
FREQUENTLY ASKED QUESTIONS

Find Out More

It’s important to us that our clients feel fully informed and confident when working with us. That’s why we’ve made an extensive list of past clients’ questions along with answers from our experienced team. Browse through the information below, and if you have a question that isn’t included here, feel free to reach out to us today.

This page is for technical buyers who need fast, safe delivery. It answers common questions on AI infrastructure, Azure, and compliance. It covers guardrails, cost control, pipelines, and migration. I work globally.

Fewer Surprises. Clear Decisions. Solid Growth.
 

Security and compliance built into the way you work. Built secure, scalable systems for one of Azure’s largest estates, now optimised for lean start-ups. From MVP to market-ready without slowing you down. Calm. Clear. Scalable.


How do we move from MVP to market without rework?
This is for founders who want speed and audit readiness. Use light patterns that raise delivery velocity. Apply an Azure landing zone, policy, and cost tags early. Treat architecture as a tool, never a phase.


How do we keep AI prompts and data private?
For teams using Azure OpenAI and vector databases. Use private endpoints and customer-managed keys. Enforce model access boundaries and data residency. Log prompts and outputs securely with rotation and retention.


What is the safest fast Azure landing zone?
For platform owners who want guardrails, not gates. Start with enterprise-scale templates and trim to fit. Enable policy, RBAC, budgets, and PIM. Deploy only through CI/CD.


How do we prove SOC 2 readiness quickly?
Compliance owners need automated evidence. Use Azure Policy, Defender, and activity logs. Map to ISO 27001 and HIPAA. Produce audit-ready reports with owners and dates.


Do we need Kubernetes now?
Resource-constrained teams should start simple. Use Azure App Service until control needs grow. Move to Azure Kubernetes Service for scale or isolation. Keep CI/CD agnostic.


How do we ship daily without outages?
Release managers need zero-downtime methods. Use blue-green or canary deployments in pipelines. Add health probes, autoscale, and rollbacks. Test infrastructure as code on each change.


Which vector database should we start with?
Start with Azure AI Search for early RAG. Use managed vector stores when embedding scale grows. Keep encryption and access control strict. Track lineage and consent for sources.


How do we separate environments safely?
Use one subscription per environment. Isolate networks, keys, and data stores. Limit roles by scope with RBAC and PIM. Enforce deploys only through pipelines.


How do we handle identity and least privilege?
Adopt Entra ID with RBAC. Require PIM for elevation and reviews. Remove standing privilege by default. Record access changes for audits.


How do we control cloud costs without slowing teams?
Product leads need clear budgets and alerts. Tag resources by team and environment. Rightsize, reserve, and schedule non-production hours. Review top cost drivers weekly with owners.


How do we align AI work with company policy?
Set an AI safe systems standard. Cover prompt safety, key rotation, logging, and residency. Enforce checks in CI/CD. Block deployment when rules fail.


How do we avoid vendor lock-in with AI?
Abstract model calls behind a service. Support Azure OpenAI, OpenAI, and Anthropic. Keep embeddings and data portable. Version prompts and policies.


How do we migrate with minimal downtime?
For legacy modernisation and hybrid estates. Use database replication and staged cutover. Run parallel reads and plan a quiet switch. Test rollback and communication.


How do we modernise older applications?
Containerise or lift to App Service first. Externalise config and secrets in Key Vault. Add health checks and autoscale. Tackle code refactors after stabilisation.


How do we keep hybrid audit logs complete?
Centralise logs in Azure Monitor and Sentinel. Ingest on-premises events and cloud events. Align retention with policy and regulations. Protect logs from tampering.


How do we bring AI into a regulated workflow?
Design AI with control checks. Approve data sources and retention rules. Keep model input and output logs. Provide appeal and human review steps.


How do we run secure multi-region?
Use paired regions with clear residency controls. Replicate secrets safely with Key Vault. Test regional failover exercises. Limit blast radius with feature flags.


How do we govern Kubernetes safely?
Adopt the AKS baseline with Azure Policy. Enforce image provenance and network policy. Limit cluster admin with PIM. Log all cluster actions.


How do we standardise CI/CD without slowing teams?
Create reusable workflows and paved paths. Require tests, scans, and approvals. Capture artefacts and deployment logs. Measure lead time and failure rate.


How do we implement zero trust?
Verify identity, device, and context on each request. Use conditional access and segmentation. Monitor continuously with Sentinel. Review exceptions monthly.


How do we track spend by team and service?
Use cost allocation tags and scoped budgets. Share unit costs and trends weekly. Tie alerts to service owners. Publish actions and outcomes.

How do we manage secrets at scale?
Use Key Vault and managed identity. Rotate keys and certificates automatically. Block secrets in code with scanners. Report usage and expiry.


How do we show early value from AI?
Pick one visible workflow. Add retrieval-augmented generation safely. Measure cycle time, accuracy, and cost. Publish a short impact report.


What does Azure PIM give us in practice?
Azure PIM reduces standing privilege and helps pass SOC 2. It enforces time-bound elevation. It records approvals and reasons. Auditors accept its evidence.


What if auditors request quick proof?
Automate screenshots and logs into one store. Map controls to owners and evidence. Produce weekly summaries. Keep them audit-ready and date-stamped.


How do we decide between App Service and AKS?
Use App Service for simpler applications. Choose AKS for scale, control, or custom networking. Keep migration paths clear. Avoid premature complexity.


How do we secure AI assistants for staff?
Disable training on customer data. Use content filters and prompt guards. Limit model access by role. Log usage with correlation IDs.


How do we plan an Azure landing zone?
Start with identity, network, and policy. Separate environments by subscription. Add budgets and logging from day one. Keep templates versioned.


How do we prevent drift across environments?
Store everything as code. Scan for policy violations before deployment. Remediate automatically where safe. Review drift reports weekly.


How do we justify Azure spend to leadership?
Map spend to outcomes and unit costs. Use savings plans and reservations. Show trend-down targets and actions. Publish a monthly cost note.


How do we work with Bagh Co and stay fast?
Use a fractional CTO for clarity and direction. Use delivery squads for build and improvement. Keep guardrails, not gates, throughout. Measure results each sprint.


What Bagh Co does

  • Designs AI safe systems with audit-ready guardrails, not gates.

  • Builds Azure landing zones, CI/CD, and cost control that raise delivery speed.

  • Guides compliance readiness for SOC 2, ISO 27001, and HIPAA.

Calm. Clear. Scalable. Talk to us when you want fewer surprises and solid growth.


Bagh Co Ltd


©2025 by Bagh Co Ltd.
