8 Tools to Track and Govern Claude Code Extensions in 2026
Claude Code became the most-used AI coding agent within eight months of launch. By early 2026 it sits on developer laptops across most engineering teams. What rides along with it is the part IT rarely sees. Plugins, skills, hooks, and MCP configs install through slash commands, project settings, and third-party marketplaces ranging from curated to completely unvetted.
The exposure here isn’t hypothetical, and the past year produced the proof. Hooks run arbitrary shell code at user privilege, and confirmed CVEs this year covered hook-based remote execution and credential exfiltration through project files. Skills injected into context open the door to prompt injection. Yet 56% of employees already use unauthorized AI while only 23% use IT-governed tools (IDC), so most of this spreads with no registry and no owner on record.
The eight tools below each tackle a slice of that gap, from discovering who installed what to governing how extensions behave at runtime.
★ = low · ★★ = medium · ★★★ = high
| Tool | Extension Discovery | Approval Workflow | Runtime Policy | Breadth Beyond Claude Code | Ease of Deployment |
|---|---|---|---|---|---|
| Torii | ★★★ | ★★★ | ★ | ★★★ | ★ |
| Zenity | ★★ | ★ | ★★★ | ★ | ★ |
| Pillar Security | ★★ | ★ | ★★★ | ★ | ★ |
| Reco | ★★ | ★★ | ★ | ★★ | ★ |
| Prompt Security | ★★ | ★ | ★★ | ★ | ★ |
| Lasso Security | ★★★ | ★ | ★★ | ★ | ★ |
| Nudge Security | ★★ | ★★ | ★ | ★ | ★★ |
| Wing Security | ★★ | ★★ | ★ | ★★ | ★ |
Torii
Torii sits a layer beneath any single Claude Code extension, where the accounts and spending actually live. It’s an AI management platform that discovers every app and AI tool a company runs, so plugins, skills, and the people installing them all roll up into one inventory. Rather than scanning local config files, Torii correlates SSO sign-in logs, OAuth grants, browser activity, and expense data to find who adopted what.
That matters because Torii’s 2026 benchmark found 61.3% of discovered apps run outside formal IT oversight, and most top shadow apps are AI-first. When a developer installs Claude Code through a personal account or expenses a Pro seat, the Torii platform surfaces it and ties the tool back to a named owner. From there, policy-based access requests, automated SSO and MFA enforcement, and offboarding routines turn that visibility into control.
Where Torii fits Claude Code extension governance:
- Finds ungoverned AI coding tools through finance, SSO, and browser signals
- Maps every app and account to the employee who owns it
- Runs access requests and renewals as an ongoing policy loop
- Revokes access automatically when someone leaves
Pros:
- Catches ungoverned coding tools by reading expense and sign-in data, not local files
- Attaches each app, seat, and login to a specific employee
- Runs governance as a loop through access requests, renewals, and offboarding
- Spans the whole SaaS estate rather than the developer toolchain alone
Cons:
- Built for enterprise breadth, so it carries an enterprise price
- Centered on SaaS and shadow IT, without on-premise runtime enforcement
G2: 4.5/5 (303 reviews) · Capterra: 4.9/5 (26 reviews)
Zenity
Zenity treats Claude Code as one agent in a wider fleet of AI coding assistants it has to inventory and watch. As of June 2026 it’s one of the few vendors with a named Anthropic Compliance API integration for Claude Enterprise, which pulls usage and configuration data straight from the source. That feed lets it catalog Claude Code alongside Cursor, Copilot, and Windsurf, plus the MCP servers each one connects to.
The platform records permission and configuration detail for every assistant and shadow AI asset it finds. At build time it enforces an approved-server list so developers can’t wire in catalogs nobody vetted. Its runtime engine then runs intent-based, step-level behavioral analysis that catches indirect prompt injection hidden inside tool outputs, package metadata, or code comments. You can dig into the model on the Zenity platform.
What Zenity adds to Claude Code oversight:
- A direct Anthropic Compliance API feed for Claude Enterprise
- Build-time enforcement of approved MCP servers and catalogs
- Step-level behavioral analysis for injection buried in tool output
- A Detect-then-Prevent rollout backed by full audit trails
Pros:
- Rare direct integration with Claude Enterprise through the Compliance API
- Runtime analysis spots injection that static scans overlook
- Phased Detect-then-Prevent rollout eases adoption
Cons:
- Agent-security depth suits security teams more than lean IT shops
- No public review footprint yet to gauge support
Pillar Security
Pillar Security speaks the extension layer’s own language when it describes what it finds. Its platform discovers every AI coding agent, MCP server, plugin, and configuration across a fleet, then reads the permissions, credentials, and scopes attached to each. Integrations are agentless, and remediation can ship through existing MDM tooling, so coverage scales without an install on every laptop.
