How it works

    One mechanism, end to end

    A request is identified by meaning, sensitive content is generalized on-device, compliant requests proceed, and every decision is recorded in a tamper-evident ledger. The same privacy, policy and audit apply across desktop, browser, server-side and the network edge.

    Everything below ships today.

    Privacy engine

    • Semantic detection by meaning, not patterns
    • Mathematical k-anonymity with configurable thresholds
    • Hierarchical generalization (city → region, age → range)
    • On-device intent analysis, zero prompt egress
    • Joint privacy evaluation across prompt + attachments
    Related FAQ →

    Agent governance

    • Mission binding per agent
    • Per-tool-call and per-data-access policy checks
    • Semantic mission-drift detection: flags an agent diverging from its mission across a session, beyond single-action checks
    • Out-of-scope action blocking with session severing
    • Kill-switch
    • Human-in-the-loop review of automated decisions (GDPR Art. 22)
    Related FAQ →

    Threat detection

    • Model-response inspection (injection echoes, data-probing, social engineering)
    • Document inspection (PDF, Office, spreadsheets, images) for embedded threats
    • Prompt-injection detection
    Related FAQ →

    Evidence & audit

    • Hash-chained, tamper-evident ledger
    • Forensic incident records
    • Evidence-pack generators for EU AI Act, GDPR, NIS2, ISO 27001, SOC 2, HIPAA, PCI-DSS
    Related FAQ →

    Fleet & operations

    • Central policy distribution, Ed25519-signed
    • Automatic coverage of new/changed AI provider endpoints in minutes
    • Per-tenant isolation
    • Fail-closed behavior on component degradation
    Related FAQ →

    Data protection & deployment

    • AES-256 at rest with independent key management
    • Encryption in transit
    • Customer-hosted NyxCommand
    • SaaS, on-premise/VPC, air-gapped and sovereign deployment
    • Coverage surfaces: desktop, browser, server-side, network edge
    Related FAQ →
    The Platform

    More that sets Nyx apart

    Capabilities that ship today, the parts most AI-security tools leave uncovered.

    Self-Updating Coverage

    When an AI provider changes or adds an endpoint, Nyx detects it from fleet telemetry and extends protection in minutes, not on your next release cycle.

    Response-Side Defense

    Most tools only watch the prompt. Nyx also inspects the model's reply for injection echoes, secret-probing and manipulation.

    Document Inspection

    Uploads aren't a blind spot. PDFs, Office files, spreadsheets and images are inspected for embedded threats and sensitive content.

    Defense in Depth

    Protection spans desktop, browser, server-side and the network edge, layered so a request that slips one control still meets the next.

    Encrypted at Rest

    Forensic data and sensitive originals are sealed on disk with AES-256 and independently managed keys.

    Fails Closed

    If a component degrades, Nyx defaults to protecting you, no silent bypass that quietly lets data through.

    Get a demo