MCP clients, AI API proxies, browser-based AI services, vibe-coding platforms, SaaS admin APIs, identity providers, SIEM destinations. No agent code changes. Here's the full map.
// mcp proxy · inline governance
Agents point their MCP config at the Behavry proxy. Every tool call — identity, DLP, policy, audit — governed before execution. No agent code changes.
Plus fingerprints for Google Antigravity, OpenAI Codex CLI, and Amazon Kiro. Any MCP client supporting Streamable HTTP or stdio works — the proxy is protocol-agnostic.
// api proxy · model-level governance
Transparent reverse proxies for major AI model APIs. Identity, DLP, policy, and audit applied to every API call. Token extraction for cost attribution across all 6.
Cost attribution with 14 seeded model prices + tenant-configurable overrides. Aggregation API with CSV export.
// browser extension · manifest v3
DLP scanning on browser-based AI interactions. 26 patterns in real time. Shadow AI detection for unenrolled services.
// citizen coder governance
DOM fingerprinting + platform API connectors discover and govern apps built by non-developers. 7-signal risk scoring. OPA policy enforcement. Full story →
// ai asset discovery · 30 platforms
Four-state model: Licensed → Enabled → Active → Governed. Cross-references IdP apps, SaaS admin APIs, and browser fingerprints.
Identity Provider Connectors
SaaS Admin API Connectors
30 AI-capable SaaS platforms in the fingerprint DB. Browser extension adds 10 passive DOM fingerprint rules for admin page detection. Credentials encrypted via AES-256-GCM.
// siem · 4 native connectors
Structured, identity-attributed audit events in your existing SIEM. Better data in the glass you already have.
Plus webhook delivery to Slack, PagerDuty, or any custom endpoint. Configurable severity filtering. Signed payloads with retry and dead-letter queue.
// data protection · 26 patterns · byok
Four-stage pipeline: classification, redaction with pseudonymization, BYOK envelope encryption (AES-256-GCM + AWS KMS), and retention purge with decryption audit trail.
26 patterns total. Luhn validation, SSN structure checks, cross-session fragment reassembly detection. Critical-severity patterns auto-block before OPA evaluation. DB-managed with hot-reload — add custom patterns without restart.
// compliance
CC6.1 · CC6.7 · CC7.2 · CC7.3 · CC7.4
A.12.4.1 · A.12.4.2 · A.9.4.1
Art. 9 · Art. 13 · Art. 14
GOVERN · MAP · MEASURE · MANAGE
Art. 32 · Technical measures
§164.312 · Technical safeguards
OWASP ASI mapping + PDF export. Full framework-to-control mapping in dashboard.
// deployment
Behavry manages everything. Fastest start.
Control plane SaaS. Data plane in your VPC.
Full stack in your cloud. Helm + Terraform.
Air-gapped. No external dependencies.
All models share a single data plane image. Identical governance capabilities regardless of deployment.