The differentiator is research depth that feeds the product directly. Pillar’s team mapped 20 malware campaigns aimed at AI coding tools between February 2025 and March 2026, including a marketplace-poisoning effort that reached more than 900,000 installs. That threat intelligence shapes runtime controls watching for prompt injection, tool poisoning, and data exfiltration as agents run. The breakdown lives on Pillar’s AI discovery and posture page.
Where Pillar focuses on the coding layer:
- Fleet-wide discovery of agents, MCP servers, plugins, and configs
- Permission, credential, and scope analysis on each install
- Runtime monitoring informed by 20 mapped malware campaigns
- Agentless integration with MDM-based remediation
Pros:
- Vocabulary and discovery map cleanly onto plugins and MCP servers
- Threat research grounds the runtime rules in real campaigns
- Agentless setup with MDM remediation keeps rollout light
Cons:
- Broad AI-security scope can overwhelm a narrow use case
- No public G2 or Capterra rating to reference
Reco
Reco frames the problem around connections, asking which developer linked which tool to what. Its vibe coding page names Claude Code, Cursor, and Copilot directly, and the platform tracks the repo access each developer granted plus whether OAuth scopes run past what a role needs. Its SSPM roots show in how it maps data flows from sanctioned SaaS into unauthorized AI.
Discovery pulls from several signals at once rather than a single method. Behavioral analysis, OAuth monitoring, email metadata, network traffic, and browser-extension detection span more than 235 integrations. When a developer leaves, offboarding revokes the access they collected so abandoned connections don’t sit open. The Reco vibe coding page walks through the flow.
What Reco watches on the connection side:
- Which developer connected which coding assistant
- Whether granted OAuth scopes exceed the role’s need
- Data flows running from SaaS into unsanctioned AI
- Access revocation at offboarding across 235+ integrations
Pros:
- Names Claude Code and its peers in a dedicated use case
- Strong on OAuth scope and repo-access governance
- Maps how company data reaches unsanctioned tools
Cons:
- Connection focus means lighter runtime threat coverage
- Small public review base to draw on
G2: 4.9/5 (7 reviews)
Prompt Security
Prompt Security plants itself inside the IDE, where Claude Code actually writes and suggests code. A lightweight agent runs across dozens of assistants and about 30 languages, Claude among them, inspecting what flows in and out in real time. The angle is less about cataloging installs and more about what those installs do with sensitive material.
Real-time data loss prevention sanitizes or redacts secrets, PII, and proprietary IP before any of it leaves the editor. A Vulnerable Code Scanner flags insecure AI-generated code before a developer accepts it, and the inventory separates enterprise seats from free-tier logins so shadow installs surface. Its MCP Gateway stretches the same controls into agentic workflows, and the Prompt Security code-assistant page covers the setup.
Where Prompt Security works inside the editor:
- An in-IDE agent across dozens of assistants and around 30 languages
- DLP that redacts secrets, PII, and IP before they leave
- A scanner that flags insecure AI code before it’s accepted
- Inventory that separates enterprise seats from free-tier use
Pros:
- Catches sensitive data at the moment of generation
- Flags risky AI code before a developer commits to it
- Free-tier detection exposes quiet shadow usage
Cons:
- The in-IDE agent needs deploying to each developer
- No verified public review score yet
Lasso Security
Lasso Security comes at this from the endpoint and browser, where locally installed tools hide. Its Shadow LLM capability runs always-on discovery of GenAI use across browsers, desktop AI agents, and IDE plugins, then sorts each one by risk. A CrowdStrike Falcon integration folds web and endpoint discovery into a single inventory, closing the gap on local installs that OAuth or email-only methods never see.
An AI-BOM gives each agent a bill of materials covering its models, prompts, tools, and guardrails. Lasso’s own researchers were first to document indirect prompt injection inside Claude Code, so detection here grew out of hands-on findings rather than theory. That endpoint vantage point counts for a CLI tool that may never touch a corporate OAuth flow. The Lasso for employees page lays out the coverage.
