ArcXOS, the identity/governance layer (ICAM), integrates with Arcxa NNX, the model exchange. Both are add-on siblings in the Eqitus.ai Intelligent Ingestion Systems. There are four distinct integration planes between these two products. Let me walk through each one with a diagram.
Plane 1 — Authentication: Every call into the NNX model exchange is gated by ArcxOS. No token, no access.
Plane 2 — Authorization: Once identity is confirmed, ArcxOS enforces what that identity is allowed to do inside NNX: which models they can pull, push, run inference on, or administer. Generating an offensive or defensive posture is interesting for government and defense customers.
ArcXOS doesn't just check role — it cross-references model-level attributes (classification, ITAR controls, approved use cases) against the caller's clearance and org membership before granting any NNX operation. A data scientist at a partner firm might be able to pull an unclassified model but get a hard deny on a FOUO-tagged one, even with the same role.
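The attribute cross-check described above, sketched as a deny-by-default decision function. This is an added example, not ArcXOS code: the attribute names, role table, label ordering and the US-person test used for ITAR are assumptions for illustration.

```python
from dataclasses import dataclass

# Hypothetical schema: the page does not publish ArcXOS's attribute names.
LEVELS = {"UNCLASSIFIED": 0, "FOUO": 1}        # ordered sensitivity labels
ROLE_OPS = {                                   # role -> permitted NNX operations
    "data_scientist": {"pull", "infer"},
    "admin": {"pull", "push", "infer", "admin"},
}

@dataclass(frozen=True)
class Caller:
    role: str
    org: str
    clearance: str
    us_person: bool = False                    # assumed ITAR eligibility flag

@dataclass(frozen=True)
class Model:
    classification: str
    itar: bool
    allowed_orgs: frozenset
    approved_uses: frozenset

def decide(caller, model, op, use_case):
    """Return (allowed, reason). Deny by default; every check must pass."""
    if op not in ROLE_OPS.get(caller.role, set()):
        return False, "role does not permit operation"
    # Fail closed: unknown clearance ranks lowest, unknown classification highest.
    have = LEVELS.get(caller.clearance, -1)
    need = LEVELS.get(model.classification, max(LEVELS.values()) + 1)
    if have < need:
        return False, "clearance below model classification"
    if caller.org not in model.allowed_orgs:
        return False, "org not approved for model"
    if model.itar and not caller.us_person:
        return False, "ITAR-controlled model"
    if use_case not in model.approved_uses:
        return False, "use case not approved for model"
    return True, "allow"

# Constructed sample data mirroring the partner-firm scenario above.
partner = Caller("data_scientist", "partner-firm", "UNCLASSIFIED")
orgs, uses = frozenset({"partner-firm", "home-org"}), frozenset({"research"})
open_model = Model("UNCLASSIFIED", False, orgs, uses)
fouo_model = Model("FOUO", False, orgs, uses)

if __name__ == "__main__":
    for m in (open_model, fouo_model):
        print(m.classification, decide(partner, m, "pull", "research"))
```

Returning the deny reason alongside the decision lets the audit log record which attribute caused the refusal, not only that one occurred.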
Plane 3 — Model provenance: Every model published to the NNX registry is signed against an ArcxOS identity, creating a chain of custody that can be audited.
Plane 4 — Lifecycle governance: When an identity is deprovisioned in ArcxOS (employee offboarding, contractor expiry, org restructure), NNX access is revoked instantly — and any models that identity published are flagged for re-attestation by a new owner.
To summarize the four planes:
Authentication — ArcXOS is the front door. Every NNX API call requires a valid ArcxOS-issued JWT; NNX holds no credentials of its own.
Authorization — ArcXOS's policy engine makes the allow/deny decision for each NNX operation (pull, push, infer, admin), enriched by model-level attributes like classification and export controls. This is where ITAR and data-boundary enforcement lives.
Provenance — ArcXOS's PKI signs every model artifact at publish time. The signature travels with the model, so any downstream consumer — another NNX node, a Fusion graph, a Video Sentinel deployment — can cryptographically verify who published it and when.
Lifecycle — ArcXOS is the single source of truth for identity state. When someone leaves or a service account expires, the revocation cascades to NNX automatically: active sessions die, and any models that person owned enter a re-attestation queue rather than becoming permanently orphaned.
The result is that NNX doesn't need its own user management, its own audit logging, or its own credential store — all of that is ArcXOS's job, and NNX trusts it completely. Want me to go deeper on any of these planes, or sketch the API contract between them?