§ Plain-English Field Guide · 2-minute read

Envelopes, not letters: seeing AI use without reading your data

You share destination addresses, never the contents. Why that's both trustworthy and private.

By Lindsay Hiebert · Founder · CISSP

Here’s the question that stops people: if SanctumShield can help spot AI you didn’t tell it about, is it reading your data? No. And the difference is everything.

First, the part people get wrong: SanctumShield doesn’t watch your network. It has no connection to your systems. What it can check is a list you export and share — the outside destinations your computers connected to, pulled from your own firewall, proxy, or DNS logs.

Now the mail. Every envelope has an address on the outside and a letter on the inside. SanctumShield reads the address — “this went to a known AI service” — and never opens the envelope. Or think of an itemized phone bill: it shows you called a number, when, and for how long. It does not record the conversation. SanctumShield reads the bill, not the call.

Modern traffic is scrambled as it travels, so the destination is usually all that’s visible anyway. You decide exactly what to share; only the destination hostnames you paste are ever sent. (A client-side connector that keeps even that list on your side is on the roadmap.) That’s what makes the result both trustworthy and private: it can surface the AI you forgot to mention without anyone opening the letter to do it.
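One way to build that hostname list on your own machine before sharing anything is sketched below. This is an added example, not SanctumShield's code, and it assumes Squid-style proxy lines and dnsmasq-style DNS lines. The sample log and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (not real logs): two Squid-style proxy lines for the same
# HTTPS destination, one plain-HTTP proxy line, and one dnsmasq-style DNS line.
SAMPLE_LOG = """\
1718000000.123 88 10.0.0.15 TCP_MISS/200 512 GET http://Example.com/reports/q2.pdf?user=alice alice HIER_DIRECT/203.0.113.10 application/pdf
1718000001.456 140 10.0.0.22 TCP_TUNNEL/200 4096 CONNECT api.openai.com:443 bob HIER_DIRECT/198.51.100.7 -
Jun 10 06:13:22 dnsmasq[412]: query[A] claude.ai from 10.0.0.15
1718000002.789 95 10.0.0.22 TCP_TUNNEL/200 2048 CONNECT API.OpenAI.com:443 bob HIER_DIRECT/198.51.100.7 -
"""

# A DNS name: dot-separated labels ending in an alphabetic TLD (bare IPs fail).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
DNS_QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s")


def hostname_from_line(line):
    """Return only the destination hostname from one log line, else None."""
    match = DNS_QUERY_RE.search(line)
    if match:                                  # DNS log: the queried name
        candidate = match.group(1)
    else:                                      # proxy log: method + target
        fields = line.split()
        if len(fields) < 7:
            return None
        method, target = fields[5], fields[6]
        if method == "CONNECT":                # HTTPS tunnel: host:port only
            candidate = target.rsplit(":", 1)[0]
        else:                                  # plain HTTP: drop path and query
            candidate = urlsplit(target).hostname or ""
    candidate = candidate.rstrip(".").lower()
    return candidate if HOST_RE.match(candidate) else None


def hostnames_to_share(log_text):
    """De-duplicated, sorted hostnames: no paths, users, client IPs or times."""
    hosts = {hostname_from_line(line) for line in log_text.splitlines()}
    hosts.discard(None)
    return sorted(hosts)


if __name__ == "__main__":
    print("\n".join(hostnames_to_share(SAMPLE_LOG)))
```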

You answer plain questions. SanctumShield turns them into proof you can show.
