Direct model access
Applications call model providers through SDKs or direct HTTP clients.
Limit: Policy, logging, redaction, budget checks, and provider restrictions depend on each application team implementing them correctly. No centralized enforcement boundary.
Risk: Fast integration with high bypass risk. Evidence is scattered across application logs. Cannot produce attributable evidence for AI actions.