{"version":"1.0","type":"agent_native_article","locale":"en","slug":"white-circle-raised-11-million-monitor-ai-safety-mp4s8qs0","title":"White Circle Raised $11 Million to Monitor AI After Nobody Else Wanted To","primary_category":"startups","author":{"name":"Tomás Rivera","slug":"tomas-rivera"},"published_at":"2026-05-14T00:02:28.000Z","total_votes":86,"comment_count":0,"has_map":true,"urls":{"human":"https://sustainabl.net/en/articulo/white-circle-raised-11-million-monitor-ai-safety-mp4s8qs0","agent":"https://sustainabl.net/agent-native/en/articulo/white-circle-raised-11-million-monitor-ai-safety-mp4s8qs0"},"summary":{"one_line":"White Circle is a Paris-based startup building a real-time control layer between enterprise users and AI models, addressing the post-deployment governance gap that model providers have structural incentives not to fully close.","core_question":"Who is responsible for controlling AI model behavior after deployment, and why can't model providers solve this problem themselves?","main_thesis":"AI laboratories have commercial and technical incentives that prevent them from being neutral arbiters of their own models' behavior in enterprise contexts. White Circle bets that post-deployment control is a distinct infrastructure layer that must be built outside the model providers, and that the shift from chatbots to autonomous agents makes this gap increasingly urgent and commercially viable."},"content_markdown":"## White Circle raised $11 million to monitor AI after no one else wanted to do it\n\nOne night in late 2024, Denis Shilov was watching a crime thriller when an experiment came to mind. He wrote a prompt that could make any artificial intelligence model ignore its own safety filters. The trick was conceptually simple: it told the model to stop behaving like a chatbot with rules and start acting like a software access point that simply responds to requests without evaluating whether it should. It worked on every leading model. The next day, his post on X had accumulated enough traction that Anthropic reached out and asked for private access to their systems.\n\nWhat Shilov concluded from that episode was not that he had found a bug. It was that no company had a post-deployment control layer over what their AI models did once users began interacting with them. That observation became White Circle, and on May 12, 2026, the Paris-based startup announced a seed round of **$11 million** backed by figures who know the models from the inside: the head of developer experience at OpenAI, a co-founder of OpenAI now at Anthropic, the co-founder and chief scientist of Mistral, the co-founder and chief scientific officer of Hugging Face, the founder of Datadog, the creator of Keras, and executives from DeepMind and Sentry.\n\nThe capital is not the most interesting part of the story. What is interesting is what kind of business infrastructure justifies that level of conviction so early, and why the market's response to that specific problem took so long to appear.\n\n## The problem that AI labs have incentives not to fully solve\n\nWhen a company deploys a language model in production, it inherits an implicit contract with the model provider: the provider has trained the model to behave in a certain way in general terms, and the company assumes that training is sufficient for its specific use cases. That assumption is becoming increasingly difficult to sustain.\n\nToday's models are both instrument and risk at the same time. A customer support agent can promise a refund the company never authorized. A coding agent can install something on a virtual machine that was never supposed to be touched. A model integrated into a financial application can mishandle sensitive customer data. None of those scenarios are hypothetical; they are documented consequences of deploying capable models in environments with incomplete or ambiguous instructions.\n\nThe standard response from model laboratories is safety fine-tuning during training. But that fine-tuning is, by definition, generic. It is calibrated to prevent the model from explaining how to manufacture weapons or producing harmful content in the abstract. It is not calibrated for the specific policy of a financial services company regarding what can and cannot be promised in a conversation with a customer, nor for a healthcare company's restrictions on which data can be cross-referenced with which other data.\n\nShilov points to something more structural: laboratories charge for input and output tokens even when the model rejects a harmful request. That means they have a limited economic incentive to block abuse before it reaches the model. He also points to the so-called \"alignment tax\": training safer models tends to reduce their performance on tasks such as coding. That tension between safety and performance does not disappear with more funding; it is a technical constraint that laboratories manage, but do not eliminate.