Enterprise security teams are increasingly being asked to monitor systems that didn’t exist in their original threat models. As generative AI becomes embedded across engineering, operations, and knowledge workflows, organizations are now dealing with security signals generated not only by users and infrastructure, but by AI systems themselves.
That shift is now becoming more operational. Daylight announced that its Managed Detection and Response (MDR) service now integrates with Claude Enterprise, bringing detection and response capabilities to AI-native activity inside one of the fastest-growing enterprise AI platforms. The move is designed to help security teams interpret and act on AI-generated behavior rather than simply observe it.
AI adoption is outpacing traditional security visibility
Tools like Claude Enterprise are being used across organizations for tasks that span document analysis, code generation, workflow automation, and data summarization. As usage expands, so does the complexity of tracking how AI is interacting with enterprise data and systems.
Claude Enterprise has started to address this challenge by providing customers with richer audit logs, including visibility into Claude chat, Claude co-work, and Claude Code activity. These logs offer a foundation for understanding usage patterns, but they do not inherently provide security context.
Security teams still face a fundamental gap: determining whether specific AI actions are expected, risky, or malicious requires correlating AI activity with identity data, endpoint behavior, SaaS activity, and cloud infrastructure signals.
Turning AI logs into actionable security intelligence
Daylight’s MDR integration is designed to bridge that gap. By building detection logic on top of Claude Enterprise audit logs, the platform identifies behaviors that may indicate emerging AI-native threats.
These include unauthorized or newly introduced MCPs, risky Skills and plugins, prompt injection attempts, unusual file access patterns, and anomalous AI-driven behavior that deviates from expected usage.
When potential risks are identified, they are automatically routed into Daylight’s MDR workflow. From there, security analysts investigate incidents by correlating AI activity with broader enterprise context, linking actions to specific users, systems, and data flows to determine scope and impact.
The goal is not only to flag suspicious behavior, but to provide enough context for teams to decide whether intervention is required.
“Security needs to understand AI behavior, not just log it”
“AI adoption is moving faster than traditional security monitoring was designed to support,” said Hagai Shapira, co-founder and CEO of Daylight. “Claude Enterprise gives organizations important visibility. Daylight’s MDR service turns that visibility into detection and response.”
The company’s positioning reflects a broader industry shift toward treating AI activity as a first-class security domain, rather than an extension of existing application logs.
Miro integrates AI activity directly into MDR workflows
Early enterprise adoption is already underway. Miro, which uses Claude Enterprise to support internal collaboration and innovation workflows, has incorporated the Daylight integration into its security operations strategy.
As Miro rolled out Claude Enterprise more broadly across teams, its security organization focused on ensuring that increased AI usage did not create blind spots in monitoring and investigation processes.
“As we adopted Claude Enterprise, we wanted to make sure AI usage didn’t become a new blind spot for our security team,” said Mark Strande, CISO of Miro. “Daylight helped us bring Claude activity into our MDR workflow, giving us visibility into AI-native risks and the context to investigate them.”
One of the key use cases includes tracking newly introduced MCPs and evaluating whether they introduce risk based on their behavior and system interactions.
AI security shifts from visibility to response
The integration highlights a broader evolution in how enterprises are approaching AI security. Early efforts focused on gaining visibility into usage. The next phase is about operationalizing that visibility, turning raw telemetry into structured detection, investigation, and response workflows.
Daylight’s approach reflects that shift by embedding AI activity directly into MDR operations, rather than treating it as a separate analytics layer.
The integration is currently available through Claude Enterprise’s Compliance API, which exposes structured activity data for security use cases.
Toward standardized AI telemetry across platforms
As AI systems mature, the scope of observable activity is expected to expand significantly. Daylight anticipates that platforms will increasingly expose richer telemetry, potentially including prompts, tool calls, Skills usage, and autonomous agent workflows, through standards such as OpenTelemetry and similar frameworks.
The company expects this model of auditability to extend beyond Claude Enterprise over time, including other major AI platforms such as ChatGPT and Gemini, as organizations push for consistent security controls across their AI environments.
For security teams, the direction is clear: AI systems are becoming operational infrastructure, and their activity will need to be monitored, investigated, and responded to with the same rigor as any other critical enterprise system.
