JANUS: because "we saw it happen" doesn't fix anything
A control layer between your team and any AI on the internet — it anonymizes or blocks sensitive data before it leaves the organization. Sits at the threshold, decides in real time, runs on the client's infrastructure.
It was around 7 p.m. on a Friday. An engineer was chasing down a database error that had appeared the day before — one he’d never seen. To move faster, he pasted the whole error text into a chatbot. Straight Ctrl-C / Ctrl-V. The connection string was in there. And, somewhere in the middle, the email of a real customer.
No bad intent. Nothing stolen. He just wanted to finish and go home. But in that second, the data left: it crossed the internet, landed on a vendor’s infrastructure in another jurisdiction, was perhaps retained, perhaps folded into a training set. Nobody can say for sure.
The next day, if the organization had a good visibility tool, someone could see in the logs that it had happened. And then what? The data was already gone. You can’t un-send an email. You can’t recall an API secret once it’s out the door.
That’s the problem we built JANUS to solve.
The industry solved “seeing.” Not “stopping.”
To be fair: visibility is a real step. Good platforms show you which AI accounts exist across the organization, who has access, what projects are running, how it all connects. Useful for audits, indispensable in an investigation.
But visibility answers a question written in the past tense: what happened? And in the case of a data leak to a language model, “what happened” is already irreversible the moment it shows up in the log. OWASP has moved sensitive information disclosure to LLM02 in its 2025 Top 10 for LLM applications, precisely because the pattern is so human and so common: someone pastes more than they should in order to get a better answer.
We like a simple comparison. A visibility tool is the security camera at the entrance: it shows you, after the fact, who came in and what they took. JANUS is the lock. One doesn’t replace the other — but a security camera has never, on its own, stopped a theft in progress.
We wanted the lock.
What JANUS does, briefly
JANUS is a layer that sits between the user and any AI on the internet — we don’t care whether Claude, Gemini, ChatGPT, Copilot, or a model that shipped last week is behind it. Every request passes through it before leaving the organization. It reads the request in real time, sees whether personal or sensitive data is leaving, and only then decides what happens.
And — because we’re CAI — the inspection itself runs on your infrastructure, in the EU. The filter that protects your data does not, itself, take your data out of the perimeter to analyze it. Sovereignty by architecture, not by addendum.
From there, you choose how it reacts. There are two modes.
Mode 1 — Anonymize and let the work happen
When JANUS finds sensitive data in a prompt, it replaces it with substitutes before the request leaves. Names, national IDs, contact details, technical secrets, confidential business information — all masked. The model on the other end gets a perfectly useful question but never sees the real data. On the way back, JANUS can restore the real values in the response, so the person never feels the friction.
This is the painless path. The Friday-evening engineer pastes his error, gets his answer, closes the bug — and the connection string simply never left the building. For a DPO, this is data minimization applied at the source, for real, not promised in an appendix.
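The masking and restoring described in Mode 1, sketched as an added example (this is not JANUS code; the `Masker` class, the two regex detectors, the token format and the sample prompt are assumptions made for illustration):

```python
import re
import secrets

# Constructed detectors for the two data kinds in the story. Order matters:
# the connection string goes first so EMAIL cannot match "password@host".
DETECTORS = [
    ("CONNSTR", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:[^\s@]+@\S+")),
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
]


class Masker:
    """Per-request reversible masking; the mapping stays on the gateway."""

    def __init__(self):
        self.nonce = secrets.token_hex(3)  # keeps tokens from colliding with prompt text
        self.forward = {}                  # real value -> placeholder
        self.reverse = {}                  # placeholder -> real value

    def _token(self, label, value):
        # Same value, same token: the model can still tell repeats from new values.
        if value not in self.forward:
            n = sum(t.startswith(f"<{label}_") for t in self.reverse) + 1
            token = f"<{label}_{n}_{self.nonce}>"
            self.forward[value] = token
            self.reverse[token] = value
        return self.forward[value]

    def mask(self, prompt):
        for label, pattern in DETECTORS:
            prompt = pattern.sub(lambda m, l=label: self._token(l, m.group(0)), prompt)
        return prompt

    def restore(self, response):
        # Only exact tokens issued for this request are swapped back.
        for token, value in self.reverse.items():
            response = response.replace(token, value)
        return response


# Constructed sample: an error message like the one pasted in the story.
PROMPT = ("psycopg2.OperationalError: could not connect using "
          "postgresql://app:s3cr3t@db01.corp.example:5432/orders while loading "
          "ana.pop@customer.example (retry for ana.pop@customer.example failed)")

if __name__ == "__main__":
    m = Masker()
    print(m.mask(PROMPT))
    print(m.restore(f"Check that <EMAIL_1_{m.nonce}> exists in the orders table."))
```

The per-request nonce means a placeholder-looking string that was already in the prompt, or one the model invents, is never swapped for a real value on the way back.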
Mode 2 — Block
For categories of data that aren’t allowed to leave, period, JANUS stops the request. And here too we left the decision to you, because an organization isn’t a single kind of risk. There are three policies:
a) Block and explain. The request is stopped, and the person gets a clear message: what triggered the stop, and why. No bare “Error 403.” The user understands the rule — and, over time, learns what not to send. The best firewall is still a person who understood why the rule exists.
b) Warn and let them decide. The request is stopped, the person is warned of the risk — but if they explicitly take responsibility, they can proceed. The acknowledgment is logged. We recognize a truth that rigid policies ignore: sometimes the person genuinely has a legitimate reason, and a conscious, auditable decision beats a blind block they’d circumvent anyway by pasting the prompt on their personal phone.
c) Block and escalate. The request is stopped, the user is blocked, and the responsible person — manager, security, DPO — is notified automatically. This is the mode for what’s truly critical, where a human in the loop is part of the policy, not an exception.
The key point: policies apply selectively. An API secret can be hard-blocked (c) while a customer’s name is merely anonymized (Mode 1), at the same company, at the same time.
The hard part is detection. That’s where our research goes.
A protection layer is worth exactly as much as its detection engine — the rest is plumbing. That’s where we put the effort, and where the necessary honesty lives too.
The whole challenge is a balance. If the engine misses sensitive data, the protection is just a comforting illusion. If it blocks innocent things too often, people route around it — and then the problem doesn’t disappear, it just goes invisible. (Anyone who has tried to enforce a too-strict DLP rule in a developer team knows this one.)
Our research targets exactly this balance. We’re in pilot and measuring continuously. We will publish recall, false-positive rate and p95 latency as fixed numbers once we exit pilot — not before. This article isn’t trying to lean on marketing numbers; it leans on principles you can verify yourselves, on your data.
What we can say about direction, without numbers: a national ID, an IBAN or an API key is caught by deterministic rules. The hard part is sensitive information with no fixed format — a commercial strategy buried in a paragraph, a vulnerability described in plain words, a patient’s name lost mid-sentence. For that we combine deterministic scanning with context-aware classifiers run locally. The combination is what makes the difference on unstructured text.
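A deterministic rule for one of the fixed-format types named above, as an added example (not JANUS's detection engine; function names and the sample text are assumptions). It pairs a shape regex with the ISO 13616 mod-97 checksum, so a string that merely looks like an IBAN is not flagged:

```python
import re

# Candidate shape: country code, two check digits, then 11-30 alphanumerics,
# optionally printed in space-separated groups of four.
CANDIDATE = re.compile(
    r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")


def iban_checksum_ok(candidate: str) -> bool:
    """ISO 13616 mod-97 check: rotate the first four characters to the end,
    map A..Z to 10..35, and the resulting integer must equal 1 mod 97."""
    s = candidate.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not (s.isascii() and s.isalnum()):
        return False
    rotated = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rotated)
    return int(digits) % 97 == 1


def find_ibans(text: str):
    """Return (match, verdict) pairs so the filtered-out look-alikes stay visible."""
    return [(m.group(0), iban_checksum_ok(m.group(0)))
            for m in CANDIDATE.finditer(text)]


# Constructed sample: two well-known documentation IBANs and one look-alike
# identifier that has the right shape but fails the checksum.
SAMPLE = ("Please refund to GB82 WEST 1234 5698 7654 32 today. "
          "Artifact id GB82WEST12345698765433 failed the nightly build. "
          "Second account: DE89370400440532013000.")

if __name__ == "__main__":
    for value, ok in find_ibans(SAMPLE):
        print("IBAN   " if ok else "ignored", value)
```

The checksum step is what keeps the false-positive side of the balance in check for this data type: only about one random look-alike in 97 passes it.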
And because JANUS sits on the critical path of every request, it has to be nearly invisible in time. If it adds seconds, people feel it and look for shortcuts. That’s not a performance target — it’s an adoption target.
Who it’s actually for
For the security lead, JANUS moves the moment of decision out of the audit and back into the flow. Data no longer leaves “and then we’ll see” — it leaves only if policy allows, or it leaves masked. That covers the risk-management obligations under NIS2 (Article 21) at a point where most controls are absent today.
For the DPO, it’s technical proof, not intent: they can show that personal data does not leave the perimeter in identifiable form toward a processor outside the EU. That even changes the legal nature of the transfer — many GDPR obligations simply don’t trigger if identifiable data never left. Layer that over the EU AI Act transparency obligations and the NIST AI Risk Management Framework, and you have a control that aligns naturally with NIS2 and DORA.
For the person on the team, most importantly: they can keep using AI without becoming the compliance decision point themselves. They get a clear answer when something is stopped, not a vague ban on all AI — a ban that would have been circumvented by lunchtime anyway.
JANUS and AEGIS, together
In the CAI stack, the two complement each other naturally. AEGIS sees and understands — observability, detection, incident narrative. JANUS decides what is allowed to happen, the instant it happens. Visibility without enforcement is a camera with no lock. Enforcement without visibility is a lock with no log. You want both.
Where we are now
JANUS isn’t a slide. It’s already running in pilot with us, doing its job — catching, masking, and stopping exactly what it should, on real traffic. We’re opening access to a few organizations that adopted AI faster than they managed to govern it. Almost all of them did.
If that sounds like you, write to us for a pilot. We’ll show you on your data, not ours.