Human AI Governance
Human AI Governance is included on the Professional and Enterprise plans.
What this is
Most Behavry features govern registered AI agents — Claude Code, Cursor, CrewAI, custom MCP clients. But the largest AI-related risk in most organizations is neither a rogue agent nor a malicious vendor. It's employees pasting customer data into ChatGPT.
Human AI Governance extends Behavry's policy + DLP + audit layer to every human using AI in a browser. Same policies, same DLP patterns, same audit schema — the difference is the subject of the audit row is a user, not a registered agent.
How it works
The Human AI Governance layer piggybacks on the Browser Extension across all 12 supported AI services. On every submit, paste, or file drop into a supported surface, the extension:
- Identifies the user from the SSO identity the extension carries (same Clerk / OIDC session as the dashboard)
- Scans the content with the local DLP scanner and local Browser Injection Scanner
- Applies policy — the extension queries the backend with a minimal fingerprint of the content (hash, detected patterns, destination service) and gets back allow / warn / block
- Enforces — warn shows a chip, block prevents submission, allow lets it through
- Audits — writes a human_session.* event via backend/behavry/audit/human_session_routes.py
Because the scan runs in the browser, content never leaves the device for evaluation. Only the fingerprint (hashes, pattern IDs, destination) is sent to the backend. The content itself is only uploaded if the tenant has opted into full-content capture for forensics — which is off by default.
What gets governed
| Surface | What's governed |
|---|---|
| ChatGPT, Claude, Gemini, Copilot, Perplexity, etc. | Prompt text, pasted content, uploaded files |
| AI-enabled SaaS (Notion AI, Google Workspace AI, etc.) | Prompt fields, AI-assist dialogs |
| Browser-embedded AI (sidebar assistants) | The prompt handed to the assistant |
A total of 12 AI services are covered at the time of writing — see the Browser Extension page for the current list.
Policies that apply
Same Rego policies as MCP agents, with input.subject.type == "human" and input.subject.user_id populated. This means a policy written to protect customer PII from an MCP agent protects it equally from a human paste into ChatGPT:
```rego
deny[reason] {
    input.content.dlp_findings[_].category == "pii"
    reason := "customer PII is not allowed in public AI services"
}
```
Sessions
Human activity is rolled up into sessions (human_session_service.py). A session groups all events from one user on one surface over a time window. Sessions carry:
- Total submissions and pastes
- DLP findings by severity
- Policy hits
- Time on surface
- The user's role and tenant
Activity → Human Sessions in the dashboard shows the list, filterable by user, surface, severity.
Break-glass
In rare cases a legitimate workflow needs to submit content that would otherwise be blocked — a lawyer uploading a contract to an AI summarizer for internal review, with the client's consent. The extension supports a Break-glass action: the user clicks "I need to do this," provides a justification, and the submission proceeds while writing a human_session.break_glass event that requires a reviewer sign-off after the fact.
Break-glass is policy-gated (not everyone gets the button) and expires after a configurable window.
API
Routes: backend/behavry/audit/human_session_routes.py.
| Method | Path | Purpose |
|---|---|---|
| GET | /api/v1/human-sessions | List sessions with filters |
| GET | /api/v1/human-sessions/{id} | Session detail with events |
| POST | /api/v1/human-sessions/break-glass | Extension submits a break-glass justification |
| POST | /api/v1/human-sessions/{id}/review | Reviewer acks or rejects a break-glass event |
Related
- Browser Extension — where the governance layer runs
- DLP Scanner — the same patterns power the extension scan
- Outbound / Browser Injection Scanner — runs in the same pipeline