Creating an AI service access rule

Procedure

1. On the Secure Access Rules screen, click the AI Service Access tab and then click Create AI Service Access Rule.
   The rule configuration screen appears with the AI service access rule template selected.
2. Specify a unique name and a description for the rule.
3. (Optional) To enable or disable the rule, click the toggle next to Status.

   Tip You can also enable or disable rules on the Secure Access Rules screen.

4. Configure the following rule settings.

   Rule setting	Description	Options
   Rule target	Users, devices, and locations targeted by or excluded from the rule	Users/Groups/Private IP address groups: Target or exclude users or groups registered with your configured SSO provider. You may alternatively target or exclude private IP address groups from your internal corporate network locations. Only users or groups from the IAM system configured as your SSO provider can be used in rules. Define a new IP address group by clicking Add. The IP addresses or ranges must exist on your internal corporate network. Important Rules may not apply to devices without the Secure Access Module installed that do not send HTTP/HTTPS requests containing the X-Forwarded-For (XFF) header field. The Internet Access Gateway cannot retrieve the private IP addresses of these devices. Device posture profile: Select or add a device posture profile to exclude compliant devices that access the internet using the Secure Access Module. Locations: Target available corporate or public/home network locations as defined on your Internet Access Cloud Gateway or Internet Access On-Premises Gateways. Define network locations on particular gateways by going to Secure Access Configuration → Internet Access and AI Service Access Configuration → Gateways.
   Traffic	The AI service traffic the rule applies to	AI services Specify all available AI services or selected AI services. Important Choose from Services supporting content inspection in order to enable advanced generative AI content filtering. AI services not supporting content inspection can only be allowed or blocked. Supported AI services currently include: ChatGPT (all versions) Google Gemini (formerly Bard) Microsoft Copilot (formerly Bing Chat) Microsoft Copilot for Microsoft 365
   Schedule	The time period that the rule is applied	Choose Custom to set a weekly schedule. Check Only apply the rule during the specified period and choose a date range to set a specific period. Note Schedules use the time zones defined in your corporate network locations. Connections from public or home networks use UTC+0.
   Action	The action taken when the rule is triggered	Block AI service access: Blocks access to all supported AI services. Allow AI service access with advanced AI content inspection: Allows access to specified AI services within the specified content inspection parameters for prompts or responses. Prompt settings include: Sensitive data leakage detection: Monitors or blocks prompts containing sensitive data as defined by AI content inspection rules Potential prompt injection detection: Monitor prompts that may attempt to give malicious instructions to the AI service and allow the service to spread malware, steal sensitive data, or take control over systems File upload detection: Monitor or block attempts to upload files to an AI service Response settings include: Inappropriate response content detection: Monitors or blocks responses detected as containing inappropriate data as defined by AI content inspection rules Block responses containing malicious URLs as detected by Trend Micro threat experts

5. Click Save.
   View all available rules on the AI Service Access screen.