Teams hand Claude Code to their developers. The agent reads files, calls tools, runs commands, and touches systems across the org. It executes, and it does not push back. Sentinel installs as a native Claude Code hook and checks every tool call in process, before it runs, deterministically, with no model in the enforcement path.
The question is no longer who has access. It is whether this actor should be allowed to do this, here, now.
On-prem. Bring your own keys. Zero external model calls in the enforcement path. The thing protecting the agent does not inherit the prompt injection surface of the agent it watches.
Endpoint watches processes. Network watches traffic. Both are blind to which file an agent read and whether it matched the task it was given. Sentinel runs where the action happens, in process, at the tool-call boundary.
You do not write rules from scratch. init writes a starter policy with a default floor already in place; you tune it, and Sentinel recommends tightening from the actions your developers approve and deny.
Accuracy notes · Claude Code is the only live adapter. Cross-vendor correlation is the next build, not a present claim. Figures reflect the present shipped state and move as the product ships.