
How The Hornblower Group secures GenAI to unleash personal productivity and innovation
A global sightseeing and transportation leader puts visibility, real-time guardrails and proactive governance around their employees’ use of public GenAI apps — turning an emerging risk into a controlled engine for productivity.

Client
The Hornblower Group
Global leader in transportation and sightseeing with more than a century of maritime and hospitality innovation. Headquartered in Orland, FL, it operates in 10+ countries and 50+ U.S. cities, serving over 20 million guests annually across water-based experiences, land-based experiences, ferry and transportation services, and marine consulting.
THE CHALLENGE
Empowering employees with GenAI — without losing control
Hornblower’s technology and security leadership recognized the security implications of generative AI earlier than most peers. Internal red-teaming surfaced real data-leakage paths, and the team moved quickly to frame a program that could keep pace with a fast-moving employee user base.
Three problems had to be solved at the same time:
- No visibility into actual use cases.
No existing security tool could show which employees were using which GenAI apps, what they were prompting, or what data was being exposed. Without that, leadership could not assess risk, coach users or govern the app portfolio.
- Classified data and PII leaving the company.
Employees were using tools like ChatGPT for day-to-day work, particularly for writing customer and partner correspondence. Without oversight, those tools created a direct route for personally identifiable information, customer data and company identifiers to end up in public models.
- Ease of deployment in a heterogeneous IT landscape.
Hornblower has grown through acquisitions, which means strong control of identities and networks but a less standardized workstation fleet. Any endpoint-agent security tool would have been slow, expensive and fragile to deploy at scale.
WHY NROC SECURITY
A purpose-built control plane for employee GenAI
Hornblower evaluated the market and chose NROC Security because it was designed from day one for employee use of GenAI apps — not retrofitted from an existing web or DLP product. The platform gave the security team a granular response library, from full block and allow-only sanctioned apps through monitored usage with real-time redaction and just-in-time user coaching.
“NROC Security was purpose-built for this problem and let us calibrate the response — anything from no access to fully monitored usage.”
Dirk Karjack
Director and Deputy CISO, The Hornblower Group
THE SOLUTION
Low-friction deployment, high-signal controls
Hornblower rolled out NROC Security as a cloud-based AI Security Proxy — no endpoint agents, no browser plugins, no compatibility testing against the existing workstation fleet. The proxy auto-configuration (PAC) and certificate were pushed through Group Policy, and user authentication was wired into the company’s existing single sign-on. Every prompt to a public GenAI app is now tied back to a corporate identity — even when the employee logs in with a personal account on a free plan.
On top of the technical rollout sits a simple operating model: a published acceptable-use policy, employee training, a low-friction initial control set for broad visibility, and a steady cadence of sampling, tuning and risky-user follow-up.
RESULTS
What the program is delivering today
Since the original rollout, monthly prompt volume has grown roughly 55% and redactions have grown about 35%, reflecting both broader adoption and deeper coverage. In a typical month the platform now delivers around 5,200 real-time “are you sure?” nudges — a moment for the user to reconsider a borderline prompt. Combined with the logging of end-user actions, the “think-agains” are effective in holding users accountable, quietly preventing data incidents without a single SOC ticket. The program is operating at scale with healthy guardrails and minimal friction.
- 15.5k prompts inspected per month
- 5,389 classified content redacted per month
- 74% of chats on free and personal plans
- 9% of active users already prompting skillfully

Source: NROC Security platform telemetry, month of March 2026.
HOW HORNBLOWER USES THE DATA
Three outcomes the security team is pushing on
- Data protection, in the GenAI app’s own UI.
NROC Security redacts PII, customer data and company identifiers in real time — inside the native GenAI experience the employee is already using. The platform also surfaces every interaction happening on free and personal plans, allowing a differentiated policy for apps with consumer-grade data security promises.
- Targeted action on risky behavior.
Risk-based analytics surface a small population of users responsible for a disproportionate share of sensitive-data detections. That enables short, focused coaching and, where needed, policy changes for specific user groups — reducing exposure materially while keeping the broader population productive and unblocked.
- Productivity and cost insights.
Hornblower can see which public GenAI apps employees actually use, how often and how well. That informs license decisions — buying only where usage is concentrated — and surfaces the 9% of users who are already prompting at an expert level, a ready-made network of internal champions for broader AI enablement.
“I can be more lenient with what employees can do with GenAI, because I have full visibility into usage and all personally identifiable information gets X’d out of the prompts.”
Dirk Karjack
Director and Deputy CISO, The Hornblower Group
WHAT’S NEXT
From personal productivity to agentic and business-process AI
Hornblower’s security team sees three AI frontiers to cover: personal productivity AI (the current program), business-process AI (making sure the right data reaches the right systems) and strategic AI (new customer experiences built on top of AI). The roadmap with NROC Security reflects that progression.
- More granular, role- and department-specific policies as usage matures.
- Visibility and controls for agentic AI, where prompts chain into actions.
- Data-governance controls for business-process AI, so only the right data reaches each system.






