Bifrost is an open-source AI gateway; paired with Bifrost Edge, it pushes AI endpoint security all the way to every laptop, covering desktop apps, browser AI, coding agents, and MCP servers.
AI endpoint security is our name for governing AI where it actually runs: on the machines your employees use. That surface includes desktop chat apps, AI inside the browser, coding agents, and any MCP servers those tools reach out to. The trouble is that the controls most enterprises rely on are anchored at the gateway or inside the data center, so they only ever touch traffic that someone deliberately routed through them. Whatever an employee opens on a laptop, drops customer data into, or wires a tool into bypasses the policy layer entirely. That is the gap Bifrost was built to close: Bifrost is the open-source AI gateway Maxim AI wrote in Go, and it runs as the control plane for AI traffic; Bifrost Edge carries the same governance out to each endpoint so the AI on every device falls under it too.
We will walk through three things below: how the endpoint gap opens up, the ground that AI endpoint security has to cover, and the way the Bifrost AI gateway and Bifrost Edge together seal that gap with no tool reconfiguration on anyone's part.
What is AI endpoint security?
Think of AI endpoint security as the controls that bring governance down to the device itself, so that every prompt, response, and tool call leaving a machine is first authenticated, inspected, logged, and checked against policy before any sensitive data goes out. The premise is that policy has to be enforced on the laptop, not only at the gateway.
Older endpoint security products were designed around files, processes, and network connections. Inspecting a prompt someone typed into a browser tab, stripping a secret out before it hits a model, or surfacing which MCP servers a developer has bolted onto a coding agent was simply never part of their job. Three capabilities, working together, are what close that gap in AI endpoint security:
- Visibility: a real-time inventory showing which AI apps and MCP servers are present across the fleet, and on how many machines each one appears.
- Control: enforced-on-device allow or deny decisions for individual AI apps and MCP servers, so a policy is acted on rather than merely suggested.
- Protection: guardrails that scan prompts and responses for secrets, PII, and unsafe content before any of it leaves the machine, while logging an audit trail behind every request.
The endpoint gap: why shadow AI exists
Traffic that nobody pointed at the gateway is traffic the gateway never governs. Day to day, that means people install Claude Desktop, pull up ChatGPT in a browser tab, fire off coding agents from the terminal, and hook MCP servers into their tools, with nothing sitting in between to apply policy. Shadow AI is the name for exactly that ungoverned activity: company data flowing out through tools the security team has no view into, leaving behind no audit trail, no budget ceiling, and no guardrails.
How big the gap has grown is now something we can put numbers on. According to IBM's Cost of a Data Breach Report 2025, 20% of the organizations studied (one in five) suffered a breach tied to shadow AI, and those events tacked on as much as $670,000 to the average cost of a breach. That same study also found 97% of organizations hit by an AI-related breach were missing proper access controls, and that customer PII turned up far more often in shadow AI incidents (65%, against a 53% global average). Separately, a Menlo Security analysis cited by Proofpoint put 68% of employees on free AI tools via personal accounts, and 57% of that group typing sensitive data into them.
This rhymes with the shadow IT surge a decade ago, when staff sidestepped sluggish procurement to spin up unsanctioned cloud apps. The payload is where it diverges: rather than parking files somewhere, AI tools ship source code, customer records, and contracts off to third-party model providers that live wholly beyond the company's reach. Sealing this gap is precisely what governing AI at the endpoint is for.
The gateway is the control plane; Bifrost Edge is the reach
Two layers are what make endpoint AI governance actually work. One is a control plane that defines and enforces policy. The other is a delivery mechanism that pushes that policy to every machine so it lands on the AI people genuinely reach for. Both come from Bifrost.
The AI gateway and the policy engine are one and the same: Bifrost. Inside it you set up virtual keys, budgets and rate limits, routing rules, guardrails, and audit logs a single time, and they hold for every request that crosses it. For teams that already run Bifrost as a central governance layer, those controls are already live.
What Bifrost Edge adds is the same governance, now reaching the endpoint. Running natively on macOS, Windows, and Linux, it sends every machine's AI traffic through Bifrost, which means security and compliance controls land everywhere rather than only on traffic somebody hand-pointed at the gateway. None of the policy changes in the process: the virtual keys, budgets, guardrails, and audit logs you set up in Bifrost are precisely what Edge applies on each device. At present Bifrost Edge is in alpha, and teams are signing up to be onboarded.
The split is easy to describe. Bifrost plays the brain, holding policy and enforcing it on configured traffic. Bifrost Edge plays the last mile, delivering that very policy to the AI sitting on every desk.
Visibility: see every AI app and MCP server on the fleet
Control depends on visibility coming first. AI tools you cannot see are AI tools you cannot govern, and the reality is that most organizations hold no inventory at all of the MCP servers their people have plugged into coding agents and chat apps.
That blind spot is what Bifrost Edge eliminates. On each machine it inventories the MCP servers configured inside each AI app and assembles a live, fleet-wide picture: which servers are set up, on which machines, and across how many devices. A security team can finally answer "what MCP servers are running on our fleet?" with hard data rather than a guess. MCP discovery currently covers the major AI apps that support MCP, among them Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.
Every machine running the Edge agent shows up in the admin devices dashboard, which pairs a fleet summary with per-device detail: hostname, owner, platform, agent version, installed AI apps, and configured MCP servers. Filtering is available by host, owner, platform, installed app, or approval status. Every control and protection decision rests on this inventory as its base.
Control: allow or deny apps and MCP servers, enforced on the device
Seeing what runs is only the start; endpoint governance then has to let you act on it. Which AI applications are sanctioned across the company is an administrator's call, and Bifrost Edge carries that call out on each device. Approved apps behave as usual and stay fully governed through Bifrost. Apps that are not approved get blocked before a single byte leaves the machine.
MCP servers follow the identical model. Administrators set per-server allow or deny decisions, and rather than staying advisory, the decision is enforced right on the device. Even an app that already had a given server configured before the policy existed cannot use it once that server is denied. Should Edge spot a fresh app or MCP server, it files an approval request in the admin console automatically, and admins can set whether such items run or stay blocked while they sit pending.
Central management of all of this happens through the approvals dashboard. Because catalogs are deduplicated fleet-wide, an MCP server present on many machines shows up just once: decide on it a single time, and at the next check-in that decision propagates everywhere. Rolling out a policy change touches no individual device.
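Here is a sketch, in Go, of how a fleet-wide MCP catalog can be assembled from per-device inventories and an allow/deny policy applied to it. It is an added example, not Bifrost Edge's code. It assumes the inventory on each device comes from a Claude Desktop style config file with an mcpServers map (display name keyed to a launch command and arguments); the three host configs are constructed sample data, and Pending, Allow, Deny, BuildCatalog, Effective and the pendingDefault parameter are this example's own names. One design choice to note: the catalog is keyed on the launch command and its arguments rather than on the display name, so a server that reuses an approved name but launches something else is approved on its own; whether Bifrost Edge dedupes by that identity is not stated on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// mcpConfig mirrors the "mcpServers" layout of Claude Desktop style config
// files: display name -> launch command and arguments.
type mcpConfig struct {
	MCPServers map[string]struct {
		Command string   `json:"command"`
		Args    []string `json:"args"`
	} `json:"mcpServers"`
}

// Decision is the administrator's verdict for one catalog entry.
type Decision int

const (
	Pending Decision = iota // no decision yet; pendingDefault applies
	Allow
	Deny
)

// CatalogEntry is one deduplicated server and the hosts it appears on.
type CatalogEntry struct {
	Key     string   // dedup identity: command plus arguments
	Name    string   // display name from the first config seen
	Devices []string // hostnames, sorted
}

// identityKey keys a server on what it actually launches, not its display
// name, so two servers sharing a name but different commands stay separate
// (a design assumption of this example).
func identityKey(cmd string, args []string) string {
	return cmd + " " + strings.Join(args, " ")
}

// BuildCatalog merges per-host config files into one deduplicated catalog.
func BuildCatalog(perDevice map[string]string) ([]CatalogEntry, error) {
	byKey := map[string]*CatalogEntry{}
	for host, raw := range perDevice {
		var cfg mcpConfig
		if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
			return nil, fmt.Errorf("%s: %w", host, err)
		}
		for name, s := range cfg.MCPServers {
			k := identityKey(s.Command, s.Args)
			e, ok := byKey[k]
			if !ok {
				e = &CatalogEntry{Key: k, Name: name}
				byKey[k] = e
			}
			e.Devices = append(e.Devices, host)
		}
	}
	out := make([]CatalogEntry, 0, len(byKey))
	for _, e := range byKey {
		sort.Strings(e.Devices)
		out = append(out, *e)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out, nil
}

// Effective is what a device enforces for a key: the admin's decision if one
// exists, otherwise the fleet-wide default for items still pending review.
func Effective(policy map[string]Decision, key string, pendingDefault Decision) Decision {
	if d, ok := policy[key]; ok && d != Pending {
		return d
	}
	return pendingDefault
}

// sampleFleet is constructed sample data: three hosts, two of which run the
// same GitHub server, and one running a different command under the same name.
var sampleFleet = map[string]string{
	"mac-alice": `{"mcpServers":{"filesystem":{"command":"npx","args":["-y","@modelcontextprotocol/server-filesystem","/Users/alice"]},"github":{"command":"npx","args":["-y","@modelcontextprotocol/server-github"]}}}`,
	"win-bob":   `{"mcpServers":{"github":{"command":"npx","args":["-y","@modelcontextprotocol/server-github"]}}}`,
	"lnx-carol": `{"mcpServers":{"github":{"command":"node","args":["/tmp/local-github-fork.js"]}}}`,
}

func main() {
	cat, err := BuildCatalog(sampleFleet)
	if err != nil {
		panic(err)
	}
	policy := map[string]Decision{} // nothing approved yet; pending items are denied
	for _, e := range cat {
		fmt.Printf("%-12s %d device(s) effective=%d %s\n", e.Name, len(e.Devices), Effective(policy, e.Key, Deny), e.Key)
	}
}
```

Running it lists three catalog entries, not four: the GitHub server on mac-alice and win-bob collapses into one row to decide on once, while carol's same-named server with a different command stays its own pending row.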
Protection: your guardrails, applied at the endpoint
Guarding the actual content moving through AI traffic is the third pillar. Since Bifrost Edge passes AI traffic through Bifrost, every guardrail already configured applies automatically to endpoint AI. Nothing extra needs setting up on the device: the same rules and profiles that shield gateway traffic now shield prompts and responses coming from desktop apps, browser AI, and coding agents.
Each guardrail fires twice: once on the prompt before it leaves for the model, and again on the provider's response before it is handed back to the app. That is how secrets and PII in a prompt are caught before they leave the machine, and how leaked or unsafe content in a response is caught before the app ever sees it. You configure guardrails in Bifrost out of reusable profiles and rules, and whatever coverage exists at the gateway flows straight through to the endpoint:
- Secrets detection backed by Gitleaks, catching leaked API keys, tokens, and credentials.
- Custom regex rules, with a built-in PII detection template included.
- AWS Bedrock Guardrails, Azure Content Safety, and Google Model Armor handling content filtering and prompt-attack prevention.
- CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI providing inline AI threat detection and safety evaluation.
So a prompt someone types into ChatGPT in a browser gets measured against your guardrails before it ever reaches the provider, just the way a request through the gateway would be.
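What a guardrail that runs in both directions looks like, as an added example in Go rather than Bifrost's own guardrail engine or the Gitleaks rule set: Scan applies a handful of rules to one message (two abbreviated Gitleaks-style secret patterns, a private-key header, and an email plus US SSN pair standing in for a PII template), and Guard runs it on the prompt before the model call and on the response after it, with a block decision winning over a redaction. The model call is a constructed closure, every key in the sample input is fake, and Pass, Redact, Block, Scan and Guard are this example's names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Action is what the guardrail tells the gateway to do with a message.
type Action int

const (
	Pass   Action = iota // forward unchanged
	Redact               // forward with matches masked
	Block                // refuse the request or the response
)

// Rule is one pattern and the action it triggers. The patterns are this
// example's abbreviated stand-ins for Gitleaks-style rules and a PII
// template, not Bifrost's shipped rule set.
type Rule struct {
	ID     string
	Re     *regexp.Regexp
	Action Action
}

var rules = []Rule{
	{"aws-access-key", regexp.MustCompile(`\b(?:AKIA|ASIA)[A-Z0-9]{16}\b`), Block},
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`), Block},
	{"private-key", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`), Block},
	{"email", regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`), Redact},
	{"us-ssn", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Redact},
}

// Finding records which rule fired on which direction of traffic, so the
// audit log can say what was caught without storing the sensitive value.
type Finding struct {
	RuleID    string
	Direction string // "prompt" or "response"
}

// Scan applies every rule to one message. A Block rule overrides any Redact;
// otherwise the returned text has each Redact match replaced by a mask.
func Scan(direction, text string) (Action, string, []Finding) {
	action := Pass
	var findings []Finding
	out := text
	for _, r := range rules {
		if !r.Re.MatchString(text) {
			continue
		}
		findings = append(findings, Finding{r.ID, direction})
		if r.Action == Block {
			action = Block
			continue
		}
		if action == Pass {
			action = Redact
		}
		out = r.Re.ReplaceAllString(out, "["+strings.ToUpper(r.ID)+"]")
	}
	if action == Block {
		return Block, "", findings
	}
	return action, out, findings
}

// Guard wraps a model call so the same rules run on the prompt before it
// leaves the machine and on the response before the app receives it.
func Guard(prompt string, model func(string) string) (Action, string, []Finding) {
	act, clean, f := Scan("prompt", prompt)
	if act == Block {
		return Block, "", f // the provider is never called
	}
	resp := model(clean) // only the redacted prompt goes out
	ract, rclean, rf := Scan("response", resp)
	f = append(f, rf...)
	if ract == Block {
		return Block, "", f
	}
	if act == Redact || ract == Redact {
		return Redact, rclean, f
	}
	return Pass, rclean, f
}

func main() {
	// Constructed fake model: echoes the prompt and appends a signature that
	// leaks an address, so the response-side scan has something to catch.
	leakyEcho := func(p string) string { return "You said: " + p + "; contact bob@example.com" }
	for _, p := range []string{
		"Summarise this ticket from alice@example.com about SSN 123-45-6789",
		"Why does AKIAIOSFODNN7EXAMPLE fail to authenticate?", // AWS's documented fake key
	} {
		act, text, f := Guard(p, leakyEcho)
		fmt.Printf("action=%d text=%q findings=%v\n", act, text, f)
	}
}
```

The first prompt goes out with the email and SSN masked and comes back with the model's own leaked address masked too; the second never reaches the model at all, because a secret that matches a Block rule stops the request on the device.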
Compliance everywhere: audit logs reach the laptop
There is a compliance dimension to AI endpoint security as well. Regulators keep raising the bar on proving you control how AI handles sensitive data, and proving compliance for systems you cannot see is impossible.
When Bifrost is the control plane, each request through Bifrost Edge picks up the organization's audit logging, budgets, and guardrails right on the laptop, not only in the data center. SOC 2, GDPR, HIPAA, and ISO 27001 all lean on immutable audit trails, and those now stretch to cover endpoint AI usage too. Teams in regulated industries, or those running Bifrost Enterprise inside air-gapped or VPC-isolated environments, get their existing compliance posture extended to the very machines where AI actually gets used.
Rolling out AI endpoint security with MDM
Endpoint security is only as good as its reach to every endpoint. Bifrost Edge is built to deploy fleet-wide through a device management platform you already run, letting organizations push it to every machine instead of leaning on users to download and configure something themselves.
- Supported MDM platforms: Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud, spanning macOS, Windows, and Linux where applicable.
- Managed configuration: only the non-sensitive connection settings ship out (the gateway and management endpoints), so each machine shows up already pointed at the correct Bifrost. No API key or provider credential is baked into the managed configuration.
- First-launch flow: MDM installs Edge silently, the user signs in one time in the browser with the single sign-on they already have, and governance switches on for every supported AI traffic stream. From there, Edge keeps its policy and configuration synced with Bifrost on its own.
Routing at the machine level is what lets Edge cover desktop apps, browser AI, and coding agents with zero per-app setup. Governance travels with the user rather than waiting around for an opt-in.
Frequently asked questions
How is AI endpoint security different from a network proxy or firewall?
A network proxy or firewall works at the connection level: it can allow or block a domain, and even with TLS inspection it sees an HTTP body rather than a prompt, a response, or a tool call, so it cannot scan a prompt for PII, pull a secret before it reaches a model, or report which MCP servers an app has configured. Endpoint AI governance works at the AI-traffic layer instead, understanding prompts, responses, tool calls, and the apps producing them, and bringing the organization's guardrails and governance to bear on each of them.
Do employees have to change how they use their AI tools?
No. After a single browser sign-in, Bifrost Edge is meant to fade into the background. People go on using Claude Desktop, ChatGPT, Cursor, and coding agents exactly as they always did, with no base URLs to edit and no SDKs to swap out, while Edge quietly routes that traffic through Bifrost.
Does this replace the Bifrost AI gateway?
No. The control plane where policy gets defined and enforced is still the Bifrost AI gateway. Bifrost Edge is the endpoint layer that carries those same policies out to every machine, so rather than being alternatives, the gateway and Edge operate as a pair.
Bring AI endpoint security to every machine
With one in five breaches now tracing back to shadow AI and most AI-related incidents boiling down to absent access controls, treating AI endpoint security as optional no longer holds up. Closing the gap takes a single control plane that can reach every device: set up virtual keys, budgets, guardrails, and audit logs once inside Bifrost, then let Bifrost Edge enforce them on the AI people genuinely use. To see how Bifrost and Bifrost Edge can govern AI across your fleet, book a demo with the Bifrost team.