
Tailscale's Aperture Links Cryptographic Identity to Every LLM Request for Auditing

tailscale.com · @systems_wire · 3 hours ago · Cybersecurity · 6 comments

Every AI request through Aperture carries cryptographic proof of identity, turning the usual black-box use of LLMs into an auditable trail tied to a specific person or device.


Every AI request through Aperture carries cryptographic proof of identity from Tailscale, turning the usual black-box LLM usage into an auditable trail tied to a specific person or device. No more guessing which coding agent sent what to which model or whether a CI runner just leaked internal tools to OpenAI. Aperture records login name, device ID, and tags on every request—human or otherwise.

How Aperture Ties Identity to Every LLM Request

Session tracking groups related requests—like a Claude Code task that spawns dozens of LLM calls, tool invocations, and data passes—into a single context. You see the full picture of what a deeper job cost and touched, not a firehose of individual messages. Tags on non-human devices like CI runners or background agents carry identity too, so tag:ci-runner appears in the audit log just as clearly as [email protected].

Aperture captures the full request body, full response body, HTTP headers (sensitive values redacted), token counts by type (input/output/cached/reasoning), model name, duration, and tool use. All of this is collected asynchronously, so there is no latency penalty on the actual LLM work.

What Gets Logged and Who Gets to See It

Access to session logs is deny-by-default. Administrators assign grants that can be as specific as [email protected], as categorical as tag:ci-runner, or as broad as *. You can scope grants by provider and model—anthropic/** or openai/gpt-5—and even set MCP tool access through the same system. Retention is configurable down to zero days, with the option to export everything to S3-compatible storage for SIEM ingestion. Alternatively, you can hold no local data and still maintain a full audit trail via exports.

Aperture does something most gateways skip: it logs what administrators do with those logs. When an admin views logs owned by another user, that access is recorded. Other admins can review the audit trail through the API or web interface. That's a clear signal to auditors that admin access to sensitive session data is both tracked and reviewable.

Policy Enforcement Before Data Leaves Your Network

Visibility is only half the story. Pre-request hooks can scrub PII, block requests that violate data policy, or strip specific tool declarations before they ever hit an LLM provider. If the guardrail service is unreachable, you choose fail_closed (blocked) or fail_open (proceed). Quotas enforce spending per user, group, agent, or run across all providers. Partners like Cribl, Oso, Apollo Research, and Cerbos add fine-grained authorization at the tool-call level.
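The fail_closed / fail_open choice described above, as an added Python sketch that is not Aperture's code or configuration format. The hook function, the guardrail, the request fields and the policy values are all hypothetical, and treating any unrecognised mode as fail_closed is an assumption of this example.

```python
import copy
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BLOCKED_TOOLS = {"internal_deploy"}   # constructed policy value
BLOCKED_MARKER = "CONFIDENTIAL"       # constructed policy value

class GuardrailUnreachable(Exception):
    """The (hypothetical) guardrail service could not be contacted."""

def guardrail(request):
    """Hypothetical guardrail: returns (verdict, cleaned request or reason)."""
    if BLOCKED_MARKER in request["prompt"]:
        return "block", "prompt carries a CONFIDENTIAL marker"
    cleaned = copy.deepcopy(request)  # never mutate the caller's request
    cleaned["prompt"] = EMAIL.sub("[REDACTED_EMAIL]", cleaned["prompt"])
    cleaned["tools"] = [t for t in cleaned["tools"] if t not in BLOCKED_TOOLS]
    return "allow", cleaned

def unreachable_guardrail(request):
    """Simulates an outage of the guardrail service."""
    raise GuardrailUnreachable("connection timed out")

def pre_request_hook(request, check, on_failure="fail_closed"):
    """Decide what leaves the network; anything but fail_open blocks on outage."""
    try:
        verdict, result = check(request)
    except GuardrailUnreachable as exc:
        if on_failure == "fail_open":
            # Proceeds unscrubbed: record that so the audit trail shows the gap.
            return {"action": "forward", "request": request,
                    "note": f"guardrail skipped: {exc}"}
        return {"action": "block", "request": None,
                "note": f"guardrail unreachable ({on_failure}): {exc}"}
    if verdict == "block":
        return {"action": "block", "request": None, "note": result}
    return {"action": "forward", "request": result, "note": "scrubbed"}

# Constructed sample request from a tagged, non-human device.
SAMPLE = {"identity": "tag:ci-runner", "model": "openai/gpt-5",
          "prompt": "Summarise the ticket from alice@example.com",
          "tools": ["read_file", "internal_deploy"]}

if __name__ == "__main__":
    for mode in ("fail_closed", "fail_open"):
        print(mode, pre_request_hook(SAMPLE, unreachable_guardrail, mode)["action"])
    print(pre_request_hook(SAMPLE, guardrail)["request"])
```

With fail_open the request leaves unscrubbed during an outage, so the returned note is what lets a reviewer find those requests afterwards.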

With Aperture's deny-by-default logs and admin access auditing, teams can finally answer "who sent what to which model" without sacrificing performance.


Source: How to audit what your AI agents are accessing
Domain: tailscale.com
