Controlled Unclassified Information (CUI) // Official Use Only // FED-ID: 882-01
Network Status: Authorized (FedRAMP Moderate)

Shadow AI Sentinel — Federal-grade governance for shadow AI

Secure agency-wide LLM orchestration and zero-trust governance. Enforce FIPS 140-3 encrypted data boundaries and NIST AI RMF compliance across federal, defense, and regulated enterprise environments.

Standard · NIST AI RMF 1.0
Encryption · FIPS 140-3 L3
Hardening · DISA STIG

Intercept Stream · AUDIT_KERNEL_V4.2 · #SV-10294

14:22:01.082 [INTERCEPT_SUCCESS] · ACTION: PII_REDACTION_SVC · SIG: FED-772-B-001 · ACTOR: AI_ENCLAVE_12
14:21:44.291 [VERIFIED] · ACTION: ENCLAVE_ROUTING · SIG: ROUTE-OK-200 · ACTOR: ZERO_TRUST_GATE
14:21:12.915 [THREAT_TERMINATED] · ACTION: UNAUTH_ACCESS_ATTEMPT · SIG: MAL-AI-403 · ACTOR: EXTERNAL_USER_91

Mitigations · 12,842
Latency · 42ms
Security Posture Matrix · Optimal (00:00 to 24:00 UTC)
§ 00 / Live Pipeline

Compose a shadow prompt. Watch the verdict change in real time.

Pick a preset or tune the tool, department, sensitivity signals, and prompt volume below. The composite risk score, policy decision, and enforcement verdict recompute instantly — every weight is shown.

Interactive sandbox · synthetic data · presets and parameter controls · sensitivity signals toggle to recompute
STG_01 Ingest · POST /api/public/discoveries/ingest
STG_02 Classify · DLP + entity recognition
STG_03 Score · Multi-factor risk 0–100
STG_04 Policy · Policy-as-code evaluation
STG_05 Enforce · Allow · Redact · Block
STG_06 Audit · Tamper-evident ledger
Event Payload · EV-88420 · HTTPS 200 OK
{
  "actor":   "kareem.osei@agency.gov",
  "dept":    "Finance / Treasury",
  "tool":    "ChatGPT (consumer)",
  "channel": "browser-extension/v1.4",
  "tokens":  820,
  "prompt":  "Summarize Q3 vendor wire instructions: SSN ███-██-████, routing █████████, acct ████-██████",
  "ts":      "2026-06-28T14:22:01.082Z"
}
Inline DLP applied · entities masked at the edge
Risk Signals · weighted contribution · Σ 5 signals
PII · SSN / DOB · high-confidence entity match · +28
Financial · ABA / PAN · FFIEC + PCI pattern · +22
Unsanctioned tool · not on allowlist, no DPA · +18
Context · Finance / Treasury · regulated, SOX scope · +8
Volume · prompt size · 820 tokens · +8
Composite Score · 84 · tier: critical
Policy Decision · POL-014 · Block PII / financial to unmanaged LLM · verdict: block
LEDGER_APPEND · sha256:ev-88420-84-block · ✓ COMMITTED
§ 00.5 / Technical Specification

Built for security engineers, not slide decks.

API v1 · stable
POST /api/public/discoveries/ingest
idempotent · HMAC
$ curl https://sentinel.gov/api/public/discoveries/ingest \
    -H "Authorization: Bearer sas_live_8f2a1b9c…" \
    -H "Content-Type: application/json" \
    -d '{
      "tool_name":  "ChatGPT",
      "user_email": "kareem.osei@agency.gov",
      "department": "Treasury Ops",
      "prompt":     "redacted by extension",
      "signals": {
        "pii":      ["ssn","aba_routing"],
        "agentic":  false,
        "egress":   "consumer_endpoint"
      }
    }'

# 200 OK
{
  "id":         "disc_01HZX9P…",
  "risk_score": 92,
  "risk_tier":  "critical",
  "verdict":    "block",
  "policy":     "POL-014",
  "ledger":     "sha256:a1b2c3…"
}
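The ingest call above is labelled "idempotent · HMAC" and the gateway stage lists "HMAC verify". As an added example (not the vendor's gateway code), here is the server-side check that makes those two properties hold: the request is accepted only if its timestamp is fresh and its HMAC-SHA256 over the raw body verifies in constant time, and a retry carrying the same idempotency key replays the stored response instead of creating a second discovery record. The shared secret, the header names X-Sentinel-Timestamp, X-Sentinel-Signature and Idempotency-Key, and the canonical string (timestamp, a dot, then the body) are assumptions, not anything this page documents.

```python
# Added example, not Shadow AI Sentinel code. Server-side verification of an
# HMAC-signed, idempotent ingest request. Header names, the canonical string
# (timestamp + "." + raw body) and the response shape are assumptions.
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # reject signatures whose timestamp is too old or too far ahead


def sign_request(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the browser extension / agent computes before sending the request."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


class IngestGateway:
    """Verify freshness and signature first, then deduplicate by idempotency key."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now            # injectable clock so the check is testable
        self._seen = {}            # Idempotency-Key -> (body digest, cached response)
        self._next_id = 1

    def handle(self, headers: dict, body: bytes) -> dict:
        ts_raw = headers.get("X-Sentinel-Timestamp", "")
        if not ts_raw.isdigit():
            return {"status": 401, "error": "missing or malformed timestamp"}
        ts = int(ts_raw)
        if abs(self._now() - ts) > MAX_SKEW_SECONDS:
            return {"status": 401, "error": "stale timestamp"}
        expected = sign_request(self._secret, ts, body)
        # Constant-time comparison: never compare MACs with ==.
        if not hmac.compare_digest(expected, headers.get("X-Sentinel-Signature", "")):
            return {"status": 401, "error": "bad signature"}

        key = headers.get("Idempotency-Key")
        body_digest = hashlib.sha256(body).hexdigest()
        if key in self._seen:
            stored_digest, stored_response = self._seen[key]
            if stored_digest != body_digest:
                # Same key, different payload: a client bug, not a retry.
                return {"status": 409, "error": "idempotency key reused with a different payload"}
            # Legitimate retry: replay the stored response, no second record is created.
            return stored_response

        event = json.loads(body)
        response = {"status": 200,
                    "id": f"disc_{self._next_id:06d}",   # constructed id format
                    "tool_name": event["tool_name"]}
        self._next_id += 1
        if key:
            self._seen[key] = (body_digest, response)
        return response
```

Signature verification runs before the idempotency lookup on purpose: an unauthenticated caller must not be able to learn whether a key exists, and a replayed request with a forged body fails at the MAC rather than being served from the cache. In production the `_seen` map would be a TTL-bounded store rather than a process-local dict.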
p99 latency · 42 ms
throughput · 18k req/s
SLO · 99.95%
Control Plane Topology
EDGE · Browser ext · Network tap · IdP webhook
GATEWAY · mTLS · HMAC verify · rate-limit · WAF
CLASSIFY · DLP · entity recog · embedding similarity
SCORE · Weighted ensemble · explainable (SHAP)
POLICY · OPA / Rego · versioned · dry-run
ENFORCE · Allow · Redact · Block · Page on-call
LEDGER · Append-only · Merkle root · WORM export
Risk Formula
score = Σ(wᵢ · sᵢ) + dept_modifier
        + agentic_bonus − allowlist_credit
tier = bucket(score, [25, 50, 70])
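A reference implementation of the formula above, as an added example that is not the product's code. The signal weights (+28, +22, +18), the Finance / Treasury modifier (+8), the +8 volume contribution for 820 tokens and the thresholds [25, 50, 70] are the values shown in the § 00 sandbox; the agentic bonus, the allowlist credit, the other volume steps and the tier names other than "critical" are assumptions made for illustration.

```python
# Added example, not Shadow AI Sentinel code: reference scoring for
#   score = Σ(wᵢ·sᵢ) + dept_modifier + agentic_bonus − allowlist_credit
#   tier  = bucket(score, [25, 50, 70])
# Values marked "page" come from the § 00 sandbox; the rest are assumptions.

# Binary signals (sᵢ ∈ {0, 1}) and their weights wᵢ.
SIGNAL_WEIGHTS = {
    "pii": 28,           # page: PII · SSN / DOB, high-confidence entity match
    "financial": 22,     # page: Financial · ABA / PAN, FFIEC + PCI pattern
    "unsanctioned": 18,  # page: tool not on allowlist, no DPA
}
DEPT_MODIFIERS = {"Finance / Treasury": 8}          # page: regulated, SOX scope
AGENTIC_BONUS = 15                                  # assumed: prompt issued by an autonomous agent
ALLOWLIST_CREDIT = 20                               # assumed: tool is on the sanctioned allowlist
TIER_THRESHOLDS = [25, 50, 70]                      # page
TIER_NAMES = ["low", "medium", "high", "critical"]  # only "critical" appears on the page


def volume_signal(tokens: int) -> int:
    """Prompt-size contribution: +8 for 820 tokens is on the page, the other steps are assumed."""
    if tokens >= 2000:
        return 12
    if tokens >= 500:
        return 8
    if tokens >= 100:
        return 4
    return 0


def bucket(score: int) -> str:
    """tier = bucket(score, thresholds): the first threshold the score falls below names the tier."""
    for name, limit in zip(TIER_NAMES, TIER_THRESHOLDS):
        if score < limit:
            return name
    return TIER_NAMES[-1]


def score_event(signals, dept, tokens, agentic=False, allowlisted=False):
    """Return (score, tier, contributions); contributions is the per-weight explainability breakdown."""
    contributions = {}
    for name, weight in SIGNAL_WEIGHTS.items():
        if name in signals:                         # sᵢ = 1
            contributions[name] = weight
    contributions["dept_modifier"] = DEPT_MODIFIERS.get(dept, 0)
    contributions["volume"] = volume_signal(tokens)
    if agentic:
        contributions["agentic_bonus"] = AGENTIC_BONUS
    if allowlisted:
        contributions["allowlist_credit"] = -ALLOWLIST_CREDIT
    score = max(0, min(100, sum(contributions.values())))   # clamp to the 0-100 scale
    return score, bucket(score), contributions


if __name__ == "__main__":
    # The sandbox event EV-88420: 28 + 22 + 18 + 8 + 8 = 84 -> critical
    print(score_event({"pii", "financial", "unsanctioned"}, "Finance / Treasury", 820))
```

The returned `contributions` dict is what an "every weight is shown" UI or a SHAP-style explanation would render; the caller is responsible for not raising "unsanctioned" for a tool it also marks as allowlisted, since the two are mutually exclusive by definition.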
§ 01 / Capability Matrix

Aligned to NIST AI RMF 1.0

Ref: NIST.AI.100-1
GV-1.1 · Function: GOVERN
Workspace-scoped RBAC, immutable audit logs, policy-as-code with versioned rollback.

MP-2.3 · Function: MAP
Continuous discovery across IdP, SaaS, browser, and network telemetry. Full AI BOM export.

MS-2.7 · Function: MEASURE
Multi-factor 0–100 risk scoring with explainability for every signal.

MG-3.1 · Function: MANAGE
Auto-deny, require approval, block-at-egress. SOAR/SIEM webhooks built-in.

§ 02 / Regulatory Alignment

Evidence-grade compliance, exportable on demand.

Every discovery, policy intercept, and operator action is hashed, timestamped, and chained into a tamper-evident audit log. Generate framework-mapped evidence bundles in a single action.
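The hashing, timestamping and chaining just described, as an added example that is not the product's ledger code. Each entry carries the hash of its predecessor, so editing any record invalidates everything after it; the entry layout, the genesis value and the verification API are assumptions.

```python
# Added example, not Shadow AI Sentinel code: a minimal tamper-evident audit log
# in which every entry is hashed, timestamped and chained to its predecessor.
# Entry layout, genesis value and the verify() contract are assumptions.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev-hash of the very first entry


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLedger:
    def __init__(self, clock=None):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def append(self, kind: str, payload: dict) -> str:
        """Append one discovery / policy intercept / operator action; returns its hash."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": self._clock(), "kind": kind,
                "payload": payload, "prev": prev}
        entry = dict(body, hash=entry_hash(body))
        self._entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Current chain head. Export it out-of-band (WORM) so truncation is detectable."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute every hash and prev link. Returns (ok, seq of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self._entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev or entry_hash(body) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self._entries)   # chain truncated or rewritten end-to-end
        return True, None

    def export(self) -> list:
        """Evidence bundle: a copy of every entry, hashes included."""
        return [dict(e) for e in self._entries]
```

The caveat a practitioner should note: a hash chain alone proves that nothing in the middle was altered, but an attacker who can rewrite the whole file can simply drop the tail and the chain still verifies. That is why `verify()` accepts an externally stored `expected_head`, which is the role the page's WORM export and Merkle root play.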

Shadow AI Sentinel is engineered for FedRAMP-pathway deployments, with separation-of-duties, key custody, and operator attestation built into the control plane.

NIST AI RMF 1.0 · Mapped
NIST SP 800-53 r5 · Mapped
FedRAMP Moderate · Pathway
StateRAMP · Ready
FIPS 140-3 · Validated
SOC 2 Type II · Audited
ISO/IEC 42001 · Aligned
EU AI Act · High-Risk Ready
§ 03 / Deployment Modes

From multi-tenant SaaS to air-gapped enclave.

IL2 / IL4 · GovCloud SaaS
Managed multi-tenant control plane in US-Gov regions. Operator attestation and CAC/PIV SSO.

IL4 / IL5 · Private Tenant
Single-tenant deployment inside your VPC. Customer-managed KMS, dedicated audit ledger.

IL5 / IL6 · Air-Gapped
Self-hosted enclave with no external egress. Offline catalog sync via signed bundles.

Govern shadow AI before adversaries weaponize it.

Brief your team on the platform, request the security whitepaper, or stand up an evaluation tenant in under an hour.