See, control, and prove every AI request.
Your company already runs on Claude, GPT, Gemini, and MCP tools — billed to one shared account you can't see into. Marshal is the gateway that puts an identity, a policy, and an audit trail on every request. Live in an afternoon.
The governed request path
Identity
Sasha Chen
Claude Code · engineering
POST /v1/messages
key mk_live_••••7Q
Control point
Provider
Anthropic
api.anthropic.com
credential ← vault
native API unchanged
Models from every major lab, behind one governed gateway
Provider dashboards see accounts. Marshal sees people.
Security cannot govern what it cannot attribute. Marshal connects every request to the person, team, tool, cost, and policy decision behind it — across Anthropic, OpenAI, Google, AWS Bedrock, Azure OpenAI, and remote MCP servers.
One request in. Complete control out.
Teams keep the tools and provider APIs they already use. Marshal adds governance around each request — not abstraction inside it. Four operations, one pass, twelve milliseconds.
Authenticate
Resolve each Virtual Key to a user or service account and its current groups — on every request.
Evaluate
Apply model, budget, MCP, and content policies inline, with a recorded Policy Verdict.
Forward
Inject the vaulted provider credential and preserve the provider's native API unchanged.
Record
Meter tokens and cost, then write one searchable, exportable Audit Event.
Control it inline — before it happens, not after.
Four policy dimensions evaluated in the request path, each with its own monitor → warn → block dial, per group, user, or service account. Start in monitor mode on day one; turn up enforcement team by team as confidence grows.
per policy · per group
Model access
Allow or deny providers and models by group, user, or service account. New models are denied by default until you approve them.
engineering → opus allowed
Budgets & rate limits
Soft alerts and hard caps with real-time token and cost metering — per identity, group, provider, or model.
research → 80% monthly budget
MCP permissions
Control remote MCP access at both server and individual tool level. Read-only for contractors, write access for owners.
contractors → jira.read only
Content & DLP
Inspect requests inline for secrets, PII, and organization-defined patterns — before they reach the provider.
api key detected → block
Answer who used what, what it cost, and what policy decided.
Security, FinOps, and compliance work from one shared source of truth — the identity-attributed usage graph.
Audit without sampling
Every LLM request and MCP tool call produces one immutable Audit Event — who, from which tool, to which model, at what cost, under which verdict.
Spend with an owner
Roll cost up by identity, group, provider, model, and MCP tool — not just an organization total on next month's invoice.
Evidence where you need it
Search and export directly, or stream metadata into your SIEM and the security workflows you already run.
Spend, with owners
Attributed this month, by team
$42,118
2 budgets warningInline, not in the way
Policy runs at the edge with no control-plane calls in the request path. Streaming responses stay at native speed — your teams never feel the gateway.
12ms
Enforcement that holds when it matters.
A proxy only governs traffic sent through it. Marshal closes that gap by keeping real provider credentials out of employee hands — and giving the organization a practical path to block bypasses.
Vault the real credentials
Bring your provider keys once. Marshal encrypts them at rest, injects them only when forwarding, and never returns them to users.
Issue identity-bound Virtual Keys
Users and service accounts receive revocable, expiring Marshal credentials tied to their identity and current policies.
Make the governed path the only path
Use Marshal's egress allowlist playbook to block direct provider access and sweep raw keys from CI and employee machines.
Real provider credentials
injected on forward only · never returned to users
Identity-bound Virtual Keys
Live in an afternoon. Not a quarter.
No agents to install, no SDKs to adopt, no proxies to host. Three steps, and every AI request in the company is governed.
Connect your providers
Bring your Anthropic, OpenAI, Google, Bedrock, and Azure keys once. They're encrypted in Marshal's vault and never handed out again.
Issue Virtual Keys
Sync users and groups over SSO and SCIM. Every person and service account gets a revocable, identity-bound key.
Point tools at Marshal
Claude Code, Cursor, agents, CI — swap one base URL. Native APIs are preserved, so nothing else changes.
Team
Volume tiers available
Governance is never metered: pay for people, not policy decisions or Audit Events.
- All five LLM providers and remote MCP servers
- All four policy dimensions
- Unlimited enforcement and metadata Audit Events
- Search, export, dashboards, budgets, and alerts
- SSO, SCIM, and identity lifecycle controls
The only usage meter
Optional payload capture
Metadata is always included. If you opt into storing prompts, responses, or tool arguments for forensics, you pay only for ingestion and storage beyond the pooled allowance.
capture: org-owner controlled · retention + redaction configured before storage
Enterprise adds negotiated seats, SIEM streaming, custom DLP patterns, longer retention, SLA, and support.
The questions your engineers will ask.
Governance only works if the people being governed don't route around it. Marshal is built to be invisible to them.
Does it slow requests down?
No. Policy evaluation runs inline at the edge in around 12 milliseconds, with no control-plane calls in the request path. Your teams keep streaming responses at native speed.
Do developers have to change their code?
No. Marshal preserves each provider's native API. Teams swap a base URL and an API key — every SDK, tool, and agent keeps working exactly as before.
What stops someone from going straight to the provider?
Key custody. Real provider keys live only in Marshal's vault; employees hold revocable Virtual Keys. Pair that with Marshal's egress allowlist playbook and the governed path is the only path.
What data does Marshal store?
Metadata — identity, model, tokens, cost, verdict — is always recorded. Prompts and responses are stored only if your organization explicitly opts into payload capture, with retention and redaction you control.
Put every AI request under control.
We're onboarding a small cohort of security and platform teams as design partners — teams that already own this problem and want to shape the answer.