Govern Claude on Chrome before it clicks the wrong button.
The policy layer for Claude in Chrome. Block the critical actions. Approve them in one click. Decide what Claude can touch, send, and submit. Per app. Per URL. Per user.
Claude in Chrome just emailed your client list to an outsider.
One prompt. The agent opens Salesforce, exports every account and what it pays as a CSV, attaches it in Gmail, and addresses it outside the company. The only thing in its way is a yellow "high risk" banner and an "act without asking" toggle.
Claude in Chrome acts as the user, carrying the user's cookies, tokens, and OAuth scopes across every open tab.
Gmail. Salesforce. Jira. Your admin consoles. Permissions are blanket, and the first misread instruction becomes the postmortem.
You don't need to ban it. You need to govern it.
Three controls. Built for security teams. Free for the org.
Approve
Nothing risky leaves the browser until a human says yes. Send, submit, post, pay, delete, publish, upload. Willow freezes the agent at the action and shows the full payload: recipient, body, attachment, URL. Deny. Allow once. Always allow. Nothing ships until someone signs off.
Scope
The agent's allowlist is too wide. Willow narrows it. Most tools hand the agent the keys to a whole domain and every subdomain. Willow scopes access down to the page and the data. The agent works in Salesforce, but the financial view stays locked. Per app, per URL, per action.
Guard
The agent only sees what you allow. Tell Willow the agent can't read email, and the inbox comes back blank. PII and secrets fade out before the agent ever reads them. Redaction happens in the browser, before the data reaches the model.
Policy at the action level. Not the tab level.
Install once. Govern from day one.
Install the extension.
Chrome Web Store or your MDM. 30 seconds.
Pick a policy.
Start with Willow defaults. Customize anytime.
Share with your team.
One link. Same rules. SCIM and Okta optional.
Watch from the Basecamp.
Every action flows back. Splunk and Loki ready.
The OWASP LLM06 problem, solved at the browser.
Browser agents fail three OWASP LLM06 sub-categories at install time. Willow closes all three at the action layer.
| OWASP LLM06 sub-category | What it controls | Claude in Chrome default | Willow for Chrome |
|---|---|---|---|
| Excessive Functionality | Which tools an agent can reach | ✕ Per-user allowlist only | ✓ Org-managed, per-action |
| Excessive Permissions | What it can do inside each tool | ✕ Blanket. Domain-level. | ✓ Read / edit / send / block, per verb |
| Excessive Autonomy | When, on what data, under what conditions | ✕ Model heuristic | ✓ Policy-enforced, human-in-the-loop, audit-logged |
Built like enterprise infrastructure. Shipped like a free tool.
Open source
Chrome Web Store and GitHub. Read the code yourself.
Runs locally
No prompt, action, or page content leaves the browser by default.
SSO ready
Okta, Azure AD, JumpCloud. Optional, when you're ready.
Enterprise governance at scale
2M+ tool calls governed every week.
SOC 2 Type II
Willow platform certified. GDPR-aligned.
Audit-ready logs
Splunk and Loki integrations available. Real-time.
Chrome is one surface. The Willow Basecamp governs the rest.
Willow for Chrome is the forward outpost. The AI Basecamp is the platform underneath. One control plane for every AI agent your org runs.

Your agents already work in your browser. Decide who's in charge.
Your agents are already in the wild.
Give them a Basecamp. Go from AI chaos to AI work, in minutes.