The enterprise software stack is undergoing a quiet but fundamental reshaping. Security teams that once focused on endpoints, cloud workloads, and identity systems are now confronting an additional layer of infrastructure: generative AI platforms that actively participate in business workflows.
This shift is not theoretical. AI systems are already analyzing internal documents, writing production code, and connecting to sensitive business applications. As adoption scales, so does the complexity of understanding what these systems are actually doing inside an organization.
In response to this emerging challenge, Daylight has announced an expansion of its managed detection and response (MDR) service to support Claude Enterprise from Anthropic. The integration aims to give security teams a structured way to detect, investigate, and respond to threats originating from AI-native activity.
From Visibility To Interpretation: The Missing Layer In AI Security
Most enterprise AI platforms are now offering expanded logging capabilities, reflecting a growing recognition that visibility is a prerequisite for security. Claude Enterprise, for example, exposes audit logs covering usage across Claude chat, Claude Code, and collaborative AI interactions.
However, security practitioners increasingly argue that visibility alone does not solve the problem.
Raw telemetry does not answer critical operational questions: Is a particular AI interaction benign or malicious? Was a new integration expected or introduced without approval? Does a prompt indicate normal usage or an attempted exploit? And perhaps most importantly, how does AI activity connect to the broader organizational context?
Daylight’s MDR expansion is designed to address precisely this gap by converting AI telemetry into structured detection and response workflows.
Detecting AI-Native Risk Patterns
With the integration, Daylight ingests Claude Enterprise activity data through the platform’s Compliance API and builds a detection layer specifically tuned for AI-native threats.
Rather than relying on conventional security indicators, the system looks for patterns unique to AI environments. These include unauthorized or suspicious MCP integrations, risky Skills or plugin usage, prompt injection attempts, anomalous file access behavior, and unusual sequences of AI-driven actions that may indicate misuse or compromise.
What differentiates this approach is its emphasis on correlation. Instead of evaluating AI activity in isolation, Daylight connects Claude events with identity systems, SaaS applications, endpoint signals, cloud infrastructure activity, and business context.
This allows investigations to move beyond “what happened” toward “why it happened” and “what impact it had.”
“AI adoption is moving faster than traditional security monitoring was designed to support,” said Hagai Shapira, co-founder and CEO of Daylight. “Claude Enterprise gives organizations important visibility. Daylight’s MDR service turns that visibility into detection and response.”
Miro’s Early Experience Highlights Operational Reality
One of the early adopters of the capability is Miro, which has been incorporating Claude Enterprise into its AI-enabled collaboration environment.
For organizations like Miro, the challenge is not whether AI should be used, but how to integrate it safely into existing security frameworks without slowing innovation.
As Claude Enterprise rolled out internally, Miro’s security team focused on ensuring that AI activity could be monitored in real time and incorporated into established MDR workflows. A particular area of attention was the introduction of MCPs, which can extend AI functionality but also introduce potential risk if not properly governed.
Daylight’s integration provided a mechanism to surface these changes and contextualize them within broader security operations.
“As we adopted Claude Enterprise, we wanted to make sure AI usage didn’t become a new blind spot for our security team,” said Mark Strande. “Daylight helped us bring Claude activity into our MDR workflow, giving us visibility into AI-native risks and the context to investigate them.”
The experience reflects a growing reality across enterprises: AI adoption is moving faster than governance frameworks are being defined.
Security Teams Are Being Forced To Redefine Scope
Traditionally, MDR services have been built around relatively well-understood domains such as endpoint detection, cloud security monitoring, and identity threat analysis. AI systems introduce a fundamentally different challenge because they operate both as tools and as autonomous decision-making systems.
This dual role means AI activity can resemble normal user behavior while simultaneously performing complex automated actions that may have security implications.
Industry analysts expect this to drive a significant evolution in MDR platforms, with AI monitoring becoming a standard layer of enterprise security stacks.
Daylight’s expansion into Claude Enterprise suggests that vendors are beginning to treat AI systems not as applications to be secured indirectly, but as environments requiring dedicated detection logic.
Toward A Standardized Model For AI Observability
Looking ahead, Daylight expects that AI observability will become a baseline requirement across enterprise platforms. As systems like Claude, ChatGPT, and Gemini expand their enterprise offerings, similar audit and telemetry frameworks are expected to emerge.
At the same time, advancements in OpenTelemetry and related standards may make it easier to unify AI activity data across platforms, enabling more consistent security monitoring.
Daylight plans to extend its detection capabilities beyond Claude Enterprise as additional AI systems expose richer operational data, including prompts, tool calls, Skills usage, and agent-based workflows.
The broader implication is that enterprise security is entering a new phase—one in which AI systems are no longer just users of infrastructure, but active participants that must themselves be monitored, analyzed, and governed within the security perimeter.
