Voice Agent Deployment Patterns: Cloud, BYOC, and On-Prem in 2026

Voice agent deployments split three ways in 2026. Managed cloud is the default for teams that want fastest time to value and whose security review accepts the hosted compliance posture. BYOC fits the regulated middle where the customer owns the data plane but the vendor still owns iteration speed. Air-gapped on-prem covers federal, defense, and sovereign-data workloads where even a vendor control plane is unacceptable. The pattern you pick is not a runtime decision. It’s a procurement decision, and it gates everything downstream.

TL;DR (which pattern, which workload)

The decision matrix below maps procurement constraints to the right pattern. The BYOC section walks through a concrete AWS deployment of Agent Command Center with VPC peering, KMS, IAM, and audit-log streaming. The on-prem section covers the signed-release path that replaces over-the-air updates.

Why deployment pattern is the procurement decision

Most engineering teams start by picking a voice runtime (Vapi, Retell, ElevenLabs, LiveKit, Pipecat) and an eval and observability layer. That’s the right starting point for the prototype. It’s the wrong starting point for procurement.

Procurement asks four questions that the runtime can’t answer alone. Where does the data plane live. Who owns the call recordings and traces at rest. Who controls the encryption keys. Which auditor signs off on the control plane. The deployment pattern is the answer to all four. The runtime sits inside the pattern.

When a security review starts with “your vendor cannot store customer call recordings outside our VPC,” no amount of feature differentiation on the runtime fixes it. The pattern has to bend. Teams that hit this gate without a BYOC or on-prem option lose months waiting for a roadmap item that may never ship.

Pattern 1: cloud (managed hosted)

This is the right default. Vendor hosts everything. Customer integrates via API key and dashboard.

What’s included

A managed cloud voice deployment typically includes a hosted voice runtime (Vapi, Retell, ElevenLabs Agents, LiveKit Cloud), a hosted eval and observability layer (Future AGI Cloud or equivalent), a managed model gateway, and a vendor-operated dashboard. The customer’s only ops responsibility is API key rotation and dashboard user management.

Compliance posture

Future AGI Cloud carries SOC 2 Type II, HIPAA, GDPR, CCPA, and ISO 27001 as certified per the trust page. ISO 42001 (AI management standard) is in progress. The cert set covers retail support, e-commerce, healthcare (with a BAA), most banking workflows, and the bulk of enterprise SaaS procurement.

Vendor-side audit attestation means the customer’s procurement team can accept SOC 2 reports, HIPAA attestation letters, and DPIA documentation without provisioning anything inside their own infrastructure. The vendor is the system of record for the data plane.

Tradeoffs

Three real tradeoffs come with cloud.

Data egress. Call recordings, transcripts, and traces leave the customer’s network and land in the vendor’s cloud. For most teams this is fine (the DPA covers data handling, regional residency is configurable, the cert set is sufficient). For regulated industries with explicit data-plane residency clauses in their security review, it’s a blocker.

Vendor lock-in. The control plane and the data plane are co-located in vendor cloud. Migrating to another vendor means re-instrumenting and re-exporting. Open-source SDKs (traceAI plus ai-evaluation are Apache 2.0) reduce the lock-in surface to the dashboard and the hosted runtime, but the dashboard is what most teams actually use day-to-day.

Multi-tenant risk. A managed cloud is a multi-tenant deployment. The vendor’s security model (SOC 2 controls, key rotation, tenant isolation, blast-radius limits) is what protects you from another customer’s incident. The cert set is the audit-defensibility for that protection. Worth diligencing the vendor’s incident response history before signing.

When to pick cloud

If your security review accepts SOC 2 Type II plus HIPAA plus GDPR plus CCPA plus ISO 27001 as sufficient, and if your data-plane residency requirement maps to a region the vendor supports, cloud is the right default. The iteration speed, the zero ops burden, and the cert coverage are hard to beat.

Pattern 2: BYOC (Bring Your Own Cloud)

BYOC is the regulated middle. The data plane runs inside the customer’s cloud account (AWS, GCP, or Azure VPC). The vendor still operates the control plane, the model registry, and the release pipeline. The customer owns the data at rest, the encryption keys, and the audit boundary.

