AI use control, upload protection, and audit evidence for institutions.
Register institutions, generate secure deployment kits, inspect AI use, and export audit evidence without storing raw sensitive content.
Loading system status…
Command Ledger
Ready to refresh.
Loading…
Create institution
No institution action yet.
Invite the first institution administrator
Create the institution workspace first, then send password-setup instructions to its verified administrator. Public self-signup remains disabled.
No administrator invitation sent.
AI Tool Registry
The approved inventory for websites, desktop applications, local model runners, APIs, and browser extensions.
Tool
Type
Decision
Coverage
Refresh the registry to load tools.
Technical result
No registry action yet.
Discovery Queue
New websites and applications reported automatically by managed browsers, endpoints, gateways, DNS, proxies, and firewalls.
Default action: an unknown AI destination is blocked and held for review. Only destination and application metadata is stored.
Discovered item
Source
Status
Action
No discoveries loaded.
Review selected discovery
Controlled discovery simulator
Use synthetic metadata only. Managed devices normally report this automatically.
Technical result
No discovery action yet.
Managed Devices
Enroll institution computers and monitor Browser Guard, Endpoint Agent, application discovery, and policy status.
One-time enrollment secret
Copy it directly into the approved device configuration. It cannot be displayed again and is never stored in raw form.
Device
Platform
Status
Last contact
No managed devices loaded.
Technical result
No device action yet.
Policy Control
Review the effective tool and data policy, then publish a numbered release for managed gateways, browsers, and endpoints.
Unknown AIBlock and review
External uploadsInspect all destinations
Raw sensitive storageDisabled
Effective policy details
Preview or publish a policy release.
Institution Deployment Center
Generate institution-specific gateway, endpoint, browser guard, policy bundle, installation docs, checksums, and a downloadable ZIP package.
No deployment kit generated in this session.
Operator access
Allowlist an existing Authentication user and assign one controlled role. Institution-scoped roles require at least one institution ID.
No operator action yet.
Approvals
Request
Subject
Status
Action
Refresh approvals to load requests.
Record a decision
No approval action yet.
Incidents
No incident action yet.
Prompt Guard
No prompt inspected yet.
Document Upload Guard
Managed browsers detect the destination automatically. Operators do not maintain URLs during normal use.
Automatic coverage: every available external file selection is paused and inspected before the destination page receives it. Some external services disable attachments for signed-out or restricted accounts; use this controlled simulator when their file picker is unavailable.
No upload inspected yet.
Developer Guard
No code scanned yet.
Evidence Export
No evidence action yet.
How to use TekuBase AIGuard
1. Create the institution workspace
Open Institution Setup, enter the official institution ID, name, sector, and risk tier, then save. This creates the operating workspace used by Prompt Guard, Upload Guard, Developer Guard, deployment kits, and evidence exports.
Use stable IDs such as ministry-office-name or financial-institution-name.
Use risk tiers such as critical, high, medium, or standard.
Use controlled non-sensitive test data until production data handling is approved.
2. Generate the deployment kit
Open Deployment Center and generate a secure deployment kit for the institution. The kit contains policy, gateway files, endpoint/browser deployment materials, installation documentation, and checksums. Enrollment secrets are issued only through a separate controlled workflow.
Record the displayed ZIP SHA-256 with the approved change record.
Deliver kits through a secure internal channel only.
Complete enrollment through an approved operator workflow.
3. Install the enforcement gateway
The gateway is installed on an institution server or VM. It receives AI-use inspection requests from the browser guard, endpoint agent, proxy/DNS/firewall integrations, and approved AI workspaces.
Keep the gateway inside the institution network or secured data center.
Connect DNS/proxy/firewall policy so users cannot bypass approved AI controls.
Test /health, /policy, and /inspect before staff rollout.
4. Enroll browsers and endpoints
Install the Browser Guard on managed Chrome/Edge browsers and the Endpoint Agent on approved staff computers. These components detect risky AI websites, file upload attempts, sensitive text, clipboard leakage, code secrets, and unapproved AI tools.
Start with an approved controlled device group.
Use managed browser policy or IT device management.
Block direct access to unapproved AI websites at DNS/proxy/firewall level.
5. Inspect AI use
Use the guard modules for daily checks and controlled validation.
Prompt Guard: checks text before it is sent to an AI tool.
Upload Guard: checks documents and file contents before upload.
Developer Guard: checks AI-generated or pasted code for secrets, unsafe queries, and risky patterns.
6. Export evidence and verify audit chain
Open Evidence to verify the tamper-evident audit chain and export regulator-ready evidence. Evidence should include institution, deployment kit, guard decisions, blocked events, hashes, and executive summary.
Use evidence exports for internal audit, INSA readiness, board reporting, and regulator review.
Keep raw sensitive data out of reports; use hashes and redacted snippets only.
Export evidence after each approved review cycle.
Operational rollout checklist
Step
Owner
Output
Approve operating scope
Executive sponsor + security office
Institution, users, risk scope, and success criteria
Create workspace
National or institution operator
Institution record and policy context
Generate kit
AIGuard operator
Signed ZIP, SHA-256 sidecar, installation guide
Install gateway
IT/network team
Gateway service reachable and health checked
Enroll devices
IT endpoint team
Browser/endpoint guards active on approved computers
Enforce network policy
Network/security team
Unapproved AI bypass paths blocked or monitored
Run acceptance tests
Security + department users
Allowed public prompt, blocked restricted upload, blocked risky code
Export evidence
Auditor/operator
Evidence ZIP and verified audit chain
Security rule: Do not email deployment kits or enrollment-token files. Do not upload real citizen, customer, credential, or confidential data during first validation. Use controlled test data until the institution security office approves production traffic.