\n\nWhite Circle is betting that this gap will not be closed from the training side alone. Its product is a real-time application layer that sits between a company's users and its models, reviewing inputs and outputs against that company's specific policies, and capable of blocking or flagging problematic behavior: hallucinations, data leakage, prohibited content, prompt injection, and destructive actions in software environments. The company says it has processed more than **one billion API requests** and has active customers in fintech, legal, and developer tooling, including Lovable. The system supports more than 150 languages and holds SOC 2 Type I and II certifications as well as HIPAA compliance.\n\n## What one billion requests validates and what it does not\n\nOne billion API requests is the kind of number that sounds large and can mean very different things depending on volume per customer, type of request, and retention rate. White Circle was founded in 2025 and has 20 employees, almost all of them engineers. That suggests an architecture designed to scale through infrastructure rather than service headcount, which is consistent with an API model that intercepts existing traffic.\n\nWhat the number does validate, to the extent that public data allows any conclusion, is that the platform has operational traction, not merely public relations traction. There is an important difference between a company that announces funding with a list of prospective customers and one that arrives at the announcement with evidence of sustained use. The benchmark that White Circle published in May 2026, KillBench, also functions as a signal of technical maturity: they ran more than one million experiments across 15 models from OpenAI, Google, Anthropic, and xAI to measure bias in high-stakes decision scenarios. The results showed that models made different decisions based on attributes such as nationality, religion, or phone type, and that those biases worsened when responses were requested in structured formats intended to be read by software — which is exactly how most companies connect models to their production systems.\n\nThat finding has direct consequences for any company using AI in decisions with real-world outcomes. It is not an academic experiment; it is documentation of a risk vector that occurs in the most common integration format.\n\nWhat the number does not yet validate is willingness to pay at scale. The business model of a control layer that intercepts traffic has a potentially powerful mechanic: if it becomes part of the workflow between users and models, it captures budget from multiple lines — security, compliance, content moderation, and model operations. But that also means it competes for budget against teams that already have observability tooling and that may resist adding yet another layer of infrastructure.\n\nThe geographical concentration of the team in Europe, with presence in London, France, and Amsterdam, suggests that expansion into the US market — where the largest enterprise technology budgets reside — requires sales infrastructure that 20 engineers cannot cover. The funding is likely earmarked for exactly that.\n\n## A control layer that models cannot sell on their own\n\nWhite Circle's strongest argument is not technical. It is one of governance.\n\nShilov articulated it precisely: there is a structural trust problem in asking a model provider to judge the behavior of its own models. Anthropic cannot be a neutral arbiter of Claude's behavior when it is the same entity that trains it, commercializes it, and charges for every token it generates. That is not an accusation; it is a description of incentives. AI laboratories are companies with specific commercial interests, and their safety systems are calibrated to those interests, not to those of every company that deploys their models.\n\nThat separation is what makes backing from investors with experience inside the sector's most important laboratories strategically relevant beyond the capital itself. People who understand the technical and commercial constraints of OpenAI, Anthropic, Mistral, and DeepMind from the inside are betting that the post-deployment control problem will not be solved from within those laboratories with the depth that enterprises are going to require. That is both a validation of the problem and a signal about the direction of the market.\n\nThe transition from chatbots to autonomous agents makes that gap more urgent. A chatbot that responds poorly is a reputational problem. An agent that accesses files, executes code, browses the web, and takes actions on behalf of a user can create damage that cannot be undone with an apology message. The market for controlling autonomous agents is in its earliest stages, but the direction of AI spending points there with clarity.\n\nWhite Circle arrived at this announcement with operational usage, published research, compliance certifications, and backing from individuals with technical credibility in the sector. That is no guarantee of success, but it is a starting line that is considerably further ahead than where startups typically find themselves at the seed stage. The next threshold that matters is not the next funding headline; it is how many companies in regulated industries decide they need a control layer between their users and their models before an incident forces them to find one the hard way.","article_map":{"title":"White Circle Raised $11 Million to Monitor AI After Nobody Else Wanted To","entities":[{"name":"White Circle","type":"company","role_in_article":"Subject — Paris-based startup building a real-time AI post-deployment control layer, protagonist of the funding announcement and central case study."