Browser extension↑
The AQtive Guard (AQG) browser extension provides runtime guardrail protection for browser-based LLM interactions. It intercepts conversations with web-based AI services and routes them through the AI Gateway, where your organization’s guardrail policies are applied to both user inputs and AI responses.
How it works↑
The browser extension intercepts messages exchanged between users and LLM web applications directly in the browser. Each message is sent to the AI Gateway for evaluation against your configured guardrail policies. Depending on the policy outcome, messages may be allowed, blocked, or have sensitive content redacted before submission.
Using the browser extension, guardrails are applied to the outbound prompts (user role), but not to the model outputs (or assistant role).
All guardrail activity is reported back to AQG, giving your security team visibility into how AI services are being used across the organization.
Supported browsers↑
- Google Chrome
- Microsoft Edge
- Other Chromium-based browsers
Firefox and Safari are not currently supported.
Supported AI services↑
The browser extension monitors interactions with popular web-based LLM services, including:
- ChatGPT
- Google Gemini
Enterprise deployment↑
The browser extension is designed for enterprise-wide rollout using MDM (Mobile Device Management) tools. Deployment involves three steps:
- Host the extension files.
- Force-install the extension.
- Configure the gateway URL via managed policy.
Host the extension files↑
Make the extension package available on an internal server with a trusted TLS certificate:
aqtiveguard-extension.crx: the signed extension packageupdate.xml: the update manifest that points to the.crxfile
An example update.xml is:
<?xml version="1.0" encoding="UTF-8"?>
<gupdate xmlns="http://www.google.com/update2/response" protocol="2.0">
<app appid="<extension-id>">
<updatecheck codebase="https://internal-server.yourorg.com/extensions/aqtiveguard-extension.crx"
version="1.0.0" />
</app>
</gupdate>
Note
The server hosting the extension files must use a TLS certificate trusted by the managed devices.
Force-install the extension↑
Use your MDM tool to create a configuration profile that force-installs the extension on managed devices.
Jamf Pro (Chrome):
Create a configuration profile with the following settings:
- Preference domain:
com.google.Chrome - Property:
ExtensionInstallForcelist
{
"ExtensionInstallForcelist": [
"<extension-id>;https://internal-server.yourorg.com/extensions/update.xml"
]
}
Jamf Pro (Edge):
Use the same approach with the Edge preference domain:
- Preference domain:
com.microsoft.Edge - Property:
ExtensionInstallForcelist
{
"ExtensionInstallForcelist": [
"<extension-id>;https://internal-server.yourorg.com/extensions/update.xml"
]
}
Configure the gateway URL↑
Lock the AI Gateway endpoint (apiUrl) so users cannot change it. Create a second configuration profile in your MDM tool:
- Preference domain:
com.google.Chrome.extensions.<extension-id>
For Edge, use com.microsoft.Edge.extensions.<extension-id> as the preference domain.
Important
When the gateway URL is set via MDM policy, users do not need to configure the extension manually. The extension connects to the AI Gateway automatically when it’s installed.
Use↑
When the extension is active:
- A shield icon in the browser toolbar indicates the extension is monitoring AI interactions.
- If a message is blocked, you will see a notification explaining that the message violated a guardrail policy.
- If content is redacted, sensitive information is masked before the message is sent to the AI service.
- All interactions are logged and visible in the AQG AI-SPM dashboard for your security team to review.
Important
The browser extension applies the guardrail policies configured in your AQG instance. To customize which guardrails are active, refer to AI guardrail policies.