Choose your path
Answer 5 questions. Get one recommendation. Takes 30 seconds.
Question 1: What do you want to govern?
- Developer AI tools
- An AI app I'm building
- Existing AI app (no code changes)
- Chat UI pastes (claude.ai, ChatGPT)
- Discover where AI is being used
- Let Claude manage my policies
Recommendation: Coding hooks.
Install a hook into Claude Code, Cursor, Codex CLI, or Gemini CLI. Every tool call (Bash, Read, Write, etc.) is checked against your policy before it runs. No code changes to your projects.
controlzero install claude-code
Continue to: Govern Claude Code - Coding Assistant Hooks guide
Recommendation: SDK. Pick your language in Question 2 below.
The SDK wraps your tool calls with a single cz.guard() check. Works with LangChain, LlamaIndex, custom agent loops, anything.
Recommendation: Gateway proxy.
Change one base URL and every LLM API call (OpenAI, Anthropic, etc.) is governed. Zero code changes. Works for agents you can't touch.
export OPENAI_BASE_URL=https://gateway.controlzero.ai/v1
Continue to: Govern an existing AI app - Gateway guide
Recommendation: Browser extension.
Deploy via MDM. Blocks customer PII and secrets from being pasted into claude.ai, ChatGPT, Gemini, and Perplexity. Users still get their tools; your data stops at the textarea.
Continue to: Block PII in chat UIs - Browser Extension guide
Recommendation: Shadow AI Scout.
Finds unsanctioned AI services across your org from network telemetry. Tells you what to govern before you govern it.
Continue to: Discover shadow AI - Shadow AI Scout guide
Recommendation: MCP server.
Connect Claude Desktop (or any MCP-aware client) to Control Zero. Claude can read audit logs, draft policies, and manage projects through natural language.
Continue to: MCP Server guide
Question 2: Which language? (only if you picked "An AI app I'm building")
- Python
- Node.js / TypeScript
- Go
Recommendation: Python SDK.
First-class support for LangChain, LlamaIndex, OpenAI SDK, Anthropic SDK. Sync and async APIs.
Continue to: Govern a Python AI app - Python SDK reference
Recommendation: Node SDK.
First-class support for Vercel AI SDK, LangChain.js, OpenAI SDK. Full TypeScript types.
Continue to: Govern a Node.js AI app - Node SDK reference
Recommendation: Go SDK.
Core enforcement only. Best for backend services and CLIs. For agent frameworks, use Python or Node.
Continue to: Go SDK reference
Question 3: How do you want to deploy?
- Cloud (SaaS) - recommended
- Self-Hosted (Preview)
Recommendation: Cloud.
We run the dashboard, audit store, and policy distribution. You sign up at app.controlzero.ai and get a Free tier account with 10K governed actions/month. No card required. Most teams start here.
Recommendation: Self-Hosted.
You run Control Zero on your own infrastructure. Same SDK and gateway code as Cloud; only the dashboard URL changes. Pick this if data residency, air-gap, or regulated-industry requirements demand it. Currently in private preview - contact us for access.
Question 4: How do you want policies stored?
Three modes. Pick based on where your policy lives and whether audit logs leave your environment.
| Mode | Where policy lives | Where audit goes | Requires API key | Requires network |
|---|---|---|---|---|
| Hosted Most teams | Control Zero dashboard | Cloud | Yes | Yes |
| Hybrid | File in your repo | Cloud | Yes | Yes |
| Local | File in your repo | Local disk | No | No |
- Hosted (recommended)
- Hybrid
- Local (air-gap)
Edit policy in the dashboard. The SDK fetches a signed policy bundle on first call. Audit ships to the cloud automatically.
from controlzero import Client
cz = Client(api_key="cz_live_...")
Write policy locally, version it in Git. API key sends audit to the dashboard so your team has visibility.
cz = Client(api_key="cz_live_...", policy_file="controlzero.yaml")
No API key, no network calls, no data leaves your environment. Audit logs written to disk.
cz = Client(policy_file="controlzero.yaml")
Question 5: What's your team size?
- Just me
- Small team / startup
- Org-wide / production
Tier: Free ($0). 10K governed actions/month. SDK + proxy + coding hooks (local mode). Hard-blocks at 10K.
Tier: Solo ($29/mo). SDK + proxy + DLP. Overage $10/100K actions. Ideal for a founding team shipping an AI product.
Tier: Teams ($199/mo base + $29/seat + $19/agent). Everything in Solo, plus browser extension, Shadow AI Scout, hosted coding hooks, and hosted MCP. Overage $8/100K actions. See pricing.
You're done - here's your answer
Your setup is: the surface from Q1, in the mode from Q4, on the deployment from Q3, on the tier from Q5.
Examples:
- "Coding hooks, Hosted, Cloud, Solo" - Install Claude Code hooks, sign up at app.controlzero.ai, pick Solo.
- "Python SDK, Hybrid, Cloud, Teams" - Python SDK quickstart, check
controlzero.yamlinto Git, invite your team. - "Gateway, Local, Self-Hosted, Free" - Gateway guide, run the container, point your agents at it.
- "Browser extension, Hosted, Cloud, Teams" - Browser Extension guide, deploy via MDM.
If you want the fastest end-to-end path, start with Quickstart.
Common combos (for scanners)
| Intent | Language / Surface | Deployment | Recommendation |
|---|---|---|---|
| Govern Claude Code on my laptop | Coding hooks | Cloud | Coding hooks, Local or Hosted |
| Production OpenAI agent, no code changes | Gateway | Cloud | Gateway, Hosted |
| New LangChain agent in Python | Python SDK | Cloud | Python SDK, Hosted |
| New Vercel AI SDK agent in TypeScript | Node SDK | Cloud | Node SDK, Hosted |
| Stop PII leaks into ChatGPT | Browser extension | Cloud | Browser ext, Teams tier |
| Find what AI tools my employees use | Shadow AI Scout | Cloud | Scout, Teams tier |
| Air-gapped regulated environment | SDK or Gateway | Self-Hosted | Local mode, contact us |
| Let Claude draft and apply policies | MCP server | Cloud | MCP server |
Still unsure? Open the Quickstart and work through a Hosted/Cloud/Free setup. You can switch modes later without changing SDK code.