Identity Enforcement & Multi-Account Handling
Users often access AI services using multiple identities (e.g., personal Gmail accounts, anonymous sessions, or shared accounts).
To ensure proper attribution and control, administrators can configure the AI Firewall to require authentication (True/False) in the account settings.
When set to True, the Prompt guardian displays a yellow warning line with text taken from the settings.
Default: “You need to authenticate by company policy to allow proper governance of using AI. Please click here”
Authentication is enforced using the corporate identity provider, ensuring users sign in with their company domain account.
🧠 Identity Correlation
Once authenticated:
The user’s primary (work) identity is stored:
In a browser cookie (web usage)
In the extension local storage (extension usage)
Every request sent through the AI Firewall includes:
✅ Primary identity (e.g., bob@agatsoftware.com)
➕ Service identity in use (e.g., anonymous, bob@gmail.com) (AIServiceUser)
📊 Auditing & Visibility
All activity is audited under the primary (work) identity
Each event also includes the associated service identity for full context
👁️ Admin Visibility
In the Users view, administrators can:
See all service identities mapped to each corporate user
In Audit & Search:
Search and filter by:
Primary (work) identity
Service identity
The primary user is saved in the “created by” field. In addition, there is a separate field for the AI service user identity.
When there is no authenticated primary user, the core API sets the “AI service user identity” as both the primary identity and the AI service identity, and that identity is set as a member of the company domain.
For example, bob@gmail.com will be saved in the “created by” (primary) field and is part of the company's domain.
When the user does not sign in to the AI service (anonymous), the value anonymous@[companydomain].com is saved in both fields.
To identify users who have not signed in to the system, the report searches for Primary users who are either outside the company domain or anonymous.
Filter name: Authenticated users (yes/no/all).
Tooltip: Show users who have not signed in to the system.
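The rule above for spotting unauthenticated users, applied to exported audit records, as an added example that is not the product's own code. The field names created_by and ai_service_user, the sample events and the helper functions are assumptions made for illustration; the company domain is taken from the example identity earlier on this page.

```python
from collections import defaultdict

COMPANY_DOMAIN = "agatsoftware.com"  # from the page's example identity

# Constructed sample audit events; field names are assumptions.
EVENTS = [
    {"created_by": "bob@agatsoftware.com", "ai_service_user": "bob@gmail.com"},
    {"created_by": "bob@agatsoftware.com", "ai_service_user": "anonymous"},
    {"created_by": "bob@gmail.com", "ai_service_user": "bob@gmail.com"},
    {"created_by": "anonymous@agatsoftware.com",
     "ai_service_user": "anonymous@agatsoftware.com"},
    # Look-alike domain: must not pass a suffix or substring comparison.
    {"created_by": "eve@agatsoftware.com.example",
     "ai_service_user": "eve@agatsoftware.com.example"},
]

def is_authenticated(primary, company_domain=COMPANY_DOMAIN):
    """True only for a non-anonymous primary identity in the company domain."""
    local, sep, domain = primary.strip().lower().rpartition("@")
    if not sep or not local:
        return False  # malformed or bare value such as "anonymous"
    if domain != company_domain.lower():
        return False  # exact domain match only
    return local != "anonymous"

def filter_events(events, authenticated="all"):
    """Mimic the 'Authenticated users (yes/no/all)' filter."""
    if authenticated == "all":
        return list(events)
    want = authenticated == "yes"
    return [e for e in events if is_authenticated(e["created_by"]) == want]

def service_identities_by_user(events):
    """Map each authenticated primary identity to its service identities."""
    mapping = defaultdict(set)
    for e in filter_events(events, "yes"):
        mapping[e["created_by"].lower()].add(e["ai_service_user"].lower())
    return {user: sorted(ids) for user, ids in mapping.items()}

if __name__ == "__main__":
    for e in filter_events(EVENTS, "no"):
        print("unauthenticated:", e["created_by"])
    print(service_identities_by_user(EVENTS))
```

Comparing the domain exactly, after lower-casing, keeps look-alike domains and mixed-case addresses from being counted as authenticated.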