Tether's security model assumes adversarial conditions — including developers who want to work around controls. Every layer is designed with that assumption in mind.
When the enforcement agent cannot verify a current policy — due to network unavailability, policy expiry, or integrity failure — it defaults to blocking AI egress. An agent that fails open is not a control. Tether never fails open.
Policy is only applied after cryptographic verification of its integrity and origin. A policy that hasn't been verified is treated the same as no policy — the agent blocks until it can confirm it's enforcing an authentic, current rule set.
Rules and intent classification both run on the developer machine. The raw content of an AI request is never transmitted to a third-party analysis platform for evaluation. When the on-device judge isn't confident and escalates to the cloud judge, the payload is redacted first — and in air-gap mode the cloud judge is unreachable, so every decision stays local.
Tether does not rely on a single control. The controlled IDE, the system-wide intercept, the cryptographic policy verification, the deterministic rule layer, the on-device intent judge, and the cloud judge escalation are independent layers — each capable of catching what the others miss.
Pattern-matching has a known failure mode against a generative input surface: it misses what it wasn't told to look for, and it over-fires on things that share surface features with risk but carry none of the substance. The reasoning layer in Tether exists to close that gap on the AI-usage axis specifically.
Cryptographically signed, versioned, fast. Credential signatures, blocked destinations, allowlisted domains, hard policy floors. Rules are how Tether handles the cases where there is no ambiguity to reason about — and how the system stays predictable in incident review.
A local model evaluates the request body — payload, destination, application context, recent history — and classifies what the developer appears to be trying to do. Output is a classification (e.g. code-review-with-secret-exposure, public-reference-lookup, internal-context-extraction) plus a confidence score. Payload never leaves the machine.
When the on-device judge isn't confident, a redacted version of the request is sent to a larger cloud-side model for a second opinion. Configurable per tenant. Off entirely in air-gap mode — the on-device judge then handles every decision under your configured fail-safe policy.
Intent classifications don't decide the response by themselves — your policy does. Each classification is mapped to one of the six enforcement modes (Allow / Warn / Coach / Request / Watermark / Block). The judge tells you what's happening. Your policy decides what to do about it.
We're direct about the trade-offs. Reasoning models are probabilistic; rules are not. That's why both layers exist — and why rule decisions are always logged separately from judge decisions in the audit trail. You can see at any point which control fired, why, and what the response was.
Honest security posture requires a clear threat model. Tether is purpose-built for a specific set of risks — and we're direct about its scope.
Developers unknowingly pasting proprietary code, credentials, or PII into AI completions or chat interfaces. Tether intercepts and evaluates before transmission.
Covered: System-wide intercept catches this regardless of which application generates the request.
Developers installing browser extensions, desktop apps, or CLI utilities that make AI API calls outside the approved toolchain.
Covered: System-wide intercept operates below the application layer — it sees all HTTPS egress, not just IDE traffic.
A developer attempting to modify, downgrade, or disable the policy running on their machine.
Covered: Cryptographic policy verification means the agent will only apply policy it can authenticate. Modified policy is rejected.
Inability to demonstrate technical controls over AI usage to auditors, regulators, or enterprise customers.
Covered: Immutable audit log captures every decision with timestamp, risk classification, and full context.
Agent-to-agent AI calls made from cloud infrastructure, CI/CD pipelines, or server-side processes — not developer endpoints.
Out of Scope: Tether is an endpoint product. Server-side AI governance requires a complementary solution.
AI tools accessed entirely within the browser without making direct API calls — for example, using ChatGPT via web browser without any local component.
Partial: Browser-based access can be addressed through complementary network controls or policy.
A developer with physical access to the machine and significant technical capability who is specifically motivated to circumvent controls.
Partial: Tether raises the cost of bypass significantly but is not designed as a deterrent against a highly motivated, technically sophisticated insider.
Policy distribution is a potential attack surface. Tether is designed so that a compromised distribution channel cannot result in a weakened or malicious policy being applied.
Policy is not distributed as plain configuration. Before distribution, the admin console produces a cryptographically signed package that the enforcement agent verifies before applying. A policy that fails verification is discarded — the agent continues enforcing the last verified policy or, if none is available, blocks egress entirely.
Each policy bundle carries a version counter that agents track. Agents reject any policy bundle with a counter value lower than or equal to the current applied version. This prevents an attacker who has obtained an older, less restrictive policy from replaying it to a developer machine.
When an agent loses connectivity to the policy distribution server, it continues enforcing the last verified policy for a configurable grace period. After the grace period expires without a successful policy refresh, the agent moves to a restrictive fallback posture. The last-known-good policy is cached to disk so the agent doesn't need to fetch on every startup.
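The verify-then-apply flow described above (integrity check, version counter, grace period, fail-closed default), as an added example that is not Tether's code. HMAC-SHA256 stands in for the signature scheme, which the page does not name, and the key, class, method and posture names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in so the example runs on the
# standard library; an asymmetric signature keeps signing keys off the endpoint.
DEMO_KEY = b"constructed-demo-key"


def sign_bundle(version, rules, key=DEMO_KEY):
    """Admin-console side: serialize canonically and attach an integrity tag."""
    body = json.dumps({"version": version, "rules": rules}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class Agent:
    def __init__(self, key=DEMO_KEY, grace_seconds=3600):
        self.key = key
        self.grace_seconds = grace_seconds
        self.policy = None        # last verified policy (None = never verified)
        self.version = 0          # highest version counter applied so far
        self.last_refresh = None  # time of the last successful verification

    def offer(self, bundle, now):
        """Verify first, then apply. Returns why a bundle was applied or discarded."""
        expected = hmac.new(self.key, bundle["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, bundle["tag"]):
            return "discarded: verification failed"
        policy = json.loads(bundle["body"])  # parsed only after verification
        if policy["version"] <= self.version:
            return "discarded: version counter not newer"  # blocks replay of old bundles
        # Simplification: only a newly applied bundle resets the grace timer.
        self.policy, self.version, self.last_refresh = policy, policy["version"], now
        return "applied"

    def posture(self, now):
        """What the agent enforces at time `now` (posture labels are hypothetical)."""
        if self.policy is None:
            return "block-egress"          # nothing verified yet: fail closed
        if now - self.last_refresh > self.grace_seconds:
            return "restrictive-fallback"  # grace period expired without refresh
        return "enforce-v%d" % self.version
```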
Tether's audit trail and policy controls are designed to provide evidence relevant to leading security frameworks. Tether Connect is not itself SOC 2 or ISO 27001 certified — your organization's certification program will assess controls in your full environment.
Tether produces evidence relevant to Common Criteria and Availability principles. Controls apply within the developer endpoint scope.
Policy controls and audit trail produce evidence relevant to multiple Annex A control domains. Scope limited to developer endpoint activities.
Designed to support emerging AI governance requirements. The regulatory landscape is evolving — consult your legal and compliance team for applicability.
CISA's Zero Trust Maturity Model 2.0 is a framework — not a certification — for measuring how far your organization has moved from perimeter-based to zero-trust security across five pillars. Tether covers the AI-usage slice: the Data, Applications & Workloads, and Devices pillars where developer AI flows live. Use the mapping below in your ZTMM self-assessment.
SCIM provisioning, continuous user re-authorization, IdP risk-signal ingestion. Pair with your existing Okta / Entra deployment for those.
Hardware attestation (TPM-bound identity), native EDR integration (CrowdStrike, Defender for Endpoint). Surface device posture to your EDR or IdP via the audit feed.
Network-layer micro-segmentation, ZTNA tunneling. Tether is endpoint-side by design — pair with your Cloudflare Zero Trust / Zscaler / Netskope stack for the network half.
Workload identity for east-west service traffic, application discovery beyond AI. Tether's app scope is AI-usage specifically.
Native data classification taxonomy (tags), integration with enterprise DLP (Microsoft Purview, Symantec). Use Tether's classifications as upstream input to your existing DLP.
Stage · Advanced — per-decision audit with risk classification, fleet posture in real time, evidence-ready exports.
Stage · Initial — policy distribution and rollback are automated; SIEM, SOAR, and webhook integrations are on the roadmap.
Stage · Advanced — cryptographically signed policy, full version history, multi-tenant separation, fail-closed defaults.
We'll walk through the architecture in detail and answer questions about your specific threat model and compliance requirements.