Control Zero is in early beta. We ship daily. Feedback: team@controlzero.ai

Control Zero Self-Managed

AI Governance for On-Premises Environments.

Both products, deployed within your network boundary. Docker Compose. No outbound internet required.

Developer Gateway + SDK

IT Governance Scout + Enforcement

// 001

What We Solve

Four categories of AI risk that security teams face today. Control Zero Self-Managed addresses each one with a dedicated capability.

AI Coding Tools

AI Coding Tool DLP

MCP-level controls govern what tools AI coding assistants can invoke and what data they can access. Policy enforcement happens before any tool call executes, preventing source code, credentials, and proprietary logic from leaving your network.

Chat Applications

Chat Application DLP

An SSL-inspecting proxy sits between your users and browser-based AI chat services. It detects, blocks, or masks sensitive content before it reaches external AI providers. Configure DLP rules per domain with detect, block, or mask modes.

API Traffic

API-Level DLP

A transparent gateway proxy intercepts all LLM API traffic. PII detection and masking, model blocking, cost caps, and tool call interception happen inline with zero application code changes. Change your base URL and enforcement begins.

Discovery

Shadow AI Discovery

Endpoint and network agents discover unauthorized AI tools, exposed API credentials, and hidden model traffic across your fleet. Continuous scanning with dashboard visibility. No manual audits required.

// 002

How Deployment Works

Docker Compose is the only deployment method. Standard requirements: Docker 24+, 4 GB RAM, 2 CPU cores, 10 GB disk. Full control over networking, storage, and access policies.

01

Pull Images

Authenticate with the Control Zero container registry and pull the latest images. All images are signed and verified. Works on any Linux host with Docker 24+.

02

Configure

Set your license key, network bindings, and policy configuration in the compose environment file. Optional: TLS certificates, log destinations, proxy settings.

03

Deploy

Run docker compose up. Preflight health checks verify the environment automatically. All services start, connect, and report status. No outbound internet required after initial pull.

Air-gap tarball and hybrid deployment modes are planned for future releases.

Deployment Architecture

Self-Managed Deployment: Your Network (On-Premises)

Control Zero API: Go binary, policy management, audit
Gateway Proxy: Intercept, evaluate, enforce
Admin Dashboard: Policies, agents, audit logs
Transactional Database: Projects, policies
Analytical Store: Immutable audit logs
Secrets Management: Encrypted at rest
Caching Layer: Sessions, state
License Key: Offline validation. Seat + time enforcement. No phone-home.
Docker Compose: Container orchestration. Health checks. Single-command deploy.

// 003

Key Capabilities

Licensing

License Management

Seat-based, time-limited licenses with offline validation. No phone-home requirement. Grace period and read-only mode prevent disruption during renewal.

Monitoring

Health Checks

Preflight checks verify the environment before installation. Postflight checks confirm all services are operational. Run manually or integrate with your monitoring.

Diagnostics

Support Bundles

Generate diagnostic packages with automatic secret redaction. Includes service logs, container state, system info, and health check results.

Observability

Configurable Logging

Five log levels from error to trace. Structured JSON output compatible with Splunk, Elasticsearch, and Datadog. Separate audit and application log streams.

Security

Anti-Tampering

Policy bundles are cryptographically signed and verified on every load. Configuration integrity monitoring detects unauthorized changes. Binary checksums verified on startup.

Network

SSL Proxy

Chat DLP for browser-based AI services. Deploy a CA certificate to endpoints and configure detect, block, or mask modes per domain. Scoped inspection, no blanket interception.

// 004

Compliance

Every governance decision is recorded, queryable, and exportable. Built for environments where audit readiness is a requirement, not a feature request.

Audit

Immutable Audit Trails

Every policy evaluation is logged with timestamp, agent identity, action, resource, decision, and the policy that matched. Audit records are append-only.

Privacy

PII Detection and Masking

Detect personally identifiable information in prompts before they reach any AI provider. Configure masking rules to replace PII with placeholder tokens.

Transparency

Full Decision Logging

Every allow and deny decision includes the complete evaluation context: which policy matched, why it matched, and what action was taken. No silent decisions.

Integration

Export Capabilities

Export audit data in JSON or CSV format for integration with your existing compliance and reporting workflows. Filter by date range, agent, action, or decision.

See self-managed in action.

Both products available for on-premises deployment. Seat-based licensing with offline validation.