See, control, and prove every AI request.

Your company already runs on Claude, GPT, Gemini, and MCP tools — billed to one shared account you can't see into. Marshal is the gateway that puts an identity, a policy, and an audit trail on every request. Live in an afternoon.

The governed request path

Identity

SC

Sasha Chen

Claude Code · engineering

POST /v1/messages

key mk_live_••••7Q

Control point

Marshal gateway
Inline
Identitys.chen@acme.com
Model accessclaude-opus-4.6
Monthly budget42% used
Content policyno findings
Verdict · Allow12 ms

Provider

Anthropic

api.anthropic.com

credential ← vault

native API unchanged

audit_event evt_01JZ8F1S9A appended · $0.038 · 1,204 tokens
Every request. No sampling.

Models from every major lab, behind one governed gateway

Provider dashboards see accounts. Marshal sees people.

Security cannot govern what it cannot attribute. Marshal connects every request to the person, team, tool, cost, and policy decision behind it — across Anthropic, OpenAI, Google, AWS Bedrock, Azure OpenAI, and remote MCP servers.

SignalProvider viewMarshal view
IdentityOrganization-level usageEvery user and service account
ControlProvider-wide settingsInline policy on every request
SpendOne monthly invoiceCost attributed per person, team, and model
EvidenceAggregate totalsImmutable, attributable Audit Events

One request in. Complete control out.

Teams keep the tools and provider APIs they already use. Marshal adds governance around each request — not abstraction inside it. Four operations, one pass, twelve milliseconds.

01

Authenticate

Resolve each Virtual Key to a user or service account and its current groups — on every request.

02

Evaluate

Apply model, budget, MCP, and content policies inline, with a recorded Policy Verdict.

03

Forward

Inject the vaulted provider credential and preserve the provider's native API unchanged.

04

Record

Meter tokens and cost, then write one searchable, exportable Audit Event.

Control it inline — before it happens, not after.

Four policy dimensions evaluated in the request path, each with its own monitor → warn → block dial, per group, user, or service account. Start in monitor mode on day one; turn up enforcement team by team as confidence grows.

MonitorWarnBlock

per policy · per group

Model access

Allow or deny providers and models by group, user, or service account. New models are denied by default until you approve them.

engineering → opus allowed

Budgets & rate limits

Soft alerts and hard caps with real-time token and cost metering — per identity, group, provider, or model.

research → 80% monthly budget

MCP permissions

Control remote MCP access at both server and individual tool level. Read-only for contractors, write access for owners.

contractors → jira.read only

Content & DLP

Inspect requests inline for secrets, PII, and organization-defined patterns — before they reach the provider.

api key detected → block

Answer who used what, what it cost, and what policy decided.

Security, FinOps, and compliance work from one shared source of truth — the identity-attributed usage graph.

audit_events
identity=*window=24h
IdentityTargetCostVerdictTime
s.chen@acme.comanthropic / claude-opus-4.6$0.42allowed10:42:08
ci-deploy-botopenai / gpt-5.1$118.20warned10:41:52
j.lee@acme.commcp:jira / create_issue$0.00blocked10:41:11
research-agentgoogle / gemini-2.5-pro$1.17allowed10:39:47

Audit without sampling

Every LLM request and MCP tool call produces one immutable Audit Event — who, from which tool, to which model, at what cost, under which verdict.

Spend with an owner

Roll cost up by identity, group, provider, model, and MCP tool — not just an organization total on next month's invoice.

Evidence where you need it

Search and export directly, or stream metadata into your SIEM and the security workflows you already run.

Spend, with owners

Attributed this month, by team

$42,118

2 budgets warning
Engineering$26.1k
Research$10.1k
Support$3.8k
Contractors$2.1k

Inline, not in the way

Policy runs at the edge with no control-plane calls in the request path. Streaming responses stay at native speed — your teams never feel the gateway.

12ms

Enforcement that holds when it matters.

A proxy only governs traffic sent through it. Marshal closes that gap by keeping real provider credentials out of employee hands — and giving the organization a practical path to block bypasses.

1

Vault the real credentials

Bring your provider keys once. Marshal encrypts them at rest, injects them only when forwarding, and never returns them to users.

2

Issue identity-bound Virtual Keys

Users and service accounts receive revocable, expiring Marshal credentials tied to their identity and current policies.

3

Make the governed path the only path

Use Marshal's egress allowlist playbook to block direct provider access and sweep raw keys from CI and employee machines.

Real provider credentials

Anthropic
OpenAI
Google
Bedrock
Azure
marshal_vaultEncrypted at rest

injected on forward only · never returned to users

Identity-bound Virtual Keys

Sasha Chen · Claude Codemk_live_••••7Q
ci-deploy-bot · Service Accountmk_live_••••2B
j.lee@acme.com · revokedmk_live_••••9X

Live in an afternoon. Not a quarter.

No agents to install, no SDKs to adopt, no proxies to host. Three steps, and every AI request in the company is governed.

1

Connect your providers

Bring your Anthropic, OpenAI, Google, Bedrock, and Azure keys once. They're encrypted in Marshal's vault and never handed out again.

2

Issue Virtual Keys

Sync users and groups over SSO and SCIM. Every person and service account gets a revocable, identity-bound key.

3

Point tools at Marshal

Claude Code, Cursor, agents, CI — swap one base URL. Native APIs are preserved, so nothing else changes.

Team

$50per active governed identity / month

Volume tiers available

Governance is never metered: pay for people, not policy decisions or Audit Events.

  • All five LLM providers and remote MCP servers
  • All four policy dimensions
  • Unlimited enforcement and metadata Audit Events
  • Search, export, dashboards, budgets, and alerts
  • SSO, SCIM, and identity lifecycle controls

The only usage meter

Optional payload capture

Metadata is always included. If you opt into storing prompts, responses, or tool arguments for forensics, you pay only for ingestion and storage beyond the pooled allowance.

capture: org-owner controlled · retention + redaction configured before storage

Talk through your rollout

Enterprise adds negotiated seats, SIEM streaming, custom DLP patterns, longer retention, SLA, and support.

See detailed pricing and the cost calculator →

The questions your engineers will ask.

Governance only works if the people being governed don't route around it. Marshal is built to be invisible to them.

Does it slow requests down?

No. Policy evaluation runs inline at the edge in around 12 milliseconds, with no control-plane calls in the request path. Your teams keep streaming responses at native speed.

Do developers have to change their code?

No. Marshal preserves each provider's native API. Teams swap a base URL and an API key — every SDK, tool, and agent keeps working exactly as before.

What stops someone from going straight to the provider?

Key custody. Real provider keys live only in Marshal's vault; employees hold revocable Virtual Keys. Pair that with Marshal's egress allowlist playbook and the governed path is the only path.

What data does Marshal store?

Metadata — identity, model, tokens, cost, verdict — is always recorded. Prompts and responses are stored only if your organization explicitly opts into payload capture, with retention and redaction you control.

Put every AI request under control.

We're onboarding a small cohort of security and platform teams as design partners — teams that already own this problem and want to shape the answer.