Connectors
Arrakis governs agents across four surface categories — Local Assistants, Coding Agents, Autonomous Agents, and LLM Foundation. The placement rule is what data plane sits between the user and the model, because that determines where Arrakis can observe or intervene.
For every platform, four capability pillars are scored: how an agent is configured, what happens at runtime, the reasoning behind each action, and whether Arrakis can act preventively. Each cell in the coverage tables that follow names both the support level and the vendor mechanism in use; each category also documents the customer-side integration requirements needed to unlock that coverage.
Capability pillars
| Pillar | What it covers | Typical signal |
|---|---|---|
| Configuration | Blueprint or system prompt, model backbone, tools and connectors, credentials and scopes, version history, owner. | Vendor admin API; governance metadata. |
| Runtime | Execution history, tool calls with arguments, timestamps, errors, retries, run identifiers. | Audit and events APIs; webhooks; invocation logs; OpenTelemetry spans. |
| Reasoning | Prompts, responses, conversation turns, chain-of-thought, function-call traces, data read or written. | Content and compliance APIs; model invocation logs; proxy or endpoint capture; OpenTelemetry events. |
| Preventive | Inline block or rewrite, vendor-side guardrails, and webhook-triggered auto-remediation. | Proxy; endpoint agent; vendor guardrails; webhook-driven actions. |
Cell legend
- Full — supported via documented vendor surface or Arrakis-side integration.
- Partial — enterprise tier required, in active development, or limited fidelity.
- Customer-specific — gated documentation or per-customer data feed; coverage confirmed at onboarding.
- Unavailable — vendor does not expose this surface.
Delivery mechanisms
Each cell is delivered via one of the mechanisms below. Knowing which is in play tells you the cost, latency, and deployment shape of the integration.
| Mechanism | What it delivers | Preventive-capable |
|---|---|---|
| Admin / Audit API | Configuration; partial runtime metadata. | No — observe-only. |
| Content Logs API | Reasoning (prompts, responses, tool args). | No — observe-only. |
| Webhooks / Event Stream | Runtime, near-real-time. | Limited — enables fast auto-response. |
| OpenTelemetry / OTLP Collector | Runtime and reasoning (spans, events, prompts, tool calls, token usage) — emitted by the agent runtime itself. | No — observe-only. |
| Network Proxy (PAC + MITM CA) | All three pillars. | Yes — inline rewrite or block. |
| Endpoint Agent | All three pillars. | Yes — inline block or process control. |
| Vendor Guardrails | Preventive only. | Yes — vendor enforces the policy. |
Local Assistants
Desktop AI agents running on user machines. Vendor admin APIs cover configuration and (where available) audit metadata; deep content inspection and inline enforcement require managed proxy or endpoint agent deployment.
| Platform | Configuration | Runtime | Reasoning | Preventive |
|---|---|---|---|---|
| Claude Cowork (Enterprise) | Full — Anthropic Admin API; MCP & OAuth inventory | Partial — Enterprise tier | Partial — Enterprise tier; deep content via proxy or endpoint | Full — proxy or endpoint; vendor safety classifiers |
| ChatGPT Desktop (Enterprise) | Full — OpenAI Admin; GPTs; Custom Connectors | Full — Compliance API | Full — Compliance API (prompts, responses, tool args) | Full — Moderation API; proxy or endpoint |
| Gemini Desktop (Enterprise) | Full — Workspace Admin SDK | Partial — Workspace audit (metadata-heavy) | Partial — limited; deep content via proxy or endpoint | Full — Vertex safety filters; proxy or endpoint |
| Microsoft Copilot Desktop | Full — Microsoft Graph + Purview | Full — Purview audit | Full — Purview eDiscovery | Full — Purview DLP; proxy or endpoint |
| Perplexity Comet | Partial — vendor surface emerging | Partial — via proxy or endpoint | Partial — via proxy or endpoint | Full — proxy or endpoint only |
| Ollama | Partial — endpoint inventory | Partial — endpoint telemetry | Partial — endpoint telemetry | Full — endpoint only |
| LM Studio | Partial — endpoint inventory | Partial — endpoint telemetry | Partial — endpoint telemetry | Full — endpoint only |
Integration requirements
Claude Cowork (Enterprise). Anthropic Console Enterprise plan; Admin API key with read scope; org-managed SSO. Optional: managed proxy with corporate CA, or Arrakis endpoint agent, for prompt and response capture and inline enforcement. Endpoint deployment, MDM payloads, and Admin API rotation: see Deployment → Claude Cowork.
