FAQ

Frequently asked questions.

Everything about Govern360, the AI Exposure Score, and how the platform works.

What is AI governance, and why do I need a platform for it?
AI governance means knowing which AI tools, agents, and models touch your company, controlling what data flows to and from them, and proving to auditors that you have it under control. Govern360 brings discovery, data protection (in both directions), policy enforcement, security-architecture review, behavioral risk scoring, and compliance evidence into one platform — instead of stitching together spreadsheets, browser extensions, and screenshots.
What makes Govern360 different from other AI DLP tools?
Govern360 is not another inline DLP tool. It is a vendor-neutral AI control plane that orchestrates the enforcement tools you already own, including Microsoft Purview, Intune, SASE, and AI gateways. It governs discovery, policy, data protection, token usage, agent activity, and compliance evidence from one platform.
How does Govern360 discover shadow AI?
Discovery combines SaaS and OAuth-grant analysis, identity-provider sign-in signals, SIEM telemetry, and — for tenants who roll out the managed browser extension via Deploy — endpoint-level visibility. Every detected tool is classified as sanctioned, under review, or shadow, with the users and risk level attached, so you know exactly where to focus first.
What is the Govern360 AI Exposure Score™?
The Govern360 AI Exposure Score™ is a single 0–100 executive KPI that measures how well-governed your AI estate is across Discovery, Governance, Protection, Control, and Compliance. Every point is explainable and traceable to specific findings, so the score becomes a prioritized action plan — not a black box.
How does Architecture Review work?
For each AI system in your inventory, Architecture Review scores the security architecture across eight domains — data flow & isolation, input and output guardrails, access boundaries, monitoring, supply chain & model provenance, and more — mapped to NIST AI RMF, OWASP LLM Top 10, and MITRE ATLAS. The framework score is deterministic; an AI-generated expert review then walks through the gaps and recommended fixes.
Can Govern360 detect risky user or session behavior?
Yes. Behavioral Risk baselines normal AI usage for each user and peer group, then anomaly-scores sessions in real time — surfacing the riskiest AI sessions and users and wiring high-risk findings into Incidents and Architecture Review.
Can I stream Govern360 events to my SIEM?
Yes. SIEM streaming delivers every governance event — detections, policy actions, posture changes, incidents — to Splunk, Datadog, Microsoft Sentinel, and other SIEMs, so your existing security operations stack stays the single source of truth.
Where does Govern360 see sensitive data, and does it need agents?
For Microsoft 365 environments, Data Posture pulls classifications from Microsoft Purview via the Graph API — SharePoint, OneDrive, Exchange, Teams — with no agents required. We map those labels (PII, credit cards, SSNs, secrets, source code) to the same detector vocabulary used by enforcement, then show a "data → AI exposure" view so you see exactly which classified data is being prompted into which AI tools. The honest carve-out: API-only covers cloud data at rest; data flowing into an AI tool from the browser is covered by the Govern360 browser extension (already built into Deploy).
How does Token Governance work?
Govern360 ingests token telemetry from your AI applications, AI gateways, and provider monitoring (Azure OpenAI diagnostics, OpenAI usage, Bedrock CloudWatch). Events are normalized into one schema, attributed to user/team/app/agent/model, and evaluated against your policies — quotas, budgets, model restrictions, and anomaly thresholds. Enforcement happens through the gateway or provider you already use (alert, throttle, block, downgrade to cheaper model, require approval). Govern360 doesn't proxy your model calls.
What is the Agent Action Control Plane?
As autonomous agents and MCP tool calls multiply inside enterprise environments, governance has to follow the agent — not just the user. The Agent Action Control Plane treats every AI agent as a first-class identity in your registry, enforces per-agent token budgets under the same phased modes used for humans, and — critically — attributes consumption across agent-to-agent delegation chains so that when one agent invokes another, the budget enforces at any node in the tree. Tool calls made via the Model Context Protocol (MCP) are captured and governed alongside direct model calls, as a single unit.
Why call yourselves a "control plane" instead of an AI firewall?
