There is a question that every organisation deploying AI-assisted tooling should be asking – and most are not asking it loudly enough:
When your platform sends a query to an AI model, exactly where does that query go? Who receives it? What do they do with it once they have it? And did you actually agree to that?
These are not hypothetical concerns. They are live, consequential issues for any organisation whose platform touches sensitive financial data, commercial strategy, infrastructure topology, or budget intelligence. And they are exactly the issues that shaped how Opactiv approaches AI integration.
The short version: in Opactiv, you choose which AI endpoints your data is sent to. You configure the URL. You hold the key. If you haven’t explicitly selected an endpoint, your data doesn’t go there. Full stop.
The Problem With “Default” AI Integrations
Most platforms that have bolted AI capabilities onto their existing product have done so in the most expedient way available: they pick a preferred AI provider, hardcode the endpoint, and ship. The customer gets the AI feature. The AI company gets the data. The terms of what happens to that data next are buried somewhere in a vendor agreement that may not even have been reviewed by anyone associated to the customer.
This is a problem for several reasons.
- AI training on your data. Many AI providers reserve the right, in their default terms of service – to use API inputs to improve, fine-tune, or retrain their models. That means the financial intelligence you submit in a query – your organisation’s cloud spend breakdown, your budget forecasts, your infrastructure cost anomalies, your pool allocations could, under default terms, become training material that eventually surfaces in outputs delivered to your competitors. Even where providers offer opt-out mechanisms, the burden is on the customer to find them, configure them, and verify they are being honoured.
- Regulatory and compliance obligations. Depending on your sector and jurisdiction, there may be explicit legal restrictions on where commercially sensitive or personally identifiable data can be sent for processing. A healthcare organisation in the EU, a financial institution under MiFID II, a defence contractor with export control obligations – none of these can afford to discover after the fact that their platform has been quietly routing queries to AI endpoints in jurisdictions they haven’t assessed or approved. The regulator’s position on “we didn’t know our vendor was doing that” is unsympathetic.
- Corporate information security policy. Most mature organisations have policies governing which third-party services are approved for data processing. Shadow AI – AI capability embedded in tools that bypasses the normal vendor approval process, is rapidly becoming one of the largest unmanaged risks in enterprise security. When a platform makes its own AI endpoint decisions, it effectively makes those third-party data processing decisions on your behalf, without your oversight.
- Concentration of competitive intelligence. A FinOps platform, by design, accumulates an extraordinarily detailed picture of your organisation’s technology investments, priorities, and operational patterns. The distribution of spend across cloud providers tells a story about your architecture strategy. The trajectory of AI API costs tells a story about your product roadmap. Budget pool structures reflect your team organisation and business unit priorities. This is not data you want aggregated at an AI provider without deliberate, informed consent.
How Opactiv Approaches AI Endpoint Configuration
Opactiv’s approach to AI integration is built on a principle we consider non-negotiable: the customer configures the endpoint, and only the customer’s configured endpoint receives the data.
Rather than deciding which AI provider is right for your organisation and routing your queries there by default, Opactiv exposes configurable AI service endpoint URLs. You, as the platform administrator, specify where AI-assisted features in the platform should send their requests. That configuration is explicit, visible, and under your direct control.
This design has several important practical consequences.
You can point Opactiv at your organisation’s own AI gateway. Many enterprises now operate centralised AI gateway services – internal proxies that sit in front of external AI APIs and enforce data governance, rate limiting, audit logging, and approved-provider policies before any data leaves the corporate perimeter. Opactiv works with these architectures. Configure your gateway’s endpoint, and all AI-assisted queries from Opactiv flow through your governance layer first. Your information security team retains full visibility and control.
You can select AI providers that have signed appropriate data processing agreements. Not all AI providers are equal from a data governance perspective. Some offer robust enterprise data processing agreements with explicit commitments that your data will not be used for training, that retention periods are defined and limited, and that processing is confined to approved jurisdictions. By controlling the endpoint, you control the provider, and therefore the contractual framework under which your data is processed. You are not at the mercy of whichever provider the platform vendor has a commercial relationship with this quarter.
You can use privately hosted or on-premises AI models. For organisations with the most stringent data sovereignty requirements, where even enterprise agreements with hyperscale AI providers are insufficient – Opactiv’s configurable endpoint architecture supports routing to privately deployed models. Whether that is a self-hosted open-source model running inside your own AWS VPC, a model deployed on your on-premises GPU infrastructure, or a regionally isolated model instance provided by your cloud vendor, Opactiv can direct its AI-assisted queries there. The data never leaves your controlled environment.
