Control Plane and Data Plane

Trust3 separates where governance is coordinated from where your AI assets and data live. Understanding this split helps you deploy collectors in the right place, configure network access, and reason about what leaves your environment.


Definitions

Control plane

The control plane is the Trust3-operated environment that runs Trust3 backend services — the APIs and services behind AI Governance (inventory, policies, Trust Score evaluation, workflows, and the product experience your users see in the Trust3 console).

Your administrators and governance users interact with Trust3 through this layer. Policy decisions, inventory records, and audit evidence are anchored here.

Data plane

The data plane is your environment — the networks, cloud accounts, and platforms where AI agents run and where platform APIs expose metadata about those agents (for example Databricks workspaces or Microsoft Power Platform).

AI Assets Collectors run in the data plane. They connect to your data sources using credentials you supply, read the metadata needed to build the inventory, and send structured results to Trust3. Collectors are designed to operate close to your sources so discovery stays efficient and you keep clear boundaries around what crosses the network edge.


How they connect

Collectors do not connect directly to Trust3 backend services over an opaque internal mesh. Instead, their traffic goes through the Trust3 API server (the public AI Governance API edge). Each request from a collector is authenticated with a Trust3 API key (the same secret you configure as AI_GOVERNANCE_API_KEY when you run the collector). The API server validates the key and routes allowed calls to the appropriate Trust3 backend services.

```mermaid
flowchart TB
  subgraph DP["Data plane (your environment)"]
    direction TB
    SRC["Data sources (Databricks, Azure / Power Platform, …)"]
    COL["AI Assets Collectors"]
    COL -->|"Read metadata and relationships"| SRC
  end

  subgraph CP["Control plane (Trust3)"]
    direction TB
    API["Trust3 API server (validates Trust3 API key)"]
    BE["Trust3 backend services (inventory, policies, scoring, …)"]
    API --> BE
  end

  COL -->|"HTTPS (Trust3 API key on each request)"| API
```

Summary

| Location | What runs there | Role |
| --- | --- | --- |
| Data plane | AI Assets Collectors (and your platforms) | Discover AI assets next to your sources; outbound-only HTTPS to Trust3 where your network policy allows |
| Control plane | Trust3 API server and Trust3 backend services | Authenticate callers, persist inventory, evaluate policies, power the Trust3 experience |

Operational notes

  • Secrets: The Trust3 API key identifies and authorizes your collector to the API server. Treat it like any production credential — scope access, rotate when needed, and never commit it to source control.
  • Network path: From the data plane, collectors need reachability to the Trust3 API hostname your deployment uses (for example the host you use for Docker registry login in the Run Collector guide). Your firewall or egress rules should allow that HTTPS traffic.
  • Data minimization: Collectors send governance-oriented metadata to Trust3 so the inventory and policies reflect your estate. Design and configuration of what is collected are described in the collector documentation; align those choices with your own data handling standards.
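
One way to enforce the Secrets note for the collector's key, as an added example that is not Trust3's own tooling: a scan of a deployment repository that flags any file assigning a literal value to AI_GOVERNANCE_API_KEY, while allowing references that defer to the runtime environment. The sample file names, the `collector` image name and the key value are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches AI_GOVERNANCE_API_KEY assigned in env files, shell, YAML or docker args.
ASSIGN = re.compile(r"""AI_GOVERNANCE_API_KEY\s*[=:]\s*["']?([^\s"'#]*)""")
# Values that defer to the environment ($VAR, ${VAR}), doc placeholders, or empty.
INDIRECT = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*.*|<[^>]*>|)$")

def find_hardcoded_keys(root):
    """Return sorted (relative_path, line_no) pairs for literal key assignments."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # skip binaries and unreadable files
        for no, line in enumerate(text.splitlines(), 1):
            for m in ASSIGN.finditer(line):
                if not INDIRECT.match(m.group(1)):
                    hits.append((path.relative_to(root).as_posix(), no))
    return sorted(hits)

def build_sample_repo(root):
    """Write constructed sample files; the key value is a fake placeholder."""
    root = Path(root)
    (root / "deploy").mkdir()
    (root / ".env").write_text("AI_GOVERNANCE_API_KEY=FAKE-constructed-key-000\n")
    (root / "deploy" / "compose.yml").write_text(
        "environment:\n  AI_GOVERNANCE_API_KEY: ${AI_GOVERNANCE_API_KEY}\n")
    (root / "run.sh").write_text(
        'docker run -e AI_GOVERNANCE_API_KEY="$AI_GOVERNANCE_API_KEY" collector\n'
        "docker run -e AI_GOVERNANCE_API_KEY collector\n")
    (root / "README.md").write_text("Set AI_GOVERNANCE_API_KEY=<your-key> first.\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for rel, no in find_hardcoded_keys(tmp):
            print(f"{rel}:{no}: literal AI_GOVERNANCE_API_KEY value")
```

Run from a pre-commit hook or CI job, a non-empty result from `find_hardcoded_keys` is the signal to block the change and rotate the exposed key.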