Configure an AI service access rule to control user access to web-based AI services and monitor for sensitive or inappropriate content.

Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
Note
AI service access rules take priority over internet access rules.

Procedure

  1. On the Secure Access Rules screen, click the AI Service Access tab and then click Create AI Service Access Rule.
    The rule configuration screen appears with the AI service access rule template selected.
  2. Specify a unique name and a description for the rule.
  3. Specify whether the applicable generative AI service is a public or private generative AI service.
  4. (Optional) To enable or disable the rule, click the toggle next to Status.
    Tip
    You can also enable or disable rules on the Secure Access Rules screen.
  5. Configure the following rule settings.
    Rule setting: Rule target
    Description: Users, devices, and locations targeted by or excluded from the rule
    Options:
    • Users/Groups/Private IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude private IP address groups from your internal corporate network locations.
      • Only users or groups from the IAM system configured as your SSO provider can be used in rules.
      • Define a new IP address group by clicking Add. The IP addresses or ranges must exist on your internal corporate network.
      Important
      Rules may not apply to devices that do not have the Secure Access Module installed and do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices.
    • Device posture profile: Select or add a device posture profile to exclude compliant devices that access the internet using the Secure Access Module.
    • Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways.
      • Define network locations on particular gateways by going to Secure Access Configuration > Internet Access and AI Service Access Configuration > Gateways.

    Rule setting: Traffic
    Description: The AI service traffic the rule applies to
    Options:
    AI services: Specify all available AI services or selected AI services.
    Important
    • Choose from Services supporting content inspection in order to enable advanced generative AI content filtering. AI services not supporting content inspection can only be allowed or blocked. Supported AI services currently include:
      • Amazon Bedrock
        • Converse and ConverseStream (all versions)
        • InvokeModel and InvokeModelWithResponseStream (Anthropic models only)
      • Anthropic API and Claude (all versions)
      • ChatGPT (all versions)
      • Google Gemini (formerly Bard)
      • Microsoft Copilot (formerly Bing Chat)
      • Microsoft Copilot for Microsoft 365
    • If applying the rule to a public AI service, you must go to Internet Access and AI Service Access Configuration > HTTPS Inspection and add or enable HTTPS inspection rules for the following URL categories:
      • Business/Economy
      • Search Engines/Portals
      • Computers/Internet

    Rule setting: Schedule
    Description: The time period that the rule is applied
    Options:
    Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period.
    Note
    Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.

    Rule setting: Action
    Description: The action taken when the rule is triggered
    Options:
    • Block AI service access: Blocks access to all supported AI services.
    • Allow AI service access with advanced AI content inspection: Allows access to specified AI services within the specified content inspection parameters for prompts or responses.
      • Prompt settings include:
        • Sensitive data leakage detection: Monitors or blocks prompts containing sensitive data as defined by AI content inspection rules
        • Potential prompt injection detection: Monitors prompts that may attempt to give the AI service malicious instructions that cause it to spread malware, steal sensitive data, or take control of systems
        • File upload detection: Monitors or blocks attempts to upload files to an AI service
      • Response settings include:
        • Inappropriate response content detection: Monitors or blocks responses detected as containing inappropriate data as defined by AI content inspection rules
        • Block responses containing malicious URLs as detected by Trend Micro threat experts
  6. Click Save.
    View all available rules on the AI Service Access screen.
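
A pre-deployment check for the X-Forwarded-For caveat under Rule target, added here as an example and not part of the product or its documentation: it classifies XFF values taken from your own upstream proxy logs by whether the client address falls inside an IP address group you defined. The group names, ranges and sample header values are constructed, and treating the leftmost valid XFF entry as the client address is an assumption based on common XFF usage, not documented gateway behavior.

```python
import ipaddress

# RFC 1918 ranges: the private addressing an internal corporate network uses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of IP address groups (names and ranges are hypothetical).
IP_GROUPS = {
    "hq-lan": ["10.20.0.0/16"],
    "lab": ["192.168.50.10-192.168.50.40"],
}

def parse_entry(entry):
    """Expand a single IP, CIDR block, or start-end range into networks."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry.strip(), strict=False)]

def client_from_xff(xff):
    """Leftmost syntactically valid address in an XFF value, or None.
    Assumption: the leftmost entry is the originating client."""
    for token in (xff or "").split(","):
        try:
            return ipaddress.ip_address(token.strip())
        except ValueError:
            continue
    return None

def classify(xff, groups=IP_GROUPS):
    """Return a group name, or 'no-xff', 'not-private', 'no-group'."""
    addr = client_from_xff(xff)
    if addr is None:
        return "no-xff"
    if not any(addr in net for net in RFC1918):
        return "not-private"
    for name, entries in groups.items():
        if any(addr in net for e in entries for net in parse_entry(e)):
            return name
    return "no-group"

# Constructed XFF values as they might appear in an upstream proxy log.
SAMPLES = ["10.20.3.4, 198.51.100.7", "192.168.50.25", "192.168.50.41",
           None, "unknown, 203.0.113.9"]

def audit(samples=SAMPLES):
    """Map each sample header value to its classification."""
    return [(s, classify(s)) for s in samples]
```

Requests classified as no-xff, not-private or no-group are the ones an IP-address-group rule target cannot be expected to match.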