ChatGPT Desktop (Enterprise). OpenAI Enterprise plan; Admin API and Compliance API access; org SSO or SCIM. Optional: managed proxy or endpoint agent for inline enforcement beyond the Moderation API.
Gemini Desktop (Enterprise). Google Workspace Enterprise; Admin SDK access; domain-wide delegation for the Arrakis service account. Optional: Vertex AI safety filters configuration; managed proxy or endpoint agent for deep content.
Microsoft Copilot Desktop. Microsoft 365 E5 (Purview, eDiscovery, DLP); Microsoft Graph app registration with audit and DLP scopes. Optional: endpoint agent.
Perplexity Comet. Managed forward proxy with corporate CA trusted on endpoints — provided Comet honors the OS trust store. If the Comet desktop client implements TLS certificate pinning, a standard MITM proxy will break the application and the Arrakis endpoint agent is required to instrument the process (or to selectively bypass pinning). Cert-handling behavior is confirmed with Perplexity at onboarding; an enterprise flag for accepting custom root CAs, if available, is the cleanest path.
Ollama and LM Studio. Arrakis endpoint agent on the developer machine. No central admin surface exists for these self-hosted runtimes; all coverage is host-level.
Coding Agents
IDE plugins, autonomous coding agents, and developer CLIs. Vendor-hosted IDE agents (Claude Code, Cursor, Copilot, Codex, Q Developer, Windsurf, Tabnine, Sourcegraph Cody) phone home for inference but execute in the developer’s IDE — they’re instrumentable via admin API and the network path. Cloud-only agents (Cursor Cloud, Devin, Replit Agent, Bolt.new) run entirely in the vendor’s cloud — admin API only, no proxy or endpoint surface.
| Platform | Configuration | Runtime | Reasoning | Preventive |
|---|---|---|---|---|
| Claude Code (Anthropic Enterprise) | Full — Anthropic Admin; workspace inventory; OTel resource attrs | Full — OTel spans; tool calls; session telemetry | Full — OTel events (prompts, responses, token usage) | Full — proxy or endpoint; vendor safety |
| Claude Code (over Bedrock) | Full — IAM + CloudTrail; OTel resource attrs | Full — CloudTrail + EventBridge; OTel spans | Full — Bedrock Invocation Logging; OTel events | Full — Bedrock Guardrails; proxy or endpoint |
| Cursor | Full — Cursor admin dashboard | Partial — Enterprise tier; privacy-mode dependent | Partial — Enterprise; deep content via proxy or endpoint | Full — proxy or endpoint |
| Cursor Cloud | Full — Cursor admin dashboard | Partial — Enterprise audit | Partial — limited (runs in vendor cloud) | Partial — vendor-side controls only |
| OpenAI Codex | Full — OpenAI org admin | Full — Compliance API | Full — Compliance API | Full — Moderation API; proxy or endpoint |
| GitHub Copilot | Full — GitHub Audit Log + Copilot admin | Full — Audit Log + webhooks | Partial — Enterprise full; Business limited | Full — content exclusions; PR-check gating |
| Devin | Partial — vendor portal API | Partial — vendor portal API | Partial — runs in vendor cloud | Partial — vendor-side controls only |
| Amazon Q Developer | Full — Identity Center + CloudTrail | Full — CloudTrail + EventBridge | Full — Q invocation logs | Full — vendor guardrails; proxy or endpoint |
| Windsurf (Codeium) | Full — Enterprise admin | Partial — Enterprise tier | Partial — Enterprise tier | Full — proxy or endpoint |
