Companion dashboard — optional UI component, separate container, same VPC boundary.
Every Layerup AI Agent deployment includes the option to deploy a companion dashboard: a browser-accessible interface that lets underwriters submit cases manually, monitor processing status, and review structured agent output — without requiring any integration work with your existing policy administration or CRM systems. The dashboard is entirely optional and is delivered as a separate, independently deployable OCI container image from the agent container. Many production deployments operate without the dashboard at all, using queue-based or API-based integration directly with the agent. The decision of whether to deploy the dashboard is typically made per line of business, not for an entire deployment.
What the dashboard is and is not
What it is
A lightweight, browser-accessible web application purpose-built for Layerup AI Agent workflows. It provides: a case submission form (document upload), a processing queue view, and a structured output review screen that renders the agent’s recommendation, confidence score, evidence citations, and requirements list in a human-readable format.
What it is not
The dashboard is not a replacement for your policy administration system, your DMS, or your CRM. It does not store data independently — it reads and writes exclusively through the same S3 buckets and SQS queues that the agent uses. It is a UI lens on data that lives in your own infrastructure, not a separate data store.
Who typically uses it
Teams that want to begin processing cases immediately without completing system integration work. The dashboard lets your underwriting team interact with the agent from day one while your IT team works on connecting the agent to your downstream systems. It is also used when the downstream system has limited capability to consume structured agent output directly.
Who typically does not use it
Teams with fully integrated workflows where new business submissions arrive from and are processed by existing systems (policy admin, DMS, workbench) automatically. In these deployments the agent is invisible to end users — it receives tasks from SQS, processes them, writes output to S3, and notifies the downstream system via a completion event.
Deployment architecture
The dashboard is a second container image delivered through the same marketplace channel as the agent container. It is deployed into the same VPC, the same private subnet, and governed by the same security group policies. It introduces no new network boundaries and no new egress paths.
Fig. D1.1 — Dashboard deployment topology. The dashboard container and the agent container are both in the same private subnet. The Internal ALB is accessible only from within your VPC — access from corporate endpoints requires a VPN or AWS Client VPN connection. No component has a public internet-facing endpoint.
Container image delivery
The dashboard image is delivered through the same AWS Marketplace or Azure Marketplace subscription as the agent image. They arrive as two separate, independently versioned images in your private registry:

| image | tag example | function |
|---|---|---|
| layerup-ai-agent | layerup-ai-agent:1.4.2 | The underwriting reasoning agent |
| layerup-dashboard | layerup-dashboard:1.4.2 | The companion web UI |

A 1.4.2 dashboard is always compatible with a 1.4.2 agent.
IAM role — minimal scope
The dashboard container operates under a dedicated IAM Execution Role that is entirely separate from the agent’s execution role. The dashboard has no access to Amazon Bedrock — it never makes inference calls. Its permissions are limited to the S3 and SQS resources it uses to submit cases and retrieve output.

| IAM permission | justification |
|---|---|
| s3:PutObject | Upload case documents to the designated S3 input bucket |
| s3:GetObject | Read structured output JSON from the designated S3 output bucket |
| sqs:SendMessage | Submit a new case intake event to the SQS intake queue |
| sqs:ReceiveMessage, sqs:DeleteMessage | Poll the SQS completion queue for case status updates |
| kms:GenerateDataKey, kms:Decrypt | Encrypt uploads to and decrypt output from S3 using the designated CMK |
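
One way to check a deployed dashboard role against the permission table above, as an added example (not Layerup's code). It audits an identity-based policy document for actions outside the table, any route to Bedrock, wildcard actions and unscoped resources; the bucket names, queue names, key ID and account number in the sample policies are constructed placeholders.

```python
import re
# Actions granted in the permission table above; anything else is drift.
ALLOWED = {a.lower() for a in (
    "s3:PutObject", "s3:GetObject", "sqs:SendMessage", "sqs:ReceiveMessage",
    "sqs:DeleteMessage", "kms:GenerateDataKey", "kms:Decrypt")}

def _listify(value):  # IAM accepts one item or a list for these fields
    return value if isinstance(value, list) else [value]

def _matches(pattern, text):
    # IAM action patterns are case-insensitive; * and ? are wildcards.
    rx = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, text.lower()) is not None

def audit_dashboard_policy(policy):
    """Return (statement_index, code, value) findings for an identity policy."""
    findings = []
    for i, stmt in enumerate(_listify(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny statement cannot widen access
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((i, "not-action", str(stmt["NotAction"])))
        for action in _listify(stmt.get("Action", [])):
            if _matches(action.split(":")[0], "bedrock"):
                findings.append((i, "bedrock-access", action))
            elif "*" in action or "?" in action:
                findings.append((i, "wildcard-action", action))
            elif action.lower() not in ALLOWED:
                findings.append((i, "extra-action", action))
        for resource in _listify(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "unscoped-resource", resource))
    return findings

# Constructed sample policies; every ARN is a placeholder, not a Layerup value.
ARN = "arn:aws:{}:us-east-1:111122223333:{}"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-input-bucket/*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-output-bucket/*"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": ARN.format("sqs", "example-intake")},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
     "Resource": ARN.format("sqs", "example-completion")},
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": ARN.format("kms", "key/EXAMPLE-KEY-ID")}]}
DRIFTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "bedrock:InvokeModel"], "Resource": "*"}]}
```

`audit_dashboard_policy(SCOPED)` returns an empty list, while `DRIFTED` produces one finding each for the wildcard action, the Bedrock action and the `*` resource.
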
Access control — who can reach the dashboard
The Internal ALB in front of the dashboard container is configured with no public listener. Access is restricted to principals within your VPC — which in practice means:
- Users on your corporate VPN that is peered or connected to your VPC
- Users connected via AWS Client VPN or AWS Site-to-Site VPN
- Users on the same AWS Direct Connect path as your VPC
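
A check of the access boundary described above, as an added example (not Layerup's code). It takes one load balancer entry and the security group entries in the shape returned by the AWS `describe-load-balancers` and `describe-security-groups` calls, and flags a non-internal scheme or any ingress CIDR outside the approved networks; the load balancer name, group IDs and CIDR ranges are constructed placeholders.

```python
import ipaddress

def audit_dashboard_exposure(load_balancer, security_groups, approved_cidrs):
    """Check one describe-load-balancers entry and its security groups.

    Returns (code, subject, value) findings; an empty list means the ALB is
    internal and every CIDR ingress rule sits inside an approved network.
    """
    approved = [ipaddress.ip_network(c) for c in approved_cidrs]
    findings = []
    name = load_balancer["LoadBalancerName"]
    if load_balancer.get("Scheme") != "internal":
        findings.append(("alb-not-internal", name, load_balancer.get("Scheme")))
    attached = set(load_balancer.get("SecurityGroups", []))
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue  # this group is not in front of the dashboard
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr)
                # subnet_of() raises on mixed IP versions, so compare versions first
                if not any(net.version == a.version and net.subnet_of(a)
                           for a in approved):
                    findings.append(("ingress-outside-approved", sg["GroupId"], cidr))
    return findings

# Constructed sample data; names, group IDs and CIDRs are placeholders.
APPROVED = ["10.20.0.0/16", "172.16.0.0/22"]  # assumed VPC and VPN client ranges
INTERNAL_ALB = {"LoadBalancerName": "example-dashboard-alb", "Scheme": "internal",
                "SecurityGroups": ["sg-0example1"]}
EXPOSED_ALB = dict(INTERNAL_ALB, Scheme="internet-facing",
                   SecurityGroups=["sg-0example2"])
GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "10.20.0.0/16"}, {"CidrIp": "172.16.0.0/24"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

Rules that reference another security group instead of a CIDR are not evaluated here and need a separate review of the referenced group.
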
When to deploy the dashboard vs. direct integration
The decision is driven by your integration readiness, not by a permanent capability constraint. Most deployments start with the dashboard and progressively move toward direct integration as downstream system connections are established.

| scenario | recommendation |
|---|---|
| No existing system integration work completed; team wants to begin using the agent immediately | Deploy dashboard — immediate access for your underwriting team with zero integration dependencies |
| Existing policy admin system can consume structured JSON from S3 or via webhook | Deploy agent only; connect your system directly to the SQS completion queue and S3 output bucket |
| Line of business has complex UI requirements beyond the standard review screen | Evaluate building a custom UI that calls the agent’s internal API directly — your Layerup team can provide the API spec |
| Piloting across two lines of business with different integration maturity | Deploy dashboard for the less-integrated line; queue-based direct integration for the mature line |
| Production deployment at scale with full system integration | Dashboard optional — often retained as an audit review and manual override interface even when automation is primary |

