What stays the same
IntentChain is designed so the enforcement model does not change across deployment flavors. The agent still requests an action, the control plane still evaluates policy and issues a signed permit, and the gateway still verifies before forwarding.
That consistency matters because teams should not have to relearn the security model when they change where the gateway runs.
What changes with custody
In SaaS, IntentChain runs the managed gateway and supporting execution path. In enterprise self-hosted deployments, IntentChain keeps the control plane while the customer runs the gateway in their own environment and points it at their own vault or credential source.
- SaaS: fastest rollout, managed operations, managed gateway custody.
- Enterprise: self-hosted gateway, customer-managed routing, and zero-custody control over downstream credentials.
Why private VNets matter
Private VNets let the customer keep the executable path inside their own network boundary. Routing, DNS, vault access, and downstream connectivity stay under customer control while the permit and policy semantics stay unchanged.
That is what zero-custody enterprise deployment really means: IntentChain still authorizes and signs, but the final hop and credential access remain inside customer infrastructure.