
Compliance Layer for AI Risk and Accountability.
See AI adoption. Set policy. Build audit-ready evidence.
Keep content private.
The problem
AI adoption has moved. Governance has not caught up.
Employees already use ChatGPT, Copilot, Claude, Gemini and Perplexity inside real workflows. Most organisations still rely on policy documents and self-reporting rather than a reliable operating view of what is actually happening.
Unseen adoption
Unknown tools enter daily work through workflow convenience, not formal procurement, faster than annual policy reviews can track.
Unclear policy
Teams interpret risk on their own. There is rarely a clear action at the point of use: allow, warn or block.
Weak evidence
Reviews begin without a reliable record. When legal, security or audit asks, organisations reconstruct AI use from memory.
The visibility gap
The real question is not whether AI is being used. It is whether leadership can see it well enough to govern it.
Which AI tools are being used today?
Which departments or roles are using them?
Which tools are approved, warned or blocked?
Which usage is governed and which is unmanaged?
Where do policy interventions actually happen?
What evidence exists if legal, security or audit asks?
The regulatory context
The obligation is already here.
Three frameworks. Active enforcement. No grace period for missing records.
EU AI Act
Phased application is underway. Organisations using AI in professional workflows must document usage, classify risk and demonstrate oversight. The evidence standard is not retrospective. It must be built in real time.
GDPR
Enforcement now reaches AI data flows. Regulators scrutinise which tools employees use, what data enters them and whether a policy existed. The absence of a record is itself a finding.
NIS2 Directive
For organisations in scope, NIS2 requires documented controls over the tools used in operations. Unmanaged AI use, including Shadow AI, is an uncontrolled surface in that picture.
Organisations that govern AI use now will enter audit cycles with evidence. Those that don’t will reconstruct from memory.
Why C.L.A.R.A.
One control layer. Visibility, policy and evidence.
C.L.A.R.A. gives teams a practical way to govern AI use without turning governance into surveillance.
See
Know which AI tools are in use.
Adoption and Shadow AI become visible.
Control
Apply clear action at the point of use.
Allow, warn or block by policy for behaviours such as sharing API keys, uploading confidential files, sharing confidential company data, pasting source code, uploading sensitive documents, or sharing credentials and secrets.
Prove
Create a record teams can review.
Metadata supports audit and reporting.
From browser to control
A clear path from interaction to oversight.
Detection and policy decisions happen locally in the browser. The backend receives structured metadata only.
Browser extension
Enrolled user context for each session.
Local detection & policy
Risk category and action decided in the browser.
Metadata-only flow
A structured event record moves forward.
Dashboard & controls
Review, report and govern across the organisation.
Content stays local: only tool, timing, category, severity & action move forward.
Privacy architecture
Privacy is architecture, not a setting.
The differentiation is not “collect everything and analyse later.” Detection runs locally; only structured metadata is recorded.
Local
Inside the browserClassify risk category.
Apply allow, warn or block for risks such as sharing API keys, uploading confidential files, sharing confidential company data, pasting source code, uploading sensitive documents, or sharing credentials and secrets.
Never collected
What’s in the product
Seven surfaces, one governance layer.
The core platform is live in pilot: a Google Chrome and Edge browser extension, a Fastify API and a Next.js dashboard, all built around the metadata-only boundary.
Google Chrome and Edge browser extension
A quiet control point for enrolled users.
- Persistent enrollment
- Health and policy status
- Active session awareness
Warning overlay
A clear intervention before a risky action.
- Explain the policy action
- Let the user acknowledge
- Record metadata only
Policy controls
Simple rules that teams can apply.
- Allow, warn or block risky behaviours
- Flag sharing API keys, uploading confidential files, sharing confidential company data, pasting source code, uploading sensitive documents, or sharing credentials and secrets
- Apply group overrides
Shadow AI discovery
Bring unknown AI tools into view.
- Find unapproved tools
- Review each discovery
- Approve or block
Risk activity & dashboards
A clear view of risk signals across the organisation.
- See risk categories
- Review severity and action
- Move from signal to policy
OIDC access & roles
Organisation access and role controls for secure deployments.
- OIDC sign-in today
- IT, CISO and employee access gates
- SAML and SCIM on roadmap
Reporting & audit trail
Structured evidence ready for review.
- Event log and CSV export
- Report summaries
- Admin audit trail
Structured evidence for governance reviews and audit readiness.
A working platform today, with scale, identity and assurance layers maturing on the enterprise roadmap.
What C.L.A.R.A. can show today
Adoption, posture and evidence in one operating view.
Organisation administration, policy controls, Shadow AI review, leadership pages and an employee self-view. Every figure is metadata-derived.
Overview: adoption, governed vs unmanaged usage and policy posture at a glance.
What AI-visible organisations look like
From no visibility to governed AI adoption.
Most mid-sized companies sit between Level 1 and Level 2. The practical goal is to reach Level 3, organisation-wide observability, before promising full enterprise governance.
No visibility
AI is being used, but the organisation has no dependable view.
Basic awareness
Leadership knows some tools are in use, but the picture is incomplete.
Organisation-wide observability
Adoption, policy posture and unmanaged usage all become visible.
Governed AI adoption
Visibility, controls and evidence work together as an operating system.
Pilot readiness
Ready for focused pilot deployments and structured rollout planning.
The core product is live. Scale, identity and assurance layers continue to mature. We say clearly what C.L.A.R.A. does and does not yet claim.
What runs today
- Google Chrome and Edge browser extension with local detection
- Fastify API and metadata-only event flow
- Next.js dashboard with multi-role views
- OIDC sign-in and organisation roles
- Policy, Shadow AI discovery and reporting
What’s coming next
- Production database (Postgres) and retention
- SAML and SCIM
- Managed extension distribution
- Desktop and proxy coverage for AI app usage beyond the browser
- Trust-optimised Web Store packaging
- Formal SOC 2 programme
Pilot programme
Request a C.L.A.R.A. pilot.
Turn AI usage from speculation into a measurable operating picture: a visibility assessment, policy posture setup, extension rollout and findings review.
- Scope & rollout
Focused deployment to a defined group with Shadow AI discovery, policy review and live warn or block flows.
- Structured onboarding
Guidance for IT, calibration for security and compliance, and employee transparency framing from day one.
- Governance review at close
Leadership-ready summary of usage posture, policy outcomes and next-stage recommendations.
We received your request. The C.L.A.R.A. team will contact you within 24-48 hours.
A better governance model
Govern AI use.
Keep people trusted.
Visibility, policy and evidence without collecting interaction content.