| Tabnine | Full — Enterprise admin | Partial — Enterprise tier | Partial — Enterprise tier | Full — proxy or endpoint |
| Sourcegraph Cody | Full — Sourcegraph admin | Full — Sourcegraph events | Partial — Enterprise tier | Full — proxy or endpoint |
| Replit Agent | Full — Replit Teams admin | Partial — vendor admin | Partial — runs in vendor cloud | Partial — vendor-side controls only |
| Bolt.new | Partial — vendor admin | Partial — vendor admin | Partial — ephemeral, in vendor cloud | Partial — vendor-side controls only |
Integration requirements
Claude Code — Anthropic Enterprise. Anthropic Console Enterprise plan; Admin API key with read scope. Recommended: enable Claude Code’s built-in OpenTelemetry exporter (OTLP/HTTP or gRPC) pointing at the Arrakis collector — this captures prompts, model responses, tool calls with arguments, latency, token usage, and session and workspace context per agent invocation. Configured via OTEL_EXPORTER_OTLP_ENDPOINT and CLAUDE_CODE_ENABLE_TELEMETRY=1 at the user environment or MDM-managed config level. Optional: managed proxy or endpoint agent for additional inline enforcement. Endpoint deployment, MDM payloads, and OTel configuration: see Deployment → Claude Code.
Claude Code — over Bedrock. AWS account; IAM role with bedrock:InvokeModel and CloudTrail read; Bedrock Model Invocation Logging enabled (S3 or CloudWatch destination); EventBridge rule. Recommended: enable Claude Code’s OTel exporter to the Arrakis collector for prompt, response, and tool-call telemetry not present in CloudTrail metadata. Optional: Bedrock Guardrails configured per agent. Endpoint deployment, MDM payloads, and OTel configuration: see Deployment → Claude Code.
Cursor and Cursor Cloud. Cursor Business or Enterprise plan; admin dashboard access; audit-log export. Cursor (the IDE) additionally supports managed proxy or endpoint agent; Cursor Cloud does not. Endpoint deployment of the Arrakis Cursor hook and egress verification: see Deployment → Cursor.
OpenAI Codex. OpenAI Enterprise plan; Admin API and Compliance API access; org SSO. Optional: managed proxy or endpoint agent. Endpoint deployment of the Arrakis wrapper, MDM payloads, and Admin API rotation: see Deployment → OpenAI Codex.
GitHub Copilot. GitHub Copilot Business or Enterprise; GitHub Audit Log API access; webhook configured at the org level; PR-check app installed on protected branches. Copilot Enterprise is required for full content-log fidelity.
Devin. Cognition team plan; vendor portal API credentials. Cloud-only — no proxy or endpoint surface.
Amazon Q Developer. AWS account; Identity Center; CloudTrail and EventBridge enabled; IAM role for Q. Optional: managed proxy or endpoint agent.
Windsurf (Codeium), Tabnine, Sourcegraph Cody. Vendor Enterprise plan; admin dashboard and audit-log export. Optional: managed proxy or endpoint agent.
Replit Agent and Bolt.new. Vendor Teams or Business plan; admin API credentials. Cloud-only ephemeral execution — no proxy or endpoint surface. Coverage is vendor-side only.
Autonomous Agents
Production agents inside business platforms. Integration is typically an admin API for configuration plus an executions or events feed for runtime telemetry. Preventive coverage relies on vendor guardrails (where exposed) and webhook-driven auto-remediation.
