Auditability and Control
Nightfall uses two complementary mechanisms to protect AI agent activity:
Hooks - Real-Time Enforcement
Hooks intercept AI agent actions before they execute. When a developer submits a prompt, calls a tool, or runs a shell command, Nightfall scans the content against your policies and can block the action if a violation is detected.
Supported agents: Claude Code, Cursor, VS Code
Enforcement: Block or Monitor
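An added sketch of the pre-execution decision described above, not Nightfall's code: the event shape (`kind`, `text`, `command`, `arguments`), the two regex detectors and the fail-closed handling of unparseable events are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical detectors; a real policy would use the vendor's detection engine.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

@dataclass
class Decision:
    allow: bool      # False means the action must not execute
    findings: list   # names of the detectors that matched
    logged: bool     # True when an incident record should be written

def extract_content(event: dict) -> str:
    """Pull the scannable text out of each of the three event kinds."""
    kind = event["kind"]
    if kind == "prompt":
        return event["text"]
    if kind == "shell":
        return event["command"]
    if kind == "tool":
        # Tool arguments are a mapping; scan every value as text.
        return "\n".join(str(v) for v in event["arguments"].values())
    raise ValueError(f"unknown event kind: {kind}")

def evaluate(event: dict, mode: str) -> Decision:
    """Run before the action executes. mode is 'block' or 'monitor'."""
    if mode not in ("block", "monitor"):
        raise ValueError(f"unknown enforcement mode: {mode}")
    try:
        content = extract_content(event)
    except (KeyError, ValueError):
        # Assumed design choice: in block mode an unparseable event fails closed.
        return Decision(mode == "monitor", ["unparseable_event"], True)
    findings = [name for name, rx in DETECTORS.items() if rx.search(content)]
    if not findings:
        return Decision(True, [], False)
    # Monitor records the violation but lets the action proceed; Block stops it.
    return Decision(mode == "monitor", findings, True)

# Constructed sample events (the key is AWS's documented example value).
SHELL = {"kind": "shell", "command": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}
PROMPT = {"kind": "prompt", "text": "Refactor the login handler"}
```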
OpenTelemetry - Async Monitoring
OpenTelemetry (OTel) captures a complete telemetry stream of AI agent activity after actions complete. This provides full session audit trails including cost tracking, model information, and tool activity.
Supported agents: Claude Cowork
Enforcement: Monitor only (no real-time blocking)
Additional data: Token usage, cost per prompt, model name, API errors
Prerequisites
Before AI Agent Security can function on your endpoints, ensure the following requirements are met:
Nightfall Endpoint Agent
Version 1.2.12.11 or later is required.
The agent must be installed and running on each endpoint where AI agents are used.
MDM Configuration Profile
Required: You must deploy the Nightfall MDM configuration profile (v3 or later) via your MDM provider (Jamf, Mosyle, Kandji, etc.). This profile grants the necessary system permissions for the Nightfall agent to monitor AI agent activity.
AI Agent Policy
At least one AI Agent Security policy must be active in your Nightfall console. SecOps or IT administrators must install hooks using an MDM script or the IDE console for Cursor, Claude Code or VS Code.
Next Steps
Setup & Installation - Verify your deployment and understand how hooks are installed
Hooks vs. OpenTelemetry - Compare the two enforcement mechanisms
Policy management - Step-by-step policy creation guide
Policy incidents - How to review and respond to AI agent violations
MCP server collections - Discover and manage MCP servers across your fleet