Multi-tenant AI verification. Sectum AI provisions synthetic tenants on an AI stack, seeds them with cryptographic canary markers, runs benign and adversarial probes from each tenant's session, and detects cross-tenant data leakage across every surface — producing tamper-evident, control-mapped evidence that an auditor accepts.
Sectum AI is multi-tenant AI verification. It is not a runtime guardrail, not a GRC platform, and not a generalist LLM red-team framework. See the positioning and comparisons below.
v0.1.0 tagged; release in flight. The OSS core is feature-complete for the v1 catalog (Attack Classes 1–11 plus the Class 12 evidence chain) and ships as a five-package uv workspace under the Apache-2.0 licence. PyPI publication is in flight via a Sigstore-signed Trusted Publisher pipeline; until that completes, install from source per the flagship quickstart.
- sectum-ai/sectum-ai — the flagship open-source core (Apache-2.0): marker substrate, attack catalog (Classes 1–11), adapter SDK, evidence chain, and the independent sectum verify CLI.
- sectum-ai/awesome-multi-tenant-ai-security — a curated list of research, tools, standards, and advisories on multi-tenant AI security.
- sectum-ai/.github — this organisation profile.
- Website: sectum.ai
- Docs: sectum.ai/docs/
- Flagship README: sectum-ai/sectum-ai
- Quickstart: sectum.ai/docs/quickstart
- Attack catalog (12 classes): sectum.ai/docs/attack-catalog
- Sample evidence packs:
| | Open Sectum | Sectum Cloud |
|---|---|---|
| License | Apache-2.0 | Commercial |
| Marker substrate, attack catalog, adapters | yes | yes |
| Evidence chain + independent sectum verify | yes | yes |
| sectum CLI (init / seed / probe / report / verify / erasure / baseline / adapters) | yes | yes |
| Continuous scheduled runs against a customer stack | — | yes |
| Attestation hosting and managed audit-pack delivery | — | yes |
| Dashboard, alerting, and regression baselines across runs | — | yes |
| Auditor / DPO channel: pre-curated evidence packages | — | yes |
Both share the same evidence format. An evidence pack produced by Sectum Cloud verifies under the open-source sectum verify — there is no proprietary verification path.
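The canary-and-evidence-chain approach described at the top of this page and in the evidence-format paragraph above, as an added illustrative example that is not Sectum's own code: HMAC-derived per-tenant canaries are seeded into a constructed document store, a probe from each tenant's session is scanned for foreign canaries, and each finding is appended to a SHA-256 hash chain that an independent verifier can recheck. The function names, the SECTUM-CANARY- prefix, the two retriever stubs and the sample tenants are assumptions for the illustration.

```python
import hashlib
import hmac
import json

ZERO = "0" * 64  # genesis link for the evidence chain

def make_marker(secret: bytes, run_id: str, tenant: str) -> str:
    """Per-tenant canary: HMAC-bound to run and tenant, so it is unguessable and attributable."""
    tag = hmac.new(secret, f"{run_id}:{tenant}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"SECTUM-CANARY-{tag}"  # assumed prefix, not Sectum's real format

def find_leaks(tenant: str, response: str, markers: dict) -> list:
    """Owners of any foreign canary that surfaced in this tenant's session output."""
    return sorted(o for o, m in markers.items() if o != tenant and m in response)

def append_evidence(chain: list, record: dict) -> None:
    """Hash-chain each probe result to the previous entry so later edits are detectable."""
    prev = chain[-1]["hash"] if chain else ZERO
    body = json.dumps(record, sort_keys=True)
    chain.append({"prev": prev, "record": record,
                  "hash": hashlib.sha256((prev + body).encode()).hexdigest()})

def verify_chain(chain: list) -> bool:
    """Independent verifier: every hash recomputes from its record and links to its predecessor."""
    prev = ZERO
    for e in chain:
        body = json.dumps(e["record"], sort_keys=True)
        if e["prev"] != prev or e["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
            return False
        prev = e["hash"]
    return True

def leaky_retrieve(store: dict, tenant: str, query: str) -> str:
    """Constructed faulty retriever: drops the tenant filter, the kind of bug a probe should catch."""
    return " ".join(d for docs in store.values() for d in docs if query in d)

def scoped_retrieve(store: dict, tenant: str, query: str) -> str:
    """Constructed correct retriever: only this tenant's documents are searched."""
    return " ".join(d for d in store.get(tenant, []) if query in d)

def run_probe(secret: bytes, run_id: str, tenants: list, retrieve) -> tuple:
    """Seed each synthetic tenant with its canary, probe from each session, record evidence."""
    markers = {t: make_marker(secret, run_id, t) for t in tenants}
    store = {t: [f"Internal note for {t}: ref {markers[t]}"] for t in tenants}  # constructed data
    chain, findings = [], {}
    for t in tenants:
        findings[t] = find_leaks(t, retrieve(store, t, "Internal note"), markers)
        append_evidence(chain, {"run": run_id, "tenant": t, "leaked_from": findings[t]})
    return findings, chain
```

Running run_probe with leaky_retrieve reports each tenant's canary surfacing in the other tenant's session, while scoped_retrieve reports none; editing any recorded finding afterwards makes verify_chain fail.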
Sectum AI verifies and attests; it does not remediate findings or provide runtime protection. In particular, Sectum AI is not:
- A runtime guardrail or AI firewall (Lakera, NeMo Guardrails, Cisco AI Defense, Protect AI sit in front of inference; Sectum tests across surfaces and produces evidence after the fact).
- A GRC platform (Vanta, Drata automate the controls layer; Sectum produces the evidence those controls can point to for the AI tenant-isolation testing they don't perform).
- A generalist LLM red-team framework (DeepTeam, garak, PyRIT, promptfoo, Rebuff cover broad single-prompt categories; Sectum is narrow and deep on the tenant boundary across surfaces).
- A privacy / DSR workflow (Securiti coordinates erasure requests; Sectum proves erasure actually happened across the AI surfaces that DSR tools don't reach into).
The 12 products buyers most often evaluate alongside Sectum AI, grouped by the layer they actually operate on.
- Sectum AI vs Lakera
- Sectum AI vs NeMo Guardrails
- Sectum AI vs Cisco AI Defense
- Sectum AI vs Protect AI
The work motivating this category:
- OWASP LLM08:2025 — Vector and Embedding Weaknesses. Names multi-tenant context leakage a top-10 LLM risk. https://genai.owasp.org/llmrisk/llm082025-vector-and-embedding-weaknesses/
- Retrieval Pivot Attacks in Hybrid RAG (arXiv, Feb 2026). 334/350 benign queries (95.4%) triggered cross-tenant leakage via shared organic entities; stronger embedding models leak more. Basis of the flagship Class 2 probe.
- Silent Leaks: Implicit Knowledge Extraction Attack on RAG Systems through Benign Queries (arXiv 2505.15420). 91% extraction efficiency, 96% attack success via benign queries; no prompt injection required. https://arxiv.org/abs/2505.15420
- Asana MCP cross-tenant flaw (Coalition for Secure AI, May 2025). ~1,000 enterprises affected by an MCP token-passthrough root cause; motivation for the Class 7 MCP probes.
Open Sectum is Apache-2.0. See LICENSE in the flagship repo.
Security issues: please follow the coordinated-disclosure process in SECURITY.md. Email security@sectum.ai; do not file a public issue for a suspected vulnerability.