},{"name":"Denis Shilov","type":"person","role_in_article":"Founder of White Circle — discovered the post-deployment control gap through a prompt injection experiment and built the company around that structural observation."},{"name":"Anthropic","type":"company","role_in_article":"Referenced as a model provider that contacted Shilov after his experiment, and as an example of why model providers cannot be neutral arbiters of their own models' behavior."},{"name":"OpenAI","type":"company","role_in_article":"Referenced as a model provider whose head of developer experience and a co-founder are investors in White Circle."},{"name":"Mistral","type":"company","role_in_article":"Referenced as a model provider whose co-founder and chief scientist is an investor in White Circle."},{"name":"Hugging Face","type":"company","role_in_article":"Referenced as a model provider whose co-founder and CSO is an investor in White Circle."},{"name":"DeepMind","type":"institution","role_in_article":"Referenced as a source of investor credibility — executives from DeepMind backed White Circle."},{"name":"Datadog","type":"company","role_in_article":"Referenced as a company whose founder backed White Circle — relevant as an observability infrastructure analogy."},{"name":"Lovable","type":"company","role_in_article":"Named as an active customer of White Circle in the developer tooling category."},{"name":"KillBench","type":"product","role_in_article":"Benchmark published by White Circle in May 2026 to document AI model bias in high-stakes decision scenarios across structured output formats."},{"name":"Keras","type":"product","role_in_article":"Referenced as a product whose creator is an investor in White Circle, signaling deep ML infrastructure credibility among backers."}],"tradeoffs":["Safety vs. performance: training safer models reduces performance on tasks like coding — labs manage this tension but do not eliminate it","Generic safety fine-tuning vs. company-specific policy enforcement: model provider safety is calibrated for general harm, not for a specific enterprise's operational rules","Proactive governance adoption vs. incident-driven adoption: regulated enterprises may delay until an AI failure forces compliance investment","Infrastructure layer value vs. budget competition: a control layer that captures security, compliance, and observability budgets also competes against existing tooling in each of those categories","Engineering-led scaling vs. sales-led expansion: 20 engineers can build infrastructure that scales, but cannot cover US enterprise sales cycles in regulated industries","Early market entry vs. market readiness: the agentic AI control market is in its earliest stages — timing is strategically early but commercial validation at scale is unproven"],"key_claims":[{"claim":"Denis Shilov's prompt bypassed safety filters on every leading AI model in late 2024, prompting Anthropic to request private access to their systems.","confidence":"high","support_type":"reported_fact"},{"claim":"White Circle raised $11 million in a seed round announced on May 12, 2026.","confidence":"high","support_type":"reported_fact"},{"claim":"The platform has processed more than one billion API requests and has active customers in fintech, legal, and developer tooling including Lovable.","confidence":"high","support_type":"reported_fact"},{"claim":"White Circle holds SOC 2 Type I and II certifications and HIPAA compliance, and supports more than 150 languages.","confidence":"high","support_type":"reported_fact"},{"claim":"AI laboratories have limited economic incentive to block abuse before it reaches the model because they charge per token even on rejected requests.","confidence":"medium","support_type":"inference"},{"claim":"The 'alignment tax' — reduced model performance from safety fine-tuning — is a structural constraint that labs manage but do not eliminate.","confidence":"medium","support_type":"reported_fact"},{"claim":"KillBench experiments showed that model biases based on nationality, religion, or device type worsen when responses are requested in structured formats used in production integrations.","confidence":"high","support_type":"reported_fact"},{"claim":"The post-deployment control problem will not be solved from within AI laboratories with the depth enterprises will require.","confidence":"interpretive","support_type":"editorial_judgment"}],"main_thesis":"AI laboratories have commercial and technical incentives that prevent them from being neutral arbiters of their own models' behavior in enterprise contexts. White Circle bets that post-deployment control is a distinct infrastructure layer that must be built outside