Create an AI secure access rule

Procedure

1. On the Secure Access Rules screen, click the AI Secure Access tab and then click Create AI Secure Access Rule.
   The rule configuration screen appears with the AI secure access rule template selected.
2. Specify a unique name and a description for the rule.
3. Specify whether the applicable generative AI service is a public generative AI service, private generative AI service, or public MCP server..
4. To enable or disable the rule, click the toggle next to Status.

   Tip You can also enable or disable rules on the Secure Access Rules screen.

5. Configure the following rule settings.

   AI Services

   Rule setting	Description	Options
   Rule target	Users, devices, and locations targeted by or excluded from the rule	Users / Groups/ IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude both public and private IP address groups. Only users or groups from the IAM system configured as your SSO provider can be used in rules. Define a new IP address group by clicking Add, and select either a Public or Private IP address group. If you have selected Private IP address, the IP addresses or ranges must exist on your internal corporate network. You can include and exclude both custom URLS and custom cloud apps. Important Rules may not apply to devices without the Secure Access Module installed that do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices. Device posture profile: Select or add a device posture profile to exclude compliant devices that access the internet using the Secure Access Module. Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways. Define network locations on particular gateways by going to Secure Access Configuration → Internet Access and AI Secure Access Configuration → Gateways.
   Traffic	The AI service traffic the rule applies to	AI services Specify all available AI services or selected AI services. For more information on supported AI services, see Public AI service categories. Important Choose from Services supporting content inspection to enable advanced generative AI content filtering. AI services not supporting content inspection can only be allow or block. Supported AI services currently include: Amazon Bedrock Converse and ConverseStream (all versions) InvokeModel and InvokeModelWithResponseStream (Anthropic models only) Anthropic API and Claude (all versions) ChatGPT (all versions) DeepSeek (all versions) GitHub Copilot (Visual Studio Code – chat panel only) Requires IDE Plugin version 1.5.6.5692 or later Requires Secure Access Module (SAM) For more information, see Configuring Copilot subscription-based network routing for your organization Google Gemini (formerly Bard) Microsoft Copilot (formerly Bing Chat) Microsoft Copilot for Microsoft 365 Perplexity (all versions) If applying the rule to a public AI service, you must go to Internet Access and AI Secure Access Configuration → HTTPS Inspection and add or enable HTTPS inspection rules for the following URL categories: Business/Economy Search Engines/Portals Computers/Internet Public MCP Server
   Schedule	The time period that the rule is applied	Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period. Note Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.
   Action	The action taken when the rule is triggered	Block AI secure access: Blocks access to all supported AI services. Allow AI secure access with advanced AI content inspection: Allows access to specified AI services within the specified content inspection parameters for prompts or responses. Note By default, all parameters are set to "Allow". You can set the individual parameters to: Monitor. This allows the prompt or response access to supported AI services, but logs the event. Block. Blocks access to all supported AI services. Enable tenancy restriction. Restricts access to public AI platforms such as ChatGPT so that access is only allowed when using accounts from the corporate domain. In other words, it prevents your end users from logging into the platform with a personal account such as Gmail or Outlook from your corporate network. Note Tenancy restriction applies only to public AI secure access rules. This option does not appear in private AI secure access rules. Note The tenancy restriction rule supports only ChatGPT. Prompt settings include: File upload detection: Monitor or block attempts to upload files to an AI service Sensitive data loss prompt detection: Monitors or blocks prompts files containing sensitive data as defined by AI content inspection rules.. If you select this setting, must select an AI content inspection rule . Note Currently, ZTSA only supports 3 AI services for sensitive data content inspection: Google Gemini (Google Bard) Microsoft Copilot / Bing Copilot / Bing Search Microsoft Copilot for Microsoft 365 OpenAI ChatGPT Potential prompt injection detection: Monitor or block prompts that may attempt to give malicious instructions to the AI service and allow the service to spread malware, steal sensitive data, or take control over systems Harmful prompt detection: Monitor or block the following harmful prompts: Hate: Language that deliberately expresses discrimination, harassment, threats, insults or profanity. Obscene: Content involving sexually explicit behavior and/or graphic imagery. Violence and illegal: Language describing unlawful or dangerous acts. File upload detection: Monitor or block attempts to upload files to an AI service Response settings include: Inappropriate response content detection: Monitors or blocks responses detected as containing inappropriate data as defined by AI content inspection rules Block responses containing malicious URLs as detected by Trend Micro threat experts

   MCP Server

   Rule setting	Description	Options
   Rule target	Users, devices, and locations targeted by or excluded from the rule	Users / Groups/ IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude both public and private IP address groups. Only users or groups from the IAM system configured as your SSO provider can be used in rules. Define a new IP address group by clicking Add, and select either a Public or Private IP address group. If you have selected Private IP address, the IP addresses or ranges must exist on your internal corporate network. You can include and exclude both custom URLS and custom cloud apps. Important Rules may not apply to devices without the Secure Access Module installed that do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices. Device posture profile: Select or add a device posture profile to exclude compliant devices that access the internet using the Secure Access Module. Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways. Define network locations on particular gateways by going to Secure Access Configuration → Internet Access and AI Secure Access Configuration → Gateways.
   Traffic	The AI Public MCP servers that the rule applies to	Public MCP Server Select either: All available public MCP servers. The rule to applies to all available public MCP servers. Selected public MCP servers: You can select the MCP servers that you want to include from the following categories: Predefined public MCP servers Predefined public servers are those known and listed by ZTSA Discovered public MCP servers Discovered MCP servers are URLs that are identified by ZTSA as MCP servers through customer traffic. They do not include Predefined public MCP servers. Custom URL public MCP servers Custom public MCP Servers are added by users. Note When adding servers, remember that ZTSA does not distinguish between MCP and non-MCP servers. Note You can exclude specific customer public MCP servers URLs. You cannot exclude predefined or discovered public MCP servers.
   Schedule	The time period that the rule is applied	Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period. Note Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.
   Action	The action taken when the rule is triggered	Block public MCP server access: Blocks access to all public MCP servers. Allow public MCP server access with advanced AI content inspection: Allows access to specified public MCP Servers within the specified content inspection parameters for prompts or responses. Note By default, all parameters are set to "Allow". You can set the individual parameters to: Monitor. This allows the prompt or response access to the public MCP servers, but logs the event. Block. Blocks access to all public MCP servers. Request settings include: Sensitive data loss prompt detection: Monitors or blocks URLs containing sensitive data as defined by AI content inspection rules. If you select this setting, must select an AI content inspection rule. Response settings include: Inappropriate response content detection: Monitors or blocks URLs detected as containing inappropriate data as defined by AI content inspection rules Block responses containing malicious URLs as detected by Trend Micro threat experts

6. Click Save.
   View all available rules on the AI Secure Access screen.