How Lasso reaches local installs:
- Always-on Shadow LLM discovery across browser, desktop, and IDE
- A CrowdStrike Falcon integration for endpoint reach
- An AI-BOM mapping models, prompts, tools, and guardrails
- Risk categorization grounded in original injection research
Pros:
- Endpoint reach catches CLI installs other methods miss
- CrowdStrike tie-in unifies web and device discovery
- Detection backed by first-hand Claude Code research
Cons:
- Security-led, with little spend or license context
- No public review footprint to weigh
Nudge Security
Nudge Security starts from the premise that a workforce uses about three times more AI and SaaS than IT thinks. It discovers adoption through email genealogy, OAuth grant analysis, and a passive browser extension, then attributes each tool to the person who signed up. In May 2026 it became the first to add browser-based discovery of shadow AI agents.
Each agent it finds gets mapped back to its human creator alongside concrete risk signals. Those cover public exposure, hardcoded credentials, unauthenticated MCP connections, and creators who have already left the company. Remediation runs through automated nudge workflows that prompt the user directly instead of routing every case through a security queue, an approach detailed on the Nudge Security AI page.
What Nudge surfaces about AI agents:
- The human creator behind each agent
- Public exposure and hardcoded credential risks
- Unauthenticated MCP connections tied to a named owner
- Automated nudges prompting users to clean up their own tools
Pros:
- Creator attribution pins each agent to a real person
- Self-serve nudges cut the security team’s workload
- Early mover on browser-based agent discovery
Cons:
- Signal-based discovery is lighter on standalone CLI installs
- Coverage leans toward OAuth-connected tools
G2: 4.7/5 (8 reviews)
Wing Security
Wing Security repositioned late in 2025 from pure SSPM toward an AI-security focus. A dedicated use case covers how assistants like Claude, Copilot, and Cursor read source, reach repositories, and trigger downstream workflows. Four agentless discovery methods feed it: API access, OAuth grants, email-level scanning, and app-to-app connectivity across roughly 10,000 AI and AI-infused apps.
On top of discovery, Wing applies posture guardrails tuned for AI assistants. It reviews access scopes, retention and training-sharing settings, OAuth token hygiene, and whether SSO and MFA are enforced. Anomaly detection and automated remediation, including key revocation, handle the response when an assistant drifts out of policy. The Wing Security code-assistant page shows it in practice.
Where Wing tightens posture:
- Access-scope and OAuth token hygiene review
- Retention and training-sharing settings checks
- SSO and MFA enforcement validation
- Anomaly detection with automated key revocation
Pros:
- Deep posture checks on OAuth-connected assistants
- Four discovery methods across a large app catalog
- Automated remediation down to key revocation
Cons:
- Posture strength leans on OAuth-connected tools
- Thin public review base so far
G2: 4.9/5 (4 reviews)
How to Choose a Claude Code Governance Tool
The right tool depends on where your Claude Code risk actually concentrates. Teams focused on runtime behavior lean toward Zenity, Pillar Security, or Lasso Security, while those governing connections and posture look at Reco or Wing Security. Prompt Security fits editor-level data control, and Nudge Security suits creator attribution across OAuth-connected tools.
All of that assumes you already know which AI coding tools exist, and that is the harder half. Torii starts there, discovering shadow AI across the company through SSO, browser, and expense signals, then tying each extension and account to the employee who owns it.
Frequently Asked Questions
Use a mix of discovery signals: SSO and expense correlation (Torii), endpoint and browser Shadow LLM detection (Lasso), browser/email genealogy (Nudge), OAuth and repo-access mapping (Reco), and agentless app scans (Wing) to build an inventory and owner map.
Runtime-focused vendors like Zenity, Pillar Security, and Lasso Security provide behavioral analysis, step-level injection detection, threat-research-driven runtime rules, and endpoint monitoring to catch prompt injection, tool poisoning, and credential exfiltration as agents execute.
Tie installs to identities by correlating SSO logins, OAuth grants, expense records, browser activity, and email genealogy. Tools like Torii, Reco and Nudge map seats and tokens back to named owners so you can run access requests and offboarding.
Deploy an in-IDE agent (Prompt Security) for real-time DLP that redacts secrets, PII, and IP. Combine with a Vulnerable Code Scanner to flag risky AI-generated code, and MCP gateway rules to enforce safer runtime behavior before commits.
Prioritize posture and OAuth hygiene when risks center on excessive scopes, token hygiene, data retention, and repository access. Tools like Wing, Reco, and Torii are best for access control, tenant-wide policy, and offboarding; choose runtime tools later if behavioral attacks surface.
SaaS discovery tools often incur enterprise pricing and miss local CLI or offline installs. They may lack on-prem runtime enforcement and provide less depth on endpoint behavior, so pair them with endpoint or in-IDE controls to close blind spots.