Reference architecture

Multi-model orchestration with audit trail by architecture.

The layout below is the default. Every engagement starts here, then adapts to client constraints (sovereign deployment, model catalog, identity provider, observability stack). Variations are documented per engagement in the architecture decision record.

                ┌────────────────────────────────────────────────────────┐
                │   YOUR BUSINESS WORKFLOWS                              │
                │   (CRM, ERP, claims, KYC, clinical, ticketing, ...)    │
                └─────────────┬────────────────────────┬─────────────────┘
                              │                        │
                              ▼                        ▼
                ┌──────────────────────────┐ ┌────────────────────────┐
                │  IDENTITY & ACCESS       │ │ POLICY ENGINE          │
                │  Okta / Azure AD /       │ │ OPA / Cedar / custom   │
                │  SailPoint / Entra       │ │ (per-tenant, per-task) │
                └─────────────┬────────────┘ └───────────┬────────────┘
                              │                          │
                              ▼                          ▼
                ┌───────────────────────────────────────────────────────┐
                │   HIKARI BLUE OPS · the operating layer               │
                │   ┌──────────────┐  ┌──────────────┐ ┌────────────┐   │
                │   │ Multi-model  │  │ Audit trail  │ │ Kill       │   │
                │   │ orchestrator │  │ (immutable)  │ │ switch     │   │
                │   └──────┬───────┘  └──────┬───────┘ └────┬───────┘   │
                │          │                 │              │           │
                │   ┌──────┴─────────────────┴──────────────┴────┐      │
                │   │  Tool calls, retrieval, evaluation harness │      │
                │   └────────────────────┬───────────────────────┘      │
                └───────────────────────┬┴──────────────────────────────┘
                                        │
              ┌──────────┬───────────────┼──────────────┬───────────┐
              ▼          ▼               ▼              ▼           ▼
        ┌──────────┐ ┌─────────┐  ┌──────────┐  ┌──────────┐  ┌──────────┐
        │ Anthropic│ │ OpenAI  │  │ Mistral  │  │ Google   │  │ Local /  │
        │ Claude   │ │         │  │          │  │ Vertex   │  │ on-prem  │
        └──────────┘ └─────────┘  └──────────┘  └──────────┘  └──────────┘

         OBSERVABILITY            DATA RESIDENCY              REGULATOR PORTAL
         OpenTelemetry         EU / US / on-prem            Evidence export
         Sentry / Grafana      Customer-managed keys        DORA / NIS2 / MDR
         Datadog / Honeycomb   Zero cleartext server-side    EU AI Act Art. 12
      
  • Multi-model by architecture

    Routing by task, by risk profile, by cost. Model switches in hours, never months. No vendor lock-in. Default catalog covers Anthropic, OpenAI, Mistral, Google Vertex. Self-hosted models and on-prem inference supported where regulation requires.

  • Audit trail by architecture

    Every prompt, every output, every operator action, every model switch, every kill switch trigger: recorded immutably by the platform itself. Queryable by client teams. Exportable to regulator portals. Not a feature retrofitted before an audit.

  • Sovereign by construction

    Data residency selectable per workload: EU, US, on-prem. Encryption at rest (AES-256) and in transit (TLS 1.3). Zero cleartext data server-side. Customer-managed keys on AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault.

  • Kill switch as a property

    Halt, throttle or roll back per workflow, per model, per user. Triggered from the operations console, from a policy violation event, or from a regulator notification. Behavior documented in the engagement runbook, tested quarterly.

Native integrations

We meet your stack where it already runs.

The integrations below are exercised on real engagements. Glue is built in days, not quarters. Anything not listed is supported via an architecture decision review at engagement kick-off.

  • Identity & access

    Okta, Azure AD / Entra ID, SailPoint, Ping Identity, AWS IAM, GCP IAM. SCIM provisioning, SAML and OIDC, fine-grained RBAC. MFA enforced. No service accounts without rotation.

  • Data platforms

    Snowflake, Databricks, BigQuery, Redshift, Postgres, MongoDB, Elasticsearch, S3 / GCS / Azure Blob. Retrieval augmented generation built against client warehouses, never against a copy.

