Code Access Is a Risk
When Claude Code connects directly to a provider, several problems surface at once:
- Shared credentials erase attribution. If multiple developers use one API key or service account, every request appears under a single identity. There is no way to answer who ran what, which is a direct audit and compliance gap.
- Spend is unbounded. Claude Code consumes tokens quickly during agentic loops. A single long-running session can generate significant cost overnight, and nobody notices until the invoice arrives.
- Secrets can leak in prompts. Because the agent reads local files and sends context to the provider, API keys and credentials embedded in a repository can travel out in a prompt.
- Model access is uncontrolled. Without a policy layer, any developer can reach any model on any provider, including ones that fail data-residency or compliance requirements.
- There is no usage record. Direct provider access leaves platform teams without the request-level logs needed for security review or regulated-industry audits.
Each of these is solvable, but not at the level of an individual developer's machine. The controls have to live in the request path, which is what an AI gateway provides.
How Bifrost Governs Claude Code Traffic
Bifrost routes Claude Code through a single endpoint and applies governance to every request before it reaches the provider. The integration is configuration-only: you set ANTHROPIC_AUTH_TOKEN to a Bifrost virtual key, and Claude Code sends that token in its Authorization: Bearer header automatically. Bifrost recognizes the header, authenticates the virtual key, and routes the request. No raw provider credentials ever touch the developer's machine, and no Anthropic account login is required.
The Claude Code integration is the entry point, but the governance happens through several Bifrost capabilities working together, all part of a single AI governance layer.
Virtual Keys for Identity and Access Control
Virtual keys are the primary governance entity in Bifrost. Each developer or team authenticates with a virtual key that carries its own access permissions, budgets, and rate limits. A virtual key can be restricted to specific models and providers, limited to specific upstream API keys, and switched to inactive to revoke access instantly. Because each Claude Code session authenticates with its own key, every request is attributable to a single identity, which closes the shared-credential gap that breaks audit trails.
Per-Developer Budgets and Rate Limits
Bifrost enforces budgets and rate limits at the virtual key, team, and customer levels. Budgets are dollar amounts with configurable reset windows (1h, 1d, 1w, 1M, 1Y), so a platform team can set policies like $500 per engineer per month or $100 per day for developers experimenting with Claude Code. Rate limits cap tokens and requests per period. When a runaway agentic loop would otherwise generate unexpected cost, the limit stops it at the gateway instead of at the invoice.
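The order of checks a gateway applies to one request can be sketched as follows. This is an added example, not Bifrost's code or schema: the `VirtualKey` record, the `authorize` function, the model names and the 30-day and 365-day approximations for `1M` and `1Y` are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Reset windows named in the text; month and year lengths are approximated.
WINDOWS = {"1h": timedelta(hours=1), "1d": timedelta(days=1),
           "1w": timedelta(weeks=1), "1M": timedelta(days=30),
           "1Y": timedelta(days=365)}

@dataclass
class VirtualKey:
    """Hypothetical policy record for one developer; not Bifrost's schema."""
    owner: str
    allowed_models: frozenset
    budget_usd: float
    window: str
    window_start: datetime
    active: bool = True
    spent_usd: float = 0.0

def authorize(key, model, est_cost_usd, now):
    """Decide one request before it is forwarded; returns (allowed, reason)."""
    if not key.active:
        return False, "key inactive"          # revocation wins over everything
    if model not in key.allowed_models:
        return False, "model not allowed"
    if now - key.window_start >= WINDOWS[key.window]:
        key.window_start, key.spent_usd = now, 0.0   # budget window rolled over
    if key.spent_usd + est_cost_usd > key.budget_usd:
        return False, "budget exceeded"       # denied requests are not charged
    key.spent_usd += est_cost_usd
    return True, "ok"

def demo():
    """Constructed scenario: $100 per day, one permitted model."""
    t0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
    key = VirtualKey("dev-alice", frozenset({"model-a"}), 100.0, "1d", t0)
    out = [authorize(key, "model-a", 60.0, t0),
           authorize(key, "model-b", 1.0, t0),
           authorize(key, "model-a", 60.0, t0 + timedelta(hours=2)),
           authorize(key, "model-a", 60.0, t0 + timedelta(days=1))]
    key.active = False
    out.append(authorize(key, "model-a", 1.0, t0 + timedelta(days=1)))
    return out

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The second $60 request is refused inside the same day and accepted once the window resets, which is the behaviour that stops a runaway loop at the gateway.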
Role-Based Access Control
For larger organizations, role-based access control governs who can manage Bifrost itself. Bifrost Enterprise ships three system roles (Admin, Developer, Viewer) and supports custom roles for QA, security, compliance, or contractor access. RBAC follows the principle of least privilege and integrates with user provisioning over OIDC, so roles are assigned automatically from identity-provider groups and claims. This means access to virtual keys, budgets, and logs maps to organizational structure rather than to whoever holds a shared password.
Signed Audit Logs for Compliance
Every administrative action in Bifrost Enterprise is recorded in audit logs that capture the time, action, outcome, initiator, target, and request path. Entries can be signed with an HMAC key so they can be verified, retained for a configurable number of days, filtered in the dashboard, and exported as JSON, JSON Lines, or Syslog for downstream review. For teams pursuing SOC 2, GDPR, HIPAA, or ISO 27001, this is the immutable record that turns "we think it was governed" into a verifiable trail.
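A reviewer who receives a JSON Lines export can check signatures offline. The following is an added example, not Bifrost's implementation: the page does not describe the signing format, so HMAC-SHA256 over sorted-key JSON, the `signature` field name, the field values and the key are all assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; a real key comes from a secret store

def canonical(entry):
    """Serialize every field except the signature in a stable byte form."""
    body = {k: v for k, v in entry.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(entry, key):
    return hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()

def verify_log(lines, key):
    """Return (line_no, status) per line: ok, bad-signature, unsigned, malformed."""
    results = []
    for n, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            results.append((n, "malformed"))
        elif not isinstance(entry.get("signature"), str):
            results.append((n, "unsigned"))
        else:
            # Constant-time comparison avoids leaking how many bytes matched.
            good = hmac.compare_digest(entry["signature"].encode(),
                                       sign(entry, key).encode())
            results.append((n, "ok" if good else "bad-signature"))
    return results

def sample_log():
    """Constructed entries using the fields the text lists for audit records."""
    base = {"time": "2025-01-01T09:00:00Z", "action": "virtual_key.update",
            "outcome": "success", "initiator": "admin@example.com",
            "target": "vk-dev-alice", "path": "/constructed/path"}
    ok = dict(base, signature=sign(base, KEY))
    tampered = dict(ok, outcome="failure")   # edited after signing
    unsigned = dict(base, action="virtual_key.delete")
    return [json.dumps(e) for e in (ok, tampered, unsigned)] + ["{not json"]
```

A per-entry signature shows that an entry was not altered; it does not by itself reveal that an entry was removed, so retention settings and export to a separate system still matter.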
Governing the Tools Claude Code Can Reach
Claude Code governance does not stop at model access. As Claude Code connects to external tools through the Model Context Protocol (MCP), each new connection expands the attack surface. Bifrost acts as an MCP gateway, centralizing tool connections, authentication, and access control across every connected MCP server.
Two controls matter most for agent governance:
- Tool filtering per virtual key. MCP tool filtering controls which tools a given virtual key can call, so a junior developer's key can be scoped to a safe subset while an admin key reaches more. This keeps tool access mapped to identity, the same way model access is.
- Secrets detection on prompts. Bifrost Enterprise includes a secrets detection guardrail, backed by Gitleaks rules, that scans request and response text for leaked API keys, tokens, and private keys. When a credential is detected in a prompt, the guardrail intervenes before the request reaches the provider.
Routing MCP traffic through Bifrost gives platform teams one chokepoint for tool authentication, filtering, and audit logging across every agent-to-tool interaction, instead of a per-developer configuration that nobody can inspect.
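The secrets-detection control described above amounts to a pattern scan with an allowlist, run before the prompt is forwarded. This is an added example, not Bifrost's guardrail or the Gitleaks rule set: the three simplified patterns, the `scan_prompt` and `gate` functions and the sample prompt are assumptions written for illustration.

```python
import re

RULES = [  # simplified patterns written for this example, not the Gitleaks rules
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("private-key-block", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
]
# Known documentation placeholder; allowlisting it avoids a false positive.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}

def redact(value):
    """Keep a short prefix so the finding is recognisable but not reusable."""
    return value[:4] + "*" * (len(value) - 4)

def scan_prompt(text):
    """Return one finding per match, with the matched value redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule_id, pattern in RULES:
            for m in pattern.finditer(line):
                if m.group(0) in ALLOWLIST:
                    continue
                findings.append({"rule": rule_id, "line": line_no,
                                 "match": redact(m.group(0))})
    return findings

def gate(text):
    """Gateway decision: block if anything was found, otherwise forward."""
    findings = scan_prompt(text)
    return ("block" if findings else "forward"), findings

# Constructed prompt; the key on line 2 is made up and not a live credential.
SAMPLE_PROMPT = "\n".join([
    "Please refactor config.py so it loads settings from the environment.",
    "AWS_KEY=" + "AKIA" + "ABCDEFGHIJKLMNOP",
    "# docs use AKIAIOSFODNN7EXAMPLE as the sample value",
    "-----BEGIN RSA PRIVATE KEY-----",
])

if __name__ == "__main__":
    print(gate(SAMPLE_PROMPT))
```

Findings carry a redacted match so that the guardrail's own logs do not become a second place where the credential is stored.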
Setting Up Claude Code Governance: Key Considerations
Implementing Claude Code governance with an AI gateway comes down to a few practical decisions.
How do you tie usage to identity instead of shared keys?
Issue one Bifrost virtual key per developer or per team rather than a shared provider key. Each Claude Code session authenticates with its own key via ANTHROPIC_AUTH_TOKEN, so every request carries a distinct identity that flows into budgets, rate limits, and audit logs.
How do you let developers use models beyond the Anthropic catalog?
Claude Code normally restricts usage to Anthropic models. Routed through Bifrost, the same Claude Code session can reach any of 1000+ models across 20+ providers through a unified API, with routing rules that rewrite model aliases to specific provider targets at request time. Platform teams control which models each virtual key can reach.
Does adding a gateway slow developers down?
Bifrost adds 11 microseconds of overhead per request at 5,000 requests per second in sustained benchmarks. Governance, routing, and logging happen in the request path with no perceptible latency for the engineer using Claude Code.
How do you deploy this in a regulated environment?
Bifrost supports in-VPC and on-prem deployment, so all inference traffic, governance logic, and audit data stay inside your cloud boundary. For healthcare, financial services, and other regulated industries, prompts and code context never leave infrastructure you control.
Claude Code Governance with Bifrost
Securing Claude Code at scale is an infrastructure problem, not a per-developer setting. An AI gateway gives platform teams the control plane to enforce identity, access control, spend limits, MCP tool governance, and signed audit logging on every request, while developers keep the speed they adopted Claude Code for in the first place. Bifrost delivers this Claude Code governance as an open-source AI gateway with enterprise governance controls layered on top, deployable in your own VPC with no provider credentials on developer machines.
To see how Bifrost can govern Claude Code and the rest of your AI traffic, book a demo with the Bifrost team.