Try Bifrost Enterprise free for 14 days. Request access

How to Govern AI Desktop Apps Like Claude Desktop

How to Govern AI Desktop Apps Like Claude Desktop
AI desktop apps like Claude Desktop run on laptops with no policy layer in between. Govern AI desktop apps by extending Bifrost, the AI gateway, to the endpoint.

IBM's 2025 Cost of a Data Breach Report found that shadow AI, the unsanctioned use of AI tools without employer oversight, was a factor in 20% of breaches and added roughly $670,000 to their average cost. Much of that risk lives on employee laptops, where AI desktop apps like Claude Desktop, the ChatGPT app, and coding agents send prompts, source code, and customer data straight to model providers with no policy layer in between. Governing AI desktop apps means bringing that endpoint traffic under the same controls a security team already applies to sanctioned systems. Bifrost, the open-source AI gateway built by Maxim AI, is the control plane for that governance, and Bifrost Edge extends it to every machine so the AI people actually use is governed too.

Why AI Desktop Apps Like Claude Desktop Escape Governance

AI desktop apps escape governance because they run directly on employee machines and connect to model providers on their own, outside any gateway or proxy the security team controls. A tool like Claude Desktop is installed per user, authenticates with its own account or key, and sends every prompt straight to the provider, leaving no enforcement point and no audit trail.

This pattern is shadow AI, and it is now closer to the norm than the exception. More than 80% of workers, including nearly 90% of security professionals, report using unapproved AI tools at work, according to a 2025 UpGuard survey covered by Cybersecurity Dive. Roughly half of employees admit to adopting AI tools without approval, and many leaders prioritize speed over privacy rather than reining the practice in.

For desktop apps specifically, the exposure is concrete:

  • Data leaves the machine. Secrets, PII, and source code pasted into a desktop app reach a third-party model with no inspection.
  • There is no audit trail. The organization cannot show what was sent, by whom, or to which provider.
  • There is no budget or rate control. Usage and cost are invisible until an invoice arrives.
  • Blocking backfires. Banning tools outright pushes employees toward personal accounts and hidden workarounds.

This is the gap endpoint AI governance is built to close.

What It Takes to Govern an AI Desktop App

Governing an AI desktop app means applying four controls to the AI traffic leaving a machine, without depending on the user to configure anything:

  • Visibility: know which AI apps and which MCP servers are installed across the fleet.
  • Access control: decide which apps are allowed on company machines and enforce that decision on the device.
  • Guardrails: inspect prompts and responses for secrets, PII, and unsafe content before they leave the endpoint.
  • Audit: record every request so the organization can demonstrate compliance.

Bifrost already provides these controls for traffic routed through it. Virtual keys scope access and budgets per user or team, guardrails inspect content, and audit logs capture every call. The same governance layer is what Bifrost Edge enforces on the endpoint, so governing AI desktop apps does not require a second, separate policy model.

The AI Gateway Is the Control Plane; the Endpoint Is the Gap

An AI gateway is a single entry point that routes, authenticates, observes, and governs traffic to multiple model providers from one place. In Bifrost, this is the control plane: administrators set budgets and rate limits, attach guardrails, and capture audit logs for every request. Any traffic routed through the gateway inherits these controls automatically.

The limitation is structural. A gateway only governs the traffic that is configured to flow through it. When an employee installs Claude Desktop and signs in with a personal or team account, that app talks to the provider directly, so the request never reaches the gateway and none of its policies apply. That is the difference between having governance and having governance everywhere, and it is exactly where the combined "AI gateway plus Bifrost Edge" model comes in.

How Bifrost Governs AI Desktop Apps at the Endpoint

Bifrost governs AI desktop apps by extending the gateway to the endpoint with Bifrost Edge, an agent that runs on every machine and routes all AI traffic through Bifrost. The virtual keys, budgets, guardrails, and audit logs configured in the gateway are what Edge enforces on the laptop. There is nothing new to learn on the policy side and nothing to reconfigure inside each app.

Edge is designed to be invisible after a one-time setup. The first time it runs, the user signs in through the browser with the organization's existing single sign-on, which links the machine to their identity and syncs their assigned policies. From then on Edge lives in the menu bar or system tray and routes traffic at the machine level, covering desktop apps, browser AI, and coding agents with no base URL changes and no SDK swaps.