the model providers, and that the shift from chatbots to autonomous agents makes this gap increasingly urgent and commercially viable.","core_question":"Who is responsible for controlling AI model behavior after deployment, and why can't model providers solve this problem themselves?","core_tensions":["Model providers as both the source of AI capability and the entities least able to neutrally govern their own models' behavior in enterprise contexts","The alignment tax: making AI safer degrades performance, creating a permanent tradeoff that labs optimize around but cannot eliminate","Post-deployment control as a governance necessity vs. an additional infrastructure cost that enterprises may resist until an incident forces adoption","European startup with global AI infrastructure ambitions vs. US-concentrated enterprise technology budgets requiring sales infrastructure that does not yet exist at current headcount","Operational traction (1B requests) as evidence of product-market fit vs. unvalidated willingness to pay at enterprise scale"],"open_questions":["Will regulated enterprises adopt post-deployment AI control layers proactively, or only after a high-profile AI incident forces compliance investment?","Can White Circle capture budget across security, compliance, and model operations simultaneously, or will organizational silos force it to compete in only one budget category?","How does White Circle's control layer interact with model providers' own safety systems — complementary, redundant, or conflicting?","What is the revenue concentration behind the one billion API requests — is this distributed across many customers or concentrated in a few?","As AI agents become more autonomous and capable, does the control layer need to become more sophisticated in ways that require more than 20 engineers to maintain?","Will model providers eventually build company-specific policy enforcement into their own products, closing the gap White Circle is betting will remain open?","How does White Circle's European regulatory environment (GDPR, EU AI Act) affect its product architecture and create either advantage or friction in US enterprise sales?"],"training_value":{"recommended_for":["Enterprise technology buyers evaluating AI governance tooling","Investors building theses in AI safety, compliance, or observability infrastructure","Founders identifying structural gaps in AI deployment stacks","CTOs and CISOs designing AI agent deployment policies in regulated industries","Product managers building on top of foundation models who need to understand post-deployment risk vectors"],"when_this_article_is_useful":["When evaluating build vs. buy decisions for AI governance and post-deployment monitoring infrastructure","When assessing enterprise AI risk in regulated industries (fintech, healthcare, legal) where model behavior has compliance consequences","When analyzing the competitive dynamics between AI model providers and third-party infrastructure layers","When building investment theses around AI safety, observability, or compliance infrastructure","When designing AI agent deployment architectures that require policy enforcement beyond model provider defaults","When benchmarking seed-stage AI infrastructure startups against operational and technical maturity signals"],"what_a_business_agent_can_learn":["How to identify a structural market gap created by incumbent incentive misalignment — model providers cannot neutrally govern their own models","How to use investor composition as a market signal, not just a capital signal — insiders betting against their own employers' ability to solve a problem is directional information","How to distinguish operational traction from commercial validation — one billion API requests proves infrastructure adoption, not yet willingness to pay at scale","How compliance certifications (SOC 2, HIPAA) function as enterprise sales infrastructure, not just legal requirements","How published benchmarks can serve as sales collateral by documenting the exact risk vector a product addresses","How the shift from chatbots to autonomous agents changes the risk profile and addressable market for AI governance infrastructure","How to evaluate a seed-stage startup's claims when key metrics (revenue, customer concentration, retention) are not disclosed"]},"argument_outline":[{"label":"The triggering insight","point":"Denis Shilov discovered in late 2024 that a simple prompt could bypass safety filters on every leading AI model, and that no company had a post-deployment control layer in place.","why_it_matters":"This was not a bug report — it was a structural observation about a missing layer of enterprise infrastructure, which became the founding thesis of White Circle."},{"label":"Why model providers cannot fully solve this","point":"AI labs charge per token even when a request is rejected, creating limited economic incentive to block abuse pre-model. Safer training also reduces model performance (the 'alignment tax'), creating a technical constraint labs manage but do not eliminate.","why_it_matters":"The governance gap is not accidental — it is structurally embedded in the business model and technical tradeoffs of model providers, making third-party control layers a durable market opportunity."