
DeepInspect vs Aim Security: where the enforcement boundary sits

DeepInspect intercepts HTTP AI traffic between authenticated users or agents and any LLM, enforces identity-bound policy at the request layer, and writes a per-decision audit log. Aim Security sits primarily in the browser and DLP layer. This comparison walks through where each tool can and cannot enforce, what the audit trail looks like, and which one a deployer chasing the EU AI Act August 2 deadline should pick.

By Parminder Singh · Founder & CEO, DeepInspect Inc.
Comparisons & Alternatives · Tags: comparison, ai-gateway, ai-security, aim-security, enforcement, eu-ai-act

The EU AI Act high-risk requirements take effect on August 2, 2026. Article 12 requires automatic recording of events across the lifetime of the system. Article 19 specifies the data fields. Article 99 sets the penalty tier at €15 million or 3% of global annual turnover. With ~45 days to the deadline, deployers are choosing between two architecturally different categories of tooling. DeepInspect operates as a policy gateway in the HTTP path. Aim Security operates primarily as a browser and DLP extension layer.

I want to walk through where each tool can enforce, what each produces as an audit artifact, and which deployment profile fits a deployer that needs to satisfy a regulator rather than a security checklist.

Enforcement boundary

DeepInspect sits in the HTTP path between an authenticated user or agent and any LLM. Every request is intercepted, identity-resolved, policy-evaluated, and either passed, masked, or blocked. Responses come back through the same path and get the same treatment. The boundary is the AI request layer.

Aim Security's primary architecture covers two surfaces. The browser extension inspects what a user types into a SaaS LLM tab. The DLP layer hooks into endpoint controls to catch sensitive data leaving the device. Both are pre-network surfaces. Neither sits in the HTTP path of the request once it leaves the user's machine.

The architectural difference matters when the same employee uses Claude inside a corporate SaaS app, then calls OpenAI from a Python script on a build server, then routes a vendor's embedded LLM through a third-party integration. Three different exit points. The browser extension covers one of them. The HTTP gateway covers all three because it terminates the call regardless of which client initiated it.

Identity context

Identity context is the field most enterprise AI deployments fail to attach. The application calls the model with a static service credential. The credential identifies the application, not the human or the agent on whose behalf the application is acting. EU AI Act Article 19 explicitly requires "identification of natural persons involved in result verification" inside the log.

DeepInspect resolves identity at the gateway. The HTTP request carries an OAuth or SSO token. The gateway exchanges or validates the token, attaches the resolved principal to the request metadata, and writes it to the audit record before the model call returns. The principal is a real user, agent identity, or service account with a known owner.

Aim Security's browser extension can capture the logged-in user's email from the browser session. That works for browser-mediated traffic. It does not cover machine-to-machine calls, scheduled jobs, or vendor SaaS calls that round-trip through an embedded LLM. The identity field on those records is the service account, not the human.

Audit log granularity

For high-risk AI under Article 12, an audit log that lacks the prompt, the response, the identity, the policy version, and the decision timestamp is not a compliance log. It is an operational log.

DeepInspect writes a per-decision record. Each entry includes the resolved principal, the model and endpoint, the policy version evaluated, the inputs after redaction, the response after policy treatment, the decision outcome (allow, mask, block, escalate), and the timestamp. The log is append-only and signed.
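The two mechanisms described above, identity resolution at the gateway and a per-decision, append-only, signed audit record, are easier to reason about with a concrete shape in front of you. The block below is an added illustration written for this post; it is not DeepInspect's code and makes no claim about its internals. Every name in it is assumed: `TOKEN_DIRECTORY` stands in for real OAuth/SSO token validation, `POLICY_VERSION` and `SIGNING_KEY` are constructed values (a production deployment would hold the key in a KMS or HSM), `redact` masks only card-shaped digit runs, and the log is chained with SHA-256 and signed with HMAC so that any edit to an earlier entry fails `verify()`.

```python
import hashlib
import hmac
import json
import re
import time

# Constructed token -> principal table standing in for OAuth/SSO token validation.
TOKEN_DIRECTORY = {
    "tok-alice": {"subject": "alice@example.com", "kind": "user"},
    "tok-build-agent": {"subject": "ci-build-agent", "kind": "agent",
                        "owner": "platform-team@example.com"},
}
POLICY_VERSION = "policy-v3"              # constructed policy identifier
SIGNING_KEY = b"constructed-signing-key"  # assumed: KMS/HSM-held in practice
GENESIS_HASH = "0" * 64

# Card-shaped runs: 13-19 digits with optional space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def resolve_principal(token):
    """Map the bearer token on the request to a principal; None if unknown."""
    return TOKEN_DIRECTORY.get(token)


def redact(text):
    """Mask card-shaped digit runs before anything is logged or forwarded."""
    masked = CARD_RE.sub("[CARD-REDACTED]", text)
    return masked, masked != text


def evaluate_policy(principal, was_masked):
    """Toy policy: no resolvable identity -> block; masked input -> mask; else allow."""
    if principal is None:
        return "block"
    if was_masked:
        return "mask"
    return "allow"


class AuditLog:
    """Append-only, hash-chained, HMAC-signed per-decision log (in memory here)."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    @staticmethod
    def _canonical(record):
        # Deterministic serialisation so hashes are reproducible at verify time.
        return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = dict(record, prev_hash=prev)
        digest = hashlib.sha256(self._canonical(body)).hexdigest()
        sig = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, hash=digest, signature=sig)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain and signatures; False if any entry was altered or reordered."""
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k not in ("hash", "signature")}
            if body["prev_hash"] != prev:
                return False
            digest = hashlib.sha256(self._canonical(body)).hexdigest()
            expected = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
            if digest != entry["hash"] or not hmac.compare_digest(expected, entry["signature"]):
                return False
            prev = digest
        return True


def gateway_handle(log, token, model, endpoint, prompt, call_model):
    """Intercept one request: resolve identity, shape data, decide, call, record."""
    principal = resolve_principal(token)
    redacted_prompt, was_masked = redact(prompt)
    decision = evaluate_policy(principal, was_masked)
    response = call_model(redacted_prompt) if decision != "block" else None
    treated_response = redact(response)[0] if response is not None else None
    entry = log.append({
        "principal": principal,
        "model": model,
        "endpoint": endpoint,
        "policy_version": POLICY_VERSION,
        "input_redacted": redacted_prompt,
        "output_treated": treated_response,
        "decision": decision,
        "timestamp": time.time(),
    })
    return decision, treated_response, entry


if __name__ == "__main__":
    log = AuditLog(SIGNING_KEY)
    echo = lambda p: "echo: " + p  # constructed stand-in for the model call
    print(gateway_handle(log, "tok-alice", "model-x", "/v1/chat", "hello", echo)[0])
    print(gateway_handle(log, "tok-nobody", "model-x", "/v1/chat", "hello", echo)[0])
    print("chain intact:", log.verify())
```

Note that the record is written before the decision is returned to the caller, so a blocked request still produces an entry with `principal` null and `decision` "block"; that is exactly the row a regulator would want when tracing why a request never reached the model.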

Aim Security's reporting layer focuses on the user-facing event: "User pasted credit card data into ChatGPT." That is useful for analyst review. It does not produce the per-decision artifact a regulator asks for when they trace a specific risk situation back through the AI system that handled it.

Coverage of vendor and embedded AI

A significant share of AI usage in enterprises flows through vendor SaaS tools that embed LLM calls. Take a lender as an example. Its quality-control vendor uses a model to flag loan defects. Its customer-support platform uses an LLM to summarize tickets. Its pricing engine scores risk with a third-party model. The lender's environment never sees the prompt or the response. The Article 12 obligation applies anyway because the lender is the deployer.

DeepInspect can be placed in front of the vendor's API or the vendor's egress, depending on how the vendor exposes its LLM-backed surface. Where the vendor calls a model on the lender's behalf using the lender's keys, the call is in the lender's HTTP path and the gateway captures it.

Aim Security's browser and DLP coverage does not extend to vendor SaaS that calls models on the back end. The data never crossed the user's browser. The vendor traffic is invisible to the extension.

Regulatory fit

Article 12 and Article 19 are explicit about the artifact required. The deployer must produce, on regulatory request, an immutable record showing which requests touched a specific decision, who initiated them, what data classification applied, and what policy state governed each decision at the moment it was made. Six-month minimum retention. Financial institutions are covered by their existing record-keeping obligations on top.

DeepInspect's per-decision log is the artifact the Article expects. The log is the system of record.

Aim Security's reports are designed for SOC review. They flag risky behavior. They do not produce a per-decision system of record across all AI traffic including vendor-embedded usage.

What each tool is the right answer for

Aim Security is a strong fit when the primary concern is user-pasted data leakage into browser-based SaaS AI. The browser extension and DLP integration give SOC analysts visibility into that specific surface. For organizations with a Microsoft-heavy stack and a fully managed endpoint estate, the integration cost is low.

DeepInspect is the right fit when the obligation is to produce an immutable per-decision audit log across all AI traffic, when identity context must be attached at the request layer, when vendor and embedded AI usage must be covered, and when policy must be enforced inline at sub-50ms latency. That profile matches a deployer chasing the EU AI Act August 2 deadline, a HIPAA-covered entity running clinical LLMs, or a financial institution under DORA's third-party register requirement.

DeepInspect

DeepInspect is a stateless policy gateway. The deployment pattern is a proxy or sidecar in front of model APIs. Identity travels with the request. Policy is evaluated at the gateway. The decision and the data shaping happen in the request path, not after the fact. The audit log is per-decision, append-only, and signed. End-to-end overhead measures under 50ms in production tests.

For a deployer that needs to satisfy Article 12 across browser, programmatic, scheduled, agent-driven, and vendor-embedded AI traffic with a single audit trail, that is the architecture the regulation expects.

If you are facing the August 2 deadline and your current tooling stops at the browser, let's talk today.

Frequently asked questions

Does Aim Security write a per-decision audit log?

Aim Security writes incident records around user-facing risky events such as paste actions or upload attempts. The records are sufficient for SOC review and incident response. They are not structured as a per-decision system of record across the entire AI request population, which is the artifact EU AI Act Article 12 expects.

Can DeepInspect cover browser-pasted ChatGPT use?

Yes, when the browser traffic exits through a network path where the gateway terminates the call. The gap is data a user pastes directly into a SaaS AI tab from an unmanaged device; for that surface, a browser extension combined with a corporate-network gateway provides coverage. DeepInspect's coverage scales when the AI traffic flows through managed network or API paths.

Which tool fits a hospital running clinical AI?

For a HIPAA-covered entity running clinical decision-support LLMs over both vendor and self-hosted models, DeepInspect's per-decision log answers the Office for Civil Rights audit question. Aim Security covers a narrower slice (clinician browser behavior) without producing the per-request record an OCR review will ask for.

Can I run both?

Yes. The two tools cover different surfaces. Browser DLP and inline gateway are complementary, not substitutable. The decision is about which one becomes the system of record for compliance.