Frequently asked questions

RenLayer Discover captures at the two points every shadow LLM call must pass through: your corporate network egress and the browser itself. Deploy a Docker container for egress and push a Chrome/Edge MV3 extension to laptops, and within 24 hours you see every provider, model, user and department — including ChatGPT.com, Claude.ai, Gemini and Copilot usage that never shows up in expense reports or SaaS inventories.

Yes. That is why we ship a Chrome/Edge MV3 browser extension alongside the corporate egress proxy. The extension captures inside the page, so streamed responses, conversation IDs and full multi-turn conversations come through — not just domain hits like a CASB or SWG would surface.

Yes. Every captured request is mapped to a user identity (from the browser session or egress auth) and joined to your org structure. The org structure is managed in the console with CSV import; SSO group sync is supported for Okta, Azure AD and Google Workspace.

CASB/SWG tools see the domain (chatgpt.com) but not the content. Cloudflare AI Gateway only sees calls you explicitly route through it — it cannot discover shadow usage you don't already know about. Discover parses the actual prompt and response inside the browser, runs 47+ DLP detectors on the content, reconstructs multi-turn conversations, and computes a human-vs-agent behavioral fingerprint. They see who visited; we see what was said.

Yes. The browser extension shows a status icon, and an employee transparency portal lets each user see exactly what was captured about them, with GDPR-grade delete requests. Discovery is built for compliance and visibility — not surveillance.

Most teams have the egress node running in under a day and the browser extension distributed via Intune/Jamf/GPO the same week. First shadow findings typically appear within hours of the extension reaching the first laptop.

RenLayer is an enterprise control plane for both shadow AI discovery and AI agent governance. Discover surfaces every LLM call your employees make through ChatGPT.com, Claude.ai, Gemini, Copilot or any corporate egress — attributed to user, team and department. Govern then applies policies, DLP, audit trails and cost optimization across both shadow traffic and your registered agents from the same dashboard, all without changing your application code.

RenLayer is built for enterprises, SMBs, and startups running AI agents in production. Typical users are security engineers, platform and DevOps teams, ML/LLM leads, and finance teams that need to audit, control, and budget agent usage across OpenAI, Anthropic, Google, AWS Bedrock, Azure, and other LLM providers.

Observability tools passively record what your agents do. RenLayer is an inline governance layer: it blocks policy violations, redacts PII, enforces cost caps, and optimizes prompts in real time during the request, instead of just reporting on them afterward. You get observability and enforcement in a single layer.

No. RenLayer does not replace your agent framework. It works alongside LangChain, LlamaIndex, CrewAI, Mastra, the Vercel AI SDK, the OpenAI Agents SDK, and any custom implementation. RenLayer sits between your agents and the LLM API to govern what they send and receive.

Yes. RenLayer ships with a built-in Data Loss Prevention engine that scans every request using 47+ detectors (credit cards, SSNs, email addresses, phone numbers, Stripe keys, AWS access and secret keys, GCP service accounts, GitHub and Slack tokens, private RSA/EC keys, and unknown secret patterns) and blocks or redacts sensitive data before it reaches the LLM provider. Custom regex detectors are supported.

Yes. RenLayer inspects agent inputs and outputs in real time, detecting injection patterns, jailbreak attempts, and tool-call anomalies. Suspicious requests are blocked before they reach your models or downstream business services.

It depends on the deployment tier you choose. In fully managed SaaS, request bodies transit the proxy but full payloads are not persisted; only a short body preview and cryptographic hashes are kept. In Hybrid mode, full bodies stay on your infrastructure and only metadata (token counts, costs, policy matches, severity levels) crosses the network to RenLayer over mutual TLS. In fully on-premises deployments, nothing leaves your VPC.

RenLayer uses a bring-your-own-keys model. Your LLM provider API keys transit through the proxy to the provider (in SaaS mode) or stay entirely on your infrastructure (in Hybrid and on-prem modes). RenLayer API keys are stored as salted hashes (never plaintext) and support agent scoping, expiry, and revocation.