},{"label":"The product and its traction","point":"White Circle's product sits between users and models, reviewing inputs and outputs against company-specific policies in real time. It has processed over one billion API requests, supports 150+ languages, and holds SOC 2 Type I/II and HIPAA certifications.","why_it_matters":"Operational traction at this scale before a seed announcement signals infrastructure adoption, not just PR momentum — a meaningful distinction at the seed stage."},{"label":"The KillBench research signal","point":"White Circle published KillBench in May 2026, running over one million experiments across 15 models to document bias in high-stakes decision scenarios, finding that biases worsen in structured output formats used in production integrations.","why_it_matters":"This is not academic research — it documents a risk vector in the exact integration format most enterprises use, strengthening the compliance and governance case for a control layer."},{"label":"The investor composition as market signal","point":"Backers include the head of developer experience at OpenAI, a co-founder of OpenAI now at Anthropic, the co-founder and chief scientist of Mistral, the co-founder and CSO of Hugging Face, the founder of Datadog, and executives from DeepMind and Sentry.","why_it_matters":"Insiders from the most important AI labs are betting the post-deployment control problem will not be solved from within those labs — this is both problem validation and directional market signal."},{"label":"The agentic AI escalation","point":"The transition from chatbots to autonomous agents that access files, execute code, and browse the web makes post-deployment control exponentially more critical — a chatbot error is reputational, an agent error can be irreversible.","why_it_matters":"The addressable market for White Circle's control layer grows as AI moves from conversational to agentic, making the timing of this seed round strategically early relative to where enterprise AI spending is heading."}],"one_line_summary":"White Circle is a Paris-based startup building a real-time control layer between enterprise users and AI models, addressing the post-deployment governance gap that model providers have structural incentives not to fully close.","related_articles":[{"reason":"Directly addresses why enterprise AI agents fail from a security and governance perspective before external attacks — the same structural gap White Circle is building infrastructure to close.","article_id":12608},{"reason":"Covers enterprise AI acquisition dynamics and how Anthropic and OpenAI are building enterprise structures — relevant context for understanding why third-party control layers exist outside model providers.","article_id":12496},{"reason":"Examines conviction capital and fast funding decisions at the seed stage — directly relevant to understanding the investor behavior and market signals behind White Circle's $11M round.","article_id":12441}],"business_patterns":["Infrastructure wedge: position a compliance/security layer as essential middleware between existing systems (users and models), capturing budget from multiple lines without replacing any single tool","Insider validation as go-to-market signal: recruit investors with operational credibility inside the problem domain (AI lab insiders) to signal technical legitimacy before enterprise sales cycles begin","Research as sales collateral: publish benchmarks (KillBench) that document the exact risk vector the product addresses, converting academic credibility into enterprise procurement justification","Compliance certification as enterprise unlock: achieve SOC 2 and HIPAA certifications early to remove procurement blockers in regulated industries before scaling sales","Seed-stage traction anchoring: arrive at a funding announcement with operational metrics (1B API requests) rather than only prospective customers, shifting the narrative from promise to evidence","Structural gap identification: find a problem that incumbents have incentives not to fully solve, then build the solution as a neutral third party"],"business_decisions":["Whether to build a post-deployment AI control layer internally or procure it from a third-party infrastructure provider like White Circle","Whether to treat AI model governance as a security budget item, a compliance budget item, or a model operations budget item — and which team owns the decision","Whether to adopt a control layer proactively before an AI incident or reactively after one forces the issue","Whether to trust model provider safety fine-tuning as sufficient for company-specific policy enforcement in regulated industries","How to evaluate operational traction claims (e.g., one billion API requests) when volume per customer, request type, and retention are not disclosed","Whether to expand a European-headquartered AI infrastructure startup into the US market and what sales infrastructure that requires at 20 employees"]}}