AI Governance
Prompt Guard: Stop Secrets Leaking into ChatGPT & Claude — and Prove It for ISO 42001
July 1, 2026 · 7 min read
Your team pastes API keys and source code into AI chatbots every day. Here’s an open-source, local-first way to stop it — and to turn each blocked leak into audit evidence.
In 2023 Samsung banned ChatGPT after engineers pasted source code into it. The behaviour did not stop — it spread. Today roughly a third of the data employees put into AI tools is sensitive, and source code is the single most-leaked category. Every prompt typed into ChatGPT, Claude or Gemini crosses your corporate boundary into a model you do not control, and once it lands there you cannot take it back.
The blind spot in every AI rollout
Most data-loss tooling was built for files and email, not prompts. The few “AI DLP” products that exist are network proxies or SaaS the prompt has to travel to in order to be inspected — and certificate pinning in modern apps quietly defeats them. Meanwhile a large share of real usage happens on personal devices and in browser tabs that never touch the corporate network at all. The result: a governance gap precisely where the most sensitive data is moving.
Prompt Guard: local-first prompt hygiene
Prompt Guard takes a different approach. It scans the prompt on your own machine, detects secrets, API keys and PII, and swaps each one for a stable placeholder such as «PG:AWS_ACCESS_KEY_ID:1» before the request is ever sent. The redaction is reversible: the model reasons over the placeholder and its answer is re-hydrated locally, so you still get a useful response while the real secret never leaves the laptop. Nothing is sent anywhere to perform the scan itself.
It meets developers where they already work, across the surfaces where pasted secrets actually leak:
- A one-line terminal wrapper — put promptguard wrap -- in front of claude, llm or ollama and keep typing as normal.
- A block-on-secret hook for interactive Claude Code: if a typed prompt contains a secret it is blocked before it reaches the model (fail-closed), and the prevented egress is logged.
- A browser extension that redacts pastes into ChatGPT, Claude and Gemini on the web.
Open source, by design
Prompt Guard is MIT licensed and developed in the open as part of CATAAM’s open-source security toolkit. That is a deliberate choice. Detection rules are the heart of the tool, and the highest-leverage way for the community to help is to add one — every rule is plain JSON in an inspectable rule pack, so contributing a new secret format or a piece of regional PII needs no code change. Security tooling that decides what counts as a secret should be auditable by the people who depend on it, not a black box.
“The prompt is scanned on your laptop, the rules are open, and the secret never leaves the machine. That is the whole point.”
From redaction to ISO 42001 evidence
Here is where Prompt Guard becomes more than a redactor. Every redaction — and every blocked prompt — is recorded as an immutable control event carrying only non-sensitive previews, never the raw secret, mapped to ISO 42001, the NIST AI RMF and EU AI Act Article 12. Push those events into the ISO 42001 AI Management System in CATAAM and they latch as evidence for the “AI prompt/data egress to public LLMs is controlled” control. The continuous-monitoring tile flips to PASS automatically.
That closes a loop most AI-governance programs leave open. Auditors increasingly ask not just whether you have a policy about employees and public AI, but whether you can show it is enforced. A blocked leak with a timestamp, a category and a control mapping is exactly that proof — generated as a by-product of people simply doing their work.
Why this matters for AI governance
The EU AI Act’s Article 12 expects record-keeping; the NIST AI RMF asks you to measure and manage data-leakage risk; ISO 42001 Annex A covers responsible use and event logging. Prompt Guard turns all three from a written assertion into living, queryable evidence. If you are standing up an AI Management System, it is a concrete first control you can put in force this week — see how the ISO 42001 platform ties it together.
Keep your secrets out of the models
Explore Prompt Guard →Frequently asked questions
- What is Prompt Guard?
- Prompt Guard is a free, open-source tool from CATAAM that detects and redacts secrets, API keys and PII from a prompt before it leaves your machine, so they never reach public LLMs like ChatGPT, Claude or Gemini. Redaction is reversible, and every prevented leak is recorded as auditor-ready AI-governance evidence.
- How does Prompt Guard help with ISO 42001?
- Each redaction or blocked prompt becomes an immutable control event mapped to ISO 42001, NIST AI RMF and EU AI Act Article 12. Pushed into CATAAM, the events latch as evidence for the “AI prompt/data egress to public LLMs is controlled” control, and the continuous-monitoring tile turns to PASS.
- Is Prompt Guard really open source?
- Yes. It is MIT licensed and developed in the open at github.com/cataam-security/cataam, with no runtime dependencies in the core. Detection rules are plain JSON, so contributing a new secret pattern needs no code change.
- Does the evidence contain the raw secret?
- No. Evidence records carry only non-sensitive previews such as “AKI…LE (20 chars)”, the detection category, severity and the mapped controls — never the raw value. The reversible mapping is kept locally and never transmitted.