Most teams adopt LLMs the same way: someone creates a provider API key, pastes it into a service, and ships. It works, so it spreads. Six months later there are a dozen raw keys across a dozen repos, each one an unscoped, uncapped, unattributed line to a provider that bills by the token. Nobody can say which team is spending what, no key is limited to the models it should use, and a leaked key is an unbounded charge until someone notices.
That is not an AI strategy. It is a pile of blank checks.
The problem is that a raw provider key is all-or-nothing. It carries no notion of which team holds it, which app, which budget, or which models it is allowed to call. The provider sees one key and one bill. Your org sees a number at the end of the month and no way to break it down.
ZopNight’s AI Gateway replaces the sprawl with a single, governed entry point to your LLM providers.
One front door, scoped keys behind it
Instead of raw provider keys, you issue scoped virtual keys, one per team or app. Each is limited to the providers and models you allow, so a key meant for a summarization feature cannot quietly start calling your most expensive model. The gateway sits between your apps and the providers, and every call goes through it.
Budgets, breakdown, and who holds the keys
A front door is only useful if it can say no. AI Gateway caps spend with budgets, so a runaway workload cannot blow past its limit and hand you a surprise bill. Usage and spend break down across keys, providers, and models, so “which team is spending what” finally has an answer, in the same view.
And the keys themselves are governed. Who can view, create, edit, or delete virtual keys and models runs through your existing roles, scoped to specific providers when you need it. Managing AI access becomes the same RBAC conversation as every other resource, not a side channel of shared secrets.
| Raw provider keys | AI Gateway virtual keys | |
|---|---|---|
| Scope | All providers, all models | Only what you allow |
| Spend cap | None | Budget per key |
| Attribution | One opaque bill | By key, provider, model |
| Revoke a leak | Rotate everywhere | Kill one key |
| Who manages | Whoever holds the key | Your existing roles |
When a gateway earns its place
This earns its place the moment more than one team or app touches an LLM. At that point raw keys stop being convenient and start being risk: unbounded spend, no attribution, and a leak that is expensive to contain. A gateway turns all of that into scoped, capped, attributed access.
For a single script calling one model, a raw key is fine, and a gateway is overhead you do not need yet. The line is teams. Once AI access is something several people provision, it needs a control plane, the same way cloud and infrastructure already do. The AI Gateway is that control plane for the model layer.
