# Limitations Honest scope. What AiEGIS captures, what it does not, and where each gap is on the roadmap. Compliance teams can plan defense-in-depth knowing exactly where the boundary is. ## Network capture limits AiEGIS sensors capture TLS connection metadata via OS-level hooks (Schannel on Windows, NetworkExtension on macOS). The capture surface depends on what the OS exposes at the TLS handshake layer. Limitation 1 — Encrypted ClientHello (ECH) ### Browsers with ECH enabled hide the SNI hostname Modern browsers (Firefox stable, Chrome experimental flags, Safari 17+) increasingly support ECH, which encrypts the SNI extension in the TLS ClientHello. When a user runs an ECH-enabled browser to an ECH-supporting server, our network sensor sees the connection IP and timing but not the destination hostname. Vendor matching by SNI fails for that connection. **What still works:** the AiEGIS browser extension captures prompts at the DOM layer before TLS encryption happens. For ECH coverage today, deploy the extension alongside the network sensor (belt-and-braces). **What does NOT work:** network-sensor-only deployments on machines where users run ECH-enabled browsers without the extension installed. v0.6 roadmap: ASN-based fallback against published AI-vendor IP ranges (OpenAI, Anthropic, Google AI, Microsoft Azure AI). Lower precision than SNI matching but recovers ~80% of the gap. Limitation 2 — Custom-tunneled traffic ### VPN, SSH-tunnel, and corporate proxy traffic is flagged but not decrypted Users running their AI traffic through a VPN, SSH local-forward, or non-corporate proxy will surface in capture events with a `tunnel_active` or `proxy_active` flag. The sensor records that the bypass exists but cannot read the destination SNI behind a tunnel terminator under the user's control. **Defense pattern:** the flag itself IS the audit signal. Auditors and compliance officers see "this endpoint had unverified tunnel traffic during the audit window" and can require remediation. v0.7: tunnel-process correlation — flag attempts to start known VPN client processes alongside AI-vendor traffic patterns. Limitation 3 — Kernel rootkit attacker ### An attacker with kernel-level privilege can disable our sensor AiEGIS sensors run as a privileged service (LocalSystem on Windows, root LaunchDaemon on macOS). An attacker who has already achieved kernel-level code execution can stop the service or feed it false events. We document this as out of scope for v0.5. **What still works:** a SYSTEM-level service is harder to disable than a user-level process. The watchdog detects soft-disable scenarios (process running but not capturing) and flags them in the audit log. Stale-detect alerts surface in the customer dashboard within 30 minutes. v1.x: optional kernel-driver integrity attestation (Windows ELAM + macOS System Integrity Protection cooperation). Requires Microsoft / Apple kernel-publisher status. ## Content capture limits Limitation 4 — Prompt content ### We hash, not log, prompt snippets By default the sensor stores a SHA256 of the first 500 bytes of each captured prompt. The raw plaintext is never stored locally and never leaves the customer's infrastructure. This is a privacy choice, not a capability gap — but it means AiEGIS cannot retroactively show an auditor "the exact text of prompt X". It can show "prompt with hash H was sent to vendor V at time T by process P". For full-content capture (regulated verticals that require it) the customer can opt-in to plaintext storage at deployment time. The default remains hash-only. Limitation 5 — Air-gapped or offline endpoints ### License-check + audit-pack upload requires network connectivity The sensor runs offline-first: capture continues with no network access. License-validation grace period is 30 days. Audit-pack manifests sign locally and queue for upload when connectivity returns. For truly air-gapped deployments (defense, industrial control), see the sovereign-tier deployment which ships with on-premises license + audit infrastructure. ## Why we publish this Compliance teams plan defense-in-depth. Knowing where AiEGIS stops lets them deploy the right complementary controls (DLP, CASB, network segmentation) at the boundary. A vendor who claims complete coverage is either wrong or hiding the gap. We would rather lose a deal to a more honest pitch than win one we cannot defend in an audit. Found a limitation we have not documented? Email [travisanthonygerber@gmail.com](mailto:travisanthonygerber@gmail.com) or open an issue on our public Grid repo. Empirical falsification is the fastest way to make this list better.