
AI your security review board will actually approve.
Zirah protects enterprise AI by sanitizing prompts and enforcing document-level permissions within secure hardware, enabling sensitive data use without compromising privacy or security.
Enterprise AI security is two problems, not one.
Your employees are sending data out to public AI. Your business units are trying to build AI over data staying in. Different threats, different controls. Most vendors solve one and gesture at the other.
The model is not the risk. The retrieval layer is. Most vendors never look there.
Your AI projects are stuck in security review.
Your business units want internal copilots over board strategy, patient records, legal drafts, and financial models. The security review board keeps blocking deployment. The standard cloud AI stack cannot prove the cloud provider is excluded from the data path. Document permissions do not survive the move into a vector database. And the audit trail a regulator will accept does not exist.
Data is leaving with every prompt.
Your employees are pasting customer records, financial projections, patient notes, source code, and M&A materials into ChatGPT, Claude, and Gemini. Your DLP stack was not designed for prompt content. Your BAA with Microsoft does not extend to OpenAI's consumer product. Your SOC has no visibility, and your auditor has no evidence.
The problem is not that employees use AI. The problem is that you cannot see, sanitize, or prove what they sent.


Two products. One NLP engine. One audit pipeline. One policy language.
Zirah Gateway faces outward. Zirah Sovereign RAG Shield faces inward. They share the entity detection models, the compliance logging, and the policy definitions. They deploy independently. Deploy one. Deploy both. Both feed the same SIEM.

Zirah Gateway
One-line: The outbound forward proxy. Redacts, forwards, rehydrates.
Intercepts API calls to OpenAI, Anthropic, and Gemini. Tokenizes PII, PHI, PCI, and custom terms using format-preserving, semantically-linked redaction. Receives the LLM response, rehydrates the tokens, returns the answer. Deploys inside your VPC via Docker Compose, Helm, or Terraform. Logs every transaction to your SIEM in CEF, JSON, or webhook — HMAC-signed.
Three specs:
< 150ms proxy overhead
< 1 hour to deploy
3 log formats
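The redact, forward, rehydrate cycle and an HMAC-signed audit record, sketched as an added Python example (not Zirah's code). The regexes, the token scheme, the record fields and the names `Redactor`, `signed_audit_record` and `verify_audit_record` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

class Redactor:
    """Per-request token vault; the token-to-value map stays inside the proxy."""

    def __init__(self):
        self.vault = {}      # token -> original value
        self.by_value = {}   # original value -> token (same entity, same token)

    def _token(self, value, kind):
        if value not in self.by_value:
            n = len(self.vault) + 1
            # Constructed stand-ins that keep the original's shape.
            token = f"user{n}@redacted.invalid" if kind == "email" else f"000-00-{n:04d}"
            self.by_value[value] = token
            self.vault[token] = value
        return self.by_value[value]

    def redact(self, prompt):
        prompt = EMAIL.sub(lambda m: self._token(m.group(), "email"), prompt)
        return SSN.sub(lambda m: self._token(m.group(), "ssn"), prompt)

    def rehydrate(self, response):
        for token, value in self.vault.items():
            response = response.replace(token, value)
        return response

def signed_audit_record(key, redacted_prompt, entity_count):
    """Log a hash of the redacted prompt, never the raw values, and sign it."""
    body = json.dumps({
        "prompt_sha256": hashlib.sha256(redacted_prompt.encode()).hexdigest(),
        "entities_redacted": entity_count,
    }, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": sig}

def verify_audit_record(key, record):
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])
```

Because repeated values map to the same token, the upstream model can still tell that two mentions refer to one entity, and the SIEM can recompute the HMAC to detect an edited record.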

Zirah Sovereign RAG Shield
One-line: The inbound enclave. Permission-scoped retrieval, attested inference.
Runs your RAG pipeline inside an AMD SEV-SNP confidential VM. Enforces document-level permissions at the vector retrieval layer — before any chunk enters the LLM's context. Uses out-of-band citation architecture, so the model cannot reveal filenames of documents the user is not authorized to see. Produces cryptographically verifiable audit evidence. Plug-and-play with open-source models, vector databases, and orchestration frameworks.
Three specs:
AMD SEV-SNP attestation
Pre-filter at retrieval layer
Out-of-band citations
Trust verified, not granted.
Four architectural commitments. Each one backed by hardware, cryptography, or auditable code. Not by our good intentions.

Cryptographic guarantees, not contractual promises.
A BAA is a promise that your cloud provider will not look at your data. A Trusted Execution Environment is a guarantee that they cannot. Zirah's Sovereign RAG pipeline runs inside an AMD SEV-SNP confidential VM. Memory is hardware-encrypted with keys that exist only inside the silicon. Every piece of software loaded into the enclave is cryptographically measured at boot, and the attestation quote is independently verifiable against AMD's public root certificates.
Proof line: AMD SEV-SNP · independently verifiable quote chain · runtime payload hashing · customer-supplied verification keys

Your permissions follow your data into the model.
SharePoint RBAC blocks Carol from opening board_strategy.pdf. It does not block the vector index from chunking that document and surfacing its content to her RAG query through semantic similarity. This is the Ghost Key problem: unauthorized content reaching the model not because permissions were ignored, but because the retrieval layer never checked them. Zirah enforces identity-scoped access at the vector retrieval layer, before any chunk enters the LLM's context window.
Proof line: Pre-filter against Entra ID · webhook-driven cache invalidation · 30-second propagation · out-of-band citation architecture

Bring your own AI. We attest the boundary around it.
Zirah attests the security orchestration code — the pre-filter pipeline, the citation architecture, the audit logging, the output validation. The AI payload is yours. Open-source models (Llama, Mistral, Phi, or your fine-tune). Open vector databases (Weaviate, Qdrant, Milvus). Standard orchestration (LangChain, LlamaIndex, or your own). The hardware hashes the loaded payload and binds that hash to the audit record — proving the exact model you audited is what is running in memory.
Proof line: No model lock-in · no vector DB lock-in · runtime payload measurement · cross-cloud TEE abstraction

Evidence your regulator will accept.
Every interaction produces tamper-evident, SIEM-compatible audit artifacts — HMAC-signed JSON, CEF over Syslog, and webhook. A pre-built Splunk dashboard ships with the product. Logs carry cryptographic integrity signatures, not just timestamps. When a GDPR supervisory authority, a HIPAA auditor, or an ISO 42001 assessor asks for demonstrated technical controls, the evidence already exists — generated as a byproduct of normal operation, not bolted on after the fact.
The vulnerability that every RAG copilot has. Most vendors never name it.
When an enterprise deploys an internal AI copilot over SharePoint, the ingestion pipeline chunks every document into small pieces stored as vectors. The document-level permissions that protected the file in SharePoint do not automatically propagate to those vectors. When a user queries the copilot, the semantic similarity search returns the most relevant chunks regardless of who had access to the source document — and by the time an application-layer filter runs, unauthorized content has already reached the model's context window.
This is the Ghost Key problem. The permissions look correct. The RBAC is in place. SharePoint blocks unauthorized access perfectly. And yet the AI copilot can produce answers that synthesize restricted content — because the enforcement happens at the wrong layer.
Zirah — unauthorized content never retrieved
USER QUERY + ENTRA ID GROUP MEMBERSHIPS: runs before search
VECTOR SEARCH: only authorized chunks retrieved
LLM CONTEXT: [Source 1] [Source 2] — no filenames
RESPONSE: cannot reference unauthorized content

Standard RAG — unauthorized content reaches the model
USER QUERY
SEMANTIC VECTOR SEARCH: no permission check
RETRIEVED CHUNKS: board_strategy.pdf · patient_records.xlsx · M&A_draft.docx
LLM CONTEXT: restricted content visible to model
APPLICATION-LAYER FILTER: too late — model has seen the data
RESPONSE: may synthesize restricted content
The model is not the leak.
The retrieval layer is.
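The two flows above, side by side, as an added Python example (not Zirah's code). Carol and board_strategy.pdf come from the page; the other filenames, the group names, the three-dimensional "embeddings" and all function names are constructed for illustration.

```python
import math

# Constructed corpus: every chunk carries the ACL of its source document.
# Group names and 3-d "embeddings" are invented for this example.
CHUNKS = [
    {"id": "c1", "source": "board_strategy.pdf", "groups": {"board"},
     "vec": [0.9, 0.1, 0.0]},
    {"id": "c2", "source": "hr_handbook.pdf", "groups": {"all-staff"},
     "vec": [0.1, 0.9, 0.0]},
    {"id": "c3", "source": "press_release.docx", "groups": {"all-staff"},
     "vec": [0.7, 0.3, 0.1]},
]

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm

def top_k(query_vec, chunks, k):
    ranked = sorted(chunks, key=lambda c: cosine(query_vec, c["vec"]), reverse=True)
    return ranked[:k]

def post_filter_rag(query_vec, user_groups, k=2):
    """Standard flow: search the whole index, filter the results afterwards."""
    retrieved = top_k(query_vec, CHUNKS, k)
    model_context = [c["id"] for c in retrieved]   # already in the prompt
    displayed = [c["id"] for c in retrieved if c["groups"] & user_groups]
    return model_context, displayed

def pre_filter_rag(query_vec, user_groups, k=2):
    """Pre-filter flow: scope candidates by group membership, then search."""
    candidates = [c for c in CHUNKS if c["groups"] & user_groups]
    retrieved = top_k(query_vec, candidates, k)
    model_context = [c["id"] for c in retrieved]
    # Out-of-band citations: the prompt carries only opaque labels; the
    # label-to-filename map is kept outside the model's context.
    citations = {f"[Source {i + 1}]": c["source"] for i, c in enumerate(retrieved)}
    return model_context, citations

if __name__ == "__main__":
    carol_groups = {"all-staff"}       # Carol is not in "board"
    strategy_query = [1.0, 0.0, 0.0]   # constructed query embedding
    print("post-filter:", post_filter_rag(strategy_query, carol_groups))
    print("pre-filter: ", pre_filter_rag(strategy_query, carol_groups))
```

In the post-filter flow the board chunk `c1` is in the model's context even though it is hidden from the displayed sources; in the pre-filter flow it is never a search candidate.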

Zirah is built for a specific kind of buyer.
If the following describes your organization, we should talk. If it does not, we probably are not the right fit — and we would rather tell you that before a procurement cycle than after.

You are a CISO, VP of Security, or Head of Security Engineering at an enterprise in a regulated industry — healthcare, financial services, legal, pharma, energy, defense-adjacent. You have at least 2,000 employees. You run multi-cloud or multi-region. Your compliance obligations include at least one of: GDPR, HIPAA, PCI-DSS, EU AI Act, DORA, or FedRAMP.
You have AI projects stuck in security review. Or you have evidence of shadow AI usage and no mechanism to see, sanitize, or log it. Your board is asking for an AI strategy and your review board is blocking one.
You are a mid-market or small business with under 1,000 employees, primarily in non-regulated sectors. Your AI use cases are low-sensitivity — internal knowledge base search, customer support drafts, public document summarization. You are single-cloud, fully committed to Microsoft's ecosystem, and comfortable with Microsoft as both your platform and your security boundary.
For your use case, Microsoft Purview, native Copilot governance, and the standard Azure BAA may be sufficient. Zirah's architecture adds a layer you do not yet need. Bookmark us.
Runs in your VPC. Inherits your controls.
Does not phone home.

Customer Hosted By Design
The Gateway deploys inside your Azure VNet, AWS VPC, or on-premises Kubernetes cluster. The Sovereign RAG Shield deploys inside your Azure Confidential VM. Zirah never hosts customer traffic. No SaaS proxy. Your SIEM, your network policies, your operational controls — all apply.

Verified By You, Not By Us
Every deployment ships with zirah verify — a script that confirms the proxy is intercepting target endpoints, Syslog is......

Under One Hour To Deploy
Where we are, honestly.
Zirah is early-stage. Three engineers. A 90-day plan to a working design-partner demo. No customer logos on this page because we do not yet have customers we can name. SOC 2 Type II observation window is active; we expect Type I in the next audit cycle. ISO 27001 runs in parallel.
What we have: a working architecture, documented and pressure-tested. A deployment model that inherits your controls rather than extending a vendor's attack surface. An engineering team that has published a red team methodology covering 18+ attack vectors, with zero Critical or High findings unresolved. A commercial model that does not require you to trust us — it requires you to verify.
If you are the kind of buyer who needs Gartner validation before engaging, we are too early. If you are the kind of buyer who can evaluate an architecture on its merits and run your own security review against it, we would welcome the conversation.
Book A Security Briefing.
A 45-minute technical conversation with a Zirah engineer. No pitch deck. No pricing discussion. We walk the architecture, answer your questions, and run the split-screen demo if that is useful. If it is not a fit, we will say so in the first ten minutes and give you your time back.