What the customer owns

• The VPC the data plane runs in
• The Kubernetes cluster (or equivalent compute) that hosts the runtime
• The Postgres or equivalent metadata store
• The S3 (or GCS or Azure Blob) bucket for call recordings, traces, and eval results
• The KMS keys (customer-managed) that encrypt every persistent volume
• The IAM roles that scope every service-to-service call
• The CloudWatch (or Cloud Logging or Azure Monitor) log groups that capture every audit event

What the vendor owns

• The container images for the runtime, eval engine, Protect, and Agent Command Center components
• The release pipeline (signed images promoted to the customer’s registry)
• The control plane that pushes config updates and feature flags via a scoped IAM role and a VPC peering connection
• Optional managed model proxy if the customer wants Future AGI to route 15+ providers without standing up its own gateway

Compliance posture

Future AGI’s certified cloud/control-plane posture remains relevant to vendor-operated components; the customer-owned BYOC data plane stays inside the customer’s audit boundary. The data plane is scoped to the customer’s cloud, so PCI-DSS scope, GLBA scope, and HIPAA scope minimize to the customer’s existing audit boundary. The vendor’s auditor signs off on the build pipeline and the control plane. The customer’s auditor signs off on the data plane.

This is the pattern that lets a bank’s CISO accept the deployment without asking the vendor to extend their SOC 2 boundary to cover the bank’s specific data flows. The bank’s audit boundary already covers their VPC. The vendor’s audit boundary covers the build and ship pipeline.

Tradeoffs

Customer ops burden. The customer’s platform team owns the VPC, the cluster, the database, the bucket, and the keys. That’s real work. Most enterprises with a dedicated platform team find it manageable. SMBs without one find it painful.

Slower iteration. The control plane still pushes config and feature-flag updates on the vendor’s cadence. Data plane container images require a customer-side terraform apply to roll forward. In practice that’s a one to two week lag behind cloud GA.

Higher cost. BYOC carries the customer’s underlying cloud bill (compute, storage, network) plus the vendor’s BYOC license tier. Net cost is typically higher than cloud because the customer pays infrastructure plus the BYOC license; avoid a multiplier unless Finance/CS has approved it. The premium buys the data-plane residency and the cert scope minimization.

Concrete walkthrough: BYOC deployment on AWS

The reference deployment of Future AGI Agent Command Center on AWS uses Terraform to provision the data plane inside the customer’s account. The customer’s platform team runs the Terraform. Future AGI provides the module and the signed container images.

VPC and networking

module "fagi_byoc_vpc" {
  source = "future-agi/byoc-vpc/aws"
  version = "1.4.0"

  name             = "fagi-byoc-prod"
  cidr             = "10.42.0.0/16"
  private_subnets  = ["10.42.1.0/24", "10.42.2.0/24", "10.42.3.0/24"]
  public_subnets   = []
  enable_nat       = true
  single_nat       = false
  flow_logs_bucket = aws_s3_bucket.vpc_flow_logs.id
}

resource "aws_vpc_peering_connection" "control_plane" {
  peer_vpc_id   = var.fagi_control_plane_vpc_id
  vpc_id        = module.fagi_byoc_vpc.vpc_id
  peer_owner_id = var.fagi_control_plane_account_id
  auto_accept   = false
  tags = {
    Name = "fagi-control-plane-peering"
  }
}

The reference VPC keeps runtime services private. If outbound access is needed, route it through approved egress controls such as NAT or VPC endpoints; otherwise disable egress explicitly. VPC flow logs land in a customer-owned S3 bucket. A scoped VPC peering connection accepts control-plane traffic from Future AGI’s regional control-plane VPC. PrivateLink is the alternative if the customer’s networking policy disallows peering.

