AI Tools Monitoring

IBM Security offers a useful set of monitoring policies for AI Tools through the Application Monitoring - AI Tools Config Feed. These policies gather information on executions of common AI tools in your environment that are not covered by other Verify Privilege Manager policies.

Application Monitoring - AI Tools is offered as a Config Feed. AI tools monitoring is not offered as an out-of-the-box policy.

Tools detected - Windows: ChatGPT, Claude, Claude Code, Microsoft Copilot, Cursor, Windsurf, Ollama, LM Studio, Antigravity, OpenAI Codex

Tools detected - macOS: ChatGPT, Claude, Claude Code, Microsoft Copilot, Cursor, Windsurf, Ollama, LM Studio, Antigravity

These monitoring policies do not detect AI applications running via Docker, WSL, or NPM; they only detect those with native executables. macOS Agent version 12.0.5.184+ is recommended to reduce the number of false positives reported.

Getting Started

  1. Log in to the Verify Privilege Manager console as an Admin user.

  2. From the left navigation panel, select Admin | Config Feeds.

  3. Select Privilege Manager Product Configuration Feeds, then Application Control Solution.

  4. Select Application Monitoring - AI Tools to install.

Specific components installed include policies, filter categories, and computer groups.

  • Policies installed: AI Tools - Windows Monitor Mode, AI Tools - macOS Monitor Mode

  • Filter categories installed: Chat Interfaces, Coding Assistants, Local LLM Runners

  • Computer Groups installed: AI Tools - Windows Computers, AI Tools - macOS Computers

  5. Navigate to the new AI Tools computer groups and scope the filter rules of the computer groups to the target machines.

Computer groups are delivered with filter rules that do not match any machines by default. Customers must adjust the computer group filter rules to target their desired endpoints before monitoring will begin. See Creating Filter Rules and Collections.

  6. View the AI Tools monitoring policy within the new computer groups, then enable the policy as-is, or duplicate and adjust it to customize filters.

  7. Navigate to Admin | Reports and observe the new AI Discovery reports or re-use the existing Specific Policy Events report to start monitoring the use of AI in your environment.

    These policy events can also be viewed on the Policy Events tab (Computer Groups | Applications Policies). Here, you can easily create stronger filtering for discovered AI applications if you would like to block or otherwise control AI Applications in your environment.