What Proxara sees and governs when a firm runs models on its own machines: the device inventory of local runtimes and models, their two licenses, security posture, and the controls the compliance officer sets.
Updated July 2026
A firm that runs models on its own machines (Ollama, LM Studio, llama.cpp, and the rest) has real AI activity that never touches a hosted provider. Proxara covers those runtimes from the same device agent. The shape is different from the hosted case, and clearer to name first: this surface is an inventory and a set of controls, not redaction. The agent records which local runtimes and models are present, resolves their licenses and security posture, and lets the compliance officer govern them. A prompt an employee sends to a local model stays on the machine, and the agent does not open or redact it.
The device agent runs a quiet background inventory on macOS and Windows. Nothing is self-reported: each runtime is read from the machine itself, and confirmed from several independent signals rather than any one.
The runtimes it recognizes are the common ones: Ollama, LM Studio, llama.cpp, Jan, GPT4All, vLLM, KoboldCpp, LocalAI, llamafile, AnythingLLM, Msty, and Text Generation WebUI.
Every signal is a background read, and the snapshot that leaves the machine is content-free by construction: identifiers and posture, never prompt text and never weight bytes. The local API request reads the model list and the version. For a model in the GGUF format, the agent reads a small header prefix (the model name, architecture, quantization, and any license the file declares) without touching the multi-gigabyte weights that follow.
The inventory is signed on the device and sent to the firm's control plane only when it changes, so a steady fleet never re-reports the same picture.
For every entry the server resolves two independent licenses, because they answer different questions.
Licenses are never guessed toward permissive. An identifier Proxara does not recognize resolves to unknown, not to open, because a false "permissive" is the dangerous direction. Each license carries a class (permissive, GPL copyleft, AGPL network copyleft, restricted open, non-commercial, proprietary, or unknown) and a confidence. Where the class supports the EU AI Act open-source exemption, that is noted too.
Alongside the licenses, each runtime carries a plain-language posture.
Posture always reflects the installs present now. When a device stops running a runtime, its row is kept as evidence and marked no longer observed rather than deleted, so a stale exposure or CVE never outlives the install that carried it.
Governance runs from the console, over a runtime, a specific model, or a whole license class. There are four controls, in increasing force.
| Control | What it does |
|---|---|
| Watch | Keeps the runtime or model on the record, with no other effect |
| Alert | Notifies the firm's channels the first time a matching runtime or model appears, then stays quiet |
| Block downloads | A request to that runtime's dedicated download host returns a clean refusal |
| Stop | Shuts down a matching runtime that is running |
Blocking downloads happens at the network layer, and only the runtime's own dedicated download and installer hosts are touched. Shared hosts such as Hugging Face and GitHub are deliberately never host-blocked, because a firm does legitimate work there; those runtimes are governed by the other controls instead. Stopping a running runtime is the one deliberately visible action, and it only ever targets a runtime confirmed by its executable, never a port-only guess.
A ban on a license class reaches both sides. The agent enforces a software-class ban on the engine itself, and the server expands a weights-class ban into the specific models it matches, since the device cannot resolve a weights license on its own. Every one of these decisions is written to the signed audit log.
The console lists every local runtime the fleet is running, or that the compliance officer has already decided on, with both licenses, the posture, how many devices and owners it reaches, and the governance in force. Above the list sit a few prompts to look at, drawn from the same inventory: a runtime reachable from the network, a copyleft or non-commercial license with no recorded position yet, and a runtime that is spreading to more devices. None of it is a verdict. The firm sees the license class and the evidence, and decides.
This is an inventory-and-governance surface, and two boundaries are worth stating exactly.
A prompt sent to a model running on the employee's own machine stays on that machine. The agent does not open, read, or redact local inference, and the loopback conversation is never intercepted. What Proxara governs here is the runtimes and models themselves, not what is typed into them. A model server the firm runs centrally is inventoried on the machine where the agent is installed; traffic to it from other machines follows the same rule the device proxy applies everywhere, and is opened only when it carries positive evidence of AI.
Detection reaches runtimes that are listening, installed in a known location, or holding models in a known location. A runtime that fits none of those signals, or one the recognized set does not yet include, is not inventoried. The inventory does not run in the sandbox app.