AIDR Capabilities

AI Detection and Response (AIDR) provides enterprise security teams with centralized visibility, threat detection, and policy enforcement for the use of generative AI. It also supports compliance efforts by helping monitor and control AI activity across the environment.

Visibility into AI activity

Through its sensors, AIDR provides visibility into AI activity across your environment, helping to surface risks, enforce usage policies, and support governance of generative AI.

• Shadow AI - Discover both sanctioned and unsanctioned AI usage across applications, agents, and cloud services. Visibility into AI usage from user devices is supported through browser telemetry. AIDR log forwarding enables AI-related threats to be monitored and managed through SIEM workflows.

  Examples include:

  • Detecting unmanaged AI usage via browser telemetry.
  • Identifying unapproved use of AI providers through gateway logs.
  • Monitoring AWS Bedrock usage across corporate cloud accounts to surface unauthorized or untracked AI activity.

• Data correlation - Map AI activity to user identities, devices, agents, applications, and organizational context using sensor-based telemetry.

  Examples include:

  • Linking sensor activity from browsers, applications, and other clients to specific employees or teams.
  • Correlating cloud-based AI API calls with workload identities and source environments.
  • Associating MCP agent behavior (such as prompt orchestration or autonomous function calling) with AI service providers and application context.
  • Optionally, when AIDR logs are forwarded to a SIEM, they could be correlated with endpoint, network, or identity logs to uncover hidden AI usage patterns.

• Risk context from content and usage patterns - Understand the nature and potential impact of AI activity, including behavioral trends and measurable enforcement outcomes.

  Examples include:

  • Detecting repeated submission of sensitive data (for example, PHI or financial documents), even within approved AI tools or internal applications - using either direct sensor integration or look-aside OpenTelemetry instrumentation.
  • Identifying high-risk usage patterns, such as large-volume prompt activity, jailbreak attempts, or the generation of executable code.
  • Measuring the frequency and type of policy violations detected or blocked by AIDR, providing tangible metrics for security reporting and compliance tracking.

LLM threat detection

AIDR leverages the Pangea AI Guard service to detect and block threats in generative AI activity across your environment. When telemetry is available through sensors or integrations, AIDR can:

• Detect and block prompt injection and jailbreak attempts with high efficacy, using detection patterns refined through real-world usage.
• Identify and prevent the exposure of sensitive content - such as credentials, financial data, and over 50 types of personally identifiable information (PII) - with support for custom pattern definitions.
• Flag and block toxic, violent, or harmful content, including indications of self-harm or abuse in AI inputs and outputs.
• Detect and defang references to known malicious links, IP addresses, or domains using integrated threat intelligence.
• Enforce language-based policies with allowlist and denylist controls covering 100 spoken languages.

Policy enforcement

• Define and apply trust policies per model, user, agent, or application.
• Restrict access to specific providers or model types based on compliance and risk posture.
• Enforce real-time content policies such as redaction, blocking, or detailed logging.

Telemetry collection via sensors

AIDR relies on sensors to collect AI-related telemetry from across the enterprise environment. Each sensor type supports a different layer of visibility or control.

• Browser - Detect user interactions with known AI tools using the AIDR Chrome browser extension, capturing prompts, responses, and related metadata from browser sessions. Useful for identifying shadow AI usage and data exposure risks originating on user devices.
• Cloud - Ingest AI-related logs and events from supported cloud platforms.
• Gateway - Enforce policies and log traffic at network-layer API proxies. Supported gateways include Kong, LiteLLM, and custom infrastructure integrations (for example, with F5).
• Agentic - Instrument AI agents to capture prompt activity and model responses. Current support includes MCP Proxy for capturing telemetry from autonomous agents.
• Application - Integrate AI policy checks into internal applications via the Pangea SDKs or APIs, enabling in-line detection and enforcement in internally developed systems.
• OTel - Use OpenTelemetry to instrument applications and services for AI telemetry, providing a standardized way to collect AI-related data across diverse environments.

Response and remediation using AIDR data

• Export AIDR findings to external SIEMs such as CrowdStrike Next-Gen SIEM or Splunk for triage and correlation.
• Use SIEM rules or SOAR playbooks to generate alerts and trigger response workflows.
• Common follow-up actions include:
  • Blocking or restricting access to specific models or endpoints
  • Investigating users or devices involved in policy-violating activity
  • Assigning training or access reviews for affected employees
  • Scanning endpoints for sensitive documents or unauthorized tools

Flexible deployment and coverage

Different types of sensors provide varying levels of visibility and control. AIDR can be used as a SaaS solution or deployed on-premises, depending on your needs.

Log forwarding to external SIEMs

AIDR supports log forwarding to external security platforms, enabling you to enrich investigations, reporting, response workflows, and compliance efforts by correlating AI activity with broader security telemetry.

Forwarded logs include AI-related events collected by AIDR sensors and can be consumed by external SIEM platforms.

• CrowdStrike Next-Gen SIEM - Forward AIDR logs to CrowdStrike using the Falcon Next-Gen SIEM’s HEC-compatible endpoint. This enables correlation with host and endpoint activity already captured by CrowdStrike and supports integration with its dashboards, detections, and workflows. See CrowdStrike integration for setup details.

• Splunk - Use the Splunk HTTP Event Collector (HEC) to ingest AIDR logs and integrate them with observability pipelines, security detections, and reporting tools in your Splunk environment. See the Splunk log forwarding guide for configuration instructions.

Platform security and compliance

The AIDR platform is built on Pangea's secure infrastructure, which meets key industry standards for security and privacy:

• SOC 2 Type II
• HIPAA Compliant
• ISO/IEC 27001
• ISO/IEC 27701

These certifications ensure that data processed by AIDR is handled in accordance with industry-recognized controls for security, privacy, and availability.

Was this article helpful?

Contact us