For evaluators

Where the control sits decides what it can prove

Your team is already using AI. For whoever has to answer for it, the question is not which tool has the longest feature list. It is where the control sits and what it can prove. A control's position decides what it can see, what it can stop, and whether you can show what happened afterward.

The hardest case/ 01

The exposure is the AI you did not approve

The hardest case is not the AI you approved. It is shadow AI: the personal accounts, browser sessions, and command-line clients that never touch a sanctioned path. A control that governs only what was wired to it cannot see this. Enforcement means deciding where AI traffic leaves the device, before it leaves, no matter which tool sent it.

Enforcement
Does it decide on the device, before anything leaves, across every tool and account rather than only the ones configured to cooperate?
Evidence
Does it produce evidence you can show was not altered, verifiable on its own terms without taking anyone's word for it?
Custody
Do the keys and the content stay with you, so no outside operator becomes the holder of what your staff sent?
Data provenance
Does the evidence span every provider and every account, showing what was sent, what was redacted, and where it went?

the four questions a control's position decides

The approaches/ 02

The common approaches, and where each leaves a gap

Each approach below does something real. The gap is what its position cannot reach.

An AI acceptable use policy alone
A written policy about what staff may and may not do with AI. Gap: a document does not enforce anything. It cannot see use, redact a prompt, or produce evidence, so unsanctioned use continues unobserved.
Network or DNS blocking
A firewall or DNS filter that allows or denies whole destinations. Gap: the decision is all or nothing. Block a provider and staff route around it through another tool or a personal device; allow it and everything passes unseen. It cannot read inside an encrypted session, redact, or keep a usable record.
An API gateway that requires integration
A proxy that applications are configured to send their AI calls through. Gap: it governs only the traffic wired to it. A new tool, a personal account, a browser, or a command-line client that was never configured passes around it. It also tends to terminate the session centrally and see plaintext, which makes the operator a holder of your data.
A closed or walled-garden assistant
An enterprise AI suite that governs its own sanctioned assistant. Gap: it governs one tool. The moment a user opens a different provider, it is blind. Coverage equals a single application, not the institution.
A browser extension or per-app plugin
A control installed into one surface, usually the browser. Gap: it covers that one surface. Desktop apps, IDEs, command-line clients, and other browsers pass by, and a user can often turn it off.
Data-centric DLP or CASB
Tools built to watch files and SaaS usage, often by sampling. Gap: they are not aware of the AI decision itself. They observe data movement, often after it has already happened, rather than deciding before content leaves the device.
Provider-side controls
Relying on the model provider's own settings and logging. Gap: by the time those controls apply, the data has already left your boundary. The record belongs to the provider, not to you. It is not independent or tamper-evident, and it does not span the other providers your staff use.
Side by side/ 03

The same questions, answered side by side

One row per approach. The columns break the four questions into the specific capabilities they imply.

ApproachSees shadow AINo integration neededDecides before egressRedacts, not just blocksYou hold tamper-evident evidenceProvider-agnostic
AI acceptable use policy
Network or DNS blocking
API gateway (integrated)
Closed assistant
Browser or app plugin
DLP or CASB
Provider-side controls
Verillian
meets it partial or conditional does not
Where Verillian sits/ 04

AI policy enforcement at the device, before egress

Verillian intercepts AI traffic on the device, before it leaves. Because the control sits where traffic leaves the device, it can answer all four questions rather than assume the rest away.

Enforcement
It sees the AI traffic leaving the device regardless of the application, the provider, or whose account it is. Nothing has to be wired up to be seen, and policy is applied at the moment of execution: allow, redact, or block. When a decision is uncertain it fails closed, and a blocked request does not leave the device.
Evidence
Every captured interaction is Ed25519 signed and appended to a SHA-256 hash chain, a tamper-evident audit trail your institution holds. Any change to an entry breaks the chain, so the evidence can be checked on its own terms rather than taken on trust.
Custody
Content is encrypted under your institution's key. The server stores ciphertext it cannot read, so no outside operator becomes the holder of what your staff sent.
Data provenance
One control spans providers, from cloud services to air-gapped deployments, so the chain accounts for what was sent and what was redacted across the tools your staff actually use, not one of them.
The point/ 05

Where a control sits decides what it can catch

Sit downstream of the decision and you inherit every blind spot upstream of it. Most approaches govern the AI you already approved. The exposure lives in the AI you did not. A control at the device, deciding before egress, with evidence you hold and can verify, is the position that answers all four questions instead of one. The model proposes. Verillian decides. And you hold the receipt.

See it on your own traffic

Watch a live AI request intercepted on a device, decided against real policy, and sealed into a tamper-evident chain you can verify.