Endpoint AI Visibility, EU-Sovereign vs Cloud

An honest comparison — including the gap in aiegis Eye we have not yet closed. 2026-05-25.

The Question CISOs Are Actually Asking

"Which employees are using which AI tools, with what data, on which device?" Cloud Security Alliance reported in early 2026 that ~68% of security teams cannot answer this for their own organisation. The vendor category that answers it has many names — shadow AI detection, AI DLP, employee AI visibility, prompt-monitoring — and at least seven serious vendors. They split on two axes: where the sensor sits (endpoint vs network) and where the logs go (vendor cloud vs customer infrastructure).

The Vendor Landscape

| Vendor | Sensor location | Log destination | EU residency |
|---|---|---|---|
| aiegis Eye | Endpoint (macOS today; signed MSI for Windows pending) | Customer infrastructure | Yes — logs never leave customer infra; aiegis Ltd never sees data |
| Cyberhaven | Endpoint + network | Cyberhaven cloud (US) | EU region available; data plane US-headquartered |
| Forcepoint | Endpoint + network (legacy DLP roots) | Forcepoint cloud (US HQ) | EU region available; US-HQ data processing |
| Nightfall AI | SaaS-integrated, API-based | Nightfall cloud (US) | Limited EU residency story |
| Kitecyber | Endpoint browser extension | Kitecyber cloud | Region-dependent; not EU-sovereign by default |
| Netskope | Network + endpoint | Netskope cloud (US HQ) | EU region available; CASB-derived architecture |
| Microsoft Purview | Endpoint via Defender | Microsoft 365 tenancy | Tenant-region scoped; US disclosure obligations through Microsoft |

The pattern: every vendor except aiegis Eye routes endpoint telemetry through their own cloud. "EU region available" usually means the storage layer is EU; the control plane, the support tooling, and the export pipelines are not always.

Why Cloud-Routed Endpoint Telemetry Is a GDPR Question

An employee using Claude or ChatGPT from an EU office types personal data, customer data, financial data into the prompt. If the visibility sensor routes the prompt or its metadata through a vendor's US cloud, the question is no longer "did the employee leak data" — it is "did the visibility tool itself create a transatlantic data transfer." Schrems II is the operative ruling. EU-sovereign endpoint telemetry — sensor on the endpoint, log to a customer-controlled store on EU infrastructure, vendor never sees contents — is the architectural answer.

AIEGIS EYE — What It Does

The Eye sensor sits on the endpoint and observes outbound traffic to a catalogue of AI services (currently 10 vendors covered, expanding). For each request it captures: service, model identifier, user, timestamp, byte counts, and (by opt-in) prompt content. The log writes to a destination the customer specifies — their SIEM, their own object store, their internal log lake. aiegis Ltd does not aggregate this data; we are not in the data path.

Identity binding: the sensor identifies the user via their workstation identity, not via a vendor account. The same identity model that anchors the agent passport at /identity anchors the endpoint sensor: the user is a principal_ref (RFC 8693) and the sensor's outbound observations are signed against the same key family.

The Honest Gap

The signed MSI installer for large-scale Windows deployment is not yet shipped to a customer. macOS install (via Homebrew, for design-partner operators) is functional. For an organisation that wants to roll out endpoint AI visibility across a 10,000-seat Windows fleet on Monday, the right answer today is to evaluate the existing US-headquartered vendors alongside aiegis Eye, knowing the installer maturity is the gap on our side and EU-sovereignty is the gap on theirs.

This honesty is policy. The /aiegis-eye page itself names the installer state as pre-customer. We would rather lose a deal on disclosed maturity than win it on undisclosed maturity.

The Comparison Frame for Buyers

  1. If your fleet is mostly macOS and you have an EU data-residency mandate, aiegis Eye is the right shape today.
  2. If your fleet is mostly Windows and you need Day-0 large-scale rollout, Cyberhaven or Microsoft Purview is the operational fit; lock in a contractual exit if your EU sovereignty requirements tighten.
  3. If you are looking for AI-specific DLP-style content inspection, Nightfall and Forcepoint are the heavier-DLP options; their AI-specific signal is narrower than dedicated AI visibility tools.
  4. If your primary concern is browser-level visibility, Kitecyber is the narrower fit.
  5. If you are running an EU AI Act inventory obligation, the relevant requirement is that you can produce a list of every AI service in use, with retention. aiegis Eye's customer-infrastructure log destination satisfies the retention-locus question by default; vendor-cloud architectures require an additional contractual addendum.

What "Detection" vs "Enforcement" Means Here

Most vendors in this category detect. They surface a dashboard, send an alert, mail a CISO report. Few enforce at runtime. aiegis Eye is detection on the endpoint; the enforcement story (block the prompt before it leaves the device) is on the roadmap and requires the same MSI maturity as the basic install. The honest framing of what shipping looks like today is "tell you it happened" rather than "stop it from happening."

The CISO Reading List