Privacy and data handling
What does the scanner read on disk?
What does the scanner read on disk?
command / args / url, the client, and any project path — not your raw config files. For skills and plugins it submits metadata plus bounded artifact text (capped at 1 MB per file and 5 MB per artifact) so the backend can risk-classify the artifact. See What the scan reads.Can the scan be scoped or limited?
Can the scan be scoped or limited?
node_modules, .git, .venv, caches, Library/Application Support, AppData, and more). Project-level discovery is bounded by --project-depth (default 7) and --project-timeout (default 60 seconds), and --no-projects skips project-level scanning entirely. See What the scan reads.Does it scan network shares or removable drives?
Does it scan network shares or removable drives?
Does it collect file contents or just metadata?
Does it collect file contents or just metadata?
Organization API key
What can the AI Watch organization API key do?
What can the AI Watch organization API key do?
mcp_watch_scan) — and is accepted only on AI Watch submission endpoints: scan, skills/plugins lookup and submit, device check-in, and hooks/sessions. Used against any other API route it returns 403. It has tenant-only identity (it is not tied to a user), cannot impersonate a user, and is blocked from policy-based access control. See Deploy AI Watch and User and Identity Mapping.What is the blast radius if the key leaks?
What is the blast radius if the key leaks?
403). Rotate it from Settings → MDM Configuration — regenerating the configuration mints a new key — and re-push the profile/MSI; the old key stops working once revoked (401). See Troubleshooting → Authentication.How is the key stored?
How is the key stored?
OrgApiKey in macOS managed preferences, or the OrgApiKey registry value under HKLM\Software\Runlayer\AIWatch on Windows, written by the MSI’s AIWATCH_ORG_API_KEY install property). On the Runlayer backend it is stored only as an HMAC-SHA256 hash — the plaintext is shown once at creation and cannot be retrieved later. If it is lost, regenerate the configuration to mint a new one. See Troubleshooting → Authentication.How are scans attributed to users if the key isn't tied to a user?
How are scans attributed to users if the key isn't tied to a user?
Deployment and platform
Is the package custom-built per organization?
Is the package custom-built per organization?
.pkg / .msi is identical for every customer. Your tenant host and organization API key are supplied through MDM configuration, not compiled into the binary. See Package and platform support.Does it require Python or the Runlayer CLI?
Does it require Python or the Runlayer CLI?
aiwatch binary with its runtime bundled, no Python or CLI prerequisite on managed devices. The uv tool install runlayer CLI is only for manual single-device testing. See Package and platform support.Which platforms are supported?
Which platforms are supported?
runlayer scan. For Intel Macs or other architectures, use the CLI path or contact your account team. See Package and platform support.What outbound access does it need?
What outbound access does it need?
Can I change configuration without reinstalling?
Can I change configuration without reinstalling?
Enforcement / Sessions (and other config) only requires re-pushing the profile or MSI properties — on macOS, bump the profile’s PayloadVersion so the MDM re-delivers it. The .pkg / .msi is reinstalled only to upgrade the AI Watch binary. See Package configuration.Operation
Does Sessions work without Enforcement (no blocking)?
Does Sessions work without Enforcement (no blocking)?
Enforcement off (the default), hooks still forward Sessions and event telemetry whenever Sessions is enabled — you get full visibility without blocking. Blocking happens only when Enforcement=true. See Enforce → Monitoring-only rollout.A skill is flagged High or Medium risk but is legitimate — what now?
A skill is flagged High or Medium risk but is legitimate — what now?