You can change providers without vendor lock-in. The AI landscape is moving faster than any enterprise procurement cycle. The model that is best suited to your needs today may not be the right choice in twelve months. Because Opactiv treats the AI endpoint as a configuration parameter rather than a hardcoded dependency, you retain the flexibility to adopt new models, switch providers, or consolidate onto a preferred enterprise AI platform as your strategy evolves – without waiting for a platform update or renegotiating a vendor contract.
The HALO AI Agent: Capability Without Compromise
Opactiv’s HALO Assistant and HALO Agent pipeline bring genuine AI capability to the FinOps workflow – natural language querying of your cost data, intelligent anomaly investigation, automated recommendation analysis, and agentic pipeline execution across your entire spend portfolio covering cloud infrastructure, AI API consumption, datacenter costs, Microsoft 365 licence operations, and multi-company governance.
These are powerful capabilities. They work best when the AI model understands the full context of your environment – which means, inevitably, that rich operational and financial data flows through the AI integration.
The configurable endpoint architecture means that power does not come at the cost of control. When a HALO agent analyses your cloud spend anomalies, investigates an unexpected spike in AI API costs, or synthesises recommendations across your pool hierarchy, those queries go to the endpoint you have designated and no other. The intelligence stays within the boundary you have drawn.
This matters particularly in the context of agentic AI – AI that does not merely answer questions but takes multi-step actions, orchestrates workflows, and produces outputs that may inform real financial decisions. As AI agents become more capable and more deeply embedded in operational processes, the governance of what data those agents have access to, and where they send it, becomes correspondingly more critical. Opactiv’s decision-checkpoint architecture, where human approval is required before consequential actions are executed, pairs naturally with its endpoint governance model. You control not just what the agent can do, but where the cognitive work of deciding what to do is performed.
Practical Implications for Your Organisation
Consider a few scenarios that illustrate why this matters in practice.
The regulated financial institution. A tier-one bank using Opactiv to manage cloud FinOps and AI API costs needs to ensure that all AI-assisted analysis of cost data is performed by a provider that has passed its third-party risk assessment and signed a data processing agreement consistent with its regulatory obligations. With Opactiv’s configurable endpoint, the bank points the platform at its approved AI provider, one that has been through procurement, legal, and information security review – and nowhere else.
The multinational managing multiple group entities. An organisation using Opactiv’s multi-company governance capability to oversee FinOps across dozens of subsidiaries in different jurisdictions needs confidence that cost and usage data for each entity is handled consistently with that entity’s local data protection obligations. Configurable endpoints, combined with the ability to deploy Opactiv into region-specific AWS infrastructure, gives that organisation the architectural building blocks to meet those obligations.
The technology company with a proprietary AI strategy. A company investing heavily in its own AI capabilities, both as a commercial product and as internal infrastructure, may have strong reasons to avoid enriching competitor AI providers with data about its own AI API consumption patterns. Opactiv’s endpoint configuration lets that company route AI-assisted FinOps queries to its own internal models, keeping the intelligence about its AI investment strategy entirely in-house.
The security-conscious enterprise with an AI gateway. An organisation that has invested in a centralised AI governance platform – a gateway that enforces content filtering, data classification, rate limiting, and comprehensive audit logging for all AI API traffic, wants that gateway to be the single point of control for all AI data flows. Opactiv’s configurable endpoint makes it a compliant participant in that governance architecture, not an exception to it.
Transparency About What Opactiv Collects, and What It Does Not
Opactiv’s own data practices are grounded in the same principles we help our customers apply to their AI integrations. The platform requests read-only access to billing data and resource metadata from connected cloud accounts – the minimum necessary to perform cost analysis and generate recommendations. We do not share customer data with any third party. We do not sell it. We do not use it to train models that benefit other customers or the broader market.
The only data that flows to AI endpoints is what you send there, through the endpoint you have configured, governed by the agreement you have established with that provider.
Closing Thought: Configuration Is Governance
There is a temptation in enterprise software to treat configuration options as a technical convenience – something the IT team sets up during onboarding and never thinks about again. AI endpoint configuration is something different. It is a governance decision. It defines the boundary of your organisation’s data sovereignty in the context of AI-assisted workflows.
Opactiv exposes that decision explicitly because we believe it is your decision to make. Not ours. Not your AI provider’s. Yours.
As AI capability becomes more deeply embedded in the tools organisations rely on to manage their most sensitive operational and financial data, the question of where that data travels will only become more important. The organisations that will navigate this landscape most successfully are those that insist on platforms that make the answer to that question transparent, configurable, and firmly in their own hands.