| Platform | Configuration | Runtime | Reasoning | Preventive |
|---|---|---|---|---|
| Salesforce Agentforce | Full — Setup Audit + Tooling API (planners, plugins, bots) | Full — Platform Events + Einstein Bot logs | Partial — Bot transcripts only | Full — Einstein Trust Layer; webhook auto-remediation |
| ServiceNow | Full — Now Platform admin | Full — Now audit + Flow Designer events | Full — table logs include payloads | Full — webhook auto-remediation |
| Make.com | Full — Admin API (scenarios, AI agents, connections) | Partial — Executions API; active expansion | Partial — Executions API; active expansion | Full — webhook auto-remediation |
| n8n | Full — Admin API (workflows, credentials) | Partial — Executions API; active expansion | Partial — Executions API; active expansion | Full — webhook auto-remediation |
| Workday | Full — REST API + audit | Full — Workday Audit | Partial | Full — webhook auto-remediation |
| Glean AI | Full — Glean Activity API | Full — search + agent activity | Full — query and response payloads | Full — access controls; webhook auto-remediation |
| Microsoft Copilot Studio | Full — Power Platform admin | Full — Power Platform audit + Dataverse events | Full — Power Platform audit (full content) | Full — Purview DLP; webhook auto-remediation |
| Microsoft Foundry Agent Service | Full — Azure AI admin | Full — Azure Monitor + Event Grid | Full — Azure Monitor (prompt and response) | Full — Azure AI Content Safety; webhook auto-remediation |
| AWS Bedrock AgentCore | Full — IAM + CloudTrail; AgentCore APIs (agents, action groups, knowledge bases, aliases) | Full — CloudTrail + EventBridge; AgentCore session events | Full — Bedrock Model Invocation Logging; AgentCore Trace API (planner steps, tool-call rationale) | Full — Bedrock Guardrails; webhook auto-remediation via EventBridge |
| Taktile (AI Agent) | Customer-specific (gated docs) | Customer-specific | Customer-specific | Customer-specific |
| Decagon | Customer-specific (sales-gated) | Customer-specific; warehouse export | Customer-specific; conversation feed | Customer-specific |
Integration requirements
Salesforce Agentforce. Connected App with OAuth client-credentials flow; API and audit-trail permissions (read); Platform Events subscription. Optional: Einstein Trust Layer policy access.
ServiceNow. Service account with read role on agent and audit tables; Flow Designer event subscription; outbound webhook configured to the Arrakis ingest endpoint.
Make.com. Organization-admin API token; Make admin API enabled; per-scenario webhook subscriptions for execution telemetry.
n8n. API key with admin scope; executions access (self-hosted, or n8n Cloud Pro+); per-workflow webhook subscription for execution telemetry.
Workday. Integration System User; REST API and Reports-as-a-Service access; Workday Audit feed subscription.
Glean AI. Workspace admin token; Glean Activity API access. Optional: webhook subscription.
Microsoft Copilot Studio. Power Platform admin role; Microsoft 365 E5 (Purview and DLP); Dataverse audit access; service principal with audit-read scope. Capacity planning: high-volume conversational tenants should size Power Platform API capacity ahead of onboarding — Dataverse event consumption is bounded by service-protection limits, and full-transcript ingestion can consume request quotas quickly on chat-heavy deployments.
Microsoft Foundry Agent Service. Azure subscription; an Entra ID service principal with Reader at subscription (or management-group) scope and Foundry User (formerly Azure AI User; role ID 53ca6127-db72-4b80-b1b0-d745d6d5456d) on each Foundry project; Azure Monitor and Event Grid configured to the Arrakis ingest. Optional: Azure AI Content Safety policy. Step-by-step setup, including the Azure Portal walkthrough, az CLI script, credential rotation, and why Cognitive Services-prefixed roles are not a substitute: see Connectors → Azure AI Foundry.
AWS Bedrock AgentCore. AWS account; IAM role with bedrock:InvokeAgent, bedrock-agent:* read, and CloudTrail read; CloudTrail enabled; Bedrock Model Invocation Logging configured (S3 or CloudWatch destination); EventBridge rule subscribing to AgentCore session events. AgentCore Trace API is opt-in per agent — enable it to capture planner reasoning steps and tool-call rationale in addition to model invocation payloads. Optional: Bedrock Guardrails configured per agent or per alias.
Taktile. Customer-authorized API key (Taktile docs are user-gated). Coverage scope confirmed per customer at onboarding.
Decagon. Customer-negotiated data feed (warehouse export to S3 or Snowflake, or webhook with NDA). Partnership or enterprise contract required.
