Configure an AI service access rule to control user access to web-based AI services and monitor for sensitive or inappropriate content.
Important: This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
Note: AI service access rules take priority over internet access rules.
Procedure
- On the Secure Access Rules screen, click the AI Service Access tab and then click Create AI Service Access Rule. The rule configuration screen appears with the AI service access rule template selected.
- Specify a unique name and a description for the rule.
- Specify whether the applicable generative AI service is a public or private generative AI service.
- (Optional) To enable or disable the rule, click the toggle next to Status.
  Tip: You can also enable or disable rules on the Secure Access Rules screen.
- Configure the following rule settings.

  Rule target (users, devices, and locations targeted by or excluded from the rule):
  - Users/Groups/Private IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude private IP address groups from your internal corporate network locations.
    - Only users or groups from the IAM system configured as your SSO provider can be used in rules.
    - Define a new IP address group by clicking Add. The IP addresses or ranges must exist on your internal corporate network.
      Important: Rules may not apply to devices without the Secure Access Module installed that do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices.
  - Device posture profile: Select or add a device posture profile to exclude compliant devices that access the internet using the Secure Access Module.
  - Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways.
    - Define network locations on particular gateways by going to.

  Traffic (the AI service traffic the rule applies to):
  - AI services: Specify all available AI services or selected AI services.
    Important: Choose from Services supporting content inspection in order to enable advanced generative AI content filtering. AI services not supporting content inspection can only be allowed or blocked. Supported AI services currently include:
    - Amazon Bedrock
      - Converse and ConverseStream (all versions)
      - InvokeModel and InvokeModelWithResponseStream (Anthropic models only)
    - Anthropic API and Claude (all versions)
    - ChatGPT (all versions)
    - Google Gemini (formerly Bard)
    - Microsoft Copilot (formerly Bing Chat)
    - Microsoft Copilot for Microsoft 365
  - If applying the rule to a public AI service, you must go to and add or enable HTTPS inspection rules for the following URL categories:
    - Business/Economy
    - Search Engines/Portals
    - Computers/Internet

  Schedule (the time period that the rule is applied):
  - Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period.
    Note: Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.

  Action (the action taken when the rule is triggered):
  - Block AI service access: Blocks access to all supported AI services.
  - Allow AI service access with advanced AI content inspection: Allows access to specified AI services within the specified content inspection parameters for prompts or responses.
    - Prompt settings include:
      - Sensitive data leakage detection: Monitors or blocks prompts containing sensitive data as defined by AI content inspection rules
      - Potential prompt injection detection: Monitors prompts that may attempt to give malicious instructions to the AI service and allow the service to spread malware, steal sensitive data, or take control over systems
      - File upload detection: Monitors or blocks attempts to upload files to an AI service
    - Response settings include:
      - Inappropriate response content detection: Monitors or blocks responses detected as containing inappropriate data as defined by AI content inspection rules
      - Block responses containing malicious URLs as detected by Trend Micro threat experts
- Click Save. View all available rules on the AI Service Access screen.
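Two details in the rule target and schedule settings above are worth being able to reason about before relying on a rule: a device can only be matched to a private IP address group when the gateway can learn its private address (from the first X-Forwarded-For hop, for devices without the Secure Access Module), and a schedule is evaluated in the time zone of the corporate location the connection comes from, with public/home connections evaluated at UTC+0. The Python below is an added illustration of that evaluation logic written for this page; it is not Trend Micro's code and does not describe the gateway's internals. The group name, CIDR ranges, header samples, dates and UTC offsets are all constructed.

```python
# Added illustration (not Trend Micro's code) of how an XFF-dependent rule
# target and a location-aware schedule can be evaluated. Every name and value
# below is constructed for the example.
import ipaddress
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone
from typing import Optional


def validate_ip_group(cidrs):
    """A private IP address group may only contain ranges that exist on the
    internal corporate network, so reject anything outside private space."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    public = [str(n) for n in nets if not n.is_private]
    if public:
        raise ValueError("not internal address space: " + ", ".join(public))
    return nets


def target_matches(headers, group_cidrs):
    """Decide whether the request's originating private IP falls in the group.

    Returns True (targeted), False (not targeted) or None (unattributable:
    without an X-Forwarded-For header the gateway cannot learn the private
    address, which is the case the Important note above warns about).
    The first XFF entry is the originating client; later entries are proxies."""
    nets = validate_ip_group(group_cidrs)
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return None
    first_hop = xff.split(",")[0].strip()
    try:
        client = ipaddress.ip_address(first_hop)
    except ValueError:
        return None  # malformed header: unattributable, never a match
    return any(client in n for n in nets)


@dataclass
class Schedule:
    weekdays: frozenset            # 0 = Monday ... 6 = Sunday
    start: time                    # local start of the daily window
    end: time                      # local end of the daily window (exclusive)
    period: Optional[tuple] = None  # (first_date, last_date) when "Only apply the
                                    # rule during the specified period" is checked


def schedule_active(sched, now_utc, location_utc_offset_hours):
    """Evaluate the schedule in the time zone defined for the corporate network
    location. Public/home connections use UTC+0, so pass offset 0 for them."""
    local = now_utc.astimezone(timezone(timedelta(hours=location_utc_offset_hours)))
    if sched.period is not None:
        first_day, last_day = sched.period
        if not (first_day <= local.date() <= last_day):
            return False
    return local.weekday() in sched.weekdays and sched.start <= local.time() < sched.end


def utc(year, month, day, hour, minute=0):
    """Helper to build a timezone-aware UTC timestamp for the samples."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed rule settings: a private IP address group and two custom schedules.
FINANCE_GROUP = ["10.20.0.0/16", "192.168.50.0/24"]
OFFICE_HOURS = Schedule(weekdays=frozenset(range(5)), start=time(9, 0), end=time(17, 0))
QUARTER_CLOSE = Schedule(weekdays=frozenset(range(5)), start=time(9, 0), end=time(17, 0),
                         period=(date(2024, 6, 24), date(2024, 6, 28)))

if __name__ == "__main__":
    # Constructed requests as the gateway would see them.
    print(target_matches({"X-Forwarded-For": "10.20.3.7, 203.0.113.9"}, FINANCE_GROUP))  # True
    print(target_matches({"Host": "chat.example"}, FINANCE_GROUP))  # None: no XFF, no private IP
    # 02:00 UTC on Monday 2024-06-10 is 10:00 in a UTC+8 office but 02:00 from home.
    print(schedule_active(OFFICE_HOURS, utc(2024, 6, 10, 2), 8))  # True
    print(schedule_active(OFFICE_HOURS, utc(2024, 6, 10, 2), 0))  # False
```

A malformed or missing X-Forwarded-For value is deliberately reported as unattributable rather than as a non-match, so a caller can tell "this device is not in the group" apart from "this device could not be identified", which is the distinction the Important note about devices without the Secure Access Module draws.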