  • Workflow systems

    ServiceNow, Salesforce, SAP, Workday, Jira, Zendesk, Notion, Slack, Microsoft 365, Google Workspace. Operating layer plugs into existing workflows, does not replace them.

  • Security & observability

    Splunk, Microsoft Sentinel, CrowdStrike Falcon, Wiz, Datadog, Honeycomb, Grafana Cloud, Sentry. OpenTelemetry pipeline standard. SIEM connector ships with every production engagement.

Stack policy

What we use by default. What we will not ship.

Published so a client CTO knows what arrives in their environment before week one. Deviations are documented per engagement in the architecture decision record and approved by the Engineering Practice partner.

  • Default stack

    TypeScript and Python for application code. Go for performance-critical services. Postgres for relational, with vector extensions for retrieval. Container runtime on Kubernetes (EKS, AKS, GKE) or serverless where appropriate (AWS Lambda, Cloudflare Workers, Vercel). CI/CD on GitHub Actions or GitLab CI. IaC via Terraform or Pulumi.

  • Orchestration & agents

    LangGraph or in-house orchestrator depending on engagement risk profile. Anthropic tool use, OpenAI function calling, Mistral function calling supported. Open Policy Agent for runtime policy checks. Always paired with human-in-the-loop checkpoints where decisions carry consequence.

  • What we will not ship

    Single-vendor agent frameworks that lock model choice into the framework itself. Black-box vendor LLM wrappers without exportable prompts and traces. Production code without tests, observability and runbooks. Any model deployment without a kill switch wired to the operations console.

  • Open source posture

    We use open source where it is mature, license-compatible and well-maintained. We do not ship NPM micro-libraries with unclear provenance. SBOM published per build (see Trust Center, Supply chain security).

Engineering principles

Six principles every engineer signs on day one.

These are the rules of engagement. Posted in every project repository. Reviewed at every architecture decision.

  1. 01Production from line one

    We do not build POCs that are not designed to ship. The first commit assumes audit trail, observability and rollback. Throwaway code is rare and explicitly labelled.

  2. 02Reversibility by default

    Every architectural choice has a documented rollback path. No big-bang migrations. Strangler patterns where the legacy is alive. Feature flags on production changes.

  3. 03Evidence beats opinion

    Performance, security and reliability claims carry numbers. Numbers come from telemetry, not from slides. Architecture decision records cite measurements, not vendor pitches.

  4. 04Human-in-the-loop where consequence carries

    Decisions that affect a customer, a balance sheet or a patient receive human review by default. The platform asks for approval, logs the choice, and learns from rejections.

  5. 05Exit by design

    The day one architecture review names the conditions under which the client operates the system without us. We work toward that day from week one.

  6. 06Named accountability

    One of four partners signs every engagement. No anonymous architecture. No reviewer-without-a-name. The decision log carries the operator who signed it, on every line.

Public artifacts

What we publish so you can evaluate cold.

A CIO should be able to form an architectural opinion without a sales meeting. These are the public artifacts.

  • Architecture for AI agent governance (white paper)

    WP-HB-2026-00426, twenty pages, French. Reference paper on agent governance in regulated enterprise. English edition Q3 2026.

    Download the white paper (PDF, FR)

  • Operating System, the method

    The six phases every Hikari Blue engagement follows: Diagnostic, Architecture, Build, Governance, Adoption, Run. Method, not framework.

    Read the Operating System

  • Trust Center

    Compliance posture, sub-processors, security architecture, incident response timelines, legal framework, insurance, supply chain security.

    Open the Trust Center

  • Newsroom

    Operating field briefings on AI governance, agentic systems, regulation, enterprise architecture. Written from the field, not from the feed.

    Read the Newsroom

For CIO, CTO, Head of Platform

Walk through the architecture with the partner who signs it.

Thirty minutes. Xavier de Maillard, Engineering Practice partner. We bring the diagram for your stack and the integration matrix for your identity, data and security platforms. You bring the question that has not been answered yet.