An AI firewall sits inline in the request path — every prompt and response flows through it. That works, but it adds another chokepoint, another point of failure, and another vendor to depend on. Govern360 takes a different architectural approach: we sit one layer above your enforcement tools and compile policy into their native config (Microsoft Purview specifications, Intune profiles, SASE rules, AI gateway policies). The tools you already operate enforce; Govern360 directs and produces the evidence. You keep your stack. We bring the brain and the audit trail.
What is patent-protected in Govern360?
We have filed six U.S. patent applications covering the core architecture: (1) automated enforcement-plan generation that compiles policy intent into native config for multiple enforcement planes; (2) verified governance execution with a formal Compiled → Marked applied → Verified state machine; (3) multi-platform governance orchestration mapping a single policy intent simultaneously across Purview, Intune, SASE, and AI gateways; (4) runtime AI cost and usage governance covering provider-agnostic token telemetry, per-agent budgets, and agent-to-agent delegation chain attribution; (5) non-human identity privilege governance that compiles least-privilege configuration for AI agents across the identity planes you already run; and (6) MCP tool-call governance with signed tool-manifest pinning. Disclosure: pending applications do not grant exclusive rights until issued; timelines and outcomes vary.
Can Govern360 govern Microsoft 365 Copilot?
Yes — and this is the plane a browser extension can't reach, since Copilot runs server-side inside your tenant. Govern360 compiles each of your group-scoped policies into a Microsoft Purview specification: which Sensitive Information Types to use (including which detectors need a custom SIT), a recommended sensitivity label that gates Copilot, the DLP-for-Copilot action, and a step-by-step Purview portal runbook. You apply it in Purview; Microsoft enforces it on Copilot. Honest framing: Microsoft doesn't expose a REST API to create Purview DLP policies, so Govern360 compiles the spec and runbook — your admin applies it.
How does Govern360 enforce policy on endpoints?
For deeper enforcement, Deploy rolls out a managed browser extension via Microsoft Entra/Intune (with more managed-device paths on the roadmap). The extension applies Data Shield and Response Scan inline in the browser — but Govern360 still works without it for tenants who want to start with read-only network and SaaS-based discovery.
How does Govern360 assess AI vendors?
Vendor risk runs assessments against each AI vendor in your inventory — data retention, training on customer data, residency, certifications (SOC 2, ISO, HIPAA), and contractual terms — and scores them. You'll see a per-vendor rating, with flagged vendors (e.g. consumer tools that train on data, or systems with residency concerns) surfaced for action.
Can employees request access to AI tools?
Yes. Blocking everything fails, so Govern360 gives users a path to request the AI tools they need. A request lands in an admin approval queue; an admin approves or denies with a reason. Approving a tool auto-sanctions it in your inventory, and every request and decision is written to the same immutable audit trail as policy enforcement — so AI adoption is governed, not just blocked.
Which compliance frameworks does Govern360 support?
Continuous evidence is mapped to the EU AI Act, ISO/IEC 42001, SOC 2 Type II, NIST AI RMF, HIPAA, and GDPR. Each failing control links directly to the finding or policy that satisfies it, so a low score is an actionable list — and you can export audit-ready reports on demand or stream evidence to GRC platforms like Vanta.
Does Govern360 store my prompts or responses?
No. Data Shield and Response Scan evaluate prompts and AI responses in-line and retain decisions and metadata — not the raw content. You choose which detectors block, redact, warn, or flag for review. Your data is never used to train a model.
How long does it take to get value?
Read-only connection takes about five minutes per integration — no agents, no static keys. Your first AI inventory and risk surface appear within hours, and you can turn on policy packs and Data Shield detectors the same day. Architecture Review, Behavioral Risk, and SIEM streaming light up as you bring in more data.
Is there a free trial?
Yes — a 14-day free trial with no credit card. Connection is read-only and takes about five minutes per integration, so you can see your first AI inventory and risk surface within hours.

Still have questions?

Book a 30-min demo