What We Do

Our Vision at Knostic is to be the leader in need-to-know based access controls, enabling enterprises to safely adopt AI.

Knostic enables enterprises to safely adopt AI, through setting need-to-know based access controls.

Enterprise AI search tools like Copilot for Microsoft 365 and Glean lack the in-depth access controls required to ensure that query responses align with the user’s need-to-know boundaries.

Without proper controls, these tools accelerate the discovery of improperly secured sensitive files within the organization’s M365 environment.

The risk of data leakage from enterprise AI search tools impedes the deployment and widespread adoption of tools like Copilot.

Enterprise security teams need certainty that Copilot won’t overshare when deployed across the user base.

Knostic addresses that challenge and transforms your security team from the Department of No to the Department of Know.

Knostic’s Copilot Readiness Assessment enables organizations to proactively understand what sensitive business content is exposed through Enterprise AI search tools, providing a safety net for deployment. 

Our assessment process covers:

1. Visibility of enterprise AI search oversharing
2. Monitoring for ongoing oversharing and policy violations (drift)
3. Remediation of oversharing through permissions and labels

The Knostic Process step by step:

Visibility

If you’re using Microsoft M365, you probably have overshared content. Copilot for Microsoft 365 can be used proactively to discover overshared content, whether or not the company intends to roll out Copilot.

Policy Creation and Management

These policy creation decisions form the basis for defining the Need-to-Know policy of the organization.

Remediation

Knostic works at the knowledge layer and addresses oversharing at the file level. Sensitive information is labeled and classified, enabling automated remediation. File owners of discovered content can also manually determine if their file is overshared.

Monitoring

Our continuous monitoring of user interactions flags policy drift and violations that lead to oversharing or data leakage. The Need-to-Know policies can be used for detecting unusual interactions in past Copilot transactions where oversharing may have occurred. This validates whether the policy is correct or has gaps that need filling, and ensures the policy remains up to date.

Protection

This module can be used proactively by AI firewalls that can accept a per user/per topic ruleset. Think of this as discretionary access controls for LLMs, which will be needed across other LLMs such as Einstein AI or Slack AI.

Want to control and safely harness institutional knowledge through AI?
Let’s talk about your use case.

Get Started With An Assessment

Knostic’s Copilot Readiness Assessment encompasses VISIBILITY and REMEDIATION. It focuses on identifying and remediating overshared information related to business topics that the organization considers sensitive.

The assessment is conducted from the perspective of individual user profiles or at the department level, for example, a standard user profile from someone in the Finance or Sales department. You can read more on our framework and methodology in our blog and the accompanying Solution Brief.

These topics fall into three categories:

1. Topics considered sensitive across most organizations (e.g., Legal, Finance, HR, Security)
2. Topics considered sensitive for a specific industry (e.g., for Healthcare, topics would include patient information, malpractice lawsuits, etc.)
3. Topics considered sensitive for that specific organization. We do not know these topics ahead of time, but we can incorporate them into the assessment.

Frequently Asked Questions

Purview helps with sensitivity classification, particularly around PII, but it doesn’t cover sensitive topics that are important to the business, for example, compensation information, M&A, legal disputes, etc.

In addition, Purview works primarily through fixed pattern matching. As such, Purview frequently flags content that is not actually sensitive. This fixed pattern matching approach will not be able to discover these sensitive business topics.

This does not replace Purview. You should continue to use Purview for data discovery and sensitivity classification. The data discovery process using Purview (and other similar data discovery tools) can take months to complete for a full scan of a large enterprise’s entire file system.

Knostic’s Copilot Readiness Assessment takes a broad approach with prompts built on a corpus of sensitive business topics for specific user profiles. This approach can accelerate the discovery of sensitive business content, uncovering 80% of the high priority findings in less than 20% of the time.

Knostic’s Copilot Readiness Assessment is more about preemptive data discovery than real-time data loss prevention. Through this assessment, clients can map out where their sensitive business content exists and where it might be overshared. By addressing the oversharing problem, Knostic can minimise the risk of future data loss and oversharing.

A Readiness Assessment is a good first step towards implementing a data classification program.

We also support Glean and will be adding more Enterprise AI tools soon.

The client would need to be using Microsoft 365 and have a minimal number of Copilot licences active for testing, but does not need to have active Copilot licences for Microsoft 365 deployed to users. They don’t even need to have plans to deploy it. In other words, even if they are not intending to use Copilot, this approach can still help accelerate the discovery of sensitive content within Microsoft 365 itself.

The organization does not need to determine the topics before starting an assessment. Often, they won't know them in advance, and waiting to identify the topics to be scanned will unnecessarily prolong the process. Once they start seeing results, they can return with specific topics they want to explore in more depth.

We recommend leveraging the intended rollout plans for Copilot. The groups your organization plans to roll out Copilot to next should determine which profiles to scan first.

The enterprise does not need to have any defined roles to get started. The program owners often feel like they are not ready because they don’t have a robust Identity and Access Management program or fall short in defining roles. If they have Department level delineation of users, that’s sufficient to define a profile. Even if they don’t have that, we begin the assessment with a user profile that has no permissions at all, which is trivially easy to establish.

Customers can choose no data retention or to retain data for a limited time for greater visibility and insights. Data (answers to queries) is processed (in transit) then deleted according to the policy set by the customer. We can provide a data processing agreement (DPA) and a list of subprocessors on request. All processing is per client in an isolated silo, i.e. it is not multi-tenant.

Review your access control

Determine need-to-knows across your organization to end LLM oversharing.

Choose your path

See what changes you need to make and if your tech stack needs a boost.

Personalize the journey

Reassess your updates at any time to confirm what's working and what is not.

For all digital transformation projects, LLM access is a top priority.
Let’s talk about your use case.