Pricing
Simple, Transparent Pricing
No hidden fees. No surprise bills. Three plans — pick the one that fits. All include the full AI governance layer with 30+ PII types, prompt injection blocking, and spend enforcement.
We sit between your app and every LLM provider to enforce policy before data leaves your system.
Not sure which plan to pick?
Choose Managed Credits if…
- • You're just getting started with AI
- • You don't have accounts with AI providers
- • Smart Router auto-picks the cheapest provider
- • You're building a prototype or side project
Choose Starter BYOK if…
- • You have your own API keys
- • You want 0% Hub markup on calls
- • You need up to 3 production projects
- • You want full governance at the lowest price
Choose Pro BYOK if…
- • You need more than 3 projects
- • You run multiple teams or products
- • You want priority support
Choose Enterprise / Hybrid if…
- • Prompts must stay in your VPC
- • You're in healthcare, finance, or government
- • You need SAML SSO, RBAC, or SIEM integration
- • You need the MCP Gateway running inside your own VPC
- • You require an SLA guarantee
Included on every plan — no exceptions
Full AI Firewall (30+ PII types) · Prompt injection blocking · Agent loop detection & auto-kill · Hard budget caps per project · EU AI Act audit logs · Webhook alerts · 600+ models · 1M free credits
Managed Credits
Best for prototypes & teams who want zero provider setup
- 1M free credits — no credit card
- We provide AI access (no provider signups)
- Smart Router picks cheapest provider
- 600+ models across all providers
- 3 projects
- Image generation (FLUX, DALL-E, SD)
Starter BYOK
Best for solo devs & small projects
- Everything in Managed, plus:
- Bring your own API keys — 0% markup
- All premium models across providers
- AES-256 encrypted key storage
- Hybrid Mode: BYOK + Credits fallback
- 3 projects
Pro BYOK
Best for teams & production apps
- Unlimited projects
- Everything in Starter, plus:
- Priority support
Enterprise
For regulated industries & data sovereignty
- Everything in Pro, plus:
- Hybrid VPC — proxy runs in your network
- Prompts never leave your infrastructure
- SAML SSO — Okta, Azure AD, Google Workspace
- RBAC — 4-tier roles, 17 granular permissions
- SIEM connectors — Splunk, Datadog, Sentinel
- MCP Gateway in your VPC — agent tool-plane security (beta)
- Dedicated support & SLA
- Custom deployment & onboarding
- Air-gapped deployment options
We'll set up a 30-minute demo with your team
Hybrid Mode — Best of Both (Starter & Pro)
Pro subscribers can use their own keys for some providers and fall back to AISG Credits for the rest. If you have an OpenAI key but not a Gemini key, GPT requests use your key (0% markup) while Gemini requests route through Managed Mode. The Hub resolves keys automatically — no configuration needed.
Included on every plan — no exceptions
Full AI Firewall (30+ PII types) · Prompt injection blocking · Custom DLP policies & regex · Audit logs · 600+ models · Switch or upgrade anytime
Model pricing is based on our internal cost-optimization engine. While we aim to provide competitive rates across our provider network, final pricing is subject to provider availability and real-time market fluctuations. Routing is best-effort and does not guarantee the absolute lowest cost on every request. All Managed Mode usage includes a service fee (25% open-weight / 30% closed models) for security and infrastructure management. See Section 25 of our Terms.
Key Security
How we protect your API keys
We take key custody seriously. Here’s exactly what happens when you add a provider key to AI Security Gateway.
Encrypted at Rest
AES-256-GCM authenticated encryption. Keys are never stored in plaintext — not in our database, not in logs, not anywhere.
Never Logged
Keys are decrypted in-memory only for the duration of a single API call. They never appear in logs, traces, or analytics.
Instant Deletion
Delete your project and your keys are gone immediately. No retention period, no backups, no recovery — by design.
Verify in Source
Our encryption logic is open source. Inspect exactly how keys are handled — no black boxes.