LLM Foundation
Pure-LLM products and infrastructure powering everything above. Governance happens at the org-admin and API-key layer; preventive coverage is vendor-side (guardrails) plus API-key posture management.
| Platform | Configuration | Runtime | Reasoning | Preventive |
|---|---|---|---|---|
| ChatGPT (Enterprise API & Admin) | Full — OpenAI Admin API (org, projects, keys) | Full — Compliance API (run history) | Full — Compliance API (prompts, responses, tool args) | Full — Moderation API; key revocation |
| Gemini (Workspace API & Admin) | Full — Workspace Admin SDK | Partial — Workspace audit (metadata-heavy) | Partial — metadata-heavy; Vertex is richer than Workspace | Full — Vertex safety filters |
| NotebookLM | Partial — via Workspace audit | Partial — metadata only | Unavailable — no first-class content log | Partial — rides on Gemini |
| Amazon Bedrock | Full — CloudTrail (model config) | Full — EventBridge + CloudTrail | Full — Model Invocation Logging (full prompts and responses) | Full — Bedrock Guardrails |
Integration requirements
ChatGPT (Enterprise API and Admin). OpenAI Enterprise plan; Admin API key and Compliance API access; SSO or SCIM configured at the org level.
Gemini (Workspace API and Admin). Google Workspace Enterprise; Admin SDK access; domain-wide delegation. Recommended: Vertex AI safety filters configured for higher-fidelity coverage than Workspace audit alone.
NotebookLM. Workspace Enterprise; Admin SDK audit access. NotebookLM does not yet expose a content-log surface; coverage is metadata-only.
Amazon Bedrock. AWS account; IAM role with CloudTrail and Bedrock read; Bedrock Model Invocation Logging enabled with S3 or CloudWatch destination; EventBridge rule. Optional: Bedrock Guardrails configured per application.
Protection modes
Preventive coverage is delivered in three modes. Per-platform support depends on which modes the vendor architecture allows; the Preventive column above names the mode in use for each platform.
| Mode | Mechanism | What it enforces | Latency | Customer-side requirement |
|---|---|---|---|---|
| Inline (proxy or endpoint) | Network proxy; endpoint agent. | Pre-action block, prompt rewrite, process kill. Highest-fidelity prevention. TLS interception and classifier matching incur a measurable processing cost. | In-path — under 50 ms typical processing overhead. | Managed forward proxy + corporate CA on endpoints, or Arrakis endpoint agent deployed via MDM. Applicable to Local Assistants and IDE coding agents. |
| Vendor guardrails | Bedrock Guardrails; Azure Content Safety; OpenAI Moderation; Purview DLP; Einstein Trust Layer. | Policy enforcement by the vendor at request time, configured and synchronized by Arrakis. | In-path — vendor-enforced (tens of ms typical). | Vendor’s policy or guardrail surface enabled on the customer tenant; admin credentials with policy-write scope provided to Arrakis. |
| Webhook auto-remediation | Webhook or event stream. | Post-action response: pause agent, revoke credentials, quarantine scope, page SOC. | Under 1 s from event ingestion; subject to vendor webhook delivery SLA. | Vendor webhook subscription configured to the Arrakis ingest endpoint with HMAC signing secret; remediation credentials provisioned per platform (for example, agent-disable API). |
Latency caveats
Inline figures reflect Arrakis processing only; end-to-end latency on the user-facing path also includes the upstream LLM or API round-trip. Webhook latency is gated by vendor delivery — Salesforce Platform Events, ServiceNow audit streams, and similar high-volume tenant feeds can queue under load and exceed 1 s during incidents. SLAs are documented per platform at onboarding.
Observability Data Sources
Arrakis can also ingest telemetry from existing observability platforms, providing governance coverage without additional agent-side instrumentation:
| Platform | Integration Method | Use Case |
|---|---|---|
| Langfuse | API / Blob Storage / OTel | Governance over agents already instrumented with Langfuse |
| LangSmith | API | Ingest historical and live traces from LangSmith projects |
Integration Guides
- LangChain & LangGraph — Native callback-based integration for framework agents
- Langfuse — Observability data source integration for existing Langfuse deployments
Additional per-platform integration guides are coming in a future release.