Enterprise software security has long been built around a familiar model: monitor infrastructure, detect anomalies, investigate incidents, and respond. But as organizations integrate generative AI into core workflows, that model is being stretched in ways traditional tools were never designed to handle. The “user” is no longer just a person interacting with systems; it is increasingly a combination of human and AI agents acting together across data, code, and workflows.
This is the context in which Daylight is expanding its Managed Detection and Response (MDR) platform into Claude Enterprise, aiming to give security teams a structured way to detect and respond to AI-native threats rather than simply observe AI activity.
The shift: AI is now an active system layer, not just a tool
Organizations adopting AI platforms like Claude Enterprise are no longer using them for isolated tasks. They are embedding them into software development pipelines, data analysis workflows, internal knowledge systems, and automation layers that interact with sensitive enterprise environments.
This shift has created a new category of operational risk. AI systems introduce behaviors that don’t map neatly to traditional security categories: model interactions, tool calls, plugin usage, and autonomous workflows can all generate actions that are difficult to classify using legacy monitoring approaches.
While Claude Enterprise provides audit logs that surface usage across Claude chat, Claude co-work, and Claude Code, those logs alone do not answer the questions security teams need to resolve incidents: what happened, why it happened, and whether it represents risk.
The gap: logs without context are not security signals
The challenge is the lack of interpretation. AI platforms now generate detailed activity records, but security teams still need to translate those records into meaningful security events.
That includes identifying when new MCPs are introduced without authorization, when Skills or plugins behave unexpectedly, when prompt injection attempts occur, or when AI-driven processes access or move sensitive data in unusual ways.
Without contextual analysis, these signals remain isolated events rather than actionable intelligence.
The response: MDR built for AI-native behavior
Daylight’s approach is to treat AI activity as a first-class security domain inside MDR workflows. By integrating directly with Claude Enterprise via its Compliance API, the platform builds detection rules on top of AI audit logs and correlates them with identity systems, SaaS applications, endpoints, cloud environments, and business context.
When suspicious activity is identified, it is not treated as a standalone alert. Instead, it is routed into a full investigation workflow where analysts reconstruct the sequence of events and determine whether the behavior represents real risk or expected usage.
This includes tracing which user initiated the action, what systems were accessed, what data was involved, and whether the activity deviates from normal AI usage patterns.
“Visibility is only the starting point”
“AI adoption is moving faster than traditional security monitoring was designed to support,” said Hagai Shapira, co-founder and CEO of Daylight. “Claude Enterprise gives organizations important visibility. Daylight’s MDR service turns that visibility into detection and response.”
The framing highlights a broader shift in enterprise security thinking: visibility into AI systems is necessary, but insufficient without automated interpretation and response capabilities.
Early adoption: embedding AI into security operations, not around it
One of the early adopters of the integration is Miro, which has been expanding its use of Claude Enterprise across internal teams while simultaneously evolving its security posture around AI usage.
As AI tools were rolled out more broadly, Miro’s security organization prioritized ensuring that AI activity would not become an unmonitored layer within the company’s infrastructure.
“As we adopted Claude Enterprise, we wanted to make sure AI usage didn’t become a new blind spot for our security team,” said Mark Strande, CISO of Miro. “Daylight helped us bring Claude activity into our MDR workflow, giving us visibility into AI-native risks and the context to investigate them.”
A key use case has been monitoring newly introduced MCPs and evaluating their behavior within the broader system context to determine whether they introduce security or compliance risks.
What changes when AI becomes part of MDR
The integration of AI platforms into MDR workflows represents more than an incremental improvement in visibility. It reflects a structural change in how security operations are defined.
Rather than being treated as external tools that generate logs, AI systems are becoming integrated components of enterprise infrastructure: systems that must be continuously monitored, correlated, and investigated alongside traditional digital assets.
In this model, MDR is no longer just a response layer for infrastructure threats. It becomes the control layer for AI behavior itself.
The road ahead: expanding AI telemetry across platforms
Daylight expects AI observability to continue expanding as platforms mature. Future developments are likely to include richer telemetry across prompts, tool calls, Skills, and agent-based workflows, potentially standardized through frameworks such as OpenTelemetry.
The company also anticipates that similar auditability models will extend beyond Claude Enterprise to other major AI systems, including ChatGPT and Gemini, as enterprises push for consistent security coverage across their AI ecosystems.
As that happens, the distinction between traditional software security and AI security is expected to continue narrowing, until AI behavior becomes a standard part of enterprise threat detection, investigation, and response.

