Reference · Security model

How Guardian sees every request.

Two pipelines, one safety model. Both run through the same six inspection points. Mode 2 fires all six because Guardian owns the full path. Mode 1 has two blind spots — the vendor controls the prompt and the final answer — which we close with contracts and endpoint controls, not with Guardian.

Doc · security-model Audience · CISO · security · procurement Companion · platform-architecture
Caught here — fully mitigated at this gate Partial / conditional — tool available, depends on model to use it Passes through — gate is blind, risk is not mitigated R1–R5 · five risk categories. A category can appear at multiple gates when it has multiple attack paths.
Mode 1 · BYOAI Vendor owns the conversation. Guardian sees tool-call legs and egress — the prompt and the AI's final answer are invisible.
Two blind spots by design. In BYOAI, the user's prompt and the AI's final answer bypass Guardian entirely — they flow directly to and from the vendor. We close those gaps with enterprise contracts (BAA · DPA · zero-retention) and endpoint DLP, not in code.
01 Prompt review blind in BYOAI
R1Pasted data — unseen
R3Hidden prompt — unseen
02 User identity on every tool call
R2Exceeds user authority
03 Policy & approval enforcement
R3Unapproved plugin
04 Data & tool access both legs scanned
R1Data via tool
R3Hidden in tool data
R5Atlas available as toolreachable — model must choose to call it
05 Answer verification blind in BYOAI
R5Cannot enforce Atlas use
model may skip grounding
06 Execution control code & egress
R3Code via Guardian tools
local code → endpoint MDM/EDR
Across all gates · Audit Mode 1 audit covers tool-call legs and egress. Conversation audit lives with the vendor and varies by SKU and contract terms. R4Audit trail (partial)
Mode 1 residuals · outside Guardian Four exposures remain in BYOAI that the pipeline can't reach. Each is addressed by contracts, endpoint controls, or policy — not by Guardian.
Vendor sees the conversation Prompts and answers transit the vendor; safety logs retained ~30 days for abuse review. AddressedEnterprise SKU · BAA · DPA · zero-retention.
Shadow AI · personal accounts Employees sign in with personal accounts, bypassing the enterprise SKU entirely. AddressedSSO enforcement · network egress filtering · AUP.
Desktop & extension privileges Desktop / browser AI apps run with user-level OS access — files, clipboard, screenshots. AddressedMDM · EDR · application allow-listing.
Residency & model drift Vendor may process data in unapproved jurisdictions or swap models without notice. AddressedRegional SKU · residency clause · model-pinning.
Mode 2 · Jubi agents Guardian owns the full path. All six gates fire; every step has full replay.
01 Prompt review scan · redact · block
R1Pasted data in prompt
R3Injection in user input
02 User identity on every call
R2Exceeds user authority
03 Policy & approval budgets · approvals
R2Runaway agent
R3Unapproved plugin
04 Data & tool access both legs scanned
R1Data via tool
R3Injection in tool data
05 Answer verification atlas-grounded
R5Hallucinated answer
06 Execution control sandbox · no egress
R3Unsafe code / egress
Across all gates · Audit Full session replay — every prompt, response, tool call, code run, and network call. SIEM export, tenant-scoped storage, no-training contracts upstream. R4Audit trail (full)
Continue → Platform architecture. The full reference — how Studio, Guardian, and Atlas slot together; user surfaces, control plane, exit enforcement, identity, audit. Read the platform architecture →