A tenant-level gateway that gives CIOs complete visibility and policy control over all AI agent activity in their organization.
Thousands of employees using Copilot, ChatGPT, Claude, Cursor, and custom agents. No one knows what data is leaving the building.
Agents read documents, write code, access internal systems, and make decisions — with zero policy enforcement at the organizational level.
When compliance asks “what AI is doing in Legal?” the answer today is “we don’t know.” Every agent interaction is unlogged and invisible.
This is the “shadow IT” problem of the AI era — but with higher stakes. Agents don’t just access data, they act on it.
Palo Alto Networks’ foundational insight was that all network traffic flows through the network. Sit inline as a firewall — see everything. The agent equivalent: all agent work flows through LLM API calls.
From a single API call, the gateway can determine: WHO is using WHAT KIND OF AGENT with WHAT CAPABILITIES to do WHAT KIND OF WORK with WHAT DATA. No endpoint agent required.
Identity mapping — user, department, role via gateway API keys linked to Entra ID
System prompt reveals what the agent IS. Tool definitions reveal what it CAN DO.
Conversation history reveals what the agent HAS BEEN DOING — and with what data.
Amplifier-powered NL interface — CIO talks to an agent, not a dashboard
API proxy + Identity Mapper + Policy Engine + Event Store
Blocks direct LLM provider access via existing network infrastructure
Sanctioned traffic — full inspection, policy enforcement, structured logging of every request/response pair
Shadow AI — personal API keys, consumer-facing tools, agents pointing directly at providers
Natural language policy creation, analytics, compliance — “Block Anthropic for Legal” just works
Every agent — Copilot, ChatGPT, Cursor, Amplifier, custom — must call an LLM API to think. The gateway intercepts that call and extracts three layers of intelligence.
Extract gateway API key, map to organizational identity — user, department, role, groups. Sub-5ms via in-memory cache.
Extract provider, model, tool definitions, system prompt, conversation history, and content from the full API payload.
Fast path (<10ms, deterministic): provider allow/deny, model restrictions, rate limits, regex patterns, tool restrictions. Slow path (async): LLM-based content classification, queued — never blocks inline.
Allowed: forward to real LLM provider, log everything. Denied: return structured error with reason, policy ID, and guidance. Total overhead: sub-50ms.
<10ms evaluation · Deterministic · No LLM
Never blocks inline · Retrospective · LLM-powered
Policies are created in natural language via the Management Plane. “Legal can only use Azure OpenAI” compiles into a structured policy, previews impact against historical data, then deploys with an optional grace period.
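A worked example of the inline fast path described above, with the rule “Legal can only use Azure OpenAI” shown in the structured form an NL policy would compile into. This is added illustration, not code from the amplifier-safeguard repository; the gateway keys, department names, policy IDs, Policy fields and denial format are assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed sample data (placeholders): gateway API key -> organizational
# identity, standing in for the in-memory cache fed from Entra ID.
IDENTITY_BY_KEY = {
    "sg-key-legal-001": {"user": "jdoe", "department": "Legal"},
    "sg-key-eng-001": {"user": "asmith", "department": "Engineering"},
}

@dataclass
class Policy:
    policy_id: str
    department: str              # "*" applies to every department
    allowed_providers: set
    denied_tools: set = field(default_factory=set)
    deny_patterns: tuple = ()    # regexes run against message content
    guidance: str = ""

# Constructed policies: the first is "Legal can only use Azure OpenAI"
# compiled into structured form; the second is a tenant-wide baseline.
POLICIES = [
    Policy("POL-001", "Legal", {"azure-openai"}, guidance="Use the Azure OpenAI endpoint."),
    Policy("POL-002", "*", {"azure-openai", "openai", "anthropic"},
           denied_tools={"shell_exec"},
           deny_patterns=(r"-----BEGIN [A-Z ]*PRIVATE KEY-----",),
           guidance="Remove the blocked tool or secret and retry."),
]

def deny(reason, policy_id, guidance):  # structured error returned in place of an LLM response
    return {"allowed": False, "reason": reason, "policy_id": policy_id, "guidance": guidance}

def evaluate(api_key, provider, payload):
    """Deterministic fast-path check: identity, provider, tools, regex. No LLM call."""
    identity = IDENTITY_BY_KEY.get(api_key)
    if identity is None:
        return deny("unknown gateway API key", "AUTH", "Request a gateway key from IT.")
    tools = {t["name"] for t in payload.get("tools", [])}
    text = " ".join(str(m.get("content", "")) for m in payload.get("messages", []))
    for pol in POLICIES:
        if pol.department not in ("*", identity["department"]):
            continue
        if provider not in pol.allowed_providers:
            return deny(f"provider {provider} not allowed for {identity['department']}",
                        pol.policy_id, pol.guidance)
        if blocked := tools & pol.denied_tools:
            return deny(f"tool(s) {sorted(blocked)} not permitted", pol.policy_id, pol.guidance)
        if any(re.search(p, text) for p in pol.deny_patterns):
            return deny("content matched a blocked pattern", pol.policy_id, pol.guidance)
    return {"allowed": True, "user": identity["user"], "department": identity["department"]}
```

Policies are evaluated in order and the first violation wins, so a department-specific rule placed before the tenant baseline produces the more specific reason and policy ID in the denial.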
The agent IS the attack surface AND the worker. Safeguard detects threats at the LLM API bottleneck.
Adversarial input hijacks agent behavior via documents, emails, or web content
Secrets, PII, trade secrets leaking through prompts to external LLM providers
A summarization agent that starts executing shell commands or accessing file systems
Agent acquires credentials or tool access beyond intended scope
Malicious MCP servers, tool packages, or agent bundles trusted and executed
rm -rf, git push --force to main, DROP TABLE — from hallucination or injection
Compromised sub-agents returning malicious context to parent orchestrators
Unlogged access to regulated data — GDPR, HIPAA, SOX violations
API proxy + event store + NL analytics. The CIO gets their “I had no idea” moment. Value in just seeing what’s happening.
Deterministic policy engine + NL policy creation + Entra ID integration. The gateway becomes a control surface, not just a telescope.
Config packages for Zscaler, Entra Internet Access, Palo Alto, corporate DNS. Full coverage — the gateway is no longer optional.
LLM-powered async content analysis, PII detection, sensitive data classification, review queue. Deep content awareness.
MDM-pushed agent for local visibility — tool execution monitoring, agent inventory, unified timeline across API and endpoint.
gateway/ — API proxy, caching, probes
policy/ — rule engine and compilation
identity/ — key-to-user mapping
events/ — structured event store
content/ — PII, classification, scanning
mgmt/ — 22 NL admin tools
dns/ — backstop config generators
endpoint/ — device-level agent
Cloud Access Security Brokers gave CIOs visibility into SaaS. Amplifier Safeguard does the same for AI agents — a new security category for a new era of compute.
The insight is simple: all agent work flows through LLM API calls. Sit inline in that path, and you see everything agents think and do. No endpoint agent required. No framework integration required. No cooperation from the AI vendor required.
All data sourced directly from the repository and git history. No metrics were fabricated or estimated.
ramparte/amplifier-safeguard — first commit Feb 24, 2026
git log --oneline --no-merges | wc -l → 2,324 total; --since="60 days ago" → 1,944
find src -name '*.py' | xargs wc -l → 40,613 lines across 183 files
find tests -name '*.py' | xargs wc -l → 71,178 lines across 201 test files
git shortlog -sn --no-merges → Sam Schillace (2,091), Amplifier Dev Machine (168), Safeguard Monitor (65)
docs/design/00-PRODUCT-VISION.md, 01-THREAT-MODEL.md, 02-ARCHITECTURE.md, 03-GATEWAY-DATA-PLANE.md, 05-DNS-BACKSTOP.md, 06-BUILD-PHASES.md
pyproject.toml dependencies — FastAPI, uvicorn, httpx, asyncpg, pydantic, PyJWT, cryptography
ls src/safeguard/*/ → 12 packages: gateway, policy, events, identity, mgmt, content, dns, endpoint, client, portal, demo, plus classifiers
team_knowledge(search="safeguard governance gateway") → owner: ramparte
Generated: May 2026 · Category: Architecture & Philosophy · Story angle: “Trust at Scale”