TWO LANES INTO ONE ENGINE
Customer-controlled environment
Lane 1 — Salus Desktop (managed devices)

Employee browser AI and desktop AI apps on MDM-managed macOS & Windows devices — on-network, remote, or roaming.

Lane 2 — App & agent gateway (server-side)

Internal applications, services, and agents point their AI base URL at Salus. No TLS interception; scoped virtual keys.

Salus Engine

Both lanes feed the same engine: detect → tokenize → policy → egress → restore. One vault, one audit stream.

tokens → ← response
Outside world
External AI providers

Receive tokenized requests from a caller they were already serving — the workflow is unchanged.

OpenAI Claude Gemini Azure Mistral
and any OpenAI-compatible provider

What the Gateway is for#

Your organization already uses AI: employees in ChatGPT, Claude, and Gemini; desktop AI applications; enterprise tools with AI features; internal services calling provider APIs; agents orchestrating all of the above. The Gateway's job is to protect that existing usage without replacing any of it. Traffic reaches the Salus Engine before it leaves your environment, detected sensitive values cross the boundary as tokens, and restored answers come back to the same tool the user was already in.

The two coverage lanes#

Salus Desktop covers people. It is the Gateway's endpoint agent for managed macOS and Windows devices, deployed via MDM, capturing browser and desktop AI traffic on the device and tunneling it to the central engine — wherever the device is.

The app/agent lane covers software. Applications, internal services, and agents point their AI base URL at the Salus gateway and connect to it as a normal TLS endpoint — no interception involved. Provider keys move into the gateway; each app or agent receives a scoped virtual key that can be rotated, revoked, and budgeted. This lane covers server-side applications, in-house agents, configurable external agents, SDK and API traffic.

Together the lanes cover managed devices, configured apps, and agents. When an app that is already routed through the gateway runs on a managed device, lane precedence ensures traffic is tokenized once, not twice.

One engine behind both lanes#

The lanes are adapters, not products: both feed the same Salus Engine and the same vault. That is what makes tokens consistent across a browser prompt and an API call, policy definable in one place, and the audit trail a single token-only stream to your SIEM. The Workspace — Salus's own AI client — runs on the same engine, as described in Gateway vs. Workspace.

Identity without new accounts#

Nobody gets a "Salus account." Apps and agents authenticate with virtual keys — machine identity. Managed devices authenticate with MDM-provisioned device certificates — the employee never sees a login screen. Every event still attributes cleanly in the audit stream: lane traffic to the app or device identity, resolved to users through your existing MDM and identity provider mappings.