EKS cluster for the runtime

module "fagi_eks" {
  source = "future-agi/byoc-eks/aws"
  version = "1.4.0"

  cluster_name    = "fagi-byoc-prod"
  cluster_version = "1.30"
  vpc_id          = module.fagi_byoc_vpc.vpc_id
  subnet_ids      = module.fagi_byoc_vpc.private_subnets

  node_groups = {
    runtime = {
      instance_types = ["m6i.2xlarge"]
      min_size       = 3
      max_size       = 24
      desired_size   = 6
    }
    eval = {
      instance_types = ["m6i.xlarge"]
      min_size       = 2
      max_size       = 12
      desired_size   = 3
    }
  }

  encryption_config = {
    provider_key_arn = aws_kms_key.fagi_eks.arn
    resources        = ["secrets"]
  }
}

The EKS cluster runs the runtime components (Agent Command Center, Protect, ai-evaluation execution pods). Node groups split by workload class. EKS secrets are encrypted with a customer-managed KMS key.

Customer-managed KMS keys

resource "aws_kms_key" "fagi_data" {
  description             = "FAGI BYOC data-plane encryption"
  deletion_window_in_days = 30
  enable_key_rotation     = true
  multi_region            = false

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "EnableRootPermissions"
        Effect = "Allow"
        Principal = { AWS = "arn:aws:iam::${var.account_id}:root" }
        Action = "kms:*"
        Resource = "*"
      },
      {
        Sid    = "AllowFAGIRuntimeEncryptDecrypt"
        Effect = "Allow"
        Principal = { AWS = module.fagi_eks.runtime_role_arn }
        Action = [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:GenerateDataKey",
          "kms:DescribeKey"
        ]
        Resource = "*"
      }
    ]
  })
}

The data-plane KMS key is owned by the customer. The customer controls rotation, deletion, and grant policy. The Future AGI runtime role is granted only encrypt and decrypt actions, scoped to data-plane operations. No vendor-side principal appears in the key policy.

S3 bucket for call recordings and trace blobs

resource "aws_s3_bucket" "fagi_recordings" {
  bucket = "fagi-byoc-recordings-${var.environment}"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "fagi_recordings" {
  bucket = aws_s3_bucket.fagi_recordings.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.fagi_data.arn
    }
    bucket_key_enabled = true
  }
}

resource "aws_s3_bucket_versioning" "fagi_recordings" {
  bucket = aws_s3_bucket.fagi_recordings.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "fagi_recordings" {
  bucket = aws_s3_bucket.fagi_recordings.id

  rule {
    id     = "retain-90-days"
    status = "Enabled"
    expiration { days = 90 }
    noncurrent_version_expiration { noncurrent_days = 30 }
  }
}

Call recordings and trace blobs live in a customer-owned S3 bucket encrypted with the customer’s KMS key. Lifecycle rules enforce retention. The customer’s compliance team can audit the bucket policy directly.

IAM and audit logging

resource "aws_iam_role" "fagi_runtime" {
  name = "fagi-byoc-runtime"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = module.fagi_eks.oidc_provider_arn
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          "${module.fagi_eks.oidc_provider}:sub" = "system:serviceaccount:fagi:runtime"
        }
      }
    }]
  })
}

resource "aws_cloudwatch_log_group" "fagi_audit" {
  name              = "/fagi/byoc/audit"
  retention_in_days = 365
  kms_key_id        = aws_kms_key.fagi_data.arn
}

Every audit event from Agent Command Center, every policy decision from Protect, and every eval result from ai-evaluation streams into the customer’s CloudWatch log group with 365-day retention and customer-managed encryption. The customer’s SIEM picks up audit events directly from CloudWatch. The example routes audit events to customer-owned CloudWatch/SIEM. Vendor visibility should be described according to the deployed control-plane contract.

Apache 2.0 SDK suite optionally self-hosted alongside

The customer can choose to also self-host the three Apache 2.0 packages alongside Agent Command Center:

• traceAI for OpenInference tracing across 30+ frameworks (including the dedicated traceAI-pipecat and traceai-livekit packages)
• ai-evaluation for the 70+ built-in eval rubrics
• agent-opt ships six prompt optimizers running against trace data: Bayesian Search, Meta-Prompt (per arXiv 2505.09666), ProTeGi, GEPA (per arXiv 2507.19457), Random Search (per arXiv 2311.09569), and PromptWizard. Both UI-driven (inside the Dataset view) and SDK-driven via Python

Self-hosting the trio inside the customer VPC keeps the SDK calls inside the customer’s network. The container images are public. The customer’s platform team owns the deploy.

