GenAI Governance
GenAI governance in Surface Security is managed on two settings pages that work as a pair. Settings > GenAI Protection defines what happens on AI sites — whether prompts, pastes, and file uploads are inspected, what content is restricted, and whether non-approved sites are blocked outright. Settings > AI Catalog defines which sites those decisions apply to — the per-tenant list of AI applications you have sanctioned, blocked, or ignored.
Together they let you move from "we have no idea what goes into ChatGPT" to a governed posture: approved tools are frictionless, unapproved tools are monitored or blocked, and sensitive content is stopped at the browser before it leaves your organization. The results of these policies are visible on the AI Usage dashboard.
[SCREENSHOT PLACEHOLDER: The GenAI Data Leakage Prevention settings page showing the Enable GenAI Protection master toggle and the Enforcement Mode choice between Content Restrictions and Block Sites]
How it works
When GenAI Protection is enabled, the browser extension recognizes AI sites automatically — major services such as ChatGPT, Claude, Gemini, and Copilot are built in, and you can add your own domains. On recognized sites the extension:
- Shows a policy banner reminding the user of your organization's AI acceptable-use policy (with a link to your policy document if you provide one).
- In Content Restrictions mode, inspects content typed or pasted into the AI tool's inputs and files selected for upload, applying your configured detectors and enforcement.
- In Block Sites mode, refuses access to every non-approved AI site entirely.
Inspection happens locally in the browser. What is reported to the dashboard is the event metadata — the site, the type of content detected, and the action taken — which feeds the Recent AI Policy Events panel on the AI Usage dashboard. Warned and blocked events additionally raise a GenAI data-leakage alert in your alert queue (see Alerts).
Enforcement severity for content restrictions follows your global extension mode: in learning mode activity is logged but nothing is interrupted, in warn mode users see a warning but can proceed, and in block mode the detected content is actively prevented.
Settings > GenAI Protection
Open Settings and choose GenAI Protection (the page is titled GenAI Data Leakage Prevention).
Master toggle and enforcement mode
- Enable GenAI Protection — the master switch. When off, no banners, monitoring, or content restrictions are applied (explicit per-domain blocks from the AI Catalog still apply — see below).
- Enforcement Mode:
- Content Restrictions — monitor content and only block/warn when violations are detected (PII, code, large text, custom patterns). Users can still access non-approved sites.
- Block Sites — completely block access to all non-approved GenAI sites. Users see a blocked page.
If protection is on in Content Restrictions mode but every detector is off, the page shows a warning — No content will be inspected. — with an Enable all three detectors shortcut.
Site lists
- GenAI Policy URL — a link to your acceptable-use policy, shown in the policy banner on GenAI sites.
- Approved AI Sites — domains pre-approved by your organization. In Block Sites mode, only these are accessible. In Content Restrictions mode, these sites are not monitored for content restrictions (the banner may still be shown).
- Custom Monitored AI Sites — additional AI domains to monitor beyond the built-in list, such as an internal LLM front-end.
Content Restrictions
Shown in Content Restrictions mode. Three built-in detectors, each with its own toggle:
| Detector | Options |
|---|---|
| Block/warn on large text | Character threshold slider, 100 to 5,000 characters |
| Block/warn on code snippets | Code detection sensitivity: High, Medium (recommended default), or Low. Pasted code uses this sensitivity; typed code uses a stricter threshold to avoid flagging developers asking coding questions. |
| Block/warn on PII | PII categories to detect — email addresses, SSN, credit cards, phone numbers, API keys, JWT tokens, private keys, secret assignments, AWS secret-like tokens, certificates, connection strings. Selecting none means all categories are detected. |
Custom Content Restrictions
Define your own detection patterns — for example a project codename that must never be pasted into an AI tool. Each pattern has a Pattern Name, a Type (Plain Text (case-insensitive) or Regular Expression), and the pattern itself. Patterns can be toggled on and off individually, and matches trigger the same warn/block enforcement as the built-in detectors.
[SCREENSHOT PLACEHOLDER: The Content Restrictions and Custom Content Restrictions cards, with the PII categories grid expanded and one custom regex pattern in the list]
File Upload & Download Controls
Also shown in Content Restrictions mode:
- Enable file upload controls turns on upload governance for GenAI sites, with:
- Maximum file size (MB) (1–500) with a Block / Warn / Learning enforcement selector.
- Blocked file extensions with one-click presets (Office docs, Archives, Executables) and its own enforcement selector.
- Scan files for sensitive information — by default this inherits from paste-side PII settings, so files are scanned for the same categories as pastes. Click Override to configure it independently (categories: PII, API Keys & Secrets, Private Keys, Certificates, Connection Strings, Code Snippets, plus an enforcement selector), or Reset to inherit to return to the inherited behavior.
- Unscannable files (binary, archives) — choose Block or Allow for files whose contents cannot be inspected.
- Download Controls — Block all file downloads from GenAI sites.
For download and print controls that apply to all sites (not just AI sites), see Browser DLP.
Saving
Click Save GenAI Settings. Saving requires you to re-enter your password. Changes take effect on the next policy sync (hourly) or extension restart.