Allow or block AI apps on company machines

Administrators decide which AI applications are permitted, and Edge enforces that decision on each device. Allowed apps like Claude Desktop run normally, fully governed through Bifrost. Unapproved apps are blocked before any data leaves the machine. When Edge detects a new app, it requests approval in the admin console, so the fleet stays under review as the tools people install change over time.

Apply guardrails to every prompt

Because Edge routes AI traffic through Bifrost, every guardrail already configured applies to endpoint AI automatically, with no extra setup on the device. A prompt typed into Claude Desktop or ChatGPT is evaluated before it reaches a model: native secrets detection catches leaked API keys and credentials, and a built-in PII template catches sensitive personal data before it leaves the endpoint. Guardrail coverage includes AWS Bedrock Guardrails, Azure Content Safety, Google Model Armor, CrowdStrike AIDR, GraySwan Cygnal, and Patronus AI.

Governing the MCP Servers Behind Claude Desktop

AI desktop apps rarely work alone. Claude Desktop and similar apps connect to MCP servers, external tools that can read files, call APIs, and take actions on a user's behalf. Most organizations have no visibility into which MCP servers employees have wired into their tools, and that blind spot is where sensitive data and unreviewed actions slip through.

Bifrost Edge closes it. Edge inventories the MCP servers configured inside each AI app and builds a live, fleet-wide inventory: which servers are configured, where, and across how many devices. Administrators make per-server allow or deny decisions, and each decision is enforced on the device rather than left advisory. A denied server cannot be used even by an app that had it configured before the policy existed. MCP discovery covers the major apps that support it today, including Claude Code, Claude Desktop, Gemini CLI, OpenCode, Codex, and Cursor.

For teams standardizing tool access more broadly, using Bifrost as an MCP gateway centralizes connections, auth, and tool filtering across every connected server, and Edge carries those decisions out to the endpoint.

Deploying Endpoint AI Governance Across the Fleet

Endpoint AI governance only works if it reaches every machine, which is why Bifrost Edge is built for fleet-wide deployment through the device management platforms teams already use. Rather than asking users to download and configure anything, organizations push Edge to every device with a managed configuration that points it at the organization's Bifrost. Supported platforms include Jamf, Microsoft Intune, Kandji, Omnissa Workspace ONE, and JumpCloud across macOS, Windows, and Linux.

The managed configuration carries only non-sensitive connection settings, so no secrets live on the device; identity and keys come from the user's SSO sign-in. That makes endpoint governance a natural extension of the enterprise controls teams already trust, fitting the same enterprise deployment story as in-VPC and air-gapped Bifrost. Bifrost Edge is currently in alpha, and teams register to be onboarded.

Frequently Asked Questions

Does governing Claude Desktop require changing the app?

No. Bifrost Edge routes traffic at the machine level, so there are no base URLs to change and no SDKs to swap inside Claude Desktop or any other app. Governance turns on the moment Edge is installed and the user signs in once.

What happens when an employee installs an unapproved AI app?

Edge detects the new app and requests approval in the admin console. Administrators can configure whether newly discovered apps are allowed or blocked while pending, and a blocked app is stopped on the device before any data leaves it.

How is this different from blocking AI tools outright?

Blocking every AI tool tends to push employees toward personal accounts and hidden workarounds. Endpoint AI governance takes the opposite approach: it lets approved apps run normally while bringing their traffic under the same governance controls as sanctioned systems, so security and productivity are not in conflict.

Which AI apps and surfaces can Bifrost Edge govern?

Edge governs a growing list that includes Claude Desktop, the ChatGPT app, Cursor, and Codex on the desktop; Claude Code, Codex CLI, and OpenCode as coding agents; and ChatGPT and Claude in the browser. Coverage expands over time, and teams can request support for a missing app.

Getting Started with Bifrost

Governing AI desktop apps like Claude Desktop no longer means choosing between security and the tools employees want to use. Bifrost, the AI gateway, defines and enforces policy; Bifrost Edge carries that policy to every endpoint, so shadow AI on employee machines comes under the same governance as the rest of the stack. To see how endpoint AI governance works for your fleet, book a demo with the Bifrost team, or explore the Bifrost resource library for deeper guidance on governance, guardrails, and enterprise deployment.