AI Pilot capability matrix
Audience: Platform engineers, AI governance owners
Time: ~10 min read
This matrix maps common operator goals to native AI Gateway CRDs (the Kubernetes profiles AI Pilot targets), ext_proc / AIGatewayFilter, OPA (PBAC), PIP data, and Control Plane UI paths. Use it to avoid duplicating gateway features in custom PEP code.
| Goal | AI Gateway CRDs | ext_proc / AIGatewayFilter | OPA + Rego | PIP | Control Plane UI |
|---|---|---|---|---|---|
| Multi-provider routing & fallbacks | AIGatewayRoute, AIServiceBackend, BackendSecurityPolicy | Filter chain hooks only | Allow/deny overlays | Attribute facts | Settings → AI Pilot → Routing; /pilot Routing tab |
| Token-aware rate limits | BackendTrafficPolicy | — | Cost obligations (audit) | Usage snapshots | Rate limits in routing bundle |
| Circuit breaker / retries / hedging | BackendTrafficPolicy | — | — | — | Settings → AI Pilot → Resilience |
| MCP broker / registry | MCPRoute | MCP enrichment block | Tool-level deny | — | Settings → AI Pilot → MCP Proxy |
| Upstream OAuth / API keys | AIGatewayUpstreamAuth | — | — | Secret refs | Upstream Auth guide |
| Semantic cache / Redis topology | AIGatewayFilter (semanticCache) | Applies obligations | — | — | Cache & Rate Limits |
| Guardrails / DLP | AIGatewayFilter (guardrails, dlp) | Enforcement | Policy decisions | Classifiers | /pilot Guardrails & DLP |
| Per-transaction metrics | AIGatewayMetricsPolicy | Emits dimensions | — | — | Observability settings |
Telemetry vs authority: Panels such as Resilience and MCP Proxy on /pilot may show live rollups from ext_proc for observability. BackendTrafficPolicy and MCPRoute remain authoritative for breaker behavior and MCP routing in the gateway runtime.
Next steps
- CRD config reference — emitted kinds and spec knobs
- Scenario library — step-by-step flows
- AI Pilot overview
Troubleshooting: If a capability column shows “gateway” but traffic ignores it, confirm the compiled bundle reached the bouncer and that your deployment profile is Kubernetes AI Gateway (Compose profiles may omit some CRD runners). See Troubleshooting.