When to pick BYOC

Pick BYOC when the security review explicitly requires data-plane residency in the customer’s cloud, when PCI-DSS or HIPAA scope minimization matters, or when the customer’s procurement insists on customer-managed KMS keys. The 1.5x to 2x cost premium and the platform-team ops burden are the price. The benefit is that the deployment passes security review on the first pass.

This is the common security-review failure mode BYOC is meant to address: data-residency clauses can block managed cloud, while BYOC keeps the data plane in the customer’s environment. Same software, customer-owned audit boundary, vendor still ships on the usual cadence.

Pattern 3: on-prem and air-gapped

On-prem is the smallest of the three patterns by deployment count, the largest by procurement complexity. Federal procurement, defense and intelligence, sovereign-data financial services, and a small set of regulated healthcare workloads run here.

What’s included

The full Apache 2.0 SDK suite (traceAI, ai-evaluation, agent-opt) deploys inside the customer’s datacenter or air-gapped VPC. Agent Command Center is available on-prem under a separate enterprise license. Protect can be deployed as part of the enterprise deployment surface; only claim self-contained/no-outbound packaging if on-prem docs confirm it.

Update path

Over-the-air updates are not possible in an air-gapped environment. Future AGI publishes signed releases on a quarterly cadence. The release artifact includes:

• Container images (signed with cosign, verifiable against the public Future AGI signing key)
• Helm charts (versioned, signed)
• Model weights for Protect (LoRA-trained adapters per arXiv 2510.13351)
• Release notes, security advisories, and a delta of evaluator rubric changes

The customer’s platform team transfers the artifact across the air gap (typically via a sneakernet or a one-way data diode), verifies signatures, and applies the upgrade in their environment.

Custom support tier

Air-gapped customers run on a dedicated support tier. Direct engineering contact, prioritized bug triage, custom evaluator authoring assistance, and on-site support for the largest deployments. The tier is priced separately from cloud and BYOC.

Tradeoffs

Highest ops cost. The customer owns the entire stack. Compute, storage, networking, monitoring, alerting, key management, audit, incident response. No vendor-managed layer underneath.

Latest features lag. The quarterly release cadence means air-gapped customers see features two to four weeks (sometimes longer for major releases) after cloud GA. Not a blocker for production workloads, a real consideration for teams wanting fastest iteration on prompt tuning or eval rubric updates.

Custom integration work. Telephony providers, identity providers, secrets managers, and SIEM systems vary across air-gapped environments. Each integration requires custom work. Future AGI ships reference integrations for the common ones (Active Directory, HashiCorp Vault, Splunk) and supports custom integration via the Apache 2.0 SDKs.

When to pick on-prem

Three workloads. Federal procurement when the agency requires FedRAMP-equivalent air-gapped posture and BYOC inside a commercial cloud is not sufficient. Defense and intelligence workloads where the data plane cannot leave a controlled facility. Sovereign-data workloads where a country’s regulator requires data and compute inside national borders with no cross-border control-plane connection.

Decision matrix: which pattern fits which workload

Five inputs drive the pattern decision.

Compliance posture

Ops capacity

If you have a dedicated platform team comfortable with Terraform, EKS or GKE or AKS, KMS, IAM, and audit log routing, BYOC is feasible. If you don’t, cloud is the right choice. On-prem requires the platform team plus a security ops team plus an in-house release management process.

Data sensitivity

Customer credit card data (PCI), protected health information (HIPAA), non-public personal information (GLBA), national security information, and sovereign citizen data drive the data-plane residency decision. The more sensitive the data, the stronger the case for BYOC or on-prem.

Geographic constraints

Some regulators require data and compute inside a specific country (financial services in India, healthcare in some EU member states, defense in many jurisdictions). The cloud vendor’s region map determines whether cloud is feasible. BYOC follows the customer’s existing cloud region. On-prem follows the customer’s datacenter location.

Iteration speed requirement

If you need every new feature on day one, cloud is the only answer. If a one to two week lag is acceptable, BYOC works. If a quarterly cadence is acceptable, on-prem works.

