AI Positron Assistant Enterprise Security Layers
The Oxygen XML Editor AI Positron add-on was designed with multiple security layers that help teams adopt AI in a controlled, enterprise-friendly way, from approved model connections and encrypted local data to masked sensitive content, restricted retrieval, and explicit tool approvals.
This article focuses specifically on AI Positron used with custom connections configured in the AI Service Configuration Preferences.
One of the biggest questions organizations ask before adopting AI is simple: How do we keep control?
With Oxygen XML Editor AI Positron, security is not treated as an afterthought. The assistant was designed from the start for enterprise scenarios where large language models need to work together with company-specific policies, privacy requirements, and operational safeguards.
A useful way to think about AI Positron is as a set of enclosing security layers. Each layer reduces risk in a different way: controlling which model is used, limiting what content can be accessed, masking sensitive information before it leaves your machine, and requiring explicit approval before potentially unsafe tools are executed.
The result is an AI assistant that can be productive without becoming uncontrolled. Instead of sending everything everywhere, AI Positron gives you multiple checkpoints where administrators and end users can decide what is allowed.
Security layers at a glance
- 1. Approved LLM connection
With AI Positron Enterprise licensing, you can connect the assistant to an approved and vetted LLM provider of your choice by configuring a custom connection in the Connections section of the AI Service Configuration Preferences. The custom connection approach allows you to define connections to providers such as OpenAI, MS Azure AI, Claude, AWS Bedrock, Google Gemini, and xAI Grok. Additional add-ons are also available for Vertex AI or for a custom AI service connector.
This matters because many organizations do not want users connecting to arbitrary public AI services. AI Positron lets teams standardize on approved providers and centrally define how those connections are configured.
The connection between the AI Positron Assistant and your configured LLM connector is direct: no data is passed through any proxy service or used by our organization in any way.
- 2. Encrypted locally stored data
AI Positron stores sensitive local information such as keys, tokens, chat history, favorites, and caches in a protected way. The Privacy Preferences page also includes a Delete data action that can permanently remove stored AI Positron data, including personal data and preference settings.
This gives users and administrators a practical cleanup mechanism when working with confidential projects or when resetting a workstation.
- 3. Sensitive data masking before requests are sent
The Privacy Preferences page can automatically identify and mask sensitive information in AI requests. This can include email addresses, phone numbers, IDs, and API keys. You can also define custom masking patterns for organization-specific secrets.
The masked information is automatically restored by the AI Assistant in the AI response, so users still see the correct content while the external AI service receives a safer version of the request.
- 4. Ignore selected project resources from AI processing
If certain folders or files should never be considered by the assistant, you can place an .ai-ignore file in project folders to exclude resources from AI processing. This is especially useful for confidential drafts, legal material, generated output, or internal-only assets that should remain outside the assistant's working context.
This layer is simple but powerful: not every file in a repository should be visible to AI, and exclusion rules help enforce that boundary.
- 5. Retrieval-Augmented Generation with explicit scope limits
AI Positron can use Retrieval-Augmented Generation (RAG) to search the current project for relevant content, but this behavior is configurable. In the Tools and RAG Preferences, you can enable project-based RAG, ask for confirmation before each project-based retrieval, and set a content retrieval token limit to cap how much project content may be sent to the AI engine.
You can also restrict where tools are allowed to read and write by using the Limit read/write access to setting. By default, access is restricted to the project directory and the directory of the current root map.
In other words, AI Positron does not have to search your entire machine. You can narrow its working area to the places that make sense for the current documentation project.
- 6. Controlled access to external web sites
When the assistant attempts to retrieve content from a web site, AI Positron can ask for explicit user confirmation first. The Tools and RAG Preferences include an option to Ask for confirmation before retrieving content from web sites, enabled by default.
This is an important safeguard against silent browsing. Users remain aware when external content is about to be pulled into the AI context, and they can decide whether a particular host should be trusted.
- 7. Controlled Model Context Protocol (MCP) tool access
AI Positron can be extended with tools provided through the Model Context Protocol Preferences. This is powerful, but it is also where strong controls matter most.
By default, tool calls obtained from MCP servers require user approval. The Unsafe Tool Auto-Approval Preferences page lets you review and manage which tool prefixes are always allowed.
- 8. Fine-grained approval for other unsafe tools
Some tool calls can be previewed or undone, while others cannot. AI Positron treats tools that cannot be undone or previewed as unsafe. This includes all MCP tools and tools used to run command lines.
That means the assistant does not simply decide on its own to execute potentially risky operations. Instead, the user stays in the loop and can approve a single tool call, always allow a specific tool prefix, or keep requiring confirmation.
- 9. Control Content Created by the LLM
Security is not only about protecting data. It is also about controlling what the LLM produces. With AI Positron, you can define a project context prompt and attach additional context files so every chat request and AI action is guided by your documentation standards, terminology, and company policies.
You can also create custom AI actions that do much more than generic prompting: they can use precise prompts, target only the current selection or the entire document, choose specific models, invoke tools, validate results, and even insert or replace content in controlled ways. AI Positron also supports validation against the company's custom validation rules, and terminology checking with the Oxygen Terminology Checker add-on.
For more advanced governance, you can create reusable skills that provide domain-specific workflows and best practices on demand, turning the assistant into a specialist for your documentation environment. This means you can build review actions that check style-guide compliance, detect logical inconsistencies, generate structured XML in approved patterns, or enforce organization-specific authoring rules before content is accepted. See the official documentation for AI Positron preferences, creating custom AI actions, and creating custom AI skills.
At all times, AI Positron leaves you in charge of reviewing, accepting, and incorporating changes.
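The mask-and-restore round trip described under layer 3 can be illustrated as follows. This is an added example, not AI Positron's own code: the `Masker` class, the placeholder format, and all three regular expressions are assumptions made for illustration.

```python
import re

# Constructed patterns for this example; more specific ones come first.
BUILT_IN = [
    ("API_KEY", re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"\+?\d[\d ()-]{7,}\d")),
]
PLACEHOLDER = re.compile(r"\[\[[A-Z_]+_\d+\]\]")


class Masker:
    """Swaps sensitive values for placeholders and restores them afterwards."""

    def __init__(self, custom_patterns=()):
        # Custom (organization-specific) patterns run before the built-ins.
        self.patterns = list(custom_patterns) + BUILT_IN
        self.counts = {}          # kind -> placeholders issued so far
        self.by_value = {}        # original value -> placeholder
        self.by_placeholder = {}  # placeholder -> original value

    def _placeholder(self, kind, value):
        # A repeated value keeps its placeholder, so the model can still
        # tell that two mentions refer to the same thing.
        if value not in self.by_value:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            token = f"[[{kind}_{self.counts[kind]}]]"
            self.by_value[value] = token
            self.by_placeholder[token] = value
        return self.by_value[value]

    def mask(self, text):
        """Return the text that is safe to send to the external service."""
        for kind, rx in self.patterns:
            text = rx.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def restore(self, text):
        """Put original values back into the model's response, locally."""
        # Placeholders this session never issued are left untouched.
        return PLACEHOLDER.sub(
            lambda m: self.by_placeholder.get(m.group(0), m.group(0)), text)
```

The placeholder-to-value mapping never leaves the local process, which is what lets the response be restored without the external service ever seeing the originals.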
Why this layered approach matters
No single checkbox can make AI safe for enterprise use. Real-world deployments need multiple controls working together. A trusted model connection alone is not enough if sensitive data is sent unmasked. Masking alone is not enough if tools can read arbitrary locations. Restricting file access is not enough if unsafe external tools run without approval.
AI Positron addresses this by combining provider control, data protection, scope limitation, and human approval. This layered design makes it easier to introduce AI gradually: start with a vetted connector, enable masking, restrict project access, and only then expand into RAG or MCP integrations where appropriate.
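How a read/write scope limit (layer 5) and prefix-based approval of unsafe tools (layers 7 and 8) can combine into one decision per tool call is shown below. This is an added example, not AI Positron's own code: the function names, parameters, and tool names are hypothetical, and letting undoable tools run without a prompt is an assumption.

```python
from pathlib import Path


def within_roots(target, roots):
    """True only if target resolves inside one of the allowed directories."""
    # resolve() collapses ".." and follows symlinks, so a link inside the
    # project that points elsewhere is judged by where it really leads.
    resolved = Path(target).resolve()
    for root in roots:
        root = Path(root).resolve()
        # Compare whole path components: "/work/docs-private" is not
        # inside "/work/docs" even though the strings share a prefix.
        if resolved == root or root in resolved.parents:
            return True
    return False


def gate_tool_call(tool, target, roots, undoable_tools, allowed_prefixes):
    """Return 'deny', 'allow' or 'ask' for one proposed tool call.

    All parameter names are hypothetical. target is the file the call would
    read or write, or None when the call touches no file.
    """
    if target is not None and not within_roots(target, roots):
        return "deny"   # outside the configured read/write scope
    if tool in undoable_tools:
        return "allow"  # can be previewed or undone, so not "unsafe"
    if any(tool.startswith(prefix) for prefix in allowed_prefixes):
        return "allow"  # user chose "always allow" for this prefix
    return "ask"        # unsafe tool: require explicit approval
```

The scope check runs first, so an auto-approved prefix never widens where a tool may read or write.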
Practical security advice for teams adopting AI Positron
- Start with a company-approved connector configured in the AI Service Configuration Preferences.
- Enable built-in masking and add custom patterns for organization-specific secrets in the Privacy Preferences.
- Use .aiignore files to exclude confidential folders from AI processing.
- Keep project-based RAG enabled only for the folders that should actually contribute context, and use confirmation prompts when needed.
- Be conservative with MCP integrations. Prefer read-only or narrowly scoped servers where possible, and review unsafe tool approvals regularly.
- Share project-level preferences when you want a team to follow the same guardrails.
Learn more
If you want to explore the official documentation behind these controls, start with these pages:
