Research Thesis

Independent Research

Enterprise AI Governance & Data Security

managing the governance debt

Author: Arya Shah
Affiliation: Independent Researcher
Format: Research thesis
Drafted: Q2 2026

01

Executive summary

Enterprise AI adoption is running far ahead of enterprise AI governance. Every team that pastes a contract into a chatbot or wires a model into a workflow is borrowing against controls that were never put in place. That borrowing compounds. We call the accumulated liability the governance debt, and we believe closing it is one of the most underwritten opportunities in enterprise security.

The debt has a specific shape. Two structural gaps let sensitive data leave the perimeter unobserved and uncontrolled: a visibility gap, where security teams cannot see which tools their people actually use, and a data-control gap, where there is no granular control over what gets sent to a third-party API once a tool is in use. Intellectual property and regulated PII flow out through both.

The near-term answer is an interception layer: data-redaction gateways that sit on the path between the enterprise and the model provider, detect sensitive entities, and strip or mask them before the request crosses the boundary. We feature Hardshell as a high-conviction company building this layer. The longer arc is structural: moving inference onto local and on-device models inside a private VPC, so the most sensitive data never transits a third party at all.

Adoption is a decision teams make in an afternoon. Governance is a system the enterprise has to build. The gap between the two is the debt - and it accrues interest in the form of exposed IP and leaked PII.
The central claim

What follows defines the governance debt, anatomizes the two gaps that create it, sets out the redaction-gateway approach we would underwrite, profiles Hardshell against that thesis, and closes on the on-device frontier that resets the problem entirely.

02

The governance debt

Technical debt is what you owe when you ship faster than you engineer. Governance debt is what you owe when you adopt faster than you govern - and enterprise AI is the most aggressive adoption curve most security teams have ever faced.

Adoption outpaces control

Generative AI entered the enterprise from the bottom up. An analyst drafts in a chatbot, an engineer pastes a stack trace into a coding assistant, a recruiter summarizes resumes with a browser extension. None of it waited for a policy. By the time governance is convened, the tools are load-bearing and the data has already been moving for months.

The interest is paid in exposure

Unlike technical debt, governance debt is not paid back in refactoring time - it is paid in IP exposure and PII leakage. Source code, deal terms, customer records, and roadmaps leave the perimeter in the body of a prompt and land in logs, fine-tuning sets, and retention systems the enterprise does not own and cannot audit. A single careless prompt can be unrecoverable.

It compounds quietly

The debt is invisible until it is a breach. There is no error message for sensitive data sent to the wrong place, no alert when a contractor routes client files through an unvetted model. The liability sits on no balance sheet and trips no monitor until a regulator, an auditor, or an adversary surfaces it. The longer adoption runs without governance, the larger the unobserved principal grows.

Illustrative gap

The distance between what is in use and what is governed is the debt. Figures are illustrative, drawn to make the shape visible.

AI tools in active use: 18 / 100 (% of tools)
Prompts inspected for sensitive data: 9 / 100 (% of traffic)
Data flows with a documented owner: 23 / 100 (% of flows)

03

The two gaps

The governance debt is built from two distinct failures. The first is not knowing what is happening. The second is not being able to control it even when you do. A serious program has to close both - one without the other leaves the perimeter open.

Gap one

The visibility gap

You cannot govern what you cannot see

Security teams cannot reliably audit or identify shadow AI - the models, extensions, and embedded copilots that staff adopt without review. Usage is spread across personal accounts, browser plugins, and features quietly shipped inside tools already approved for other reasons.

  • Shadow AI hides in approved SaaS and personal accounts
  • No inventory of which models touch which data
  • Discovery lags adoption by months

Gap two

The data-control gap

Visibility without control still leaks

Even for sanctioned tools, there is no granular control over the sensitive data inside an outbound request. Policy lives in a PDF, not on the wire. The enterprise cannot enforce, per request, that a customer record or a secret is stripped before the payload reaches a third-party API.

  • No per-request enforcement at the boundary
  • Sensitive entities ride along inside prompts
  • Third-party retention is opaque and unrecoverable

The gaps reinforce each other. Invisible usage cannot be controlled, and controls that only cover sanctioned tools miss everything the visibility gap is hiding. Closing the debt means an enforcement point that both sees the traffic and can act on it - which is exactly where the gateway thesis begins.

04

Data-redaction gateways

The primary solution we would underwrite is an interception layer we call the data-redaction gateway, or write-integrity layer. It sits inline on the path between the enterprise and any model provider, inspects each request, and strips or masks sensitive entities before the payload is allowed to leave the perimeter.

Intercept on the path out

The gateway terminates the request at the boundary rather than trusting the application to behave. Every prompt, function call, and document upload routes through one enforcement point, which gives the enterprise a single place to see traffic and a single place to act on it - closing both gaps at once.

Detect, then redact or tokenize

Inline classifiers identify sensitive entities - names, account numbers, secrets, source code, regulated identifiers - and the gateway masks them, tokenizes them with a reversible placeholder, or blocks the request outright. Reversible tokens let the model return a useful answer that is rehydrated on the way back in, so security does not cost utility.

Gateway preview

Outbound request to model provider

Summarize the contract for [NAME_01], card [CARD_01], under [PROJECT_01]. Use key [SECRET_01] to pull the ledger.

Withheld at the boundary: PII, PII, IP, Secret

Write integrity, not just read filtering

The layer is bidirectional. On the way out it enforces what may leave; on the way back it validates and rehydrates the response and logs an auditable record of exactly what was sent and what was withheld. That write-integrity property - a provable account of every boundary crossing - is what turns a filter into a control plane.
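
The detect, tokenize, rehydrate and audit loop described above, as an added Python example (not code from this thesis or from Hardshell). The three regex rules, the sk- key format and the function names are assumptions made for illustration; a real gateway would use trained entity classifiers.

```python
import hashlib
import re

# Constructed detection rules; a production gateway would use trained entity
# classifiers. Each rule: (placeholder label, category, pattern).
RULES = [
    ("SECRET", "Secret", re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")),
    ("CARD", "PII", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("EMAIL", "PII", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]
TOKEN = re.compile(r"\[[A-Z]+_\d{2}\]")


def luhn_ok(candidate: str) -> bool:
    """Checksum test so order numbers and similar digit runs are not masked as cards."""
    digits = [int(c) for c in candidate if c.isdigit()][::-1]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))
    return total % 10 == 0


def redact(prompt: str):
    """Return (outbound text, token vault kept inside the perimeter, audit record)."""
    vault, seen, withheld = {}, {}, []
    for label, category, pattern in RULES:
        def swap(match, label=label, category=category):
            value = match.group(0)
            if label == "CARD" and not luhn_ok(value):
                return value  # fails the checksum: leave untouched
            if value not in seen:  # the same value always maps to the same token
                n = sum(1 for t in vault if t.startswith(f"[{label}_")) + 1
                seen[value] = f"[{label}_{n:02d}]"
                vault[seen[value]] = value
                withheld.append({"token": seen[value], "category": category})
            return seen[value]
        prompt = pattern.sub(swap, prompt)
    audit = {"sent_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
             "withheld": withheld}  # the log never stores raw values
    return prompt, vault, audit


def rehydrate(response: str, vault: dict) -> str:
    """Restore only tokens this request issued; unknown placeholders stay as-is."""
    return TOKEN.sub(lambda m: vault.get(m.group(0), m.group(0)), response)
```

The vault stays inside the perimeter and is scoped to one request, so a placeholder the provider invents or replays from another request is never expanded into real data.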

The defensible position is the chokepoint. Whoever owns the inline layer where every AI request is inspected, redacted, and logged owns the enterprise's AI security posture.
What we are underwriting

05

Company of interest: Hardshell

Hardshell is the company we hold highest conviction in against this thesis. It builds the robust interception and redaction layer the gateway argument calls for - a hardened perimeter for enterprise AI traffic rather than another policy dashboard.

Hardshell

Interception & redaction layer

The thesis-fit is direct: Hardshell occupies the inline chokepoint where the visibility and data-control gaps both close. It sees every request and can act on every request, which is the combination a policy-only tool can never offer.

Why it fits the thesis

  1. Inline interception

    Terminates AI traffic at the boundary as a transparent proxy, so every request is inspected before it leaves - no application changes required.

  2. Entity-aware redaction

    Detects IP, PII, and secrets in real time and masks, tokenizes, or blocks per policy, with reversible placeholders that preserve answer quality.

  3. Write-integrity audit

    Keeps a provable, per-request log of what was sent and what was withheld - the audit trail that turns AI usage from a liability into a governed flow.

The risk is the risk of any chokepoint: it must be fast enough to sit inline without taxing latency, accurate enough that redaction does not break the work, and trusted enough to be handed the keys to every request. Clear those bars and the position is durable - the enterprise does not casually re-architect the layer that every AI call already flows through.

06

The local frontier

The gateway controls the boundary. The secondary frontier removes it. As open-weight models close the quality gap, the most sensitive inference can move onto local and on-device hardware - private VPCs, dedicated GPUs, even the endpoint itself - so the data never transits a third party in the first place.

Capable open weights

Llama 3- and Mistral-class models now handle a large share of enterprise tasks at quality, removing the reason to reach for an external API by default.

Inference in the VPC

Hosting the model inside the enterprise's own private network keeps prompts and outputs entirely within a controlled boundary the security team owns.

No third-party transit

When inference is local, there is no outbound request to redact - the data-transit risk the gateway manages is designed out rather than mitigated.

Gateway now, local next

These are complements, not rivals. The redaction gateway is the control for the world as it is, where most capable models live behind a third-party API. On-device inference is the control for the world as it is becoming, where the highest-sensitivity workloads run on private infrastructure. A mature program runs both: redact what must leave, localize what must never go.

The endgame is not a better filter on the wire. It is a perimeter the sensitive data never has to cross.
Where the thesis points

Research posture

We would track the interception layer as the near-term enforcement point and on-device inference as the structural endgame, with Hardshell as the lead example of the former. The governance debt is already on the books at most enterprises. The companies that let them pay it down without slowing adoption are the ones worth knowing early.