Detection Layers (L1/L2/L3)
GOVERN uses a three-layer detection architecture. Each layer adds depth to governance coverage. Together they provide comprehensive visibility from the infrastructure level to the individual inference level.
Layer 1 (L1): Infrastructure
L1 detection operates at the network and infrastructure level. It does not inspect inference content — it detects the presence of AI activity.
- Network traffic analysis (DNS, TLS SNI, IP ranges)
- Container image scanning for AI libraries and model files
- Cloud API call logs (AWS Bedrock, Azure OpenAI, GCP Vertex)
- Software inventory scanning
L1 is the foundation of shadow AI detection. It catches AI usage that was never registered.
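The DNS part of L1 detection, as an added example (not GOVERN's own code): it scans resolver logs for the hostname patterns of the three cloud AI services listed above and reports clients that are not in a registry of approved systems. The log format, the `REGISTERED_CLIENTS` set and the sample lines are constructed assumptions.

```python
import re

# Assumption: public endpoint hostname patterns for the providers named above.
AI_ENDPOINTS = {
    "AWS Bedrock": re.compile(r"^bedrock(-runtime|-agent|-agent-runtime)?\.[a-z0-9-]+\.amazonaws\.com$"),
    "Azure OpenAI": re.compile(r"^[a-z0-9-]+\.openai\.azure\.com$"),
    "GCP Vertex": re.compile(r"^([a-z0-9-]+-)?aiplatform\.googleapis\.com$"),
}

REGISTERED_CLIENTS = {"10.0.5.20"}  # hypothetical registry of approved AI workloads

# Constructed resolver log: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2024-05-01T09:00:01Z 10.0.5.20 bedrock-runtime.us-east-1.amazonaws.com. A
2024-05-01T09:00:07Z 10.0.8.44 contoso-dev.openai.azure.com. A
2024-05-01T09:01:12Z 10.0.8.44 www.example.com. A
2024-05-01T09:02:30Z 10.0.9.13 US-CENTRAL1-aiplatform.googleapis.com. AAAA
2024-05-01T09:02:31Z 10.0.9.13 s3.us-east-1.amazonaws.com. A
malformed line
2024-05-01T09:03:00Z 10.0.8.44 contoso-dev.openai.azure.com. A
"""

def classify(qname):
    """Return the provider name for an AI endpoint hostname, else None."""
    host = qname.rstrip(".").lower()  # DNS names are case-insensitive, may end in "."
    for provider, pattern in AI_ENDPOINTS.items():
        if pattern.match(host):
            return provider
    return None

def find_unregistered_ai(log_text, registered=REGISTERED_CLIENTS):
    """Map (client, provider) -> first_seen/count for clients outside the registry."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, qname, _qtype = fields
        provider = classify(qname)
        if provider is None or client in registered:
            continue
        entry = findings.setdefault((client, provider), {"first_seen": ts, "count": 0})
        entry["count"] += 1
    return findings

if __name__ == "__main__":
    for (client, provider), info in find_unregistered_ai(SAMPLE_DNS_LOG).items():
        print(client, provider, info["first_seen"], info["count"])
```

A DNS match only shows that a client resolved an AI endpoint; correlating it with TLS SNI or cloud API call logs, the other L1 sources listed above, confirms actual use.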
Layer 2 (L2): Assessment
L2 detection operates on individual inferences passing through GOVERN. It applies policy scorers to the prompt and response.
- Content safety scoring
- PII and data leakage detection
- Prompt injection detection
- Toxicity and harmful content scoring
- Factual consistency and hallucination signals
L2 is the primary governance layer for registered, monitored systems.
Layer 3 (L3): Behavioral
L3 detection operates on aggregated patterns over time. It detects issues that are invisible at the single-inference level.
- Drift detection (distribution shift from baseline)
- Anomalous usage patterns (unusual volume, timing, user behavior)
- Cross-session correlation (coordinated abuse patterns)
- Long-term fairness analysis (disparate impact over populations)
L3 catches systemic issues that L1 and L2 miss because they manifest only over time.