cocoshedeStart blueprint

// PROCUREMENT_LAYER

Enterprise AI Vendor Catalog

Cocoshede blueprints reference infrastructure categories, not vendor hype. This catalog gives leaders a structured shortlist for the common procurement layers behind private, governed AI adoption.

// BUYER_FILTERS

Evaluate the Architecture Fit.

Vendor procurement should follow the target architecture, not the other way around. Use these filters to separate useful infrastructure from attractive demos that create governance debt.

Data sovereignty

Can sensitive prompts, embeddings, traces, and outputs remain in an approved region or private boundary?

Deployment model

Does the vendor fit the architecture lane: public API, private cloud, VPC, self-hosted, or on-premise?

Operational ownership

Who operates reliability, updates, monitoring, access control, incident response, and model evaluation?

Commercial exposure

What becomes variable cost: tokens, GPU hours, storage, traces, evaluations, or support seats?

// PROCUREMENT_LANES

Three Buying Lanes.

Cocoshede blueprints recommend infrastructure by lane. This prevents a team from buying sovereign infrastructure for a low-risk experiment or using a public API path for regulated workflow automation.

Lane 01

Fast governed prototype

Managed model platform

Managed vector layer

AI gateway

Use when leadership needs evidence quickly and data sensitivity is moderate.

Lane 02

Private workflow deployment

Private inference hosting

Vector database

Observability and evaluation

Use when the workflow touches customer records, internal IP, regulated documents, or repeatable high-volume operations.

Lane 03

Sovereign operating layer

Self-hosted inference

Self-hosted vector store

Security and output guardrails

Use when public API dependency, residency, or model-call exposure is unacceptable.

VendorDeploymentCompliance postureOn-premBest fit
Vector database

Neon Postgres + pgvector

Strong fit for MVP and mid-market teams already comfortable with Postgres governance.

SLA: Managed database SLA by plan

Managed cloud Postgres

GDPR: EU region available

HIPAA: Provider-dependent BAA review required

No

Teams that want a pragmatic vector layer close to relational application data.

Qdrant

Useful when sovereignty or self-hosting is a major buying criterion.

SLA: Enterprise SLA available

Cloud, private cloud, self-hosted

GDPR: EU hosting and self-hosting options

HIPAA: Enterprise review required

Yes

Private retrieval layers where teams need vector search portability and deployment choice.

Private inference hosting

vLLM

Requires internal ML platform maturity or an implementation partner.

SLA: Depends on hosting provider and internal SRE coverage

Self-hosted / private cloud

GDPR: Customer-controlled deployment

HIPAA: Customer-controlled deployment

Yes

Serving open-weight models in private GPU environments with strong throughput requirements.

Managed model platform

AWS Bedrock

Strong candidate when the target architecture already lives in AWS.

SLA: AWS service SLA

Managed cloud

GDPR: Regional controls available

HIPAA: Eligible service review required

No

Enterprises standardizing AI adoption inside AWS procurement and security controls.

Azure AI Foundry

Evaluate when Azure AD, Purview, and Microsoft security tooling are already standard.

SLA: Microsoft cloud SLA

Managed cloud

GDPR: Regional controls available

HIPAA: Eligible service review required

No

Microsoft-centric enterprises requiring identity, governance, and procurement alignment.

Observability and evaluation

Langfuse

Important once prototypes move from demo usage into governed production monitoring.

SLA: Enterprise plan dependent

Cloud, self-hosted

GDPR: EU and self-hosting options

HIPAA: Enterprise review required

Yes

Tracing prompts, model calls, evaluations, costs, and quality for production AI systems.

AI gateway

Cloudflare AI Gateway

Useful for teams pursuing hybrid API routing without building gateway infrastructure first.

SLA: Enterprise SLA available

Managed edge

GDPR: Regional and enterprise controls dependent on plan

HIPAA: Enterprise review required

No

Centralized routing, caching, observability, and policy control across model providers.

Security and output guardrails

Guardrails AI

Consider when report generation, extraction, or agent actions need deterministic gates.

SLA: Provider/implementation dependent

Open-source, managed options

GDPR: Deployment-dependent

HIPAA: Deployment-dependent

Yes

Schema validation, output constraints, and policy checks around LLM workflows.

// PROCUREMENT_NOTE

How to Use This Catalog

Treat every entry as a due-diligence starting point. Enterprise buyers should still validate data residency, contractual terms, support coverage, security documentation, and implementation ownership before selection. Cocoshede links blueprint recipes to categories so teams can compare realistic options without turning strategy into a vendor shopping exercise too early.

// FAQ

Procurement Questions.

Is this a ranked vendor list?

No. It is a procurement map. The right vendor depends on data sensitivity, deployment posture, operating maturity, and the workflow economics shown in the blueprint.

Should we choose vendors before the blueprint?

Usually no. Choose the architecture lane first, then evaluate vendors that fit the lane. Premature vendor selection often creates avoidable lock-in.

Does Cocoshede receive referral fees from listed vendors?

The catalog is presented as an architecture resource. Vendor choice should still go through your procurement, security, and legal review.

What should a CISO ask before approving a vendor?

Ask where data is processed, what is retained, how access is controlled, how incidents are handled, and whether traces or prompts are used for training.