Point your LLM client at the RenLayer proxy URL and add three headers: X-Target-URL for the upstream provider, X-Agent-ID, and X-Session-ID. There is no SDK to install and no client code to rewrite. Most teams are integrated end-to-end in under 24 hours with guidance from our engineering team.

RenLayer supports OpenAI, Azure OpenAI, Anthropic, Google Vertex AI and Gemini, AWS Bedrock, Cohere, Mistral, and HuggingFace. Because the proxy forwards requests at the HTTP layer rather than wrapping an SDK, new providers can be added without changes on the client side.

Yes. RenLayer is framework-agnostic. Any agent framework that lets you configure the base URL of the LLM API (LangChain, LlamaIndex, CrewAI, Mastra, the Vercel AI SDK, the OpenAI Agents SDK, or a custom client) can route through RenLayer with a base URL change.

Single-digit millisecond overhead per request in production deployments. The proxy performs enrichment, logging, and optimization asynchronously after the response is streamed, so clients never wait on governance logic.

Yes. RenLayer offers three deployment models: fully managed SaaS, Hybrid (proxy on your infrastructure, control plane hosted by RenLayer), and fully on-premises (proxy, API, console, and database in your VPC) for air-gapped environments. Signed Docker images, a Helm chart, and Terraform modules for AWS, GCP, and Azure are provided.

RenLayer is fail-open by design. If the proxy is disabled or removed, your agents keep working; they simply stop being governed until it is re-enabled. This lets platform teams roll out RenLayer with zero production risk.

RenLayer applies automatic, lossless request compression (JSON minification, whitespace normalization, and empty-field removal) plus prompt cache optimization. For Anthropic it inserts ephemeral cache_control markers on long system messages; for OpenAI and Azure it reorders messages to maximize prefix cache hits. Each request logs original bytes, optimized bytes, and the savings percentage so you can measure impact per agent and per model.

No. All optimizations are lossless. Compression removes formatting characters and empty fields without altering semantic content, and prompt cache markers only change how the provider caches the request. You can disable any optimization per agent or per request if you want to run A/B comparisons.

Yes. Policies can block, alert, or throttle based on estimated request cost, provider, model, agent ID, or response size. You can set daily and monthly caps to prevent runaway spend from misconfigured agents, and allocate budget per team or per environment.

RenLayer is built to help your AI agents comply with GDPR, CCPA, and the EU AI Act. Built-in features include structured audit trails for every request, data residency in Europe, mutual TLS with per-tenant certificates rotated regularly, configurable retention, and DLP detectors that block or redact personal and sensitive data before it reaches the LLM provider.

Every request produces a structured JSON log with rich structured metadata: execution ID, agent ID, provider, model, input and output token counts, estimated cost, latency breakdown, policy matches, PII findings with severity, anomaly scores, and session context. Logs can be exported to your data warehouse, OpenTelemetry (Datadog, Grafana, Jaeger, Splunk, New Relic, AWS X-Ray), Prometheus, or via webhooks to SIEM systems.

Log retention is configurable per deployment. In Hybrid and on-premises setups you can match retention to your internal policies. In managed SaaS, retention is set per plan and discussed during onboarding with our team.

Yes. All control-plane traffic uses mutual TLS with per-tenant certificates rotated regularly. Data at rest is encrypted in managed storage.

Yes. A self-hosted Community edition is free to run. The Scan tier (fully managed SaaS) is free for small volumes. Paid plans start with Team and scale to Enterprise with annual agreements and on-prem options.

RenLayer is priced primarily by governed requests, not by seat. Team plans bundle a monthly request volume with overage pricing; Enterprise plans are annual contracts with usage-based billing, dedicated support, and optional on-premises deployment.

Apply to the RenLayer Design Partner Program. Design partners get free deployment in Shadow Mode (log-only, zero production impact), integration in under 24 hours, direct access to our founders, and early access to every feature we ship.