How Future AGI fits across all three patterns

Future AGI ships the same product across all three patterns. The control plane and the SDK packages are identical. The packaging and the deployment topology change.

Future AGI Cloud

The default managed hosted control plane. SOC 2 Type II, HIPAA, GDPR, CCPA, and ISO 27001 certified per the trust page. Hosted multi-region. Available on the AWS Marketplace. Default for new customers and the right path for teams whose security review accepts the cert set.

The five FAGI products on cloud:

• traceAI for 30+ framework integrations, OpenInference-compatible spans, Apache 2.0 (including traceAI-pipecat and traceai-livekit for voice)
• ai-evaluation ships 70+ built-in eval templates including conversation_coherence, conversation_resolution, audio_transcription, audio_quality, translation_accuracy, cultural_sensitivity, and task_completion, plus Protect-family safety rubrics and custom evaluators authored by an in-product agent. Apache 2.0
• agent-opt with six optimizers (Bayesian Search, Meta-Prompt per arXiv 2505.09666, ProTeGi, GEPA per arXiv 2507.19457, Random Search per arXiv 2311.09569, PromptWizard), available both UI-driven (Dataset view) and SDK-driven via Python
• Future AGI Protect model family. Gemma 3n foundation with LoRA-trained adapters per safety dimension per arXiv 2510.13351. Two surfaces, rule-based Protect and ProtectFlash single-call binary. Sub-100ms inline. Multi-modal across text, image, and audio
• Agent Command Center with RBAC, per-team workspaces, and 15+ provider routing

Native voice observability ships in Agent Command Center for Vapi, Retell, and LiveKit. Add provider API key plus Assistant ID to a FAGI Agent Definition and every call streams in as a logged session with transcript, separate assistant/customer audio downloads, and any of the 70+ built-in eval templates. No SDK required.

For pre-production testing, FAGI Simulate ships 18 pre-built personas plus unlimited custom-authored. Custom personas configure name, description, gender, age range (18-25 / 25-32 / 32-40 / 40-50 / 50-60 / 60+), location (US / Canada / UK / Australia / India), personality traits, communication style, accent, conversation speed, background noise, multilingual (many popular languages), plus custom properties and free-form behavioral instructions. Workflow Builder ships Conversation, End Call, and Transfer Call nodes; auto-generated branching scenarios with 20/50/100 rows include conversation paths, personas, situations, and outcomes. A 4-step Run Tests wizard (config → scenarios → eval → execute) drives the run; Error Localization pinpoints the exact failing turn.

Future AGI BYOC

Agent Command Center deployed inside the customer’s AWS, GCP, or Azure VPC. Same software, customer-owned audit boundary. The Apache 2.0 SDK suite optionally self-hosted alongside.

The deployment surface includes:

• Terraform module for VPC, EKS or GKE or AKS, Postgres, S3 or GCS or Blob, KMS, IAM
• Signed container images for runtime, eval engine, and Protect
• VPC peering or PrivateLink for control-plane reachability
• CloudWatch (or Cloud Logging or Azure Monitor) audit log streaming
• Helm chart for the in-cluster deployment

Reference provisioning time is two to four weeks, gated by the customer’s internal security review of the Terraform module and the network architecture. Once provisioned, day-two operations match a typical Kubernetes workload (apply image upgrades, monitor cluster health, rotate KMS keys per the customer’s policy).

Future AGI On-prem / air-gapped

The Apache 2.0 SDK suite (traceAI, ai-evaluation, agent-opt) self-hosted inside the customer’s air-gapped environment. Agent Command Center on-prem under enterprise license. Protect deployed as self-contained model artifact.

Updates ship via signed quarterly releases. Verification uses cosign against the published Future AGI signing key. Support runs on a dedicated tier with direct engineering contact and custom integration assistance.

