Enterprise security teams are increasingly being asked to secure systems that don’t behave like traditional applications. As generative AI becomes embedded in engineering, operations, and knowledge workflows, it is producing activity that is dynamic, context-heavy, and often difficult to interpret through conventional monitoring tools.

In response to this shift, Daylight announced that its Managed Detection and Response (MDR) service now integrates with Claude Enterprise, extending detection and investigation capabilities into AI-native environments where much of this new activity is taking place.

AI systems are becoming operational infrastructure

The adoption of enterprise AI platforms such as Claude Enterprise is no longer limited to isolated productivity use cases. Organizations are embedding these systems into core workflows, ranging from software development and data analysis to internal automation and business operations.

As usage expands, AI systems are interacting with sensitive data and enterprise tools at scale. This creates a new challenge for security teams: understanding not only what users are doing, but how AI agents are participating in those actions.

Claude Enterprise provides audit logs that capture usage across Claude chat, Claude co-work, and Claude Code. These logs represent a meaningful step forward in visibility, but they still require interpretation to become actionable security intelligence.

Turning AI activity into security signals

Daylight’s integration is designed to convert raw AI telemetry into structured detection and response workflows. By building on top of Claude Enterprise audit logs, the MDR platform identifies behaviors that may indicate AI-native risk.

These include unauthorized or newly introduced MCPs, risky Skills or plugins, prompt injection attempts, abnormal file access patterns, and unusual AI-driven behavior that deviates from established usage baselines.

Once identified, these signals are escalated into Daylight’s MDR system, where they are investigated in context. Analysts correlate AI activity with identity data, SaaS usage, endpoint signals, cloud infrastructure, and organizational context to determine what occurred and whether it represents a security concern.

The result is a shift from passive visibility to active investigation.

“AI visibility only matters if you can act on it”

“AI adoption is moving faster than traditional security monitoring was designed to support,” said Hagai Shapira, co-founder and CEO of Daylight. “Claude Enterprise gives organizations important visibility. Daylight’s MDR service turns that visibility into detection and response.”

The statement reflects a broader industry reality: enterprises are rapidly gaining access to AI usage data, but still lack mature systems for interpreting and responding to that data at scale.

Early deployment: integrating AI into real security operations

One of the early adopters of the integration is Miro, which has been expanding its use of Claude Enterprise across internal teams while evolving its security operations to account for AI-driven activity.

As adoption scaled, Miro’s security team prioritized ensuring that AI usage would be fully integrated into existing MDR workflows rather than monitored as a separate surface.

“As we adopted Claude Enterprise, we wanted to make sure AI usage didn’t become a new blind spot for our security team,” said Mark Strande, CISO of Miro. “Daylight helped us bring Claude activity into our MDR workflow, giving us visibility into AI-native risks and the context to investigate them.”

A key area of focus has been monitoring newly introduced MCPs and evaluating whether they introduce risk based on their behavior and system interactions.

A new layer of security operations: AI-aware MDR

The integration highlights a broader shift in how security operations are evolving. MDR platforms were originally designed to detect threats across endpoints, identities, cloud workloads, and SaaS applications. Now, they are being extended to include AI systems as first-class participants in enterprise environments.

In this model, AI activity is no longer treated as auxiliary telemetry. It becomes part of the core security dataset that are analyzed, correlated, and investigated alongside traditional signals.

This evolution effectively positions MDR as a control layer for AI behavior, not just infrastructure behavior.

Expanding toward broader AI observability

Daylight’s integration is currently available through Claude Enterprise’s Compliance API, which exposes structured AI activity data for security use cases. The company expects this type of telemetry to expand as AI platforms mature and adopt more standardized observability frameworks.

Future iterations are likely to include deeper visibility into prompts, tool calls, Skills, and autonomous agent workflows, particularly as standards like OpenTelemetry extend into AI systems.

Daylight also expects similar capabilities to emerge across other enterprise AI platforms, including ChatGPT and Gemini, as organizations push for consistent security coverage across increasingly complex AI ecosystems.

As AI becomes more deeply embedded in enterprise infrastructure, the boundary between application behavior and security behavior continues to narrow, placing MDR systems at the center of how organizations understand and control AI-native risk.