
Innovating Responsibly: AI Landing Zone for NGOs and Educational Institutions
Introduction
aihorizon R&D, in collaboration with Microsoft's Tech for Social Impact Team and Microsoft's CMF Team, has developed a new AI Landing Zone specifically tailored for educational institutions and NGOs. Designed with cost-efficiency, security, and sustainability in mind, the architecture harnesses lightweight, cloud-native technologies such as Azure Static Web Apps and Azure Functions. This approach significantly reduces operational costs, making advanced AI solutions accessible even to organizations with limited resources—without sacrificing scalability or flexibility.
Built upon Zero Trust principles, the architecture prioritizes identity-first security, rigorously controlling and continuously verifying access to all services and data.
More than just infrastructure, this landing zone embodies aihorizon R&D's commitment to Responsible AI. It fully aligns with our Responsible AI Framework, emphasizing privacy, security, sustainability, and transparency. Additionally, the architecture integrates our dedicated sustainability module, offering detailed CO₂ emissions and cost tracking to provide clear insights into both environmental impact and financial expenditure associated with AI use.
Furthermore, this AI Landing Zone serves as the foundation of our Responsible AI Learning Space, empowering educators and learners to engage with AI technologies within an ethical and controlled environment. To extend its reach and foster community collaboration, we will shortly publish the complete landing zone architecture as an open-source accelerator on GitHub.
Users can also benefit from interacting with our Responsible AI Coach, who is available to explain the landing zone's design, features, and governance principles.
By making these tools accessible, we aim to inspire a culture of thoughtful inquiry—encouraging educators, students, and technologists alike to ask meaningful, perhaps even the right, questions about AI.
System Architecture
Security & Zero Trust
Security is a foundational pillar of the AI Landing Zone, designed in strict alignment with Zero Trust principles. This identity-centric model ensures that every access request is explicitly verified, regardless of its origin within or outside the network.
Key elements include:
- Authentication via Azure Entra ID: All users must log in using their organization's identity. The Azure Static Web App is integrated with Entra ID, and an app registration is used to enforce sign-in.
- Token-based Authorization: Azure Functions require a valid, authenticated user token for invocation. When fine-grained authorization is needed (e.g., for accessing personal data), user tokens are enriched with additional identity information using Entra ID claims.
- Role-Based Access Control (RBAC): Access to backend functions and sensitive data is governed by role assignments and claim-based authorization logic.
- Secure Secret Management: All keys, secrets, and connection strings are retrieved from Azure Key Vault, which is accessed through Private Endpoints to ensure secure and isolated communication.
- Private Endpoints for Service Communication: Azure services such as Translator, AI Foundry, and Cosmos DB are accessed via private links, reducing the surface area for external threats.
- Azure Front Door provides secure, high-performance global routing and web application firewall (WAF) capabilities, ensuring fast, reliable, and protected access to the AI Landing Zone.
- Continuous Monitoring and Logging: Security events and access patterns are logged to Log Analytics Workspace, enabling continuous auditing and early threat detection.
This cohesive security approach ensures that both platform integrity and user data remain protected, while enabling a flexible and scalable AI infrastructure.
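As an added example (not code from the aihorizon project), the role and claim checks described in this section could look like this inside a Node.js Azure Function linked to a Static Web App. It assumes the function reads the `x-ms-client-principal` header that Static Web Apps forwards to linked APIs; the `educator` role, the use of the object-ID claim to decide ownership of personal data, and the sample principal are constructed for illustration.

```javascript
// Added example. Names marked "hypothetical" are assumptions, not the project's own.
const OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier";
const OWNER = "00000000-0000-0000-0000-000000000001"; // constructed object ID

// Decode the base64 JSON principal that Static Web Apps passes to linked Functions.
// Any malformed input yields null so the caller fails closed.
function parseClientPrincipal(headerValue) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return null;
  try {
    const p = JSON.parse(Buffer.from(headerValue, "base64").toString("utf8"));
    if (!p || typeof p !== "object" || !Array.isArray(p.userRoles)) return null;
    return p;
  } catch {
    return null;
  }
}

// Look up one claim value by type in the principal's claims array.
function claimValue(principal, type) {
  const claims = Array.isArray(principal.claims) ? principal.claims : [];
  const hit = claims.find((c) => c && c.typ === type);
  return hit ? hit.val : null;
}

// Returns the HTTP status the function should answer with, plus a reason for logging.
// resourceOwnerOid is only passed for personal data (fine-grained authorization).
function authorize(headerValue, requiredRole, resourceOwnerOid) {
  const principal = parseClientPrincipal(headerValue);
  if (!principal || !principal.userRoles.includes("authenticated")) {
    return { status: 401, reason: "no authenticated principal" };
  }
  if (!principal.userRoles.includes(requiredRole)) {
    return { status: 403, reason: "missing role " + requiredRole };
  }
  if (resourceOwnerOid !== undefined) {
    const oid = claimValue(principal, OID_CLAIM);
    if (!oid || oid !== resourceOwnerOid) {
      return { status: 403, reason: "caller does not own the resource" };
    }
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample principal ("educator" is a hypothetical custom role).
const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64");
const SAMPLE = encode({
  identityProvider: "aad", userId: "u1", userDetails: "teacher@example.org",
  userRoles: ["anonymous", "authenticated", "educator"],
  claims: [{ typ: OID_CLAIM, val: OWNER }],
});
```

The header can be trusted only when the Function App accepts traffic solely through the Static Web App. A function that is also reachable directly has to validate the Entra ID token itself instead of relying on this header.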
Frontend
- Built with React.js SPA
- Deployed via Azure Static Web Apps
- Integrated with Azure Entra ID using App Registration
Backend
Backend logic is implemented in Azure Function Apps, which are integrated directly with the Static Web App and require a valid user token for invocation.
Azure Functions handle:
- Invoking AI services (e.g., Azure Translator, Azure AI Foundry) via Private Endpoints, using preprocessed content and contextual prompts.
- Orchestrating RAG (Retrieval-Augmented Generation) workflows by calling additional functions and using data sources like Azure AI Search and Cosmos DB.
- Reading/writing data in Azure Cosmos DB, which stores structured data such as conversations, personal configurations, and usage records.
- Retrieving secrets (API keys, connection strings) securely from Azure Key Vault using Private Endpoints.
- Writing logs and metrics to:
  - Log Analytics Workspace for fine-grained tracking of operations, emissions, and costs
  - Cosmos DB for user-specific, fast-access data (e.g., personal CO₂/cost summaries shown in the frontend)
AI & Data Services
Azure Translator and Azure AI Foundry are accessed securely through Private Endpoints. This ensures efficient, secure processing of translations and generative responses.
Azure AI Search provides contextual data during RAG orchestration. It acts as a semantic retrieval layer, providing relevant chunks of data based on user queries or AI prompts.
All data and service interactions follow strict access control, privacy, and performance principles using Azure-native security features.
Data Storage and Observability
Azure Cosmos DB serves as the main database for:
- Storing user content such as conversations and tutor configurations
- Logging emissions and usage metrics per user for transparency and tracking
Log Analytics Workspace is used for detailed monitoring, debugging, and cost/CO₂ evaluation across the system.
Closing Thoughts
With Horizon, our Responsible AI Learning Space, we aim to ask meaningful—perhaps even the right—questions about AI to deepen our collective understanding of this transformative technology. Our goal is not only to build innovative solutions, but to think holistically, especially in the context of education and NGOs, while creating tools and frameworks that can also benefit industry at large.
Our vision is a future where AI serves society—responsibly, sustainably, and equitably.
Contributors: Moritz Goeke, Sonja Kellner, Volker Leitzgen, Tobias Oberrauch, Yacin Yakoubi, Maral Demirseçen and Dr. Michael Jülich