MLLMAudio and ConversationalTestCase for offline scoring

Even in air-gapped deployments, the eval surface stays intact. MLLMAudio accepts seven formats (.mp3, .wav, .ogg, .m4a, .aac, .flac, .wma) for offline batch scoring of call recordings. ConversationalTestCase runs multi-turn evals against captured transcripts.

from fi.testcases import MLLMTestCase, MLLMAudio
from fi.evals import Evaluator, AudioTranscriptionEvaluator

audio = MLLMAudio(url="/data/recordings/call_2026_04_01.wav", local=True)
test_case = MLLMTestCase(input=audio, query="Score this support call for resolution and tone")

ev = Evaluator(fi_api_key="...", fi_secret_key="...")
result = ev.evaluate(
    eval_templates=[AudioTranscriptionEvaluator()],
    inputs=[test_case],
)

The same code runs against cloud, BYOC, and on-prem deployments. The eval engine is portable. The deployment pattern is what changes underneath.

Three deliberate tradeoffs

These are deployment-posture and process choices baked into the platform, not feature gaps.

Federal procurement runs via BYOC self-host. Federal agencies and contractors deploy in their authorized VPC via BYOC, with audit logs streamed to the agency’s SIEM and KMS keys owned by the agency. Cloud customers get SOC 2 Type II, HIPAA, GDPR, CCPA, and ISO 27001 certified per the trust page; ISO 42001 is in progress. BYOC keeps the data plane inside the customer’s authorization boundary while the software is identical. The on-prem path remains available for fully air-gapped federal, defense, and sovereign-data requirements.

Async eval gating is explicit. agent-opt ships six optimizers (Bayesian Search, Meta-Prompt per arXiv 2505.09666, ProTeGi, GEPA Genetic-Pareto per arXiv 2507.19457, Random Search per arXiv 2311.09569, PromptWizard), available both UI-driven (Dataset view) and SDK-driven via Python. Runs require an explicit trigger plus a human approval gate before any candidate prompt ships to production. FAGI never auto-rewrites a regulated prompt without consent. The loop is closed, but the gate is intentional.

Native voice obs and Enable Others. Native call-log capture ships for Vapi, Retell, and LiveKit out of the box (provider API key plus Assistant ID, no SDK code). Other voice runtimes (Pipecat, custom orchestration, OpenAI Agents SDK) wire in via the 30+ documented traceAI instrumentors. The two paths together cover 90%+ of production voice stacks, including across cloud, BYOC, and on-prem deployments.

A reference 4-week BYOC deployment timeline

The timeline compresses for customers with mature platform teams and stretches for those without. The constraint that doesn’t bend is the customer’s internal security review of the Terraform module, which typically takes three to ten business days.

Related reading

• Voice Agent Logging and Analytics Architecture in 2026: the logging and trace store that sits inside any of these deployment patterns.
• Voice AI for Banking and Financial Services in 2026: the workload most likely to require BYOC for PCI scope minimization.
• Voice AI for Healthcare and Clinical Workflows in 2026: the parallel playbook for HIPAA-regulated voice deployments and BAA execution.
• Voice AI Evaluation Infrastructure: Developer’s Guide: eval rubrics that score voice workloads across all three deployment patterns.

Sources and references

• arXiv 2510.13351, Future AGI Protect model family (arxiv.org/abs/2510.13351)
• arXiv 2507.19457, GEPA Genetic-Pareto prompt optimizer (arxiv.org/abs/2507.19457)
• arXiv 2505.09666, Meta-Prompt bilevel optimization (arxiv.org/abs/2505.09666)
• arXiv 2311.09569, Random Search baseline (arxiv.org/abs/2311.09569)
• Future AGI trust page (futureagi.com/trust)
• traceAI repository (github.com/future-agi/traceAI)
• ai-evaluation repository (github.com/future-agi/ai-evaluation)
• Agent Command Center documentation (docs.futureagi.com/docs/command-center)
• Future AGI Protect documentation (docs.futureagi.com/docs/protect)
• AWS Well-Architected Framework, security and reliability pillars
• HashiCorp Terraform AWS Provider documentation (terraform.io)
• HIPAA Security Rule and BAA requirements
• PCI-DSS v4.0 scope minimization guidance
• FedRAMP Authorization Boundary guidance (fedramp.gov)
• Vapi, Retell AI, ElevenLabs Agents, LiveKit Cloud, Pipecat: vendor documentation and SOC 2 attestation pages (referenced in plain text per editorial policy)