Blog

Analysis on enterprise AI governance, inline policy enforcement, agentic AI security, and regulatory compliance.

Shadow AI Discovery Quiz: A 12-Question Tool to Score Your Organization Against the Six-Week Discovery Framework

Most organizations that decide to address shadow AI start by buying a tool. The tool fires alerts on day one and produces a report nobody can act on. A working discovery program is a sequenced six-week path that begins with what the organization already has and adds inspection only after the surface is mapped. This 12-question quiz scores your organization against each step of the framework and tells you where the next two weeks of work belongs.

Problem-Aware | shadow-ai, discovery, ai-inventory, self-assessment, free-tool, ai-governance

AI Prompt Risk Scanner: A Free Tool to Check Prompts for PII, PHI, Secrets, and Injection Patterns

Most production AI applications send prompts to vendor LLM endpoints without an inspection layer. The prompt content carries PII, PHI, secrets, and prompt-injection vectors at rates the application teams underestimate. This page walks through the free prompt risk scanner the DeepInspect team built, the four classifiers it runs, and the report format that tells you what your traffic actually carries.

AI Security Solutions | prompt-risk, prompt-scanner, pii-detection, phi-detection, prompt-injection, free-tool

EU AI Act Classifier: A Free Tool to Score Your AI System Against Annex III High-Risk Categories

The EU AI Act assigns AI systems to four risk tiers (prohibited, high-risk, limited-risk, minimal-risk). The classification determines which obligations apply and when they take effect. This page walks through the classifier the DeepInspect team built to score your AI system against the Annex III high-risk categories, the supporting articles, and the inputs the classifier needs to produce a defensible verdict.

Compliance & Regulation | eu-ai-act, classifier, annex-iii, compliance, risk-assessment, free-tool

Audit Log Validator: A Free Tool That Checks Your AI Audit Records Against EU AI Act and NIST Field Requirements

AI audit records that look complete in a Kibana dashboard often fail an Article 19 field check. The validator takes a sample of your AI audit records and reports which fields are present, which are absent, and which are present in a form that will not survive a regulator's read. The check runs against EU AI Act Article 19, NIST AI RMF MANAGE 1.3, and Fannie Mae LL-2026-04 evidence requirements.

Problem-Aware | audit-logs, eu-ai-act, nist-ai-rmf, log-validator, compliance, free-tool

Setting Up AI Policy Enforcement: From the First Rule to a Production Deployment

AI policy enforcement is the runtime control point that turns a written policy into a per-request decision. This guide walks through how to set up enforcement: the policy schema, the decision-point placement, the per-route and per-role rules, the audit format that proves the policy was applied, and the deployment sequence that gets a production-ready enforcement layer live in 8 to 12 weeks.

AI Security Solutions | ai-policy, enforcement, implementation-guide, ai-governance, inline-policy, ai-security

OpenAI API Gateway Setup: An Implementation Walkthrough for Enterprise Deployments

A production OpenAI deployment that satisfies EU AI Act Article 12, NIST AI RMF MANAGE 1.3, and HIPAA audit obligations needs a gateway between the application and api.openai.com. This guide walks through the gateway's request path, the TLS handling, the identity model, the four classification stages, and the audit-record format that holds up under a regulator read. Code samples included.

Platform & Architecture | openai, ai-gateway, implementation-guide, enterprise-ai, ai-security, api-proxy

Implementing EU AI Act Article 12 Logging: An Architectural Walkthrough

Article 12 of the EU AI Act takes effect August 2, 2026 for high-risk systems. The text requires automatic event recording over the system lifetime, identification of the natural persons involved, and retention for at least six months. This guide walks through the architecture that satisfies the mandate, the four decisions that have to be made at the request layer, and the audit-record schema that survives a regulator review.

Compliance & Regulation | eu-ai-act, compliance, audit-logs, implementation-guide, ai-governance, article-12

Anthropic API Gateway Setup: An Implementation Walkthrough for Enterprise Claude Deployments

Direct integrations with api.anthropic.com terminate TLS at Anthropic's edge, which leaves the deployer with no inspection point and no audit record. This guide walks through the gateway architecture that sits between the application and Anthropic's API, with attention to Claude-specific patterns: system prompts, tool use, prompt caching, and the message-completion streaming format. Code samples for the Anthropic Python SDK included.

Platform & Architecture | anthropic, claude, ai-gateway, implementation-guide, enterprise-ai, api-proxy

AI Policy Generator: A Free Tool That Produces a Defensible Internal AI Use Policy in 15 Minutes

A shadow AI policy is the document a regulator reads first when something goes wrong. Most copy-paste templates fail because they list rules without the enforcement architecture behind them. The DeepInspect AI policy generator takes 12 questions about your organization and produces a defensible policy document with the seven sections an EU AI Act reviewer or a HIPAA auditor will recognize. The output is a markdown file your legal team edits and your CISO signs.

Compliance & Regulation | ai-policy, policy-generator, compliance, ai-governance, free-tool, employee-policy

NIST AI RMF Mapping for AI Gateways: How the Four Functions Land on Request-Layer Controls

The NIST AI Risk Management Framework (AI RMF 1.0, released January 2023) organizes AI risk controls into four functions: Govern, Map, Measure, Manage. The framework is voluntary, but US federal procurement, Fannie Mae LL-2026-04, and the GSA AI Acquisition Resource Guide all reference it directly. This guide walks each of the four functions to the request-layer control on an AI gateway that satisfies it.

Compliance & Regulation | nist-ai-rmf, compliance, ai-governance, ai-gateway, audit, controls-mapping

Prompt Injection in Production: Where It Happens, What It Costs, and How To Prevent It at the Request Boundary

Prompt injection is the class of attacks where adversarial content in a prompt overrides the application instructions or extracts data the model was not authorized to reveal. The attack surface includes direct user prompts, indirect injection through retrieved documents and tool results, and chained injection through agent loops. OWASP has consistently ranked prompt injection as the top LLM vulnerability. This piece walks through the attack mechanisms in production, the failure modes of model-side defenses, the request-boundary controls that produce a defensible posture, and the audit record format that holds up after an attempt is detected.

Problem-Aware | prompt-injection, llm-security, ai-security, inline-enforcement, owasp-llm, ai-governance

OWASP LLM01 Prompt Injection: The 2025 Update and What the Inspection Layer Enforces

OWASP LLM01 captures both direct and indirect prompt injection in a single category in the 2025 update. The architectural reason is that the control point is the same: the request boundary. Application-side defenses fail by construction because the application cannot tell which spans of the prompt the model treats as instructions. Model-side defenses fail because refusal training is probabilistic. This piece walks through the LLM01 attack surface, the inspection-layer controls that produce a defensible posture, the audit record that survives review under EU AI Act Article 12 and DORA Article 19, and the deployment pattern that fits a production AI stack.

Problem-Aware | owasp, llm01, prompt-injection, llm-security, inline-enforcement, audit-logs