Settings > AI Catalog
The AI Catalog page (open it via the Manage sanctioned, blocked, and ignored AI apps link on the GenAI settings page, or Manage AI catalog on the AI Usage dashboard) is the persistent record of every AI app decision in your tenant.
- Filter chips at the top: All, Sanctioned, Blocked, Ignored, each with a count.
- The table shows each app's name and vendor, its Domains, Category, Status badges, and Actions.
- Per-row actions: Block / Unblock, and Promote (mark sanctioned) for apps that are not yet sanctioned.
The three statuses are independent flags:
| Status | Effect |
|---|---|
| Sanctioned | Approved. Also feeds the Approved AI Sites behavior — the extension does not warn or restrict content on these domains. |
| Blocked | Hard navigation block. Enforced in every enforcement mode, even if GenAI protection is otherwise off — explicit blocks always win. |
| Ignored | Suppressed from Shadow AI Discovery. Not blocked, not sanctioned. |
Entries with none of the three flags show a Custom badge (a cataloged app awaiting a decision).
[SCREENSHOT PLACEHOLDER: The AI Catalog page filtered to Blocked, showing status badges and the Unblock action on a row]
How the two pages work together
- Approved AI Sites (GenAI settings) and Sanctioned (AI Catalog) express the same decision: this tool is allowed. Promoting an app from the catalog or the AI Usage dashboard has the same effect as approving its domains.
- The Blocked list in the catalog overrides everything, including Block Sites / Content Restrictions mode selection and the master toggle.
- Everything not approved and not blocked gets your enforcement-mode treatment: monitored under Content Restrictions, refused under Block Sites.
- New, unrecognized AI domains surface in Shadow AI Discovery on the AI Usage dashboard, where Promote / Block / Ignore write directly into this catalog.
Catalog changes propagate to browsers on the next policy sync — 60 minutes by default, tunable via the policySyncInterval managed setting. See AI Usage Dashboard configuration for propagation details.
Worked example: a measured rollout
- Week 1 — observe. Enable GenAI Protection, choose Content Restrictions, turn on all three detectors, and leave the global extension mode in learning. Nothing is interrupted; the AI Usage dashboard starts filling with policy events and sensitive-data egress data.
- Week 2 — decide. The dashboard shows heavy legitimate use of two assistants. Promote them on the AI Catalog page so they are Sanctioned. Block one high-risk transcription site outright.
- Week 3 — enforce. Switch the extension mode to warn: users pasting PII or code into non-approved AI tools now see a warning banner but can proceed. Add a custom pattern for the codename of an unannounced product, and enable file upload controls with the Executables preset blocked and sensitive-information scanning inherited from the paste-side PII settings.
- Ongoing. Warned and blocked events appear both in Recent AI Policy Events on the dashboard and as alerts in your triage queue. Shadow AI Discovery catches each new tool as it appears.
Troubleshooting
My save is rejected even though I only changed one toggle. The whole GenAI settings form is validated together. If file upload controls are enabled, all of their enforcement selectors must hold a valid value, and the code-detection sensitivity must be set. Check the file-controls card for anything left blank, then save again. Saving always requires re-entering your password.
The policy banner is not appearing on an internal AI tool. Built-in recognition covers major public services. Internal or niche tools must be added under Custom Monitored AI Sites. Also confirm Enable GenAI Protection is on and allow up to one policy sync (hourly) or an extension restart for the change to reach browsers.
PII detection is on, but nothing is ever detected. Check three things: the site may be on Approved AI Sites (approved sites are not monitored for content restrictions); the global extension mode may be in learning (activity is logged, not warned or blocked — check the AI Usage dashboard's policy events for logged entries); or your PII categories to detect selection may not include the data types actually being pasted. Remember that selecting no categories means all categories are detected — it is not the off switch.
Users say a blocked AI site is still loading. Blocks and approvals propagate on the extension's next policy sync (default 60 minutes). For urgent containment, add a DNS or firewall block in parallel.
FAQ
Do approved sites still show the policy banner? They can. Approval removes content monitoring and restrictions; the banner is informational and may still appear.
What is the difference between Learning enforcement on a file rule and the global learning mode? They behave the same way — the event is recorded but the user is not warned or blocked. The per-rule Learning option lets you trial one control (say, the file-size limit) while others actively warn or block.
We blocked a site but a user reached it minutes later. Why? Blocks reach each browser at its next policy sync (default 60 minutes). For immediate containment, add a DNS or firewall rule as well.
Does content inspection send prompt text to Surface Security? Detection runs in the browser. Events describe what category was detected and what action was taken — see the metadata columns on the AI Usage dashboard's policy events table.
Can I tune detectors based on real traffic instead of guessing? Yes — the policy auto-tuner analyzes your event history and proposes threshold and rule changes for human review. It never applies changes on its own. See Policy Auto-Tuner.
How does this relate to the general browser DLP controls? The GenAI layer applies only on AI sites. Organization-wide paste, upload, download, and print controls — including the global download and print policies — are configured separately; see Browser DLP.