What’s Included
Full firewall on every plan. Zero compromises.
Every core security feature is available on all plans. The difference is how you pay for model access and which governance features you need.
| Feature | Managed | Starter | Pro | Enterprise |
|---|---|---|---|---|
| 30+ PII entity detection | ||||
| Prompt injection & jailbreak blocking | ||||
| OCR image scanning | ||||
| Custom DLP Policies & regex rules | ||||
| Budget enforcement — hard spending caps per project | ||||
| Recursive agent loop detection & auto-kill | ||||
| Webhook security alerts (HMAC-signed) | ||||
| EU AI Act compliance logs (hash-chained, tamper-evident) | ||||
| Real-time dashboard & analytics | ||||
| OpenAI SDK compatible | ||||
| Image generation (FLUX, DALL-E, SD) | ||||
| Smart Cost Router | — | — | — | |
| Multi-provider failover | — | — | — | |
| Projects | 3 | 3 | Unlimited | Unlimited |
| Bring Your Own API Keys | — | |||
| 0% Hub markup | — | |||
| All premium models across providers | — | |||
| AES-256 key encryption at rest | — | |||
| Hybrid Mode (mix BYOK + Credits) | — | |||
| Priority support | — | — | ||
| SAML SSO — Okta, Azure AD, Google Workspace | — | — | — | |
| RBAC — 4-tier roles, 17 granular permissions | — | — | — | |
| SIEM connectors — Splunk, Datadog, Sentinel | — | — | — | |
| MCP Gateway (cloud) — agent tool-call security | Beta | Beta | Beta | Beta |
| MCP Gateway — runs inside your VPC (beta) | — | — | — | |
| Hybrid VPC — proxy in your network | — | — | — | |
| Dedicated support & SLA | — | — | — |
MCP Gateway is in private beta. The cloud gateway can be enabled on any plan by request — email enterprise@aisecuritygateway.ai. In-VPC deployment ships with the Enterprise / Hybrid VPC plan.
Prefer to self-host?
AISG is open source. Deploy the core AI security proxy on your own infrastructure — no account required. When you need dashboards, multi-project management, or team features, the cloud version is here.
FAQ
Common Questions
No. We only log metadata (like "1 email address was blocked") — we never store the actual content of your messages or the AI’s responses. Your data passes through our security layer and is forwarded to the AI provider. Nothing is saved on our servers.
If your app uses the OpenAI SDK (the most popular AI library), you only need to change two lines: the API key and the base URL. Everything else — your models, your prompts, your response handling — stays exactly the same.
BYOK stands for "Bring Your Own Key." It means you already have an account (and API key) with a provider like OpenAI, Google Gemini, xAI, Groq, or Together.ai. On the Pro plan, you save those keys in AISG, and we use them to make AI calls on your behalf — so you pay the provider directly at their regular price with zero markup. BYOK also unlocks premium models like GPT-4o and Gemini Pro.
That’s perfectly fine! The "Managed Credits" plan is designed exactly for this. Add credits to your AISG wallet (10M Credits / $10 minimum), and we handle everything — we use our own provider accounts to process your requests.
No. Every request is protected from your very first API call. AISG applies a "Maximum Protection" default policy that scans for all 30 entity types (emails, credit cards, SSNs, API keys, prompt injection attacks, and more) and redacts any matches before the AI model sees them.
The security check adds less than 50 milliseconds for text — that’s faster than a blink. For images, it takes about 0.5–1 second depending on image size. Every response includes timing headers so you can verify this yourself.
Yes. Pro subscriptions are managed through Stripe — cancel with one click anytime. Wallet balances never expire, so any prepaid credits stay in your account.
More questions? Read the docs or email support@aisecuritygateway.ai
Ready to govern your AI calls?
Start free with 1M credits, go Starter for $9/mo, or talk to us about Hybrid VPC for your enterprise.
Or self-host for free →