§ FAQ

Direct answers, no sales scripts.

Common questions about pricing, compliance, deployment, and how SanctumShield compares to other shadow AI tools. Each answer is written so an auditor or board member can read it once without asking a follow-up.

Q01

What is SanctumShield?

SanctumShield is an AI governance platform for mid-market organizations of 50–2,000 employees. It generates a regulation-anchored AI Acceptable Use Policy and an Executive Risk Report from a guided security assessment (5–10 minutes of questions about your industry, frameworks, AI tools, and optional network log paste). The AI synthesis step then renders the deliverables in under 30 seconds. The free Shadow AI Risk Calculator runs without an account; the full platform is $99/month, month-to-month, cancellable anytime.

Q02

What is shadow AI?

Shadow AI is any generative AI tool that an employee uses in their work without the knowledge or approval of IT, security, or procurement. The phenomenon is defined by invisibility, not intent — employees are usually trying to be productive, not malicious. More than 80% of enterprise AI tools are unmanaged today, and roughly 59% of employees admit to hiding their AI usage from IT.

Q03

How is shadow AI different from shadow IT?

Shadow IT moved files — employees using Dropbox instead of SharePoint, Slack instead of email. Shadow AI moves reasoning, context, and proprietary intelligence to unmonitored external systems. An employee pasting a contract into ChatGPT exports the actual IP of the business, not just a document. The data exposure is structurally larger and the legal consequences are more severe.

Q04

Who founded SanctumShield?

SanctumShield was founded by Lindsay Hiebert, a CISSP-credentialed cybersecurity executive with 15+ years at Cisco Systems and 7+ years at Intel Corporation, where he led the Intel Network Builders program with 550+ partners. He currently also serves as Chief Marketing & AI Officer at Nybsys. Lindsay specializes in Agentic AI security governance, Agentic AI, end-to-end network security, shadow AI discovery, and regulation-anchored security policy. SanctumShield is operated by PIGENAI LLC, a Missouri limited liability company.

Read Lindsay's full bio →

Q05

How much does SanctumShield cost?

Two pricing tiers: the Shadow AI Risk Calculator is free with no account, no email, and no credit card required. The full platform — Executive Risk Report, AI Acceptable Use Policy, AI Tools Registry, network log analysis, and all seven compliance frameworks — is $99 per month, billed month-to-month and cancellable anytime. Business and Scale tiers are in active development.

Q06

Does SanctumShield install software on employee laptops?

No. SanctumShield is browser-based and requires no agent, extension, or endpoint installation. The Shield enforcement layer ingests firewall, proxy, or DNS exports that you upload directly. There is nothing to deploy, nothing to maintain, and no impact on user workstations or corporate device images.

Q07

What size company is SanctumShield built for?

SanctumShield is purpose-built for organizations of 50 to 2,000 employees — the segment underserved by enterprise tools like Palo Alto AI Access Security and Cisco AI Defense, and overserved by Big 4 consultancies. Smaller organizations can use the free Shadow AI Risk Calculator. Larger enterprises typically already have dedicated security teams and prefer enterprise procurement-style platforms.

Q08

Can a department inside a larger organization use SanctumShield?

Yes. Many large organizations — 2,000 employees and above — use SanctumShield at the department or line-of-business level: a 500-person clinical operations group inside a 12,000-person hospital system, a 300-person legal team inside a Fortune 500 financial services firm, or a 200-person engineering line of business inside a global manufacturing company. Each unit gets its own customized AI Acceptable Use Policy and Executive Risk Report scoped to its industry context, jurisdictions, and tool inventory — at the same $99/month price. This pattern works because most large organizations manage AI use semi-autonomously across business units. Central security teams cannot reasonably author a single AUP that covers every department's industry-specific obligations — a clinical operations group has HIPAA exposure a corporate engineering team does not; a legal team has privilege concerns marketing does not. Department-scoped artifacts produce more defensible governance than a one-size-fits-all corporate document.

Q09

Does SanctumShield support HIPAA compliance?

Yes. The generated AI Acceptable Use Policy maps to HIPAA §164.502(e) (business associate agreements with sub-processors) and §164.312 (technical safeguards for ePHI). The Executive Risk Report cites the specific clauses governing your AI use, not boilerplate. Healthcare organizations using SanctumShield receive HIPAA-anchored language that legal counsel can review without rewriting.

Q10

What firewall and proxy log formats does SanctumShield support?

SanctumShield accepts firewall, proxy, and DNS exports from major vendors via paste or CSV upload — including Palo Alto Networks, Fortinet, Cisco, Zscaler, Netskope, and Cloudflare. The Shield enforcement layer matches outbound traffic against a registry of 64 AI API endpoints (OpenAI, Anthropic, Google AI, Cohere, Mistral, and dozens more) to produce real hit counts rather than self-reported usage.

Q11

How long does it take to generate an AI Acceptable Use Policy?

Under 30 seconds for the AI synthesis step itself, after you've completed a 5–10 minute guided assessment. The wizard captures your industry, organization size, jurisdictions, applicable compliance frameworks, AI tools in use, and (optionally) a paste or upload of firewall, proxy, or DNS hostnames. The platform then synthesizes a ~3,500–4,500 word, 14-section AUP customized to those inputs. The output is downloadable as Microsoft Word, Markdown, plain text, or HTML for direct review by your legal counsel — no consultant engagement required.

Q12

How does SanctumShield compare to Palo Alto AI Access Security?

Palo Alto AI Access Security is built for the Global 2000, starts at approximately $80,000 per year, and requires a dedicated security team and weeks of deployment. SanctumShield is built for the mid-market (50–2,000 employees), starts at $99 per month, and is fully self-serve in under 10 minutes. The two are complementary at scale; for organizations under ~2,000 employees, SanctumShield is one of very few options — and likely the only one purpose-built for the mid-market segment.

Q13

How does SanctumShield compare to Cisco AI Defense?

Cisco AI Defense is a runtime agent governance product designed to protect AI agents enterprises deploy. SanctumShield is a discovery and policy product designed to surface unmanaged AI use that governance hasn't reached yet. The two are complementary: Cisco AI Defense protects agents you deployed; SanctumShield finds the shadow AI you didn't know existed.

Q14

What is the difference between SanctumShield and a SIG questionnaire?

SIG (Standardized Information Gathering) questionnaires are vendor self-attestations — point-in-time claims a vendor makes about their own controls, with no observation. SanctumShield uses observation over attestation: matching observed network traffic against a 64-domain AI endpoint registry. Evidence rather than promise. See the /beyond-sig page for a full structural comparison.
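To make the "observation over attestation" idea in Q10 and Q14 concrete, here is an added worked example of the matching step: it takes a pasted DNS or proxy export, normalizes each destination hostname, and counts hits against an AI endpoint registry. This is illustration code written for this page, not SanctumShield's own implementation. The five-entry registry and the log lines are constructed samples (the product's registry has 64 domains and is not reproduced here), and the column names the CSV parser looks for are assumptions, not a vendor format.

```python
"""Match DNS/proxy export lines against an AI endpoint registry (added example).

Not SanctumShield's code. The registry and log lines are constructed samples.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample registry: registry domain -> vendor label.
# A hostname matches if it equals the domain or is a subdomain of it.
AI_ENDPOINT_REGISTRY = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google AI",
    "api.cohere.com": "Cohere",
    "api.mistral.ai": "Mistral",
}

# Assumed header names for pasted CSV exports (not any vendor's fixed schema).
HOST_COLUMNS = ("dest_host", "dst_host", "host", "hostname", "url_host", "query", "domain")
CLIENT_COLUMNS = ("src_ip", "src", "client", "client_ip", "source")


def normalize_host(host):
    """Lower-case, drop a trailing DNS dot and any :port suffix."""
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def match_registry(host, registry=AI_ENDPOINT_REGISTRY):
    """Return the vendor label if host is (a subdomain of) a registry domain, else None."""
    host = normalize_host(host)
    for domain, vendor in registry.items():
        # The leading dot keeps 'fakeapi.openai.com' from matching 'api.openai.com'.
        if host == domain or host.endswith("." + domain):
            return vendor
    return None


def _looks_like_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _looks_like_host(token):
    """Dotted, alphanumeric, and not purely numeric (so IPv4 literals are excluded)."""
    t = normalize_host(token)
    bare = t.replace(".", "").replace("-", "")
    return "." in t and bare.isalnum() and not bare.isdigit()


def extract_records(text):
    """Yield (client, host) pairs from a pasted CSV or whitespace-delimited export."""
    lines = [l for l in text.strip().splitlines() if l.strip() and not l.startswith("#")]
    if not lines:
        return []
    records = []
    if "," in lines[0]:  # CSV with a header row
        reader = csv.DictReader(io.StringIO("\n".join(lines)))
        fields = [(f or "").strip().lower() for f in (reader.fieldnames or [])]
        host_col = next((f for f in fields if f in HOST_COLUMNS), None)
        client_col = next((f for f in fields if f in CLIENT_COLUMNS), None)
        for row in reader:
            row = {k.strip().lower(): (v or "").strip() for k, v in row.items() if k}
            host = row.get(host_col, "") if host_col else ""
            client = row.get(client_col, "unknown") if client_col else "unknown"
            if host:
                records.append((client, host))
        return records
    # Whitespace-delimited (e.g. a DNS query log): first IP is the client,
    # first hostname-looking token is the queried name.
    for line in lines:
        tokens = line.split()
        client = next((t for t in tokens if _looks_like_ip(t)), "unknown")
        host = next((t for t in tokens if _looks_like_host(t)), None)
        if host:
            records.append((client, host))
    return records


def analyze(text, registry=AI_ENDPOINT_REGISTRY):
    """Hit counts by vendor and by client, plus hostnames the registry did not cover."""
    by_vendor, by_client, unmatched, total = Counter(), defaultdict(Counter), Counter(), 0
    for client, host in extract_records(text):
        total += 1
        vendor = match_registry(host, registry)
        if vendor:
            by_vendor[vendor] += 1
            by_client[client][vendor] += 1
        else:
            unmatched[normalize_host(host)] += 1
    return {"records": total, "by_vendor": dict(by_vendor),
            "by_client": {c: dict(v) for c, v in by_client.items()},
            "unmatched": dict(unmatched)}


# Constructed sample exports (not real traffic).
DNS_EXPORT = """\
# constructed DNS query log
2024-05-01T09:12:03Z 10.0.4.17 api.openai.com. A
2024-05-01T09:12:09Z 10.0.4.17 chat.internal.example. A
2024-05-01T09:13:41Z 10.0.4.22 API.Anthropic.COM A
2024-05-01T09:15:00Z 10.0.4.22 eu.api.mistral.ai. A
"""
PROXY_CSV = """\
timestamp,src_ip,dest_host,bytes_out
2024-05-01T10:01:12Z,10.0.4.17,api.openai.com:443,18240
2024-05-01T10:02:55Z,10.0.4.31,generativelanguage.googleapis.com,9120
2024-05-01T10:03:10Z,10.0.4.31,www.example.com,512
"""

if __name__ == "__main__":
    print(analyze(DNS_EXPORT))
    print(analyze(PROXY_CSV))
```

The unmatched list is as useful as the hit counts: it is the review queue for hostnames that may belong in the registry, which is how an observation-based inventory stays current as new AI services appear.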

Q15

Does SanctumShield train AI models on customer data?

No. SanctumShield uses paid API tiers from its underlying AI providers (Google Gemini), which contractually commit to not training models on paid-API inputs. Customer prompts, uploaded logs, and generated reports are not used to train models. The full sub-processor list is published at /trust.

Q16

Where is SanctumShield data hosted?

SanctumShield is hosted on Vercel with Cloudflare DNS and SSL. Inference runs on Google Gemini paid API. Payment processing is handled by Stripe. Transactional email is sent via Resend. The complete sub-processor list, including data residency notes, is published at /trust.

Q17

Can SanctumShield generate evidence for SOC 2 audits?

Yes. The generated AI Acceptable Use Policy maps to SOC 2 Common Criteria CC6.1 (logical access controls) and CC7.2 (system operations and monitoring). The Executive Risk Report provides documented findings, regulatory citations, and a 90-day action plan that auditors accept as evidence of an active AI governance program. Continuous evidence (log analysis re-runs) is supported by re-uploading current exports.

Q18

Is there a free version of SanctumShield?

Yes. The Shadow AI Risk Calculator is permanently free, with no account, no email, and no credit card required. It is a 12-question self-assessment that produces an instant departmental risk score (0–100) and three headline findings tailored to your answers. You can run it as many times as you want.

Q19

How can my cyber insurance underwriter or external auditor verify a SanctumShield report is genuine?

Every paid SanctumShield report — both the AI Acceptable Use Policy and the Executive Risk Report — carries a unique verification URL printed in the document footer (something like sanctumshield.com/verify/abc123xyz). When you submit the report as part of a renewal application or audit packet, your underwriter or auditor pastes that URL into a browser and immediately sees a confirmation page: when the report was generated, which AI model produced it, which AI endpoint registry version was used, and the company name it was generated for. The report's contents are never exposed — verification only confirms the document is genuine and unaltered. Records are kept for five years so the same URL works across multiple renewal cycles. No other tool in this space offers this. Vendor risk platforms (Vanta, Drata, Secureframe, OneTrust, BitSight, SecurityScorecard), AI-SPM tools (Wiz AI-SPM, Palo Alto AI Access Security, Cisco AI Defense, CrowdStrike, Netskope, Microsoft Purview AI), enterprise AI governance platforms (Credo AI, Holistic AI), Big 4 PowerPoint deliverables (Deloitte, PwC, EY, KPMG), and outside privacy counsel all ship static documents that can't be queried — there's no system to verify against.

See an example verification page →

Question we didn't answer?

The contact form on /trust routes directly to Lindsay's monitored inbox — no SDR, no triage queue. Turnaround is one business day.

SanctumShield FAQ — Pricing, Compliance, Deployment, Comparisons